AI agent security conversations lean on a small set of recurring ideas — prompt injection, excessive agency, guardrails, the shared context desk — usually explained assuming the listener already half-knows them. This series does the opposite: it starts from the plain, everyday meaning of the words, builds up one small idea at a time from what an agent even is, and ends each topic with a concrete test you can use immediately. Every abbreviation is spelled out the first time it appears.
-
Article 1
What Is an AI Agent, Explained From Zero
A chatbot talks; an agent acts. The model, tools, and loop that let it take real actions, what autonomy really means, and why that single ability to act is the root of everything else in the series.
-
Article 2
Tokens, Context & How Models Read, Explained From Zero
How a model actually takes in text: the pieces called tokens, the limited desk called the context window, why it keeps no memory, and the one shared desk with no walls behind nearly every attack.
-
Article 3
Prompt Injection, Explained From Zero
Hiding an instruction inside data an agent reads, so it follows the attacker. Direct versus the sneakier indirect kind, exactly why it works, and why an agent that can act turns a sentence into real damage.
-
Article 4
Jailbreaking & Guardrail Bypass, Explained From Zero
The safety rules we bolt onto a model, the wordplay used to talk it into ignoring them, why a finite rule can never catch infinite phrasings, and why defense is layers rather than one wall.
-
Article 5
Insecure Output Handling, Explained From Zero
The quiet danger of trusting the model’s output and feeding it into a browser, a shell, or a database. Why model output is untrusted input, and how to clean it before it can act.
-
Article 6
Excessive Agency, Explained From Zero
More tools, access, and freedom than a job needs becomes blast radius the day the agent is tricked. The three dials of “too much,” and why least agency by default is the cure.
-
Article 7
Training-Data Poisoning, Explained From Zero
A model is what it eats. How an attacker slips rotten examples into training to plant a hidden backdoor or quiet bias, why the finished model is impossible to inspect, and how to guard the food supply.
-
Article 8
Model Theft, Extraction & Inversion, Explained From Zero
Three ways to attack the model itself: steal the weights file, clone its behaviour by asking it questions, or reconstruct the private data it trained on — and how each leaks value you thought was locked away.
-
Article 9
Membership Inference & Data Leakage, Explained From Zero
Working out whether one person’s record trained a model, how the model’s own confidence gives it away, why a bare yes can be the whole secret, and how to teach patterns, not people.
-
Article 10
Sensitive Information Disclosure, Explained From Zero
The everyday leak of a helpful model simply telling someone a secret. The four taps those secrets flow from, why a model has no concept of “confidential,” and how to keep secrets off its desk.
-
Article 11
The AI Supply Chain, Explained From Zero
You didn’t build it all — the borrowed models, datasets, libraries, and plugins your system is assembled from, how each is a door you inherit, and why you are only as safe as the least careful part.
-
Article 12
Agent Identity & Authentication, Explained From Zero
Who is the agent, and on whose behalf is it acting? Why it needs its own identity, the confused-deputy trap, acting with the user’s permissions, and named, scoped, short-lived keys.
-
Article 13
Guardrails: Input & Output Validation, Explained From Zero
The two checkpoints around a model — one screening what goes in, one screening what comes out — what each catches, why no single filter is a force field, and the practices that keep them working.
-
Article 14
Human-in-the-Loop Oversight, Explained From Zero
The final safety net: a person before the biggest, most irreversible actions. The spectrum from fully automatic to human-does-it, where to place the human, and how to avoid rubber-stamping.
-
Article 15
The OWASP Top 10 for LLM Apps, Explained From Zero
The industry’s shared checklist of the biggest AI risks — and you already know most of it. Grouped into attacks on the input, the data, and the system, and how to use it as a floor to clear.
-
Article 16
MITRE ATLAS, Explained From Zero
The field’s playbook of how real AI attacks unfold, step by step: tactics versus techniques, the stages of an attack, how it differs from the OWASP list, and why breaking one link stops the whole chain.
More field guides
-
Companion series
Security Fundamentals
Thirty-two zero-assumed-knowledge explainers of the concepts every security conversation leans on — lineage, blast radius, least privilege, zero trust, incident response — each with a worked example and how it applies to AI agents.
-
Field guide
Anti-Patterns Catalogue
Twenty-five named security failure modes in agentic AI (across twenty-six articles), each with a definition, a hypothetical scenario, and a layered remediation grounded in current industry frameworks.
-
Field guide
Release Engineering
Eight chapters on shipping an agent to a customer environment: delivery models, signing, the pin file, the bootstrap repo, ephemeral runners, hygiene, cadence and rollback.
-
Field guide
Supply-Chain Trust
Judging third-party code, packages, actions, images and models before you trust them — provenance signals, independent verification, danger-surface review, and safe handling, grounded in OpenSSF, SLSA, NIST, OWASP and MITRE.