This article, a lightly adapted version of Perplexity's response to NIST/CAISI Request for Information 2025-0035, details our observations and recommendations concerning the security of frontier AI agents. These insights are informed by Perplexity's experience operating general-purpose agentic systems used by millions of users and thousands of enterprises in both controlled and open-world environments. Agent architectures change core assumptions around code-data separation, authority boundaries, and execution predictability, creating new confidentiality, integrity, and availability failure modes. We map principal attack surfaces across tools, connectors, hosting boundaries, and multi-agent coordination, with particular emphasis on indirect prompt injection, confused-deputy behavior, and cascading failures in long-running workflows. We then assess current defenses as a layered stack: input-level and model-level mitigations, sandboxed execution, and deterministic policy enforcement for high-consequence actions. Finally, we identify standards and research gaps, including adaptive security benchmarks, policy models for delegation and privilege control, and guidance for secure multi-agent system design aligned with NIST risk management principles.

翻译：本文是Perplexity对NIST/CAISI 2025-0035号信息征询书的轻度改编版回应，详细阐述了我们在前沿人工智能代理安全方面的观察与建议。这些见解源自Perplexity在受控环境和开放环境中运营数百万人及数千家企业使用的通用代理系统的实践经验。代理架构改变了关于代码-数据分离、权限边界和执行可预测性的核心假设，从而产生了新的机密性、完整性和可用性失效模式。我们梳理了工具、连接器、托管边界和多代理协调等主要攻击面，特别关注间接提示注入、权限混淆代理行为以及长时工作流中的级联故障。随后，我们以分层架构评估当前防御措施：输入级与模型级缓解策略、沙箱化执行机制，以及针对高影响行为的确定性策略执行框架。最后，我们指出了标准制定与研究空白领域，包括自适应安全基准测试、委托与权限控制策略模型，以及符合NIST风险管理原则的安全多代理系统设计指南。