Atomicwork Agent Security Risks

Category: Business Process Agents | Vendor site: atomicwork.com | Quadrant: Tight Operators
[AI Risk Quadrant chart: Attack Surface (4.8) plotted against Defense Controls (8); quadrants Exposed Giants, Fortified Leaders, Humble Providers, Tight Operators]

AIRQ Score: 4.01 (High)
Attack Surface: 4.8 (Medium)
Blast Radius: 3.75 (Medium)
Defense Controls: 8 (Medium)
About The Agent

Atomicwork is a cloud-hosted SaaS ITSM/ESM platform that deploys autonomous AI Coworkers to handle IT operations, employee support, HR, and finance workflows across enterprise environments. The platform integrates with Microsoft Teams, Slack, email, and a web portal for employee interactions, and connects to 100+ enterprise applications including Okta, Workday, Salesforce, and Microsoft Entra through native API connectors and the Model Context Protocol. The primary risk surface is the convergence of untrusted employee input channels, access to sensitive enterprise data across integrated systems, and external egress through messaging and workflow automation.

About the AI Risk Quadrant

Tight Operators places Atomicwork in the quadrant where moderate attack surface meets contained blast radius with meaningful vendor controls. The attack surface score of 4.80 is elevated from a raw 3.70 by the trifecta floor because all three dimensions trigger: untrusted input from employee chat channels, sensitive enterprise data across 100+ integrations, and external egress through Teams, Slack, and email. The blast radius stays at 3.75 because Coworker execution is sandboxed and scoped to ITSM actions rather than infrastructure. Operators should prioritize independent testing of input guardrails to validate vendor claims.

1 Key Risks

The most critical security risks an operator inherits when deploying this agent in its documented default configuration. Atomicwork presents a trifecta-complete risk posture with vendor-documented controls that lack independent adversarial validation across input guardrails and output filtering on the default configuration.

Key Input Risks
Atomicwork Coworkers ingest employee-authored chat across multiple enterprise messaging channels, MCP server responses, and indexed wiki content from operator-configured SharePoint knowledge bases. The vendor-documented prompt injection guardrails have not been independently adversarially tested, and published vulnerabilities in a comparable ITSM AI agent (ServiceNow, [1][2]) show that this risk class is real rather than theoretical.
Key Execution Risks
Coworkers execute generated code and MCP tool invocations inside tenant-scoped sandbox containers with SDK bundle isolation, scoped to the request and released after completion. No published red-team findings or third-party penetration test results target the sandbox boundary or cross-tenant isolation mechanism.
Key Action Risks
Coworkers autonomously provision access, create ITSM records, send notifications across Teams and Slack, and trigger workflows in external enterprise systems using the requesting user's scoped identity. The widest blast scope is the identity-inherited access to 100+ integrations, including Okta, Microsoft Entra, and Workday.
Key Output Risks
Coworkers emit text responses, ITSM record updates, and access provisioning decisions across Teams, Slack, and email channels with vendor-documented PII masking at the tool level. No DLP or exfiltration channel blocking is documented, leaving messaging platforms as the primary untrusted output surface.
Key Monitoring Risks
Vendor documents audit logs and continuous Coworker performance monitoring validated by SOC 2 Type II re-certification. Behavioral anomaly detection and SIEM forwarding are not documented defaults, requiring operators to configure their own log forwarding and alerting pipelines.

2 AIRQ Scores

The four headline scores quantify how exposed the agent is, how damaging a successful attack would be, and how much the agent’s own controls reduce that risk. Atomicwork's AIRQ composite reflects a contained blast radius, moderated by vendor-documented defense controls, set against a trifecta-elevated attack surface.

AIRQ Metrics

Atomicwork lands in Tight Operators with an attack surface of 4.80, blast radius of 3.75, and defense controls of 8: the attack surface sits below the X=5 boundary and the defense score above the Y=7 boundary that separate the quadrants.

Atomicwork's scores below reflect vendor-documented controls that have not been independently adversarially tested, placing the defense score in the middle band where operator hardening can close the gap.

Metric | Score | Comments
AIRQ Score | 4.01 | Rated High: a trifecta-complete but contained-blast profile that still requires independent validation of the input guardrails.
Blast Radius | 3.75 / 10 | Sandboxed code execution and scoped ITSM actions keep blast factors contained; credential passthrough and autonomous workflows are the primary exposure drivers.
Attack Surface | 4.8 / 10 | Trifecta-complete posture elevates the attack surface from 3.70 to 4.80, with eight surfaces at band 2 and two at band 1.
Defense Controls | 8 / 15 | Vendor publishes sandbox isolation, RBAC, and SOC 2 monitoring but does not publish independent adversarial test results for input or output guardrails.

3 Attack Surface

Attack surfaces are the entry points and interaction patterns through which adversarial input can reach the agent’s reasoning loop and steer its behavior. Atomicwork's reasoning loop processes employee chat messages, crawled enterprise knowledge, MCP tool outputs, and integration data from 100+ connected enterprise applications.

Attack Surface Metrics

Higher scores indicate broader untrusted input channels or reduced validation boundaries, with user input, external data, and tool execution carrying the most weight.

Each row names a surface scored from 0 to 4 based on the documented default exposure, with comments citing the vendor evidence that grounds the band.

Surface | Score | Comments
User Input | 2 / 4 | Coworkers accept employee messages from Teams, Slack, email, and the web portal with vendor-documented guardrails; the ServiceNow vulnerability CVE-2025-12420 shows the class-level user-impersonation risk in ITSM AI agents [1][4].
External Data | 2 / 4 | Platform crawls operator-configured knowledge bases and ingests data from 100+ enterprise connectors alongside MCP server outputs from runtime tool discovery [8][14].
Memory | 2 / 4 | Per-tenant vector database indexes knowledge base embeddings and conversation context, while per-request sandbox execution ensures no runtime state carries over between Coworker invocations [13].
Reasoning | 2 / 4 | Multi-model ensemble architecture using Azure AI Foundry and Claude Agent SDK with explainable AI linking answers to sources [6][10].
Planning | 2 / 4 | Graph-based workflow engine decomposes tasks into vertices for agents, tools, and function calls with configurable human checkpoints per pipeline [7].
Tool Execution | 2 / 4 | Generated code and MCP tool invocations execute in per-request isolated sandboxes with tenant SDK bundle isolation, scoped and released after completion [8].
Orchestration | 2 / 4 | Temporal-based multi-agent workflows coordinate specialist Coworkers with independent retry policies and failure isolation across parallel execution paths [7].
Inter-Agent | 2 / 4 | Coordinator agent manages handoffs between specialist Coworkers within the platform boundary; class-level research demonstrates agent-to-agent prompt injection in comparable ITSM agents, and no vendor documentation addresses cross-Coworker input sanitization [2][13].
Output Processing | 1 / 4 | Coworkers emit text responses and ITSM actions with vendor-documented PII masking, but no DLP or exfiltration channel blocking is documented [6].
Configuration | 1 / 4 | Admin console manages Coworker permissions and integrations with RBAC and deterministic execution policies, with no auto-loaded config files from untrusted sources [4].

The Lethal Trifecta is triggered when an agent processes untrusted content, accesses private data, and communicates externally in the same session — the three conditions that turn an isolated prompt injection into full-chain exfiltration. Atomicwork's employee chat channels feed untrusted input into a reasoning loop that reads sensitive enterprise data and sends outputs through Teams, Slack, and email.

Lethal Trifecta · Complete (3 of 3)

Atomicwork exhibits all three of these conditions in its documented default configuration:

  • Untrusted input — Employee-authored requests arrive through four surfaces (Teams, Slack, email, and the web portal) and feed directly into the Coworker reasoning loop together with MCP server responses and indexed knowledge articles [3][4].
  • Sensitive data — Coworkers access employee PII including names and contact details, IT service records, HR compensation data through Workday, and identity attributes through Entra and Okta as documented in the vendor privacy policy [9][4].
  • External egress — Coworkers send notifications via Teams, Slack, and email, trigger workflows in external systems, and invoke outbound MCP tool calls to configured servers [14][12].

4 Blast Radius

The blast radius is what an attacker who controls the agent can reach — which systems they touch, which credentials they read, and which actions they take without operator approval. A compromised Atomicwork Coworker reaches sandboxed code execution, scoped ITSM record operations, credential passthrough to 100+ enterprise integrations, and autonomous workflow triggers.

Blast Radius Metrics

Higher blast scores indicate broader reach from a compromised Coworker, from sandboxed interpreters at band 1 to unrestricted infrastructure access at band 4.

Each row maps a blast factor to its score and the documented Coworker capability that determines the reach of a successful compromise.

Factor | Score | Comments
Code execution | 1 / 4 | Generated code runs in a per-request isolated sandbox released after execution, with no shell access or persistent code execution capability documented [8].
File system access | 1 / 4 | Coworkers access enterprise data through API connectors and indexed knowledge bases with no direct file system read or write access documented [4].
Network access | 2 / 4 | Outbound network calls route through configured integration endpoints and operator-specified MCP servers with tenant SDK bundle isolation [14][8].
Credential access | 2 / 4 | Coworkers inherit the requesting user's identity and scoped roles through platform-managed permissions; vendor documents RBAC but does not explicitly confirm Coworkers cannot hold service-account-level credentials [4].
Autonomous action | 2 / 4 | AI Coworkers operate autonomously with event-based triggers and scheduled workflows, with configurable human checkpoints and deterministic execution policies [12].
Deployment access | 1 / 4 | A compromised Coworker could create or modify ITSM incident records and change requests, but cannot deploy code, provision cloud resources, or modify infrastructure directly [7].

5 Defense Controls

Defense controls are what the agent’s own architecture does to detect, contain, and report attacks before they reach the operator’s systems. Atomicwork publishes sandbox isolation, RBAC, audit logging, and compliance certifications while leaving input guardrail testing and output DLP as operator-managed responsibilities.

Defense Controls Metrics

Higher defense scores indicate stronger vendor-implemented safeguards available on the default configuration, with a score of 3 representing independently verified and audited controls.

Each component reflects the vendor's documented default posture, scored from 0 to 3 based on evidence tier: inferred, vendor-documented, or independently verified.

Component | Score | Comments
Input Guardrails | 1 / 3 | Vendor documents guardrails blocking prompt injection and data leakage at the tool level, with vendor-claimed continuous testing per the TRUST framework; no independent adversarial benchmarks published [4][6].
Execution Isolation | 2 / 3 | Per-request sandbox with tenant SDK bundle isolation scoped and released after execution, certified under SOC 2 Type II and ISO 42001 [5][8][11].
Action Controls | 2 / 3 | RBAC with deterministic execution policies and configurable human checkpoints per workflow, with Coworkers inheriting user identity without elevated privileges [4].
Output Guardrails | 1 / 3 | PII masking and data leakage blocking at the tool level with explainable AI linking answers to sources, but no documented DLP or URL sanitization [6].
Monitoring | 2 / 3 | Vendor-documented audit logs cover operations with SOC 2 Type II re-certification attesting to ongoing control effectiveness, but no behavioral anomaly detection or SIEM integration documented [5].

6 Hardening Tips

Concrete actions an operator can take to reduce the risks reported above, grouped by which defense control each tip strengthens. Operators should prioritize independent adversarial testing of input guardrails and deploying outbound DLP to break the trifecta-complete egress path on the default configuration.

Input Guardrails

Input guardrails intercept adversarial content before it reaches the reasoning loop.

  • Policy: Require security review of all knowledge base content before indexing to prevent injection payloads from entering the reasoning loop through employee-managed wikis.
  • Configuration: Restrict MCP server connections to an operator-maintained allowlist and disable runtime discovery of unapproved external tool servers in the admin console.
  • Engineering: Deploy a third-party prompt injection classifier on the input path to validate employee messages before they reach the Coworker reasoning loop.

Execution Isolation

Execution isolation contains what a compromised agent can do on the host.

  • Policy: Mandate security review of all Coworker sandbox configurations before production deployment, documenting allowed tool scopes per Coworker role.
  • Configuration: Configure sandbox network policies to restrict outbound connections to operator-approved integration endpoints only, blocking direct internet access from the Coworker runtime.
  • Engineering: Instrument sandbox telemetry to emit structured logs for every tool invocation, MCP call, and integration API request with request and response payloads.

Action Controls

Action controls govern which tools and actions the agent can invoke autonomously.

  • Policy: Require mandatory human approval for all access provisioning, credential rotation, and change management workflows before Coworker execution proceeds.
  • Configuration: Configure deterministic execution policies to deny-by-default for sensitive actions including user deprovisioning, security group modification, and financial approvals.
  • Engineering: Build automated drift detection comparing Coworker actions against approved runbooks, alerting on any action outside the documented operational scope.
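The three Action Controls tips combine into a single deny-by-default check that runs before a Coworker action executes. The Python below is an added example of that gate, not Atomicwork's policy engine or its configuration format: it rejects any action that would run under an identity other than the requesting user, denies anything outside a per-role allowlist (so user deprovisioning is simply unreachable), and requires a recorded second-person approval for group membership changes and financial approvals. The role names, integration and action names, allowlist, and sample requests are constructed assumptions.

```python
"""Deny-by-default pre-execution gate for Coworker actions.

Added example, not Atomicwork code. The Coworker roles, integration and action
names, allowlist, and sample requests are constructed assumptions standing in
for an operator's own deterministic execution policy.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple

ActionKey = Tuple[str, str]  # (integration, action)


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_APPROVAL = "require_approval"
    DENY = "deny"


@dataclass(frozen=True)
class ActionRequest:
    coworker: str                      # Coworker role proposing the action
    actor: str                         # identity the action would execute as
    requesting_user: str               # employee whose request triggered it
    integration: str                   # e.g. "okta", "entra", "workday", "itsm"
    action: str                        # e.g. "create_incident", "add_group_member"
    approved_by: Optional[str] = None  # human approver recorded at a checkpoint


# Assumed per-role allowlist. Anything not listed is denied, so user
# deprovisioning is unreachable for every role below.
ALLOWED: Dict[str, Set[ActionKey]] = {
    "it-support": {("itsm", "create_incident"), ("itsm", "update_incident"),
                   ("okta", "reset_password"), ("okta", "add_group_member"),
                   ("entra", "add_group_member")},
    "hr-ops": {("workday", "read_profile"), ("itsm", "create_request")},
    "finance": {("itsm", "create_request"), ("erp", "approve_invoice")},
}

# Allowlisted actions that still need a second person to approve each time.
SENSITIVE: Set[ActionKey] = {
    ("okta", "add_group_member"), ("entra", "add_group_member"),
    ("okta", "remove_group_member"), ("entra", "remove_group_member"),
    ("erp", "approve_invoice"),
}


def evaluate(req: ActionRequest) -> Tuple[Decision, str]:
    """Decide whether the action may run, with the reason for the audit log."""
    # Identity check first: a Coworker acts only as the requesting user,
    # never under a shared or service identity.
    if req.actor != req.requesting_user:
        return Decision.DENY, "actor does not match requesting user"
    key: ActionKey = (req.integration, req.action)
    if key not in ALLOWED.get(req.coworker, set()):
        return Decision.DENY, f"{key[0]}:{key[1]} is not allowlisted for {req.coworker}"
    if key in SENSITIVE:
        # Self-approval does not count; the approver must be a different person.
        if req.approved_by and req.approved_by != req.requesting_user:
            return Decision.ALLOW, f"sensitive action approved by {req.approved_by}"
        return Decision.REQUIRE_APPROVAL, "sensitive action needs second-person approval"
    return Decision.ALLOW, "allowlisted routine action"


SAMPLE_REQUESTS: List[ActionRequest] = [  # constructed, not captured from a deployment
    ActionRequest("it-support", "alice@example.com", "alice@example.com", "itsm", "create_incident"),
    ActionRequest("it-support", "alice@example.com", "alice@example.com", "okta", "add_group_member"),
    ActionRequest("it-support", "alice@example.com", "alice@example.com", "okta", "add_group_member",
                  approved_by="itmgr@example.com"),
    ActionRequest("it-support", "svc-coworker@example.com", "alice@example.com", "okta", "reset_password"),
    ActionRequest("hr-ops", "bob@example.com", "bob@example.com", "okta", "deactivate_user"),
]


def evaluate_samples() -> List[Tuple[Decision, str]]:
    return [evaluate(r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, (decision, reason) in zip(SAMPLE_REQUESTS, evaluate_samples()):
        print(f"{req.coworker:<11} {req.integration}:{req.action:<18} -> {decision.value:<16} {reason}")
```

The identity check runs before the allowlist lookup on purpose: if a Coworker ever presents a service identity, the request is refused before any policy about the action itself is consulted, which is the check the Credential access row above notes the vendor does not explicitly document.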

Output Guardrails

Output guardrails inspect what the agent sends to other systems and users.

  • Policy: Establish a data classification policy requiring PII and credential redaction for all Coworker outputs; this addresses the band-1 Output Guardrails score, where no DLP is documented.
  • Configuration: Configure output filtering rules to block Coworker responses containing patterns matching internal hostnames, API endpoints, or infrastructure identifiers.
  • Engineering: Deploy an outbound DLP gateway on the Coworker output path to scan for sensitive data patterns across Teams, Slack, and email channels.
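The output filtering and DLP tips describe the check but not its shape. The Python below is an added example of such a filter, not code from Atomicwork or from the page: it scans a Coworker response for credential-shaped tokens, internal URLs and hostnames, and private IP addresses, and returns a redacted copy together with the findings an operator would forward to the SIEM. The internal domain suffixes, hostname prefixes, and sample responses are constructed assumptions.

```python
"""Output guardrail: redact internal infrastructure identifiers and credentials
before a Coworker response leaves for Teams, Slack, or email.

Added example, not Atomicwork code. The internal domain suffixes, hostname
prefixes, and sample responses are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Callable, List, Tuple
from urllib.parse import urlparse

# Assumed operator settings: which DNS suffixes and host prefixes are internal.
INTERNAL_DOMAINS = (".corp.example.com", ".internal.example.net")
INTERNAL_HOST_PREFIXES = ("prod-", "db-", "vault-")


@dataclass
class ScanResult:
    redacted: str
    findings: List[Tuple[str, str]] = field(default_factory=list)  # (rule, matched text)

    @property
    def blocked(self) -> bool:
        return bool(self.findings)


_URL = re.compile(r"https?://[^\s'\"<>)]+")
_HOST = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b", re.I)
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Credential-shaped tokens; kept narrow to limit false positives on ticket text.
_SECRETS = [
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("bearer_token", re.compile(r"\bBearer\s+[A-Za-z0-9._~+/=-]{20,}", re.I)),
    ("private_key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]


def _is_internal_host(host: str) -> bool:
    host = host.lower()
    return host.endswith(INTERNAL_DOMAINS) or host.split(".")[0].startswith(INTERNAL_HOST_PREFIXES)


def _is_private_ip(text: str) -> bool:
    try:
        return ipaddress.ip_address(text).is_private
    except ValueError:
        return False


def scan_output(text: str) -> ScanResult:
    """Return a redacted copy of text plus the (rule, match) findings that caused it."""
    findings: List[Tuple[str, str]] = []

    def redact(rule: str, pattern: "re.Pattern", redact_if: Callable[[str], bool] = lambda _m: True) -> None:
        nonlocal text

        def sub(m: "re.Match") -> str:
            if redact_if(m.group(0)):
                findings.append((rule, m.group(0)))
                return f"[REDACTED:{rule}]"
            return m.group(0)

        text = pattern.sub(sub, text)

    # Credentials never leave, whatever the destination.
    for rule, pat in _SECRETS:
        redact(rule, pat)
    # URLs before bare hostnames so an internal URL is redacted as one unit.
    redact("internal_url", _URL, lambda u: _is_internal_host(urlparse(u).hostname or ""))
    redact("internal_hostname", _HOST, _is_internal_host)
    redact("private_ip", _IPV4, _is_private_ip)
    return ScanResult(text, findings)


SAMPLE_RESPONSES = [  # constructed, not captured from a real deployment
    "Your laptop request was approved. Ticket INC0042 is now assigned.",
    "The VPN endpoint is https://vpn-gw.corp.example.com/login and the DB host is "
    "db-01.corp.example.com (10.20.5.17).",
    "Use this key for the import job: AKIAIOSFODNN7EXAMPLE",
]


def scan_samples() -> List[ScanResult]:
    return [scan_output(s) for s in SAMPLE_RESPONSES]


if __name__ == "__main__":
    for r in scan_samples():
        print("BLOCK" if r.blocked else "PASS ", r.redacted, r.findings)
```

Whether a blocked response is dropped, rewritten, or held for review is an operator choice; the findings list is what should reach the monitoring pipeline either way, since a Coworker that starts emitting internal hostnames is itself an indicator worth alerting on.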

Monitoring

Monitoring captures what the agent did and surfaces anomalies for review.

  • Policy: Require weekly review of Coworker audit logs focusing on credential access events and cross-integration calls that deviate from established Coworker action baselines.
  • Configuration: Forward Coworker audit logs to the SIEM platform and configure alerting rules for unusual integration access patterns or privilege escalation attempts.
  • Engineering: Build behavioral baseline models for each Coworker's action patterns and deploy automated anomaly detection alerting when deviations exceed configured thresholds.
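The drift detection tip under Action Controls and the three Monitoring tips describe the same pipeline from two ends: a baseline of each Coworker's normal actions, and alerts when live events leave it. The Python below is an added example of that logic run over constructed audit events, not Atomicwork's log schema or SIEM integration: it learns the (Coworker, integration, action) scope from a baseline window, then flags actions outside that scope, privilege-changing identity-provider operations, and any single session that fans out across more integrations than a configured threshold. The field names, thresholds, and both log samples are assumptions to be mapped onto the real audit export.

```python
"""Detection rules over Coworker audit events forwarded to a SIEM.

Added example, not Atomicwork code. The JSON-lines event shape, field names,
thresholds, and both log samples are constructed assumptions; map the fields
onto whatever the real audit export provides.
"""
import json
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed baseline window: normal activity used to learn each Coworker's scope.
BASELINE_LOG = """\
{"ts":"2025-01-06T09:00:00Z","session":"s1","coworker":"it-support","user":"alice","integration":"itsm","action":"create_incident","target":"INC001"}
{"ts":"2025-01-06T09:05:00Z","session":"s2","coworker":"it-support","user":"bob","integration":"okta","action":"reset_password","target":"bob"}
{"ts":"2025-01-06T10:00:00Z","session":"s3","coworker":"it-support","user":"carol","integration":"itsm","action":"update_incident","target":"INC002"}
{"ts":"2025-01-07T09:00:00Z","session":"s4","coworker":"hr-ops","user":"dave","integration":"workday","action":"read_profile","target":"dave"}
"""

# Constructed live window: one session fans out across identity, HR and
# messaging integrations after a single employee chat request.
LIVE_LOG = """\
{"ts":"2025-01-08T09:00:00Z","session":"s9","coworker":"it-support","user":"eve","integration":"itsm","action":"create_incident","target":"INC009"}
{"ts":"2025-01-08T09:00:04Z","session":"s9","coworker":"it-support","user":"eve","integration":"okta","action":"add_group_member","target":"Global-Admins"}
{"ts":"2025-01-08T09:00:06Z","session":"s9","coworker":"it-support","user":"eve","integration":"entra","action":"add_group_member","target":"Global-Admins"}
{"ts":"2025-01-08T09:00:09Z","session":"s9","coworker":"it-support","user":"eve","integration":"workday","action":"read_profile","target":"cfo"}
{"ts":"2025-01-08T09:00:12Z","session":"s9","coworker":"it-support","user":"eve","integration":"slack","action":"send_message","target":"#external-vendor"}
{"ts":"2025-01-08T11:00:00Z","session":"s10","coworker":"hr-ops","user":"dave","integration":"workday","action":"read_profile","target":"dave"}
"""

# Identity-provider operations that grant or change privilege.
PRIV_ESC_ACTIONS = {("okta", "add_group_member"), ("entra", "add_group_member"),
                    ("okta", "assign_role"), ("entra", "assign_role")}
MAX_INTEGRATIONS_PER_SESSION = 3  # assumed threshold for cross-integration fan-out

Scope = Tuple[str, str, str]  # (coworker, integration, action)
Alert = Tuple[str, str, str]  # (rule, session, detail)


def parse(log: str) -> List[dict]:
    return [json.loads(line) for line in log.splitlines() if line.strip()]


def build_baseline(events: List[dict]) -> Set[Scope]:
    """Every (coworker, integration, action) observed in the baseline window."""
    return {(e["coworker"], e["integration"], e["action"]) for e in events}


def detect(events: List[dict], baseline: Set[Scope]) -> List[Alert]:
    alerts: List[Alert] = []
    touched: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        scope: Scope = (e["coworker"], e["integration"], e["action"])
        # Rule 1: drift from the learned per-Coworker scope.
        if scope not in baseline:
            alerts.append(("drift", e["session"],
                           f"{scope[0]} never performed {scope[1]}:{scope[2]} in baseline"))
        # Rule 2: privilege-changing identity operations, in baseline or not.
        if (e["integration"], e["action"]) in PRIV_ESC_ACTIONS:
            alerts.append(("priv_esc", e["session"],
                           f"{e['user']} via {e['coworker']} -> {e['integration']}:{e['action']} on {e['target']}"))
        touched[e["session"]].add(e["integration"])
    # Rule 3: one session reaching unusually many integrations.
    for session, integrations in touched.items():
        if len(integrations) > MAX_INTEGRATIONS_PER_SESSION:
            alerts.append(("fan_out", session,
                           f"{len(integrations)} integrations touched: {sorted(integrations)}"))
    return alerts


def run_demo() -> List[Alert]:
    return detect(parse(LIVE_LOG), build_baseline(parse(BASELINE_LOG)))


if __name__ == "__main__":
    for rule, session, detail in run_demo():
        print(f"[{rule}] session={session} {detail}")
```

The session-level fan-out rule is the one most specific to the trifecta: a single employee request that touches identity, HR, and a messaging integration in a few seconds is the shape a successful prompt injection takes, and it is visible in the audit log even when every individual action was technically permitted.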

7 References

The evidence base behind every score and finding in the profile, grouped by source type so the reader can verify any claim. Numbers in brackets throughout the report (e.g. [7][13]) refer to the entries below, which are numbered continuously across the groups in citation order.

Selected Vulnerabilities

  1. CVE-2025-12420, ServiceNow AI user impersonation. CyberScoop, 2025; class-level ITSM AI agent vulnerability enabling user impersonation via AI exploitation.

Selected Research

  2. Now Assist agent-to-agent prompt injection. AppOmni, 2025; demonstrates second-order prompt injection in ServiceNow ITSM AI agent discovery.
  3. OWASP Top 10 for LLM: Prompt Injection. OWASP, 2025; defines prompt injection categories applicable to LLM-powered agents processing untrusted input.

Vendor Documentation

  4. Atomicwork enterprise security and compliance. Vendor security page documenting sandbox isolation, RBAC, input guardrails, SOC 2 Type II, ISO 27001, and ISO 42001 certifications.
  5. Atomicwork Trust Center. Vendor trust center providing SOC 2 Type II re-certification status, ISO 27001 surveillance records, and data security control documentation.
  6. Atomicwork TRUST framework for responsible AI. Vendor blog describing the five-pillar responsible AI framework covering explainability, PII masking, and vendor-claimed prompt injection testing.
  7. Atomicwork agentic framework architecture. Vendor blog documenting the graph-based workflow engine, parallel agent execution, and modular Coworker customization architecture.
  8. Atomicwork Claude SDK and MCP integration. Vendor blog documenting tenant SDK bundle isolation, per-request sandbox lifecycle, MCP tool discovery, and Temporal-based orchestration.
  9. Atomicwork privacy policy. Vendor privacy policy documenting data collection categories, GDPR transfer safeguards, and PII handling practices.

Other Sources

  10. Microsoft Azure AI Foundry customer story. Microsoft, 2025; confirms multi-model ensemble and deep Microsoft ecosystem integration.
  11. Atomicwork ISO 42001 certification. Vendor blog; one of the first organizations to achieve ISO/IEC 42001:2023 AI management systems certification.
  12. Atomicwork AI agents feature overview. Vendor feature page; AI Workforce capabilities, 24/7 autonomous operation, and multi-agent collaboration.
  13. Atomicwork multi-agent streaming architecture. Vendor blog; coordinator-based multi-agent turn architecture and specialist Coworker handoffs.
  14. Atomicwork MCP protocol for AI integration. Vendor blog; MCP client-server architecture for standardized AI-to-system communication.