The security tooling built for the first generation of agentic AI was designed around a tractable problem. A scripted agent has a defined set of tool calls, a predictable execution path, and an enumerable set of failure modes. You could list them. You could test against them. You could build guardrails that matched specific patterns, because the patterns were finite. The threat surface was a fixed list derived from a fixed set of capabilities.
That model held as long as agents were fundamentally instructional — systems that executed sequences of steps toward outcomes specified in advance by a human author. The orchestration layer defined what would happen. The agent was, in the most precise sense, running a program.
Goal-oriented agents do not run programs. They pursue objectives. The operational lifecycle of an autonomous agent — initialization, input, inference, decision, execution — is not a sequence of predetermined steps but a continuous loop of environmental sensing and replanning. The agent selects its next action based on what it observes, what it remembers, and what it has determined it needs to accomplish. That determination is not fixed. It evolves.
What Scripted Agents Actually Were
It is worth being precise about what the scripted model provided, because its security properties were genuinely useful. A scripted agent’s attack surface was, in principle, bounded. The tool set was declared. The execution graph was known at design time. The set of actions the agent could take was enumerable, which meant the set of actions an attacker could induce was also enumerable. Security analysis was a coverage problem: enumerate the capabilities, enumerate the failure modes, build controls that closed the gaps.
A scripted agent’s threat surface is a function of its declared capabilities. Enumerate the capabilities, enumerate the failure modes. The attack surface is bounded because the execution graph is bounded. Controls can be matched to patterns because the patterns are finite and known at design time.
The SoK systematization by Dehghantanha and Homayoun (arXiv:2603.22928) makes the architecture of this problem explicit. In a scripted or copilot deployment — an LLM paired with tool APIs and enterprise RAG — the attack surfaces are numbered and mappable: user input, retrieved content ingress, tool call serialization, sandbox boundary, file I/O, API token scope, indexer, retriever, long-term memory, audit telemetry. Ten attack surfaces, each corresponding to a defined component. Security teams could build controls against each surface because each surface corresponded to a specific integration point with a specific function.
The scripted model also had a tractable detection story. An agent executing a known sequence of tool calls produces a trace with recognizable patterns. Anomaly detection could be pattern-based, because the baseline was a pattern. A deviation from the expected sequence was, by definition, a signal.
The Goal-Oriented Shift and What It Changes
The transition to goal-oriented agents does not merely expand the attack surface. It changes its character. Su, Luo, and collaborators (arXiv:2506.23844) frame this precisely: the paradigm shift is from static inference systems to interactive, memory-augmented entities capable of perceiving, reasoning, and acting in dynamic, open-ended environments. The security risks that emerge — memory poisoning, tool misuse, reward hacking, emergent misalignment — are qualitatively novel. They extend beyond the threat models designed for conventional systems or standalone LLMs.
The critical structural difference is this: in a scripted agent, the threat surface is a function of the agent’s capabilities. In a goal-oriented agent, the threat surface is a function of the agent’s objective and the environment it is operating in. The same agent, pursuing a different goal in a different environment, presents a categorically different attack surface. The surface is not static. It is generated at runtime.
- Bounded by declared capability set
- Enumerable at design time
- Fixed execution graph, known paths
- Pattern-based detection viable
- Guardrails match to specific tool-call patterns
- Failure modes correspond to integration points
- Generated at runtime by objective + environment
- Not enumerable at design time
- Dynamic replanning, paths unknown in advance
- Pattern-based detection insufficient
- Guardrails cannot anticipate emergent action sequences
- Failure modes emerge from goal pursuit, not component function
This is not a quantitative expansion of the prior model. It is a structural discontinuity. The threat surface of a goal-oriented agent cannot be derived from the threat surface of its scripted predecessor by adding more items to the list. The list is the wrong data structure for the problem.
Autonomy as a Security Variable
The Su et al. survey introduces an autonomy-oriented taxonomy that makes this legible. As agents gain long-term memory retention, modular tool use, recursive planning, and reflective reasoning, they move through progressive levels of cognitive and operational independence. Each level introduces failure modes that do not exist at the level below. Deferred decision hazards arise when an agent delays commitment until it has gathered sufficient environmental information — the decision is not anchored at initialization, so the threat cannot be fixed at initialization. Irreversible tool chains emerge when a sequence of individually authorized tool calls composes into an outcome that no individual authorization gate could have anticipated.
Initialization · Input · Inference · Decision · Execution. The five-layer lifecycle framework maps compound threats across the full operational arc of an autonomous agent. Point-based defenses fail because the threats are cross-temporal and multi-stage — a single-layer control cannot address a compound that spans layers.
Deng, Zhang, and collaborators at Tsinghua and Ant Group (arXiv:2603.11619) demonstrate this concretely through the OpenClaw lifecycle analysis. Compound threats — indirect prompt injection combined with skill supply chain contamination, memory poisoning combined with intent drift — span multiple lifecycle layers. A defense that covers one layer does not cover the compound. The attack surface of a goal-oriented agent is not a set of surfaces. It is a set of trajectories through those surfaces, where the trajectory is determined by what the agent is trying to accomplish.
This is the security implication of the goal-oriented shift that existing frameworks have not fully absorbed. The SoK authors note that agentic systems blur trust boundaries between the model, data, and execution environment — not because the components have changed, but because the agent’s goal-directed behavior creates connections between components that were designed to be isolated. A scripted agent respects the isolation by design. A goal-oriented agent crosses it by reasoning.
What This Means for Existing Controls
The structural claim here has a direct consequence for the control architecture built on the scripted model. Guardrails, policy layers, and monitoring systems designed against a static attack surface are not merely insufficient for goal-oriented agents. They are designed for the wrong problem. They assume the threat surface is fixed and enumerable. They build controls against patterns. Goal-oriented agents produce threats that are not patterns — they are emergent properties of goal pursuit in a specific environment at a specific moment.
Governance and operational controls can mitigate the risks of goal-oriented agents. They cannot structurally resolve them. A monitoring system that detects known-bad patterns cannot detect the novel action sequence a goal-pursuing agent assembles from individually permitted components. The detection problem in goal-oriented environments is not a pattern-matching problem. It is an intent-verification problem — and the tooling for that does not yet exist at scale.
This is not an argument against the controls that exist. It is an argument for understanding what they can and cannot do. The Unsafe Action Rate, Policy Adherence Rate, and Privilege Escalation Distance metrics proposed in the SoK systematization (arXiv:2603.22928) are exactly the right metrics for what they measure: the frequency of unsafe actions, the rate of policy compliance, the distance of escalation from initial privileges. None of them measure whether the agent’s goal has drifted. None of them detect intent. They are well-designed instruments for the scripted threat model applied to a more capable surface.
The series that follows this post traces the consequence of that gap through three more posts. Post 2 examines goal hijacking as a categorically different attack class from prompt injection. Post 3 interrogates the platform-layer bet — what Google’s vertical stack can and cannot resolve at this structural level. Post 4 makes the case for what detection in goal-oriented environments actually requires, and why that is the open problem this field has not yet seriously addressed.
The threat surface of a goal-oriented agent is not an expanded version of the scripted agent’s threat surface. It is a different kind of object — generated at runtime by objective and environment rather than declared at design time by capability set. Every security control built for the scripted model is solving a tractable instance of a problem that has become intractable. That is the shift this series is examining.
