1 Key Risks
The most critical security risks an operator inherits when deploying this agent in its documented default configuration. Kore.ai presents a moderate-surface risk profile where extensive outbound integration authority and credential-bearing API access are partially offset by vendor-documented guardrails that require operator activation.
2 AIRQ Scores
The four headline scores quantify how exposed the agent is, how damaging a successful attack would be, and how much the agent’s own controls reduce that risk. Kore.ai demonstrates a balanced risk profile where vendor-documented defense controls partially offset the elevated blast potential created by extensive outbound integration authority.
The Tight Operators placement reflects moderate capability exposure contained by RBAC permission gating and audit logging that reduce realized risk below the high-surface threshold for enterprise deployments.
The four headline metrics capture the relationship between inbound attack surface, outbound blast potential, and the defense controls available on the documented default configuration.
| Metric | Score | Comments |
|---|---|---|
| AIRQ Score | 5.87 | Defense controls offset about half the blast potential, leaving residual risk from the extensive outbound integration authority. |
| Blast Radius | 5.87 / 10 | Network and credential access through pre-built integrations elevate blast potential above the platform-contained baseline. |
| Attack Surface | 4.8 / 10 | Mandatory floor activates given confirmed untrusted input ingestion, sensitive data handling, and external egress channels across platform integrations. |
| Defense Controls | 7 / 15 | Vendor-documented controls with configurable guardrails and audit logging reduce exposure but lack independent attestation. |
3 Attack Surface
Attack surfaces are the entry points and interaction patterns through which adversarial input can reach the agent’s reasoning loop and steer its behavior. The platform presents a uniform moderate-surface profile with orchestration elevated by multi-agent coordination capabilities and the remaining surfaces contained at the operator-configurable boundary.
Most surfaces cluster at the moderate band reflecting vendor-documented controls with orchestration elevated by multi-agent supervisor authority.
The ten canonical surfaces measure how adversarial input can reach the agent reasoning loop and steer behavior across documented interaction patterns.
| Surface | Score | Comments |
|---|---|---|
| User Input | 2 / 4 | Multi-channel ingestion through browser widgets, conversational SDKs, and telephony interfaces feeds user-controlled content into the agent reasoning layer. Input validation exists as an operator-configurable guardrail feature [6] with prompt injection detection and topic restriction, but the default configuration does not mandate pre-processing filtering before content reaches LLM inference. |
| External Data | 2 / 4 | Retrieval-augmented generation pulls from configured knowledge bases and enterprise data connectors with JSON Schema validation on memory store contents [7]. The platform mediates external data access through typed retrieval APIs rather than exposing raw database connections, limiting the injection surface to the configured knowledge base boundaries. |
| Memory | 2 / 4 | Persistent memory stores retain context across interactions at session, user, and application scopes with configurable retention policies and schema validation [7]. Memory contents persist across sessions without integrity verification against tampering, though scope boundaries limit cross-user contamination vectors on multi-tenant deployments. |
| Reasoning | 2 / 4 | LLM inference calls route through the platform gateway with guardrail interception points for hallucination detection and topic drift filtering [6]. The reasoning layer processes content from all upstream input channels without mandatory content-type separation, meaning adversarial payloads reaching any input surface also reach the reasoning boundary. The OWASP framework identifies Excessive Agency (LLM06) in agentic architectures as a primary risk vector [3] applicable to this multi-channel reasoning configuration. |
| Planning | 2 / 4 | Multi-step task decomposition executes through the Agent Business Language compiler with cycle detection and typed execution traces enforced by the Artemis runtime [10]. The compiled ABL definitions provide deterministic execution boundaries that LLM output cannot override at the planning layer, limiting arbitrary plan injection to the configurable delegation boundaries. |
| Tool Execution | 2 / 4 | Pre-built tool integrations execute through the platform runtime with role-based permission scoping and audit trail coverage for every invocation [11]. Tool authority is bounded by the integration configuration rather than arbitrary code execution, and RBAC enforcement gates tool access at the workspace and agent permission level [8]. |
| Orchestration | 3 / 4 | Multi-agent supervisor pattern with A2A protocol support enables marketplace agent composition and configurable delegation boundaries across orchestrated workflows [11]. The orchestration surface is elevated because supervisor agents can delegate to subordinate agents with inherited tool authority, creating transitive permission chains across the agent topology. The agentic security framework identifies inter-agent delegation and tool misuse as primary threat vectors for platforms with this orchestration pattern [4]. |
| Inter-Agent | 2 / 4 | Agent-to-agent communication flows through typed message passing with platform-mediated routing and audit log coverage [11]. Inter-agent messages inherit the sending agent permission scope rather than requiring independent authorization per message, though platform routing constrains communication to configured agent topologies. |
| Output Processing | 1 / 4 | Responses pass through configurable output guardrails including toxicity filtering and content restriction before delivery to end users or downstream integrations [6]. The output processing surface is minimal because guardrail enforcement occurs at the platform boundary layer rather than relying on per-agent output validation logic. |
| Configuration | 2 / 4 | Platform settings managed through four-tier role-based access control with Master Admin, Admin, Member, and Viewer roles enforcing module-level permissions [8]. Configuration changes are captured in the tamper-resistant audit log with SIEM forwarding capability, and workspace-level isolation prevents cross-tenant configuration contamination. |
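The transitive permission chains described in the Orchestration and Inter-Agent rows can be checked offline from a declared agent topology. The following is an added example, not Kore.ai code: the agent names, tool names, delegation edges and operator allow-list are constructed, and the script reports every agent whose inherited tool authority exceeds what the operator intended to grant.

```python
"""Transitive tool-authority analysis for a supervisor/subordinate agent topology.

Added example, not Kore.ai code. Agent names, tools and the delegation graph are
constructed to show how tool authority accumulates along delegation chains.
"""
from collections import deque

# Constructed topology: each agent declares its own tools and whom it may delegate to.
# refund_agent delegating back to billing_agent introduces a cycle on purpose.
AGENTS = {
    "support_supervisor": {"tools": {"kb_search"},
                           "delegates_to": {"ticket_agent", "billing_agent"}},
    "ticket_agent": {"tools": {"jira_create", "jira_update"}, "delegates_to": set()},
    "billing_agent": {"tools": {"crm_read"}, "delegates_to": {"refund_agent"}},
    "refund_agent": {"tools": {"stripe_refund"}, "delegates_to": {"billing_agent"}},
}

# Constructed operator intent: the tools each agent is *meant* to be able to reach.
ALLOWED = {
    "support_supervisor": {"kb_search", "jira_create", "jira_update", "crm_read"},
    "ticket_agent": {"jira_create", "jira_update"},
    "billing_agent": {"crm_read", "stripe_refund"},
    "refund_agent": {"stripe_refund", "crm_read"},
}


def effective_tools(agents, root):
    """Tools reachable from `root` through any chain of delegation (cycle-safe BFS)."""
    seen, queue = {root}, deque([root])
    tools = set(agents[root]["tools"])
    while queue:
        for child in agents[queue.popleft()]["delegates_to"]:
            if child not in seen:
                seen.add(child)
                queue.append(child)
                tools |= agents[child]["tools"]
    return tools


def excess_authority(agents, allowed):
    """Map each agent to the tools it can reach transitively but was not meant to have."""
    findings = {}
    for name in agents:
        extra = effective_tools(agents, name) - allowed.get(name, set())
        if extra:
            findings[name] = sorted(extra)
    return findings


if __name__ == "__main__":
    for agent, extra in excess_authority(AGENTS, ALLOWED).items():
        print(f"{agent}: inherits unintended tool authority {extra}")
```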
The Lethal Trifecta is triggered when an agent processes untrusted content, accesses private data, and communicates externally in the same session — the three conditions that turn an isolated prompt injection into full-chain exfiltration. Kore.ai meets all three conditions through its multi-channel input ingestion, enterprise data handling across persistent memory stores, and outbound API execution to connected third-party systems.
Kore.ai exhibits all three of these conditions in its documented default configuration:
- Untrusted input — The platform accepts user-controlled content from multiple public-facing channels including browser widgets, mobile SDKs, and telephony interfaces without mandatory pre-processing validation on default configurations [6].
- Sensitive data — Agents process enterprise data including customer records and credentials through persistent memory stores with session, user, and application scopes that retain sensitive content across interactions [7].
- External egress — The platform maintains more than two hundred pre-built outbound integrations enabling credential-bearing API calls, webhook execution, and data writes to connected enterprise systems [11].
4 Blast Radius
The blast radius is what an attacker who controls the agent can reach — which systems they touch, which credentials they read, and which actions they take without operator approval. The blast radius profile reflects moderate outbound capability with network access and credential handling elevated by extensive pre-built integration authority to connected enterprise systems.
Network and credential access stand above the baseline, reflecting the platform's documented integration surface and token-bearing authentication flows.
The six canonical factors measure the scope of damage a compromised agent could inflict through its documented default capabilities and integration authority.
| Factor | Score | Comments |
|---|---|---|
| Code execution | 2 / 4 | Business logic executes through the compiled ABL runtime without direct shell access or arbitrary code execution capabilities [10]. The platform provides deterministic execution traces rather than general-purpose compute, limiting code execution blast to the boundaries of configured workflow definitions. |
| File system access | 2 / 4 | File access is limited to platform-managed document stores and knowledge bases without direct host filesystem exposure [11]. The agent interacts with file content through typed platform APIs rather than POSIX filesystem operations, constraining blast radius to the configured document boundary. |
| Network access | 3 / 4 | More than two hundred pre-built integrations enable outbound API calls, webhooks, and data writes to connected CRMs, databases, ticketing systems, and communication channels [14][11]. The network blast radius is elevated because configured integrations execute autonomously within workflow boundaries without per-request operator approval. |
| Credential access | 3 / 4 | JWT-signed session authentication and bearer token exchange grant agents access to configured third-party service credentials through the platform SDK security framework [15]. Credential blast radius is elevated because token-bearing authentication to external systems operates within the agent session scope without per-invocation re-authorization [5]. |
| Autonomous action | 2 / 4 | Agents execute configured workflow actions within operator-defined delegation boundaries without unbounded autonomous escalation beyond the configured integration scope [11]. Autonomous action is contained by the ABL compiler enforcement and RBAC permission gating at the workspace level. |
| Deployment access | 2 / 4 | Multi-stage deployment pipeline with environment promotion controls limits production access to authorized release workflows managed through platform CI/CD [11]. Deployment blast radius is contained because production promotion requires explicit environment-level authorization rather than agent-initiated deployment. |
5 Defense Controls
Defense controls are what the agent’s own architecture does to detect, contain, and report attacks before they reach the operator’s systems. The platform documents configurable defense controls across guardrails, access control, and monitoring that provide partial coverage with vendor-documentation confidence but lack independent bypass attestation.
Controls are present and documented at the vendor tier with action controls and monitoring slightly elevated by granular RBAC and comprehensive audit coverage.
The five canonical components measure what the agent platform provides by default to detect, contain, and report on adversarial activity without operator intervention.
| Component | Score | Comments |
|---|---|---|
| Input Guardrails | 1 / 3 | Documented prompt injection detection and topic restriction with configurable sensitivity thresholds and fallback behaviors [6]. Controls are operator-configured rather than default-on, and no independent red-team attestation of bypass resistance has been published for the detection models. |
| Execution Isolation | 1 / 3 | ABL compiled runtime provides logical isolation with typed execution traces and cycle detection enforced by the Artemis engine [10]. No published boundary-escape testing, runtime sandbox attestation, or independent audit of the ABL enforcement mechanism exists in the public documentation. |
| Action Controls | 2 / 3 | Four-tier RBAC with module-level permissions across accounts, tools, and agentic applications provides granular action gating [8]. Configurable approval workflows for sensitive operations complement role boundaries, and the permission model is documented with workspace-level isolation enforcement. Independent research identifies the platform as implementing RBAC and audit logs as core governance primitives [2]. |
| Output Guardrails | 1 / 3 | Toxicity filtering and configurable response restrictions with fallback behaviors documented for the output layer [6]. No independent evaluation of filter bypass rates, adversarial robustness testing, or DLP enforcement effectiveness has been published by external researchers. |
| Monitoring | 2 / 3 | Three-level audit logging at Admin Hub, Workspace, and Agent scopes with SIEM integration API and tamper-resistant event capture [9]. Coverage includes administrative and operational actions with real-time dashboard support and end-to-end tracing [13], though anomaly detection requires operator-configured alerting rules. Third-party compliance verification confirms SOC 2, HIPAA, and ISO 27001 certification status [12]. |
6 Hardening Tips
Concrete actions an operator can take to reduce the risks reported above, grouped by which defense control each tip strengthens. Operators can reduce realized risk by activating configurable platform controls and layering external monitoring on top of the documented default posture.
Input Guardrails
Input guardrails intercept adversarial content before it reaches the reasoning loop.
- Policy: Mandate prompt injection detection at maximum sensitivity for all production agents — counters the default-off guardrail configuration that leaves input surfaces unfiltered.
- Configuration: Configure topic restriction rules to limit agent scope to documented business domains and reject off-topic prompts — counters unconstrained input reaching the reasoning layer.
- Engineering: Deploy a pre-processing proxy with regex-based injection pattern matching before messages enter the platform SDK — counters adversarial payloads bypassing configurable guardrail thresholds.
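A minimal version of the pre-processing proxy from the tips above, combining heuristic injection-pattern screening with the topic restriction the Configuration tip calls for. This is an added example, not Kore.ai code: the patterns, topic keyword sets, size limit and sample messages are constructed and would need tuning per channel.

```python
"""Pre-processing guardrail: heuristic injection screening plus topic restriction.

Added example, not Kore.ai code. Patterns, topics and thresholds are constructed.
"""
import re
from dataclasses import dataclass

# Constructed heuristic signals; each hit counts as one signal, two signals saturate.
INJECTION_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"ignore (all |any )?(previous|prior|above) (instructions|rules)",
        r"you are now (an?|the) ",
        r"(reveal|print|show) (your|the) (system|hidden) prompt",
        r"<\s*/?\s*system\s*>",
    )
]

# Constructed business domains the agent is allowed to talk about.
ALLOWED_TOPICS = {
    "billing": {"invoice", "payment", "refund", "charge", "charged"},
    "shipping": {"order", "delivery", "tracking", "shipment"},
}


@dataclass
class Verdict:
    allowed: bool
    reason: str
    score: float


def injection_score(text):
    """Fraction of saturation reached by matched injection signals (0.0 to 1.0)."""
    hits = sum(1 for p in INJECTION_PATTERNS if p.search(text))
    return min(1.0, hits / 2)


def on_topic(text, topics=ALLOWED_TOPICS):
    """True if the message shares at least one keyword with an allowed domain."""
    words = set(re.findall(r"[a-z]+", text.lower()))
    return any(words & keywords for keywords in topics.values())


def screen(text, threshold=0.5, max_len=2000):
    """Decide whether a message may be forwarded to the platform SDK."""
    if len(text) > max_len:
        return Verdict(False, "oversize", 0.0)
    score = injection_score(text)
    if score >= threshold:
        return Verdict(False, "injection_pattern", score)
    if not on_topic(text):
        return Verdict(False, "off_topic", score)
    return Verdict(True, "ok", score)
```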
Execution Isolation
Execution isolation contains what a compromised agent can do on the host.
- Policy: Enforce workspace-level isolation policies ensuring agents in different business domains cannot share execution context or memory stores — counters cross-domain contamination vectors.
- Configuration: Enable multi-stage deployment pipelines with mandatory staging validation before production promotion — counters untested workflow definitions reaching production execution.
- Engineering: Deploy network segmentation between the agent platform and sensitive internal systems — counters lateral movement from a compromised agent session reaching protected resources.
Action Controls
Action controls govern which tools and actions the agent can invoke autonomously.
- Policy: Restrict OAuth scopes for third-party integrations to minimum required permissions and audit scope assignments quarterly — counters over-privileged integration credentials persisting.
- Configuration: Enable human-in-the-loop approval workflows for all actions that modify production data or invoke financial transactions — counters autonomous execution of high-blast operations.
- Engineering: Configure rate limiting on outbound API calls to prevent credential-bearing bulk operations from an agent operating outside intended boundaries — counters automated exfiltration attempts.
Output Guardrails
Output guardrails inspect what the agent sends to other systems and users.
- Policy: Enable PII redaction rules on all output channels and configure DLP policies to block sensitive data patterns in agent responses — counters data leakage through unfiltered outputs.
- Configuration: Deploy response length limits and structured output schemas that reject free-text responses exceeding defined boundaries — counters data exfiltration where injected prompts steer the agent to dump memory contents into verbose outputs.
- Engineering: Configure output monitoring alerts for anomalous response patterns that may indicate guardrail bypass — counters silent exfiltration through apparently normal response channels.
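An output-side check that puts the three tips above together: a fixed response schema, a length bound on the free-text field, and DLP redaction before anything leaves the platform boundary. This is an added example, not Kore.ai code; the schema, the allowed action set and the DLP patterns are constructed placeholders for whatever the operator's DLP policy defines.

```python
"""Output guardrail: schema enforcement, length bound and DLP redaction.

Added example, not Kore.ai code. The response schema, allowed actions and
DLP patterns are constructed; a real policy would use the operator's own.
"""
import json
import re

# Constructed contract: every agent response must be exactly these two string fields.
RESPONSE_SCHEMA = {"answer": str, "next_action": str}
ALLOWED_ACTIONS = {"none", "escalate", "close_ticket"}
MAX_ANSWER_CHARS = 600

# Constructed DLP patterns; card numbers, bearer-style keys and e-mail addresses.
DLP_PATTERNS = {
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "api_key": re.compile(r"\b(?:sk|tok|key)_[A-Za-z0-9]{16,}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}


def redact(text):
    """Replace DLP matches with labelled markers; return (text, list of pattern names hit)."""
    findings = []
    for name, pattern in DLP_PATTERNS.items():
        text, count = pattern.subn(f"[REDACTED:{name}]", text)
        if count:
            findings.append(name)
    return text, findings


def validate_output(raw):
    """Return (ok, payload_or_reason, dlp_findings) for a raw agent response string."""
    try:
        obj = json.loads(raw)
    except json.JSONDecodeError:
        return False, "not_json", []
    if not isinstance(obj, dict) or set(obj) != set(RESPONSE_SCHEMA):
        return False, "schema_mismatch", []
    if not all(isinstance(obj[k], t) for k, t in RESPONSE_SCHEMA.items()):
        return False, "schema_mismatch", []
    if obj["next_action"] not in ALLOWED_ACTIONS:
        return False, "unknown_action", []
    if len(obj["answer"]) > MAX_ANSWER_CHARS:
        return False, "answer_too_long", []
    obj["answer"], findings = redact(obj["answer"])
    return True, obj, findings
```

Rejections are deliberately coarse reasons rather than echoes of the offending content, so that the rejection path itself does not become a leakage channel.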
Monitoring
Monitoring captures what the agent did and surfaces anomalies for review.
- Policy: Forward all audit events to a centralized SIEM with correlation rules for credential access patterns and unusual integration invocations — counters undetected lateral movement.
- Configuration: Enable real-time alerting on failed authentication attempts, privilege escalation events, and anomalous agent behavior metrics — counters delayed incident detection.
- Engineering: Implement automated log correlation scripts that flag anomalous credential usage patterns across integration endpoints — counters undetected lateral movement through token reuse.
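A correlation script of the kind the Engineering tip describes, run over SIEM-forwarded audit events. This is an added example, not Kore.ai code: the event format and the sample lines are constructed, so the field names would be mapped to the real audit-event schema; it flags a token that fans out across too many integrations inside a window, or that appears under more than one agent.

```python
"""Audit-log correlation: flag integration tokens with unusual endpoint spread or reuse.

Added example, not Kore.ai code. The event format and sample lines are constructed;
map `token_id`, `agent` and `integration` to the real audit-event fields.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: tok_a fans out across four integrations and two agents.
SAMPLE_EVENTS = """\
{"ts":"2024-05-01T10:00:00Z","agent":"billing_agent","session":"s1","token_id":"tok_a","integration":"crm","action":"read"}
{"ts":"2024-05-01T10:00:05Z","agent":"billing_agent","session":"s1","token_id":"tok_a","integration":"crm","action":"read"}
{"ts":"2024-05-01T10:01:00Z","agent":"billing_agent","session":"s1","token_id":"tok_a","integration":"sharepoint","action":"read"}
{"ts":"2024-05-01T10:01:30Z","agent":"billing_agent","session":"s1","token_id":"tok_a","integration":"slack","action":"write"}
{"ts":"2024-05-01T10:02:00Z","agent":"ticket_agent","session":"s9","token_id":"tok_a","integration":"jira","action":"write"}
{"ts":"2024-05-01T10:03:00Z","agent":"ticket_agent","session":"s2","token_id":"tok_b","integration":"jira","action":"write"}
"""


def parse(lines):
    """Yield event dicts with `ts` converted to an aware datetime."""
    for line in lines.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            yield ev


def correlate(events, window=timedelta(minutes=5), max_integrations=2):
    """Sliding-window check per token; first anomaly per token becomes one finding."""
    by_token = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_token[ev["token_id"]].append(ev)
    findings = []
    for token, evs in by_token.items():
        start = 0
        for end, ev in enumerate(evs):
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            integrations = {e["integration"] for e in win}
            agents = {e["agent"] for e in win}
            reasons = []
            if len(integrations) > max_integrations:
                reasons.append("endpoint_spread")
            if len(agents) > 1:
                reasons.append("cross_agent_reuse")
            if reasons:
                findings.append({"token_id": token, "at": ev["ts"].isoformat(),
                                 "reasons": reasons, "integrations": sorted(integrations),
                                 "agents": sorted(agents)})
                break
    return findings


if __name__ == "__main__":
    for f in correlate(list(parse(SAMPLE_EVENTS))):
        print(json.dumps(f))
```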
7 References
The evidence base behind every score and finding in the profile, grouped by source type so the reader can verify any claim. Numbers in brackets throughout the report (e.g. [7, 13]) refer to entries below, listed in citation order.
Selected Vulnerabilities
- [1] Kore.ai Vulnerability Disclosure Program: The vendor operates a vulnerability disclosure program accepting reports via support ticket, with no monetary bounty guaranteed and no published advisories as of the research date.
Selected Research
- [2] From Prompt-Response to Goal-Directed Systems: Architecture survey of agentic AI platforms that references Kore.ai as implementing RBAC guardrails and comprehensive audit logs as core governance primitives for enterprise agent deployments.
- [3] OWASP Top 10 for LLM Applications 2025: Industry framework covering Excessive Agency risks in agentic architectures, directly applicable to multi-agent business process platforms with configurable autonomy levels.
- [4] OWASP Top 10 for Agentic Applications 2026: Dedicated framework for agentic AI security covering tool misuse, identity abuse, inter-agent risks, and rogue agent scenarios relevant to enterprise orchestration platforms.
Vendor Documentation
- [5] Kore.ai Trust Center: SafeBase-hosted transparency portal documenting security posture, vulnerability management, data encryption, incident response, and SOC 2 Type II, PCI DSS, and ISO 27001 certifications.
- [6] Guardrails Documentation: Technical documentation for the platform guardrail framework covering prompt injection detection, toxicity filtering, and topic restriction with configurable fallback behaviors.
- [7] Memory Stores Documentation: Technical documentation for persistent memory stores with session, user, and application scopes, JSON Schema validation, and configurable retention policies.
- [8] Role Management Documentation: RBAC implementation documentation defining the Master Admin, Admin, Member, and Viewer roles with module-level permissions across accounts, tools, and agentic apps.
- [9] Audit Log Documentation: Tamper-resistant audit logging system with three-level scoping at Admin Hub, Workspace, and Agent levels, a SIEM integration API, and complete coverage of operational actions.
- [10] Platform Security and Governance: Product page documenting the Artemis runtime with compiled ABL definitions, typed trace events, cycle detection, and engine-enforced policy constraints that LLMs cannot override.
- [11] Agent Platform Overview: Comprehensive platform documentation covering multi-agent orchestration, AI safety and guardrails, enterprise CI/CD with multi-stage deployments, and collaboration audit capabilities.
Other Sources
- [12] Nudge Security Vendor Profile: Third-party vendor risk profile confirming SOC 2, HIPAA, ISO 27001, FedRAMP, and CSA STAR Level 1 compliance status alongside supply chain visibility details.
- [13] AI Observability Documentation: Platform observability suite documenting end-to-end tracing of agent activity, real-time dashboards for latency and error rates, and comprehensive audit trail creation for regulatory compliance.
- [14] Automation AI Integrations Overview: Documentation of more than two hundred pre-built integrations with business applications, live agent systems, and external NLU engines enabling outbound API execution.
- [15] SDK Security Documentation: SDK security documentation covering JWT-signed session authentication, bearer token exchange, and JWE encryption for sensitive data in agent-client communication.