My Assistant Was a Spy... The Betrayal of AI Agents [AI Mistake Note]

In the movie "Iron Man," the protagonist Tony Stark collaborates with the AI assistant Jarvis. The photo shows a scene where Iron Man communicates with Jarvis. Movie capture.

People in power have such great authority and responsibility that they inevitably need an assistant. Assistants stay closer to those in power than anyone else. Even if they lack real power, the amount of information they can access is considerable. But imagine for a moment: what if that "trusted assistant," who manages official schedules and knows even the most private secrets, turned out to be a spy? This actually happened. The assistant to the head of government, the Prime Minister, was a spy.

In 1974, Willy Brandt, the Chancellor of West Germany, saw his personal assistant Gunter Guillaume arrested on charges of being an East German spy. For years, Guillaume had shadowed Brandt as his assistant. He organized confidential documents for Brandt, attended important meetings, and even accompanied the Chancellor on private trips. In reality, the details of Brandt's historic "Ostpolitik"?his policy of reconciliation between East and West Germany?were being reported to East Germany in real time. When it was revealed that the trusted assistant was actually the eyes and ears of an enemy nation, Brandt took political responsibility and resigned as Chancellor.

Half a century later, we are entering the era of a "new assistant." This is the emergence of "AI agents" following the artificial intelligence (AI) revolution.

Gunter Guillaume (right) and Willy Brandt. Wikipedia

AI agents not only follow user instructions and commands but also actively perceive their environment and circumstances to make autonomous decisions and take action. Their roles and scope are virtually unlimited. They can be simple schedule-managing assistants, or they can be deeply involved in tasks such as data analysis, sales, and programming. For a technically advanced AI agent, the duties of Gunter Guillaume would be only a small part of their capabilities.

Big tech companies such as OpenAI, Google, Microsoft (MS), Meta, and Amazon are all investing heavily in perfecting AI agents. OpenAI CEO Sam Altman has stated, "By 2025, AI agents will fully enter the labor market." Salesforce CEO Marc Benioff has declared, "We will become the world's number one provider of digital labor through AI agents."

Even at the current level, AI agents are already involved in a wide range of corporate operations. Mobility company Lyft has established an AI agent system for customer support, utilizing Anthropic's Claude. Lyft's AI agent quickly handles repetitive customer inquiries and routes more complex issues to human agents. In February, Lyft announced, "This system has reduced the time needed to resolve customer issues by 87%."

According to a report published by market research firm CB Insights in February, 63% of companies responded that "AI agents will become a very important strategy within the next 12 months." This indicates that the adoption of AI agents is moving beyond simple experimentation and entering a full-scale implementation phase.

Despite the growing importance of AI agents, companies still have concerns. The greatest concern cited by companies regarding AI agents is "reliability and security" (47%). This is significantly higher than other concerns, such as technical implementation difficulties (41%) and lack of personnel and skills (35%). What kinds of reliability and security issues do AI agents present?

A hacker with both hands on a laptop. Photo by Getty Images Bank

What is the simplest and most universal function an AI agent should perform? It would be things like organizing emails, summarizing meetings, and managing schedules. But what if this AI assistant could be manipulated by external instructions? Just like Gunter Guillaume was a spy for East Germany.

The international nonprofit organization OWASP, which focuses on digital security, updates its list of the top 10 vulnerabilities in AI applications every year. Since the first report was published in 2023, the number one vulnerability has consistently been "prompt injection."

Prompt injection refers to the act of extracting sensitive data, manipulating outputs, or spreading misinformation by inserting seemingly normal prompts. Let's imagine a scenario where prompt injection occurs in an AI chatbot.

In this way, a hacker could extract Company K's confidential information?very easily, in fact. Prompt injection does not require much technical knowledge. All it takes is entering a simple prompt.

Companies exposed to prompt injection can not only suffer leaks of sensitive information but also have their critical decision-making processes compromised. Recently, many companies have adopted AI in their recruitment processes. Recruitment AI agents review and analyze documents submitted by applicants and make preliminary decisions (pass or fail).

What if a malicious applicant launches a prompt injection attack? For example, by hiding a specific prompt command in their application documents that triggers the recruitment AI agent. When the recruitment AI agent reads the document, it automatically responds to the embedded prompt, potentially awarding the applicant a high score or even granting immediate acceptance.

It is impossible to completely prevent prompt injection, but basic and minimal measures can significantly reduce the risk. Getty Images Bank

Prompt injection poses a serious threat to companies, but it is not easy to prevent 100%. Overly restricting user questions (inputs) or answers (outputs) to prevent prompt injection can degrade AI performance.

Nevertheless, there are many basic and important ways to mitigate the risk of prompt injection and protect both users and companies.

IBM has proposed four principles for preventing and mitigating prompt injection: "following general security practices," "input validation," "granting minimal privileges," and "human intervention."

Following General Security Practices

IBM advises, "Avoid suspicious emails and websites." This is a basic code of conduct and security principle for digital service users. By doing so, you can reduce the chances of encountering malicious prompts in the first place.

Input Validation

This involves reviewing known types of prompt injection in advance and blocking similar inputs beforehand. IBM explains, "Organizations can compare user inputs to known injections and use filters to block prompts that appear similar, thereby stopping some attacks."

Granting Minimal Privileges

AI agents should be granted only the minimum necessary privileges. Potentially risky functions should be restricted, and only essential access should be allowed. IBM notes, "While limiting privileges may not immediately prevent injection, it can limit the extent of the damage."

Human Intervention

No matter how capable and trustworthy an AI assistant may be, human involvement is necessary. Especially in critical decision-making processes, the "human in the loop" approach?where a person intervenes for final approval?can reduce the risk of dangerous outputs.

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.