3 Tips on how to deploy Agentic AI securely 
Wherever you are in your journey

Author: Jair Santanna
Date: 18/09/2025

Invented lyrics to famous songs, scientific papers that don’t exist: there are multiple examples  of famous LLM hallucinations. These  aren’t a bug, they’re a feature. These models are designed to generate fluent, plausible-sounding text, not to verify truth. 

That means they can confidently invent details, misinterpret context, or fill gaps with fabricated information. When hallucinations occur in an “agentic loop”, where the AI isn’t just talking but acting, the consequences multiply. 

A fabricated citation might be harmless in casual conversation, but in a live system with access to the internet, enterprise data, or executable code, that same fabrication can trigger costly, dangerous, or even catastrophic actions. In this blog our AI security specialist Jair Santanna shares 3 tips to prevent this from happening.

Jair, our principal AI cybersecurity specialist, develops and leads AI cybersecurity services and AI-powered innovations at Bureau Veritas in Europe. He is also an assistant professor at the University of Twente and a member of the EUROPOL EC3 advisory group on RandD, combining recognized expertise with a hands-on, innovative approach.

Chatbots: the first wave of AI applications

Do you remember November 2022? The launch of ChatGPT made artificial intelligence (AI) mainstream overnight. Within weeks, millions of people were using a conversational AI assistant in their daily lives for drafting emails, brainstorming ideas, even writing poetry. It felt like a science fiction moment suddenly turned into a browser tab.

Since then, the transformation has been very intense. Microsoft embedded Copilot into many of their tools, Google launched Gemini, Anthropic introduced Claude, and countless companies followed with their own AI-powered chatbots. What was once an experiment quickly became the default interface for interacting with AI. Just for your reflection: How many times did you interact with an AI chatbot in the last week?

Here in late 2025, chatbots are still the most common form of AI in use. In fact, when we delivered AI penetration testing or AI red teaming in the last quarter, most companies asked us to evaluate their customized AI chatbot systems, often connected to sensitive internal tools or datasets. The three most common functionalities that we found in the chatbots were:

1. Internet access: chatbots that browse in real-time to pull in fresh information.
2. Data integration: systems wired into enterprise databases, CRMs, Google suite, and knowledge bases.
3. Code execution: assistants capable of running scripts and producing functioning programs.

From LLMs to Chatbots to AI agents to Agentic AI

What started as “just text prediction” with Large Language Models (LLMs) has grown into “digital coworkers”. Here is where some terminology may get confusing. LLMs are “the brain” of most Generative AI applications. Chatbots are the AI applications that facilitate end-users, in a written and/or spoken way, to communicate with LLMs. Then, Chatbots got more and more functionalities and lately, in a few cases, could be considered AI agents. 

Researchers from Cornell University define AI agents as “autonomous software programs that perform specific tasks.” In the same paper, they define Agentic AI as “systems of multiple AI agents collaborating to achieve complex goals”. They use a very clear analogy of two systems that control an environment’s temperature, displayed in the following image.

As of late 2025, discussions around Agentic AI often center on tools designed for AI workflow automation and integration (e.g., n8n, Dify) or on broader SaaS automation platforms (e.g., Zapier, Make, Microsoft Power Automate). Both AI-specific and general workflow automation platforms enable LLMs to trigger real-world actions.

What’s most exciting is that every organization can now imagine practical, high-value agents tailored to their daily operations. For example:

1. Companies can use research agents that scan industry news, summarize competitors’ strategies, and deliver polished reports that follow internal templates.
2. Sales teams benefit from outreach agents that qualify leads, draft personalized emails, and update the CRM automatically.
3. HR departments can use onboarding agents that prepare personalized welcome packets, schedule training sessions, and collect required documents.
4. Finance teams can deploy compliance agents that reconcile transactions, flag anomalies, and generate audit-ready summaries.
5. Even product teams can run customer-feedback agents that monitor social channels, cluster insights, and recommend prioritized improvements.

The opportunities are endless.  The real barrier is NOT the technology anymore, but our creativity.

The AI pitfalls

At the center of chatbots and Agentic AI are the large language models (LLMs). They are astonishingly capable, able to synthesize text, reason over instructions, and even generate working code. But let me be clear: LLMs are powerful, yet very fragile . Their very strengths mask deep pitfalls, unbounded autonomy, hidden vulnerabilities, and cascading risks across digital supply chains. The benefits, as described in the previous sections, are still higher than the risks if well-considered and addressed.

Consider four common functionalities that make AI agents appealing, and the risks that come with them:

1. Internet access → misinformation risks. A customer-facing chatbot for a travel agency might pull visa requirements from an unreliable website. If those details are outdated or false, a traveler could arrive at the border unprepared, leading to personal disruption and lasting reputational damage for the agency.
2. Data integration → security and privacy exposure. When an AI assistant is connected to sensitive enterprise systems, like a hospital’s patient database, the stakes rise dramatically. A poorly designed prompt or malicious insider could coax the model into exposing private health data, triggering lawsuits and regulatory penalties.
3. Code execution → unintended consequences. AI-generated scripts can look correct but hide subtle flaws. A marketing team relying on such code might accidentally send emails without honoring unsubscribe requests, effectively spamming thousands of users and violating compliance rules, potentially triggering fines of up to $43,280 per email.
4. Decider for critical assets or business operations → violate business rules or even laws. The infamous Chevrolet incident illustrates this risk. A dealership’s chatbot, unbounded by pricing logic, “sold” a Chevy Tahoe originally from between US$60k and US$80k for US$1. Without strict integration with official systems, AI can generate outputs that violate business rules, contracts, or even laws. 

These links to cases underscore the critical importance of implementing proper guardrails, human oversight, and system integration when deploying AI agents in business-critical environments. Each incident represents not just a technical failure, but a breakdown in risk management that could have been prevented with appropriate safeguards.

Our 3 tips and a list of standards to make your AI application safer

Regardless of where your company is in the AI journey, if they have an application with LLM calls (API), a Chatbot, an AI agent, or an Agentic AI application, these are the three most important pieces of advice we give to clients.

1. Guardrails. You should implement guardrails before and after the LLM call. This allows you to sanitize inputs before they hit the model, and filter outputs before they reach the user or another system. Guardrails are not a mitigation but rather a first line of defense or baseline hygiene. Usually, a good place to start is directly with the AI model/resource provider, for example, AWS bedrock has several guardrails that can be easily implemented out of the box, mainly applicable if you are using LLMs or resources provided by them.
2. Respect the “AI Triangle of Risk”. Any AI solution should never combine these aspects at the same time: (1) untrusted inputs, (2) sensitive data access, or (3) outbound network access. Combining two or more of these at the same time has been proven a recipe for disaster. We dive into more details on this AI Triangle of Risk in the Webinar How to deploy AI securely.
3. Security testing. You should perform regular penetration testing and/or red teaming for AI systems. Preferably by third-party providers that are not biased to the implementation of your AI system. Make sure tests are mapped to risks listed by the industry, such as the knowledge base of adversary tactics, techniques, and case studies specifically for AI systems called MITRE ATLAS and the Top 10 GenAI Security Risks by OWASP community.

In addition to these 3 tips and other advice, we strongly advise clients to know and comply to frameworks and standards. Frameworks and standards are the foundation for building safe, trustworthy, and future-proof AI systems. 

They provide structured methods to identify and mitigate risks, give companies a way to demonstrate accountability to clients, regulators, and the public, and reduce long-term compliance costs as regulations like the EU AI Act come into force. 

In short, paying attention to frameworks today helps organizations avoid costly mistakes, strengthen stakeholder trust, and stay ahead of both attackers and regulators. Here is a list of some important frameworks, standards, and regulations related to AI.