In August 2025, Michael Bargury demonstrated zero-click attacks against enterprise AI agents at Black Hat USA. An attacker needs only a user's email address to hijack that user's ChatGPT, Microsoft Copilot, Salesforce Einstein, or Google Gemini session. Instructions hidden in a harmless-looking email are acted on when the agent processes the mailbox, so they can replace banking details, launch phishing campaigns, or extract sensitive data, all without the victim ever opening the malicious email.
Some vendors patched the vulnerabilities. Others declined, citing them as intended functionality.
Here's the problem: these attacks don't map to any compliance framework auditors recognize. Prompt injection, RAG poisoning, citation manipulation: these threat classes are only a few years old. The standards auditors use to verify compliance are a decade or more older.
Bargury, CTO and co-founder of Zenity, is building infrastructure to close that gap: a framework that decomposes novel AI threats into components that map onto established security standards, so they can be audited with the frameworks that already exist.
Breaking Down Attacks That Didn't Exist in Compliance Documentation
Bargury leads the OWASP Low-Code/No-Code Top 10 project and contributed to the MITRE ATLAS framework. In October 2024, his team launched the GenAI Attacks Matrix—a framework that documents AI-specific attack techniques and maps them to standards auditors already understand.
By March 2025, MITRE ATLAS had incorporated eight new attack techniques and four sub-techniques from Zenity's work, including a case study on financial transaction hijacking through Microsoft 365 Copilot. Each attack with no entry in existing compliance documentation is decomposed into specific techniques that map onto OWASP and MITRE categories.
An auditor asking about SOX compliance gets documentation showing how the system prevents AI agents from making unmonitored changes to financial records. A GDPR review gets evidence that agents reach only the data they need, with least privilege enforced. The threats are new. The categories they map to aren't.
What Happens When the Auditor Shows Up
Organizations deploy agents faster than security frameworks evolve. Bargury compared the current state to "being back in the '90s"—irrational exuberance for innovation outstripping security maturity.
The operational challenge: you can show an auditor your agent's system prompt and its RAG retrieval logs, but their checklist has no line for "prompt injection prevention" or "RAG poisoning mitigation." They're looking for evidence of least-privilege access, input validation, and audit trails, concepts that predate AI agents.
Without a mapping between what your agents actually do and what the compliance framework expects to see, you can't demonstrate compliance even when you're handling the risks properly.
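One concrete shape such a mapping can take, as an added example that is not Zenity's framework, a real Copilot log format, or any product's code: a small checker that reads one agent session's audit events, applies three checks that correspond to the AI-specific failures discussed above (untrusted retrieved content driving a financial write, retrieval outside the user's entitlement, a sensitive change with no recorded approver), and files each finding under the control heading an auditor already looks for. The sample log, the entitlement model, the tool names and the threat-to-control table are all constructed for this illustration.

```python
"""Added example: translate raw agent audit events into findings labelled with the
control categories auditors already check (least privilege, input validation,
change monitoring). Sample data and the control map are constructed, not real."""
import json
from dataclasses import dataclass

# Constructed sample log for one agent session, JSON Lines (hypothetical format).
SAMPLE_LOG = """\
{"ts":"2025-08-06T10:01:02Z","event":"prompt","user":"alice@corp.example","text":"What is Acme's bank account for this month's invoice?"}
{"ts":"2025-08-06T10:01:03Z","event":"retrieve","resource":"mail/inbox/msg-1042","classification":"external-untrusted"}
{"ts":"2025-08-06T10:01:04Z","event":"retrieve","resource":"sharepoint/HR/payroll-2025.xlsx","classification":"restricted"}
{"ts":"2025-08-06T10:01:05Z","event":"tool_call","tool":"erp.update_vendor_bank","args":{"vendor":"Acme","iban":"DE00-TEST-IBAN"},"approved_by":null,"instruction_source":"mail/inbox/msg-1042"}
{"ts":"2025-08-06T10:01:06Z","event":"retrieve","resource":"sharepoint/Finance/vendors.xlsx","classification":"internal"}
"""

# Hypothetical entitlement model: resource prefixes each user's agent may read.
ENTITLEMENTS = {"alice@corp.example": ("mail/inbox/", "sharepoint/Finance/")}

# Hypothetical tools that change financial records and therefore need an approver.
SENSITIVE_TOOLS = {"erp.update_vendor_bank", "erp.create_payment"}

# Illustrative mapping from AI-specific failure to the control language auditors use.
CONTROL_MAP = {
    "untrusted_content_drove_action": (
        "prompt injection leading to financial transaction hijacking",
        ["input validation: retrieved content is data, not instructions",
         "SOX: change control on financial records"],
    ),
    "out_of_scope_retrieval": (
        "RAG retrieval beyond the user's entitlement",
        ["least privilege", "GDPR: data minimisation"],
    ),
    "unapproved_sensitive_change": (
        "agent write without human approval",
        ["SOX: monitored changes", "audit trail: approver recorded"],
    ),
}


@dataclass(frozen=True)
class Finding:
    rule: str
    threat: str
    controls: tuple
    ts: str
    detail: str


def parse_log(text):
    """Parse JSON Lines into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def assess(events, entitlements=ENTITLEMENTS, sensitive_tools=SENSITIVE_TOOLS):
    """Run the three checks over one session's events and return Findings in order."""
    user = next((e["user"] for e in events if e["event"] == "prompt"), None)
    allowed = entitlements.get(user, ())  # empty tuple: nothing is in scope
    classification = {}  # resource -> classification, filled as retrievals appear
    findings = []

    def flag(rule, ts, detail):
        threat, controls = CONTROL_MAP[rule]
        findings.append(Finding(rule, threat, tuple(controls), ts, detail))

    for e in events:
        if e["event"] == "retrieve":
            classification[e["resource"]] = e.get("classification", "unknown")
            if not e["resource"].startswith(allowed):
                flag("out_of_scope_retrieval", e["ts"], f"{user} read {e['resource']}")
        elif e["event"] == "tool_call" and e["tool"] in sensitive_tools:
            if e.get("approved_by") is None:
                flag("unapproved_sensitive_change", e["ts"], f"{e['tool']} {e['args']}")
            src = e.get("instruction_source")
            # The write was instructed by content the agent pulled from an untrusted source.
            if src and classification.get(src) == "external-untrusted":
                flag("untrusted_content_drove_action", e["ts"], f"{e['tool']} instructed by {src}")
    return findings


def evidence_by_control(findings):
    """Group findings under each control heading: the view an auditor asks for."""
    report = {}
    for f in findings:
        for c in f.controls:
            report.setdefault(c, []).append(f"{f.ts} {f.rule}: {f.detail}")
    return report


if __name__ == "__main__":
    for control, lines in evidence_by_control(assess(parse_log(SAMPLE_LOG))).items():
        print(control)
        for line in lines:
            print("   ", line)
```

On the constructed session the checker produces three findings: the HR payroll read is outside Alice's entitlement (least privilege), the vendor bank update has no approver (monitored changes, audit trail), and that same update was instructed by an untrusted inbox message (input validation, change control). The point is the last step: the same raw events are re-keyed by control heading, so the answer to "show me your input validation evidence" is a list of concrete events rather than a description of prompt-injection defences the auditor has no box for.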
"If you're a Fortune 500 and you've decided to adopt agents across the organization, you buy a whole bunch of licenses. And you have custom agents everywhere. You need to create a security program for that."
The gap between "our agents work reliably" and "here's evidence that satisfies your SOC 2 audit" is real infrastructure work.
The Translation Layer Enterprises Actually Need
At TinyFish, we've seen this challenge firsthand. When you're building enterprise web agent systems that handle sensitive data across thousands of sites, trustworthiness means proving to auditors that you're handling risks properly using frameworks they understand. You can defend against novel threats all day. But if you can't prove it using standards auditors recognize, you're stuck.
Bargury's framework mapping solves a specific production problem: legibility. Organizations need infrastructure that makes novel threats auditable within the governance structures they already have. Rather than waiting for compliance frameworks to catch up, or inventing new ones, he decomposes attacks into components that map onto standards auditors already understand.
Compliance frameworks will not evolve at the pace of AI threats. Bargury is building the infrastructure that makes AI agents governable using the standards that already exist.
Things to follow up on...
- AgentFlayer zero-click exploits: Bargury's Black Hat USA 2025 research demonstrated working exploits against OpenAI ChatGPT, Microsoft Copilot Studio, Salesforce Einstein, and Google Gemini in which attackers need only a user's email address to completely take over enterprise AI agents.
- GenAI Attacks Matrix development: Unlike MITRE ATT&CK, which documents observed adversary behavior, the GenAI Attacks Matrix documents security research before threats are observed in the wild, because Bargury believes it is important to get ahead of threats given how fast AI is being adopted.
- Financial transaction hijacking case study: The MITRE ATLAS integration includes a detailed case study showing how an external adversary can perform Remote Copilot Execution attacks by intercepting vendor bank-details requests within Microsoft 365 Copilot and taking full control as a malicious insider.
- Open-source offensive security tools: Zenity Labs released power-pwn and LOLCopilot on GitHub to help organizations gain visibility into risks within their agentic AI platforms; the tools include fail-safe mechanisms to prevent misuse at scale.