AppOmni Finds Now Assist Agents Could Trigger Unauthorized Actions
Artificial intelligence agents running in a ServiceNow cloud platform could be pushed into unauthorized tasks through a prompt injection technique that exploits normal agent-to-agent communication, shows research from AppOmni.
See Also: Agentic AI and the Future of Automated Threats
The findings show how default configurations allowed one agent to recruit others with broader privileges in the company's AI layer Now Assist, even when prompt-injection protections were turned on.
Researchers said the system failed to distinguish trusted instructions from untrusted data. Large language models "prioritize the reward above all else," meaning they may treat embedded malicious text as essential to completing the original task, said Aaron Costello, chief of SaaS security research at AppOmni. He observed a "far higher success rate" when injected prompts were framed as necessary steps toward the agent's intended goal, he told Information Security Media Group.
Multi-agent environments magnify the risk, he said. A "team of AI agents are only as resilient as their weakest link." Only one agent needs to misinterpret the malicious text. Downstream agents unaware of upstream deviations and execute the task they receive from the Orchestrator, which is the system component that selects which agent handles each task.
The exposure depended on how Now Assist handles agent discovery - the ability of one agent to find and invoke others - and on deployment choices such as which LLM is used, team grouping, discoverability settings and each agent's configured privileges. These alignments allow a low-privileged agent to offload work to a higher-privileged agent.
Three configuration choices determine whether agent discovery occurs, and all are enabled by default in typical deployments. The underlying LLM must support agent discovery - both available options, Azure OpenAI and the default Now LLM, have this feature enabled.
This architecture becomes risky when any agent reads data from an untrusted source. Without strict trust segmentation, the LLM may treat that data as an instruction rather than content, especially if the injected text implies it is necessary to complete the original task.
In one test, Costello deployed two out-of-the-box agents: an incident-categorization agent that summarizes records, and a record-management agent that can create, read and update records. Both agents were available only to an administrator. He then created a low-privileged user who could open new incident tickets but could not view others' records.
The low-privileged user created a ticket containing a malicious description instructing any reading agent to fetch another ticket's description and overwrite it. That user could not access the referenced record directly because of access controls.
When an administrator later asked Now Assist to categorize the malicious ticket, the system initiated its routing sequence. The AIA ReAct Engine - a component that manages the flow of information between agents - forwarded the task to the Orchestrator, the component that searches for the most appropriate agent. That agent read the malicious text and returned it to the AIA ReAct Engine, which treated it as instructions and sent the updated task back to the Orchestrator. The Orchestrator selected the record-management agent, which had the necessary permissions to update the referenced record.
The record-management agent completed the unauthorized update, returned control to the categorization agent and finished the original task normally. Since the low-privileged user owned the initial ticket, that user saw sensitive content copied into their own record.
Costello said other tests also produced results, including tricking an agent into assigning roles that enabled privilege escalation. He said agents frequently overlooked inconsistencies between their original task and the malicious redirection because downstream agents lacked the context that earlier steps had been compromised. In environments with simple mail transfer protocol enabled, prompts could also lead agents to send outbound email containing data from other records.
The results showed that the capabilities of an agent's tools dictate the impact of an attack. The report said that "the possible impact is determined by the capabilities of the tools, which are possessed by the agents within the team." The misconfigurations can create a "significant source of risk," it said, sometimes exceeding the risks associated with the underlying model.
Costello said that the ecosystem has matured since earlier testing. ServiceNow now allows AI agents to run with the permissions of a dedicated "AI user," giving organizations a way to scope permissions more granularly. Before this feature existed, Costello said it was "extremely difficult to limit the authority of an agent," and guardrails embedded in instructions were ineffective because an attacker could simply override them.