1、From Prompts to Plans:Security and Safety Testing for Agentic AIJason StanleyHead of AI Research Deployment,ServiceNow AI ResearchSecTor BlackHat,2025 Oct 02AI adoption is realChatGPT:200M weekly usersStack Overflow:51%of pros use AI dailyMcKinsey:78%of orgs use AI in 1 functionGartner:33%of org sof
2、tware soon agenticAI adoption is realChatGPT:200M weekly usersStack Overflow:51%of pros use AI dailyMcKinsey:78%of orgs use AI in 1 functionSo are threatsOffense is strengthening,automating,and going multimodal:RL-trained jailbreakers,image-driven injection,agents complying with harmful requests.Who
3、le system and supply chain surfaces are targets.Exploits of AI systems and agents go primetime.Gartner:33%of org software soon agenticSystems are changingSo are risksBut TESTING isnt changing at the same speed1.Front door instead of all the seamsFront doorFocus on initial input-output exchange.ASR j
4、udged on one outputAll the seamsAttention to multitude of pathways:multi-turn,memory,tools,environment,protocolsBut TESTING isnt changing at the same speed1.Front door instead of all the seams2.Stateless instead of statefulStatelessOne prompt one reply.Freeze history,memory,tools,environment,rolesSt
5、atefulLet past actions influence future behaviorBut TESTING isnt changing at the same speed1.Front door instead of all the seams2.Stateless instead of stateful3.Ignores deployment contextContext unawareTesting uses risk taxonomies from public frameworks,not your threat modelContext awareYour threat
6、model informs what risks matter,which drives your testing prioritiesBut TESTING isnt changing at the same speed1.Front door instead of all the seams2.Stateless instead of stateful3.Ignores deployment context4.Ignores utility-security tradeoffSecurity aloneAttack and defense effectiveness evaluated i