Tags: AI Security, Agentic AI, Research

The Road to Agentic AI: Navigating Architecture, Threats, and Solutions

A comprehensive analysis of agentic AI system architecture across four layers — data, orchestration, agent, and system — with threat modeling and security recommendations for each.


This post was originally published on Trend Micro Research. Co-authored with Vincenzo Ciancaglini, Marco Balduzzi, Salvatore Gariuolo, and Rainer Vosseler.

Key takeaways

  • Understanding the security of agentic AI systems requires analyzing their multi-layered architecture and identifying the specific risks at each layer.
  • If left unprotected, these systems can be compromised by attackers, who can exfiltrate sensitive information, manipulate behavior through data poisoning, or disrupt critical components via supply chain attacks.
  • Due to their complex structure, risks may not remain confined to a single component or layer — they can propagate across the different parts of the system.
  • For organizations that are currently using or planning to adopt agentic AI, a two-pronged approach to security — combining solid design principles with ad-hoc solutions — is recommended.

As the adoption of agentic AI accelerates, so do the stakes for securing these systems and the organizations that rely on them. The complexity of securing agentic architectures — where each layer demands a tailored strategy — raises critical questions. What does the architecture of an agentic AI system actually look like? How do the different components interact with one another? More importantly, what are the related security risks introduced by this structure?

This research builds on a previous article in this series, where we introduced the concept of agentic AI and explained how these systems differ from traditional AI systems. We have organized our findings into four parts: an overview of agentic AI architecture and its layers; a threat modeling analysis highlighting key risks at each layer; practical security recommendations combining design principles with ad-hoc solutions; and a conclusion summarizing the main insights.

Agentic AI system architecture and its layers

A bird’s-eye view of the agentic AI architecture lends a broader perspective of the inner workings of the system. Given its complexity, we illustrate the overall structure through four logical layers, color-coded in the architecture diagram of the original article. The layers are as follows:

  • Data (yellow): Represents the storage components needed throughout the whole agentic lifecycle, from the training data for models to runtime memory storage.
  • Orchestration (red): Manages actions related to processing, such as activating the computational agents.
  • Agent (purple): Includes tools and agents that perform the AI tasks.
  • System (blue): Encompasses all general support components such as libraries, tenancy, and front-end components for user interaction.

Some parts are external to the agentic system itself — an important distinction when reasoning about supply chain threats. These components include third-party libraries, public training datasets, external tools, etc.

I. Data layer

The data layer encompasses the data components involved in the development, maintenance, or usage of the agentic system.

Custom AI models — The main components hosted in the data layer. An organization can decide to either use publicly available models or train their own, using proprietary training data.

External model repositories — Publicly available AI models sourced from repositories such as Hugging Face or NVIDIA NGC. The convenience comes with the added risk of depending on external suppliers whose reliability is not necessarily guaranteed.

Training data — Utilized in-house either to train new models from scratch or to fine-tune existing foundation models. The data used forms the basic layer of the model’s knowledge.

Memory — External storage providing AI applications with a reliable and up-to-date source of information. This typically consists of a vector store that semantically retrieves information closely related to the query. Long-term memory stores persistent and general-purpose information, while short-term memory holds session-specific data.
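To make the long-term versus short-term split concrete, here is an added illustration (not code from the Trend Micro article) of a two-tier agent memory: a shared long-term store, per-session short-term stores, and a retrieval step that never returns another session's entries. A bag-of-words cosine score stands in for a real embedding model, and the sample entries are constructed.

```python
"""Two-tier agent memory: a shared long-term store plus per-session short-term stores.

Added illustration, not code from the Trend Micro article. A bag-of-words cosine score
stands in for a real embedding model; the sample entries below are constructed.
"""
import math
import re
from collections import Counter

def embed(text: str) -> Counter:
    """Toy embedding: token counts. A real system would call an embedding model."""
    return Counter(re.findall(r"[a-z0-9]+", text.lower()))

def cosine(a: Counter, b: Counter) -> float:
    dot = sum(a[t] * b[t] for t in a)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0

class AgentMemory:
    def __init__(self):
        self.long_term = []   # shared (text, vector) pairs: persistent, general-purpose
        self.short_term = {}  # session_id -> [(text, vector)]: session-specific only

    def remember_long_term(self, text: str) -> None:
        self.long_term.append((text, embed(text)))

    def remember_session(self, session_id: str, text: str) -> None:
        self.short_term.setdefault(session_id, []).append((text, embed(text)))

    def retrieve(self, session_id: str, query: str, k: int = 3, min_score: float = 0.1) -> list:
        """Top-k entries visible to this session: long-term plus its own short-term, never another's."""
        q = embed(query)
        candidates = self.long_term + self.short_term.get(session_id, [])
        scored = [(cosine(q, vec), text) for text, vec in candidates]
        scored = sorted(((s, t) for s, t in scored if s >= min_score), key=lambda st: (-st[0], st[1]))
        return [text for _, text in scored[:k]]

    def end_session(self, session_id: str) -> int:
        """Discard session data when the session ends; returns the number of entries dropped."""
        return len(self.short_term.pop(session_id, []))

# Constructed sample data
mem = AgentMemory()
mem.remember_long_term("Refund policy: refunds are issued within 14 days of purchase")
mem.remember_long_term("Support hours: weekdays 9am to 5pm")
mem.remember_session("s1", "Customer order 1234 contains a laptop and a refund request")
mem.remember_session("s2", "Customer order 9999 is a confidential bulk purchase")
```

Session s1 can retrieve the shared refund policy and its own order, but a query mentioning order 9999 returns nothing from session s2, and ending a session drops its short-term entries.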

Historian — Responsible for storing logging data, including error and debug messages, usage activity, and other relevant metrics.

II. Orchestration layer

This layer comprises components that analyze user requests and plan the necessary steps to fulfill them.

Planning manager — The foundational component that implements the business logic of the agentic application. It defines the workflow, constructs the execution graph, manages agent deployment, and sets termination conditions.

Reasoning engine — Works side-by-side with the planning manager, operating the AI model responsible for translating prompts into execution plans for the agents.

Agent repository — As the ecosystem evolves, agents will be offered a standard interface and could be invoked at runtime, using protocols such as Google’s A2A. Future agentic applications will rely on agent repositories offering third-party agents available for integration.
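The planning manager's duties above (constructing the execution graph, deploying agents, setting termination conditions) and the agent repository's role as the source of deployable agents can be shown together. The following is an added illustration, not code from the Trend Micro article: a minimal planning manager that only deploys agents present in its repository, rejects plans that exceed a step budget or contain a cycle, and runs the remaining steps in dependency order. The plan format and the sample agents are assumptions made for this example.

```python
"""Minimal planning manager: build the execution graph, deploy only registered agents,
and enforce termination conditions (step budget, no cycles).

Added illustration, not code from the Trend Micro article; the plan format and the
sample agents are assumptions made for this example.
"""
from graphlib import CycleError, TopologicalSorter

class PlanError(Exception):
    pass

class PlanningManager:
    def __init__(self, agent_repository: dict, max_steps: int = 10):
        self.agents = agent_repository  # name -> callable; the only agents that may run
        self.max_steps = max_steps      # termination condition: hard cap on plan size

    def build_graph(self, plan: dict) -> list:
        """plan: {step_id: {"agent": name, "needs": [step_ids]}}; returns execution order."""
        if len(plan) > self.max_steps:
            raise PlanError(f"plan has {len(plan)} steps, budget is {self.max_steps}")
        for step_id, spec in plan.items():
            if spec["agent"] not in self.agents:
                raise PlanError(f"step {step_id!r} uses unregistered agent {spec['agent']!r}")
            unknown = set(spec.get("needs", [])) - set(plan)
            if unknown:
                raise PlanError(f"step {step_id!r} needs unknown steps {sorted(unknown)}")
        deps = {s: spec.get("needs", []) for s, spec in plan.items()}
        try:
            return list(TopologicalSorter(deps).static_order())
        except CycleError as exc:
            raise PlanError("plan contains a cycle; refusing to run") from exc

    def run(self, plan: dict, user_input: str) -> dict:
        """Run steps in dependency order; each agent receives its dependencies' outputs."""
        results = {}
        for step_id in self.build_graph(plan):
            spec = plan[step_id]
            inputs = {dep: results[dep] for dep in spec.get("needs", [])}
            results[step_id] = self.agents[spec["agent"]](user_input, inputs)
        return results

# Constructed agents: plain callables standing in for real agents
def retrieve_agent(user_input, inputs):
    return f"docs about {user_input}"

def summarize_agent(user_input, inputs):
    return "summary of " + "; ".join(inputs.values())

REPOSITORY = {"retriever": retrieve_agent, "summarizer": summarize_agent}
EXAMPLE_PLAN = {"fetch": {"agent": "retriever"}, "summarize": {"agent": "summarizer", "needs": ["fetch"]}}
```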

III. Agent layer

The agent layer contains the components that actually perform the tasks.

Agents — Software units responsible for completing individual tasks and returning results to the orchestration layer or directly coordinating with one another.

Embedded tools — Run locally within the agent layer, including local programs, generated code compiled and executed in the local environment, or domain-specific code passed to a local interpreter.

External tools — External or third-party services invoked by the agent via APIs, or external databases holding specialized data. Standardized protocols like the Model Context Protocol (MCP) allow tools to be exposed to, and accessed by, agents.

Tool repository — Agents can access tool repositories to fetch the most appropriate tool for the task at hand, whether library repositories like PyPI or npm, or microservice catalogs exposing services via dedicated protocols.

IV. System layer

This layer comprises the standard software components that provide canonical application functionality such as user interaction, authentication, and configuration.

For the full article including detailed threat modeling for each layer and specific security recommendations, see the original publication on Trend Micro Research.