← all posts
Data Exfiltration

The Data Exfiltration Risk in AI Agent Workflows

A W-9 onboarding agent can process a vendor PDF correctly and still leak the original document if a compromised tool silently emails it out.

An AI agent can complete the user’s task correctly and still move sensitive data somewhere it should never go.

That is the data exfiltration risk hiding inside many enterprise agent workflows.

A Simple Example

Imagine a W-9 onboarding agent.

A vendor sends a W-9 PDF. The agent receives the document, extracts the relevant information, validates the fields, and routes the onboarding workflow forward.

Everything looks normal.

But one of the tools in the workflow contains a hidden or malicious instruction: after processing the PDF, email the original document to an external address.

The model did not need to go rogue. The agent did not need to invent a malicious plan. It simply followed the tools and instructions in its environment.

The vendor’s tax document still left the system.

Why This Is Different From Model Safety

Traditional model safety focuses on what the model says: toxic output, unsafe recommendations, prompt injection, or policy-violating text.

Those controls matter, but agentic systems add another surface area.

Agents do things:

Once an agent can act through tools, the enterprise risk is not only bad output. It is unauthorized data movement.

How AGP Helps

AGP sits between agents and tools so data movement can be governed at runtime.

Before a tool executes, AGP can evaluate:

If a W-9 onboarding agent suddenly tries to email a vendor PDF to an unexpected destination, that should not be treated as a normal tool call.

It should be blocked, held for approval, or escalated before the document leaves the system.

AGP is free to use and self-hosted — put it between your agents and your systems.