What is an AI Agent?

An AI agent is a software system that uses a language model as its decision-making core, combined with tools, memory, and a control loop that lets it plan multi-step tasks, take actions in an environment, observe results, and continue toward a goal. Where a chatbot answers a question once and stops, an agent runs a loop until the work is done.

What separates an agent from a chatbot

Three properties:

1. Tool use. The model can invoke functions — read files, query APIs, execute code, browse the web, send emails — and incorporate the results back into its reasoning.
2. Multi-step planning. Given a goal ("research this company and draft a partnership email"), the agent decomposes it into sub-tasks and executes them in sequence.
3. A control loop. The agent runs plan → act → observe → reflect repeatedly until a stopping condition is reached, rather than producing one response and exiting.

The model is the brain; the control loop is the agent.

Common agent architectures

• ReAct (Reasoning + Acting) — the model alternates between reasoning steps in natural language and tool calls
• Plan-and-execute — a planning model produces a task list, an execution model walks the list
• Tree-of-thoughts — explores multiple reasoning branches in parallel and selects the best
• Multi-agent orchestration — a coordinator agent delegates to specialist agents (often via the A2A protocol)

Frameworks: LangChain, LlamaIndex, AutoGen, CrewAI, OpenAI's Agents SDK, Anthropic's Computer Use, Google's Vertex AI Agent Builder.

Why agents create new security problems

A chatbot's blast radius is the conversation. An agent's blast radius is whatever its tools can touch — files, APIs, services, downstream systems. Two structural risk multipliers:

• Authority compounds. Every tool the agent has access to extends its possible-actions surface. Compromising the agent compromises the union of those tools.
• Errors propagate across steps. A wrong decision in step 2 corrupts the inputs to steps 3-N. Hallucinated context in an agent loop self-amplifies.

Specific attack classes that don't exist for non-agentic LLM apps:

• Tool abuse — coercing the agent into using tools for unauthorized purposes
• Indirect prompt injection through tool responses — adversarial content in retrieved data hijacks the agent
• Cross-agent prompt injection — when one agent delegates to another, malicious responses from the delegate can hijack the caller
• Persistence via memory — long-lived agents with memory stores can be poisoned with instructions that fire on later sessions

OWASP's Agentic AI Top 10 catalogs these patterns. Repello's Agent Wiz product was built specifically to threat-model agentic deployments before they ship.