Securing Agentic AI Systems: Threat Models and Penetration Testing Strategies for Enterprise Deployments


Bala Thripura Akasam

Abstract

Agentic AI systems, that is, autonomous or semi-autonomous agents capable of multi-step planning, tool invocation, and real-world action execution, are entering enterprise production environments faster than the corresponding security controls have matured. The attack surfaces these deployments introduce (indirect prompt injection through retrieval pipelines, tool-use escalation across execution sandboxes, model and memory poisoning in long-lived vector stores, and supply-chain subversion of unsigned model artifacts) fall outside the detection and prevention scope of conventional application security tooling such as static analysis, dynamic analysis, and software composition analysis. This article proposes a structured threat model for agentic AI systems that defines a five-category asset taxonomy, four adversary classes, and six representative attack patterns grounded in current industry frameworks and adversarial AI research. A six-phase penetration testing methodology addresses each attack class within safe, pre-production, CI/CD-compatible boundaries, extending from architecture and supply-chain review through correlation of runtime telemetry with application security posture management platforms. Mitigation patterns are mapped directly to each identified attack class and integrated with DevSecOps pipeline controls, including prompt linting, tool-schema validation, signed-artifact verification, and continuous red-team playbook execution. Outcome metrics covering guardrail efficacy, supply-chain integrity coverage, tool-use safety, and runtime risk reduction provide the quantitative evidence base required for operational program management and for meeting publication standards.
The controls and governance directions presented here align with current industry consensus on the shift from point-in-time scanning toward posture, provenance, and runtime-informed prioritization as the organizing principles of mature enterprise application security programs.
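As an added illustration of the tool-schema validation control named in the abstract (example code written for this page, not code from the article or its author): each tool call the model emits is checked against a declared tool registry before anything executes, so that unknown tools, undeclared arguments, wrong types, values outside a declared pattern, and side-effecting tools invoked outside an approved step are all rejected before they reach the execution sandbox. The registry, tool names, argument constraints and sample calls are assumptions constructed for the example.

```python
"""Tool-schema validation for agent tool calls (added example, not from the article)."""
import json
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Param:
    """Declared constraints for one tool argument."""
    kind: type
    required: bool = True
    pattern: Optional[str] = None   # regex the whole value must match (str only)
    max_len: Optional[int] = None   # maximum length (str only)


@dataclass(frozen=True)
class ToolSchema:
    name: str
    params: dict
    read_only: bool = True          # False means the tool causes side effects


# Hypothetical tool registry; names and constraints are illustrative assumptions.
REGISTRY = {
    "read_ticket": ToolSchema(
        "read_ticket",
        {"ticket_id": Param(str, pattern=r"TCK-\d{1,8}")},
    ),
    "send_email": ToolSchema(
        "send_email",
        {
            "to": Param(str, pattern=r"[A-Za-z0-9._-]+@example\.com"),
            "subject": Param(str, max_len=120),
            "body": Param(str, max_len=4000),
        },
        read_only=False,
    ),
}


class ToolCallRejected(ValueError):
    """Raised for any call that does not match its declared schema."""


def validate_tool_call(raw: str, allow_side_effects: bool = False) -> tuple:
    """Parse a model-emitted tool call and check it against REGISTRY.

    Returns (tool_name, arguments) only if every check passes; the caller then
    executes the tool solely with the returned, validated arguments.
    """
    try:
        call = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ToolCallRejected(f"malformed JSON: {exc.msg}") from None
    if not isinstance(call, dict) or set(call) != {"tool", "arguments"}:
        raise ToolCallRejected("call must be an object with exactly 'tool' and 'arguments'")
    name, args = call["tool"], call["arguments"]
    schema = REGISTRY.get(name)
    if schema is None:
        raise ToolCallRejected(f"unknown tool {name!r}")   # deny by default
    if not isinstance(args, dict):
        raise ToolCallRejected("arguments must be an object")
    extra = set(args) - set(schema.params)
    if extra:
        raise ToolCallRejected(f"undeclared arguments: {sorted(extra)}")
    for pname, spec in schema.params.items():
        if pname not in args:
            if spec.required:
                raise ToolCallRejected(f"missing argument {pname!r}")
            continue
        value = args[pname]
        # Exact type check: bool subclasses int, so True must not pass as an int.
        if type(value) is not spec.kind:
            raise ToolCallRejected(f"{pname!r} must be {spec.kind.__name__}")
        if spec.max_len is not None and len(value) > spec.max_len:
            raise ToolCallRejected(f"{pname!r} exceeds {spec.max_len} characters")
        if spec.pattern is not None and re.fullmatch(spec.pattern, value) is None:
            raise ToolCallRejected(f"{pname!r} does not match the declared pattern")
    if not schema.read_only and not allow_side_effects:
        raise ToolCallRejected(f"{name!r} has side effects and is not permitted in this step")
    return name, args


def check(raw: str, allow_side_effects: bool = False) -> str:
    """Convenience wrapper: 'ok' if the call is accepted, else the rejection reason."""
    try:
        validate_tool_call(raw, allow_side_effects)
    except ToolCallRejected as exc:
        return f"rejected: {exc}"
    return "ok"


# Constructed sample calls, of the kind a model might emit after reading an
# injected instruction in retrieved content.
SAMPLES = [
    '{"tool": "read_ticket", "arguments": {"ticket_id": "TCK-4217"}}',
    '{"tool": "read_ticket", "arguments": {"ticket_id": "../../etc/passwd"}}',
    '{"tool": "delete_ticket", "arguments": {"ticket_id": "TCK-4217"}}',
    '{"tool": "read_ticket", "arguments": {"ticket_id": "TCK-1", "verbose": true}}',
    '{"tool": "send_email", "arguments": {"to": "attacker@evil.test", "subject": "x", "body": "y"}}',
    '{"tool": "send_email", "arguments": {"to": "ops@example.com", "subject": "x", "body": "y"}}',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check(sample), "<-", sample)
```

The design choice worth noting is deny-by-default at every level: the registry is an allowlist of tools, each tool's parameter set is an allowlist of argument names, and side-effecting tools additionally require the orchestrator to have explicitly opened a step that permits them. A schema check of this kind does not detect the injected instruction itself; it bounds what a successfully injected instruction can make the agent do.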
