• Insights
    • Blog
    • Perspectives
    • Webinars
  • Offerings
    • Strategic innovation
    • Digital innovation
    • Product innovation
    • High-tech innovation
    • On-site consulting
    • Verhaert NL
  • Markets
    • Space & security
    • FMCG
    • Life sciences
    • Industry
  • Capabilities
    • AILab
    • DesignLab
    • DigitalLab
    • EmbeddedLab
    • FabLab
    • InnoLab
    • MechLab
    • OpenLab
    • OpticsLab
    • PhysicsLab
  • Technologies
    • Technology portfolio
    • IoT & sensors
    • AI & data science
    • Robotics & autonomy
    • Cooling, heating & fluidics
  • About
    • News
    • Our story
  • Careers
  • Contact
Verhaert Masters in InnovationVerhaert Masters in Innovation
Verhaert Masters in InnovationVerhaert Masters in Innovation
  • Insights
        • Blog
        • Perspectives
        • Podcast
        • Webinars
        • FEATURED
          Innovation Day 2026
  • Offerings
        • Strategic
          innovation
        • Digital
          innovation
        • Product
          innovation
        • High-tech
          innovation
        • On-site
          consulting
        • FEATURED
          Verhaert NL
  • Markets
        • Space & defense
        • FMCG
        • Life sciences
        • Industry
  • Capabilities
        • AILab
        • DesignLab
        • DigitalLab
        • EmbeddedLab
        • FabLab
        • InnoLab
        • MechLab
        • OpenLab
        • OpticsLab
        • PhysicsLab
  • Technologies
        • IoT & sensors
        • AI & data science
        • Robotics & autonomy
        • Cooling, heating & fluidics
        • Optics
  • About
        • News
        • Our story
  • Careers
  • Contact

How to secure agentic AI in software development

7 April 2026 Posted by Niels Verleysen Digital innovation

Agentic AI is rapidly transforming how software is built, and for good reason. Used well, it can significantly boost productivity, reduce time-to-market, and unlock new ways of working. At the same time, realizing this potential requires using these tools thoughtfully. Like any powerful technology, agentic AI introduces new risks that need to be addressed to ensure it’s applied securely and effectively. So how do we use these AI tools responsibly while enjoying the benefits they bring? Let’s dive in!

Agentic AI

What is agentic AI?

Before diving into the risks, it’s important to understand how agentic AI actually works. At a high level, agentic AI tools are designed to take a task, break it down into steps and execute those steps autonomously. By iteratively reading and generating text, the tool aims to mimic reasoning and is able to call upon all kinds of tools to successfully execute its tasks, often using external tools such as APIs, databases or code execution environments.

The more access it has to data and tools, the more capable it becomes. However, these systems are not deterministic, they don’t follow fixed rules but instead make probabilistic decisions about what to do next. Now, the question of how well these tasks can be executed autonomously is food for another discussion. What is often overlooked, though, more autonomy and access also means that the impact of its mistakes, or manipulation by others, can be much bigger.

Where things go wrong

If an agent can act, it can also misact, and this can happen in different ways. Let’s look at 3 concrete risks.

  1. Dataset poisoning: With dataset poisoning, the foundational model used as the brain of your agent is already being attacked before it has been trained. Because the model relies on vast amounts of internet data, it’s often collected at scale with limited filtering. The internet is riddled with examples of how things should not be done: in software development, for example, lots of open source codebases are filled with vulnerabilities. But what if a hacker utilizes this to specifically target you? Research funded by Anthropic investigated just that and found that as little as 0.00016% of the training set has to be directly poisoned to be able to introduce a backdoor. These backdoors can be triggered by specific phrases, causing the model to behave in ways defined by the attacker
  2. Prompt injection: A more direct and immediate threat is prompt injection. Here, the attacker doesn’t target the model itself, but its input. By manipulating what the model reads, they can influence how it behaves. An attacker could host a legitimate website containing hidden instructions, text invisible to the user but readable by the model. These instructions tell the agent to extract sensitive information (account credentials, banking information, API keys, …) and send it elsewhere. Even with clear safeguards in place, researchers pulled this off using a surprisingly simple approach, making it clear that it’s far easier to exploit than you’d expect.
  3. Slopsquatting: Even without direct manipulation, agents can create risk through their own mistakes: They have an inherent tendency to hallucinate. Since LLMs probabilistically produce text (what word would be most probable to follow in the sentence), they do make mistakes and present things that don’t exist. Attackers can exploit this. If an agent tends to invent a dependency name, an attacker can register it and attach malicious code. When someone else’s agent later tries to install it, the system becomes compromised. This technique has been dubbed as slopsquatting, as the AI variant of typosquatting, and it turns model errors into attack vectors.

How to mitigate the risks

All of these vulnerabilities stem from the same underlying issue: the agent can act autonomously. In theory, the safest approach would be to manually approve every action and verify every output. But doing so removes the very benefit agents provide: autonomy. So what are your other options?

Sandbox the agent

Agents should never run directly on your core systems, production servers or sensitive data with unrestricted access. How can you implement it:

  • Run the agent in a container, virtual machine or isolated cloud environment.
  • Define and limit access to only the directories, files or databases it actually needs for its tasks.
  • Prevent it from installing arbitrary packages or executing commands outside its environment.

If something goes wrong, whether due to a model hallucination, a prompt injection attack or an external exploit, the damage is confined to the sandbox, protecting your main systems and customer data. There are also specialized sandbox processes that can wrap around your agent and do this confinement for you.

Control external communication

Limit which websites, APIs or network endpoints the agent can access. You implement it as follows:

  • Use egress filtering with a deny-by-default configuration, only allowing connections to trusted domains.
  • Require human approval for each request to an untrusted domain.
  • Monitor outbound requests to detect unexpected activity.

This reduces exposure to prompt injection attacks or slopsquatting, where malicious content on a web page could trick the agent into revealing secrets or executing harmful commands.

Apply least-privilege access

Give the agent only the credentials, permissions and data it absolutely needs for its task. How to implement it?

  • Use user-scoped tokens rather than global or admin credentials.
  • Make tokens time-limited so access expires automatically.
  • Restrict permissions to the minimum required actions (read-only where possible).

If an agent is compromised, leaked credentials or tokens won’t grant full access to sensitive systems, reducing potential damage.

Keep humans in the loop

Agents can act autonomously, but critical actions should always have oversight. You implement it as follows:

  • Require review for any actions affecting production systems, customer data, or financial transactions.
  • Log agent decisions and outputs for auditing.
  • Where possible, set up a system that allows agent actions to be rolled back.

Humans can catch mistakes or malicious behavior that the agent might miss, while still letting the agent handle low-risk tasks to improve efficiency.

Final thoughts

Agentic AI is powerful precisely because it can act independently. But that same independence creates a new attack surface. Not just when using a (free) agentic AI tool online, but also when building a custom tool for your business. Want to learn more about how we use and build AI tools responsibly? Make sure to reach out to our AI specialists!

Tags: Agentic AIAutonomous AgentsPrompt Injection
Any questions? Curious how this can boost your business? Get in touch with Steven!
Latest digital innovation blogposts
  • 13/04/2026
    Beyond the box: Making logistics smarter, safer and sustainable
  • 07/04/2026
    How to secure agentic AI in software development
  • 30/01/2026
    Blurring the line between optical hardware and AI
  • 01/12/2025
    Who really owns your data? Navigating cloud compliance in a global ecosystem
  • 18/11/2025
    More than a chatbot: Turning LLMs into real business value
Verhaert group

Verhaert Masters in Innovation is a pioneering innovation group helping companies and entrepreneurs to innovate, creating new products, businesses and services.

Verhaert icon LinkedIn Verhaert icon YouTube Verhaert icon Instagram Verhaert icon phone Verhaert icon mail

Offerings
Markets
Capabilities
Technologies
Perspectives
Blogs
Webinars
About
News
Careers
Contact

© 1969-2026 • Verhaert New Products & Services NV • BE 0439.039.420 • Privacy policy • Terms of use