A living map of the attack patterns emerging across multi-agent, RAG, and tool-calling AI in 2026. Less a paper. More a worldview, published and revised in the open.
Unlike our other research streams, the Threat Landscape is one document, not a series. It's our continuously updated map of where AI security is — what we're seeing, what we expect, and how defenders should prioritize. It launches at v0.1 as a working draft, updates quarterly, and grows with the field.
Across Q1–Q2 2026, the AI attack surface shifted decisively toward inter-system compromise: multi-agent privilege escalation, indirect injection via tool outputs, supply-chain attacks on shared agent frameworks, and RAG perimeter degradation. This document tracks what we're seeing across engagements, what we expect next, and how defenders should prioritize. It's revised quarterly as the field shifts.
Multi-agent privilege escalation
Patterns where compromise of one agent in a graph escalates through delegation, tool inheritance, or trust assumptions to compromise the broader system. Observed in CrewAI, LangGraph, and custom orchestration deployments.
ACTIVE · most reports flowingIndirect injection via tool outputs
Attacks where untrusted content reaches a model not via user input but via tool outputs (API responses, scraped data, retrieved documents). The attack vector is becoming harder to defend as agents take more action on tool data.
ACTIVE · field reports increasingAgent framework supply chain
Compromise of shared frameworks, libraries, or model weights used by many AI systems. A single supply-chain compromise potentially affects every downstream deployment.
EMERGING · early signals onlyRAG perimeter degradation
Failure modes specific to retrieval-augmented systems: vector poisoning, cross-tenant similarity leakage, ACL bypass via query manipulation, document-layer injection. The fastest-growing attack class in 2026.
ACTIVE · primary attack class observedInfrastructure misalignment
Where AI deployment realities outrun the infrastructure security baseline — over-privileged containers, runaway cost loops, credential isolation failures. Often the easiest attacks because they exploit conventional infrastructure weaknesses on AI-specific systems.
MONITORING · steady, well-understoodHuman oversight failure modes
Where AI systems are deployed with human-in-the-loop oversight that doesn't actually catch the failure modes the system can produce. Increasingly visible as agentic systems take more autonomous action.
EMERGING · governance implicationsQuarterly major updates.
The document publishes a new minor version each quarter (v0.1 → v0.2 → v0.3...) with substantive additions, removals, or reorganizations. Major version bumps (v1.0, v2.0) occur when the field undergoes structural change.
Continuous minor revisions.
Between quarterly versions, the document may receive minor revisions — typo corrections, clarifications, citation additions. These are not separately versioned but are included in the next minor-version change log.
Engagement-driven additions.
When sanitized engagement findings reveal new attack patterns or significantly shift our understanding of existing ones, they're added to the landscape in the next quarterly update. The change log references the underlying findings (sanitized).
Reader-driven corrections.
Researchers, practitioners, and readers who identify errors or omissions can submit corrections. Substantive corrections are credited in the change log.
Initial publication. Five sections covering multi-agent escalation, indirect injection via tool outputs, agent framework supply chain, RAG perimeter degradation, and defense anti-patterns. Working draft.
Future versions appear here as they're published. Each version remains accessible at a permanent URL.
Quarterly emails when a new version publishes, including the change log and the engagements that drove the changes (sanitized). Unsubscribe anytime.
Threat Landscape v0.1 published MAY 2026 · Next quarterly update Q3 2026
SEE OTHER RESEARCH STREAMS →