Leena AI Agent Security Risks

Category: Business Process Agents. Vendor: leena.ai. Quadrant: Humble Providers.

AI Risk Quadrant position: Defense Controls 6, Attack Surface 4.8 (quadrants: Exposed Giants, Fortified Leaders, Humble Providers, Tight Operators).

Metric | Score | Level
--- | --- | ---
AIRQ Score | 4.31 | High
Attack Surface | 4.8 | Medium
Blast Radius | 4.63 | Medium
Defense Controls | 6 | High
About The Agent

Leena AI is a cloud-hosted enterprise agentic platform that orchestrates specialized AI Colleagues across HR, IT, Finance, and Procurement domains, connecting to enterprise systems of record through OAuth integrations and the Model Context Protocol. Its default configuration processes employee requests across chat, voice, email, and messaging channels while executing business process actions including access provisioning, salary updates, and credential management through service account connections. The primary risk surface is the broad multi-channel input path combined with enterprise system write access through stored service account credentials.

About the AI Risk Quadrant

Humble Providers placement reflects an agent whose orchestration connectivity and multi-channel input surface create meaningful attack exposure, while moderate blast radius and vendor-documented defense controls keep the composite below agents with direct host-level execution privileges. The grounding mechanism and Liability Gate middleware demonstrate intentional defense investment, but undocumented execution isolation and absent output filtering leave operator-managed gaps. Operators deploying Leena AI inherit enterprise system credential exposure that requires supplemental DLP and monitoring controls beyond the vendor-provided defaults.

1 Key Risks

The most critical security risks an operator inherits when deploying this agent in its documented default configuration. Leena AI presents a broadly connected enterprise agent with documented input and action controls but significant gaps in execution isolation, output filtering, and automated security monitoring.

Key Input Risks
Employee prompts from chat, voice, email, and SMS, together with MCP invocations from external agents, enter the reasoning context alongside enterprise knowledge base documents without independent adversarial content scanning. The grounding mechanism separates user queries from prompt context, but no injection detection layer validates inbound content before processing [2].
Key Execution Risks
The proprietary WorkLM model and external LLMs process enterprise data within vendor-managed multi-tenant cloud infrastructure without documented container isolation or runtime sandboxing for individual agent executions. No independent audit confirms the isolation boundaries between tenant workloads [11].
Key Action Risks
Password resets, access provisioning, salary updates, and user account deletions execute against enterprise systems of record through pre-built connectors without mandatory per-action operator approval by default. The Liability Gate middleware is configurable per action type but its default-on posture for destructive operations is undocumented [3].
Key Output Risks
Agent responses containing enterprise HR data, compensation figures, and organizational details flow outbound via Slack, Teams, email, SMS, and MCP callbacks without documented DLP filtering or credential redaction. The output path lacks exfiltration blocking between the reasoning loop and downstream messaging channels [8].
Key Monitoring Risks
Audit logs capture configurable module-level events with IP tracking and retention up to five years, but no SIEM integration or automated anomaly detection exists on the default configuration. Real-time security alerting for privilege escalation or bulk data access patterns is entirely operator-managed [7].

2 AIRQ Scores

The four headline scores quantify how exposed the agent is, how damaging a successful attack would be, and how much the agent’s own controls reduce that risk. Leena AI scores reflect an agent with moderate inherent risk balanced by vendor-documented controls that leave specific gaps in isolation and output filtering.

AIRQ Metrics

Leena AI lands in the Humble Providers quadrant with an attack surface of 4.80, a blast radius of 4.63, and a defense score of 6; it is deployable with standard enterprise controls supplemented by output filtering and SIEM integration.

Each axis is scored independently: attack surface out of 10, blast radius out of 10, defense controls out of 15, and the composite AIRQ score out of 15.

Metric | Score | Comments
--- | --- | ---
AIRQ Score | 4.31 / 15 | Moderate composite signals that vendor controls partially contain risk but operator hardening remains necessary for enterprise deployments.
Blast Radius | 4.63 / 10 | Network access to enterprise systems and stored service account credentials dominate the blast profile.
Attack Surface | 4.8 / 10 | Orchestration and inter-agent surfaces drive the attack score, with all three trifecta conditions met across the default configuration.
Defense Controls | 6 / 15 | Grounding mechanism and Liability Gate provide documented input and action controls; execution isolation and output filtering remain gaps.

3 Attack Surface

Attack surfaces are the entry points and interaction patterns through which adversarial input can reach the agent’s reasoning loop and steer its behavior. Leena AI ingests employee prompts, enterprise documents, and external agent requests into its reasoning context through a multi-channel orchestration layer.

Attack Surface Metrics

Higher scores indicate surfaces where external agents, employee messages, or enterprise documents reach the reasoning loop without independent validation.

Each row scores a distinct input channel by the breadth of untrusted content that reaches the reasoning loop on the default configuration.

Surface | Score | Comments
--- | --- | ---
User Input | 2 / 4 | Employee prompts via chat, voice, email, and SMS enter the reasoning loop with grounding separation but no injection scanning [2].
External Data | 2 / 4 | Enterprise knowledge bases from SharePoint, Confluence, and Box provide document content to the model context [4].
Memory | 2 / 4 | Multi-tier persistent memory retains session, user, company, and domain context across interactions without integrity verification [5].
Reasoning | 2 / 4 | WorkLM and external LLMs process queries with a fact-check validation layer but no independent reasoning-guard mechanism [2].
Planning | 2 / 4 | Plain-text Agent Operating Protocols guide the Orchestrator without plan-validation gates beyond the protocol definitions themselves [4].
Tool Execution | 2 / 4 | Enterprise connectors execute actions via REST APIs; Browser Use performs web navigation without documented sandbox boundaries [10].
Orchestration | 3 / 4 | Central Orchestrator delegates across domain agents, with MCP exposing over a thousand application agents externally [6].
Inter-Agent | 3 / 4 | MCP connector allows external agents to invoke internal agents as skills with configurable action governance [9].
Output Processing | 1 / 4 | Responses are delivered through existing messaging channels; no output transformation pipeline exists beyond grounding enforcement [8].
Configuration | 2 / 4 | Operator-configurable Liability Gate policies and integration credentials define the runtime posture without drift detection [3].

The Lethal Trifecta is triggered when an agent processes untrusted content, accesses private data, and communicates externally in the same session — the three conditions that turn an isolated prompt injection into full-chain exfiltration. This agent accepts multi-channel employee content and external agent requests, accesses enterprise HR records and service account credentials, and transmits responses through messaging channels and API callbacks on its default configuration.

Lethal Trifecta · Complete (3 of 3)

Leena AI exhibits all three of these conditions in its documented default configuration:

  • Untrusted input — Multi-channel employee messages and external agent requests arrive through six inbound channels without adversarial content scanning [12].
  • Sensitive data — HRIS records including payroll and compensation data are accessible via OAuth tokens and stored service account credentials [10].
  • External egress — Responses flow outbound via Slack, Teams, email, SMS, webhook callbacks, and MCP invocations to external systems [6].

4 Blast Radius

The blast radius is what an attacker who controls the agent can reach — which systems they touch, which credentials they read, and which actions they take without operator approval. A compromised Leena AI session reaches enterprise system APIs, stored service account credentials, and autonomous business process actions across connected systems.

Blast Radius Metrics

Higher scores indicate blast surfaces where the agent holds default-configuration access to enterprise systems or credentials.

Each row maps a blast dimension to the agent's documented default capability and the scope of enterprise resources reachable.

Factor | Score | Comments
--- | --- | ---
Code execution | 1 / 4 | Cloud-hosted SaaS with no arbitrary code execution on operator infrastructure; actions constrained to connector operations [4].
File system access | 1 / 4 | Document management through enterprise APIs rather than direct filesystem access; no local file write capability [4].
Network access | 3 / 4 | Outbound API calls to HRIS, payroll, identity, and ticketing systems via REST and MCP, plus Browser Use HTTP requests [6].
Credential access | 3 / 4 | OAuth tokens and service account credentials for enterprise systems are stored in the integration layer for HR data access [10].
Autonomous action | 2 / 4 | Business process actions execute autonomously for configured types; Liability Gate can intercept, but default coverage is undocumented [3].
Deployment access | 1 / 4 | No CI/CD integration or deployment pipeline access exists; operations stay within pre-configured application connectors [4].

5 Defense Controls

Defense controls are what the agent’s own architecture does to detect, contain, and report attacks before they reach the operator’s systems. The vendor documents grounding and action-gating controls but leaves execution isolation, output filtering, and security monitoring as operator-managed concerns.

Defense Controls Metrics

Higher scores indicate stronger vendor-provided safeguards that reduce risk without requiring operator configuration changes.

Each component reflects what the vendor implements and documents on the default configuration, not what operators can add.

Component | Score | Comments
--- | --- | ---
Input Guardrails | 2 / 3 | Grounding mechanism separates user queries from prompt context; fact-check validation blocks ungrounded responses [2].
Execution Isolation | 1 / 3 | Multi-tenant cloud infrastructure provides platform-level isolation; no documented container sandbox for agent execution contexts [11].
Action Controls | 2 / 3 | Liability Gate middleware intercepts configurable high-risk actions for human approval, with recommended least-privilege governance [3].
Output Guardrails | 1 / 3 | Grounding enforcement prevents ungrounded responses; no DLP, credential redaction, or exfiltration blocking is documented [8].
Monitoring | 0 / 3 | Configurable audit logs with module-level events and IP tracking; no SIEM integration or automated anomaly detection [7].

6 Hardening Tips

Concrete actions an operator can take to reduce the risks reported above, grouped by which defense control each tip strengthens. Operators should prioritize adding output filtering and SIEM integration to close the trifecta egress path and establish real-time visibility.

Input Guardrails

Input guardrails intercept adversarial content before it reaches the reasoning loop.

  • Policy: Require content scanning of enterprise knowledge base documents before ingestion into the agent context; counters untrusted external data input.
  • Configuration: Restrict MCP inbound invocations to an allowlist of trusted external agents; counters the inter-agent attack surface.
  • Engineering: Integrate a vendor-compatible prompt injection classifier at the API gateway that scans inbound messages before they reach the Orchestrator; counters unscanned multi-channel input [12].

Execution Isolation

Execution isolation contains what a compromised agent can do on the host.

  • Policy: Mandate that Browser Use sessions run in isolated containers with time-bounded execution; counters undocumented execution boundaries.
  • Configuration: Request dedicated compute partitions for sensitive departments via the vendor's enterprise support channel; counters shared execution contexts.
  • Engineering: Implement runtime sandboxing for connector execution that restricts each action to the minimum required API scope; counters broad connector access.

Action Controls

Action controls govern which tools and actions the agent can invoke autonomously.

  • Policy: Enable Liability Gate for all destructive actions by default, requiring human approval for salary changes and access provisioning; counters undocumented defaults.
  • Configuration: Configure per-action-type approval thresholds requiring multi-level sign-off for operations exceeding monetary limits; counters autonomous high-risk execution.
  • Engineering: Build pre-action validation that cross-references proposed actions against role-based entitlements before they reach enterprise systems; counters privilege escalation [1].
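The entitlement cross-check and tiered sign-off described in the last two tips, as an added example in Python. This is operator-side code written for this page, not Leena AI's Liability Gate or any vendor API. The action names, roles, the entitlement table and the monetary thresholds are assumptions chosen for illustration; a real deployment would source them from the HRIS role model and the operator's approval policy.

```python
"""Pre-action entitlement and sign-off gate in front of enterprise connectors.

Added example, not Leena AI's Liability Gate and not any vendor API. Every
action name, role, entitlement and threshold here is an assumption chosen to
illustrate the pattern: refuse actions the requester's role is not entitled
to, refuse self-targeting for sensitive changes, and route anything
destructive or high-value to human sign-off before it reaches the system of
record.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed entitlement table: actions each requester role may initiate.
ENTITLEMENTS = {
    "employee": {"password_reset", "leave_request"},
    "manager": {"password_reset", "leave_request", "access_provisioning",
                "salary_update"},
    "hr_admin": {"password_reset", "leave_request", "access_provisioning",
                 "salary_update", "account_delete"},
}
# Actions that never run autonomously, whatever the amount (assumed policy).
ALWAYS_GATED = {"salary_update", "access_provisioning", "account_delete"}
# Roles whose grant counts as privilege escalation (assumed).
PRIVILEGED_ROLES = {"hr_admin", "payroll_admin", "global_admin"}
# Assumed monetary tiers: absolute salary delta -> approvers required.
SIGNOFF_TIERS = [(50_000, 3), (10_000, 2), (0, 1)]


@dataclass
class ProposedAction:
    action: str
    actor: str            # who asked the agent to do this
    actor_role: str
    target: str           # account or employee the action applies to
    amount: float = 0.0   # salary delta for salary_update
    granted_role: Optional[str] = None  # for access_provisioning


@dataclass
class Decision:
    verdict: str          # "allow", "approval_required" or "deny"
    approvers: int = 0
    reasons: list = field(default_factory=list)


def approvers_for(amount: float) -> int:
    """Map a monetary delta to the number of sign-offs required."""
    for threshold, n in SIGNOFF_TIERS:
        if abs(amount) >= threshold:
            return n
    return 1


def gate(p: ProposedAction) -> Decision:
    allowed = ENTITLEMENTS.get(p.actor_role, set())
    if p.action not in allowed:
        return Decision("deny", reasons=[f"role {p.actor_role} not entitled to {p.action}"])

    # Self-targeting a sensitive change is the classic escalation path.
    if p.action in ALWAYS_GATED and p.target == p.actor:
        return Decision("deny", reasons=[f"{p.action} may not target the requester"])

    # Employees may only reset their own password through the agent.
    if p.action == "password_reset" and p.actor_role == "employee" and p.target != p.actor:
        return Decision("deny", reasons=["employee may only reset own password"])

    if p.action in ALWAYS_GATED:
        if p.action == "salary_update":
            n = approvers_for(p.amount)
            why = f"salary delta {p.amount:,.0f} requires {n} sign-off(s)"
        elif p.action == "access_provisioning":
            n = 2 if p.granted_role in PRIVILEGED_ROLES else 1
            why = f"granting {p.granted_role} requires {n} sign-off(s)"
        else:  # account_delete
            n = 2
            why = "account deletion requires two sign-offs"
        return Decision("approval_required", approvers=n, reasons=[why])

    return Decision("allow")


if __name__ == "__main__":
    # Constructed requests exercising each branch; none are real users.
    for req in [
        ProposedAction("password_reset", "alice", "employee", "alice"),
        ProposedAction("salary_update", "mallory", "manager", "mallory", 1.0),
        ProposedAction("salary_update", "mgr", "manager", "bob", 12_000),
        ProposedAction("access_provisioning", "mgr", "manager", "bob", granted_role="payroll_admin"),
    ]:
        d = gate(req)
        print(f"{req.action:20} -> {d.verdict} ({d.approvers} approver(s)) {d.reasons}")
```

The gate returns a decision rather than calling the connector itself, so the same function can sit in front of every connector and the approval workflow can be implemented wherever the operator already handles sign-offs.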

Output Guardrails

Output guardrails inspect what the agent sends to other systems and users.

  • Policy: Establish classification rules preventing compensation data and credentials in outbound messages to broader audiences; counters egress without filtering.
  • Configuration: Deploy a DLP proxy between agent output and messaging channels that redacts sensitive patterns before delivery; counters absent output guardrails.
  • Engineering: Implement output filtering that scans all outbound MCP responses and webhook callbacks for credential material; counters unmonitored external egress.
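A redaction step of the kind the Configuration and Engineering tips describe, as an added Python example that is not part of this page or of the vendor's product. The regexes, the destination model (channel plus audience) and the sample messages are constructed assumptions; the US-style SSN pattern and the credential keywords would need tuning to the operator's own data. Credential material is redacted on internal channels and blocks delivery entirely to external destinations, while compensation figures are allowed only in a direct one-to-one reply.

```python
"""Outbound DLP filter between the agent's reply and the delivery channel.

Added example, not part of the page or of any vendor product. The patterns,
the channel/audience model and the sample messages are constructed
assumptions: credential material is redacted on internal channels and blocks
delivery entirely to external destinations (webhook and MCP callbacks), while
compensation figures are permitted only in a direct one-to-one reply.
"""
import re
from dataclasses import dataclass, field

# Order matters: the key/value rule runs first so a token that is also a JWT
# is counted once. Patterns are illustrative, not a complete DLP ruleset.
CREDENTIAL_PATTERNS = {
    "secret_assignment": re.compile(
        r"(?i)\b(password|passwd|api[_-]?key|secret|token)\b\s*[:=]\s*(\S{8,})"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),  # US-style identifier, assumed
}
# A currency amount within 40 chars after a compensation keyword (assumed).
COMPENSATION = re.compile(
    r"(?i)\b(salary|compensation|bonus|pay rate)\b[^.\n]{0,40}?(\$\s?\d[\d,]*(?:\.\d{2})?)")


@dataclass
class Destination:
    channel: str   # "slack", "teams", "email", "sms", "webhook", "mcp"
    audience: str  # "direct" (one recipient), "group", or "external"


@dataclass
class FilterResult:
    verdict: str   # "deliver", "deliver_redacted" or "block"
    text: str
    findings: list = field(default_factory=list)


def filter_outbound(text: str, dest: Destination) -> FilterResult:
    findings = []
    out = text

    for name, pat in CREDENTIAL_PATTERNS.items():
        if pat.search(out):
            findings.append(name)
            if name == "secret_assignment":
                # Keep the label, drop the value.
                out = pat.sub(lambda m: f"{m.group(1)}: [REDACTED]", out)
            else:
                out = pat.sub("[REDACTED]", out)

    # Compensation data is acceptable to the individual concerned but not to
    # a channel, group or external system.
    if dest.audience != "direct" and COMPENSATION.search(out):
        findings.append("compensation")
        out = COMPENSATION.sub(
            lambda m: m.group(0).replace(m.group(2), "[REDACTED-COMP]"), out)

    if dest.audience == "external" and any(f in CREDENTIAL_PATTERNS for f in findings):
        # Never let credential material leave the boundary, even redacted.
        return FilterResult("block", "", findings)
    if findings:
        return FilterResult("deliver_redacted", out, findings)
    return FilterResult("deliver", out, findings)


if __name__ == "__main__":
    # Constructed agent replies; none of these values are real.
    samples = [
        ("Your new salary will be $95,000 effective March 1.", Destination("slack", "direct")),
        ("Your new salary will be $95,000 effective March 1.", Destination("teams", "group")),
        ("Reset complete. Temporary token: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.abcdefghijklmnopqrstu",
         Destination("slack", "direct")),
        ("Workday service account password: Wd-Svc-2024-Secret!", Destination("webhook", "external")),
    ]
    for text, dest in samples:
        r = filter_outbound(text, dest)
        print(f"{dest.channel}/{dest.audience}: {r.verdict} {r.findings} -> {r.text!r}")
```

The findings list is what should go to the audit trail; the redacted text is what goes to the channel. Blocking rather than redacting on the external path reflects the trifecta egress concern above: a redaction regex that misses a variant still leaks, whereas a blocked callback does not.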

Monitoring

Monitoring captures what the agent did and surfaces anomalies for review.

  • Policy: Require forwarding of all audit log events to the enterprise SIEM, with mandatory alerting on privilege escalation; counters absent anomaly detection.
  • Configuration: Enable IP-based anomaly detection on audit modules with real-time alerts for unusual access and bulk data patterns; counters silent monitoring gaps.
  • Engineering: Integrate Transparency Dashboard decision traces with the security operations center for automated correlation; counters unmonitored agent decision paths.
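Detection logic for the alert conditions named above (privilege escalation, bulk data access, and activity from an unfamiliar IP), as an added Python example run over constructed audit events. Neither the event schema nor the thresholds come from the vendor's audit log documentation; they are assumptions standing in for whatever the operator's SIEM actually receives after the log forwarding the Policy tip requires.

```python
"""Detection rules over agent audit events, for SIEM forwarding.

Added example; the event schema, baseline and thresholds are assumptions and
do not come from the vendor's audit log documentation. Three rules run over
time-ordered events: a privileged role granted through the agent (with the
self-grant case called out), a per-user record count crossing a threshold
inside a sliding window (bulk data access), and activity from an IP address
outside the user's known set.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

PRIVILEGED_ROLES = {"hr_admin", "payroll_admin", "global_admin"}  # assumed
BULK_RECORDS = 500                   # records per user per window (assumed)
BULK_WINDOW = timedelta(minutes=10)

# Constructed sample of module-level audit events with IP tracking, one JSON
# object per line. Field names are assumptions, not the vendor's schema.
SAMPLE_LOG = """
{"ts": "2026-03-02T09:00:01Z", "user": "alice", "ip": "10.1.4.22", "module": "hris", "action": "read", "target": "emp:1042", "records": 1}
{"ts": "2026-03-02T09:01:10Z", "user": "alice", "ip": "10.1.4.22", "module": "hris", "action": "export", "target": "report:comp_band", "records": 320}
{"ts": "2026-03-02T09:04:45Z", "user": "alice", "ip": "10.1.4.22", "module": "hris", "action": "export", "target": "report:all_salaries", "records": 410}
{"ts": "2026-03-02T09:05:30Z", "user": "bob", "ip": "203.0.113.7", "module": "iam", "action": "access_provisioning", "target": "user:bob", "granted_role": "payroll_admin"}
{"ts": "2026-03-02T09:06:00Z", "user": "carol", "ip": "10.1.8.9", "module": "iam", "action": "password_reset", "target": "user:dave"}
"""
# Baseline of IPs previously seen per user (assumed to come from history).
KNOWN_IPS = {"alice": {"10.1.4.22"}, "bob": {"10.1.5.3"}, "carol": {"10.1.8.9"}}


def parse_events(text):
    """Parse JSON lines into dicts with an aware datetime, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, known_ips):
    alerts = []
    windows = defaultdict(deque)   # user -> (ts, records) inside the window
    running = defaultdict(int)     # user -> records currently in the window
    bulk_alerted = set()           # one bulk alert per user per run

    for e in events:
        user = e["user"]

        if e["ip"] not in known_ips.get(user, set()):
            alerts.append({"rule": "new_ip", "user": user, "severity": "medium",
                           "detail": f"{e['ip']} not in baseline"})

        if e["action"] == "access_provisioning" and e.get("granted_role") in PRIVILEGED_ROLES:
            self_grant = e["target"] == f"user:{user}"
            alerts.append({"rule": "privilege_escalation", "user": user,
                           "severity": "high" if self_grant else "medium",
                           "detail": f"granted {e['granted_role']} to {e['target']}"})

        if e["action"] in {"read", "export"}:
            n = e.get("records", 0)
            q = windows[user]
            q.append((e["ts"], n))
            running[user] += n
            # Drop entries older than the window before testing the threshold.
            while q and e["ts"] - q[0][0] > BULK_WINDOW:
                running[user] -= q.popleft()[1]
            if running[user] >= BULK_RECORDS and user not in bulk_alerted:
                bulk_alerted.add(user)
                alerts.append({"rule": "bulk_data_access", "user": user, "severity": "high",
                               "detail": f"{running[user]} records within {BULK_WINDOW}"})
    return alerts


def run_sample():
    return detect(parse_events(SAMPLE_LOG), KNOWN_IPS)


if __name__ == "__main__":
    for a in run_sample():
        print(json.dumps(a))  # one JSON object per alert, ready for a SIEM forwarder
```

On the sample, alice's two exports push her over the record threshold inside ten minutes, and bob both grants himself a privileged role and does so from an address outside his baseline; carol's reset from a known address produces nothing. In production the baseline would be built from historical logs and the thresholds tuned per module, since an HR analyst's normal export volume is not an employee's.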

7 References

The evidence base behind every score and finding in the profile, grouped by source type so the reader can verify any claim. Numbers in brackets throughout the report (e.g. [7]) refer to the entries below, which are numbered continuously across the groups.

Selected Vulnerabilities

  1. Leena AI Trust Center. The vendor operates a SafeBase-powered trust center documenting compliance certifications, risk profile, product security posture, and a vulnerability disclosure program.

Selected Research

  2. Model Validation and Red Teaming. Vendor documentation of the grounding mechanism, fact-check validation models, and authentication-gated information access controls protecting the reasoning loop.
  3. Liability Gating for Enterprise AI. Vendor blog documenting the Liability Gate middleware that intercepts high-risk agent actions for human approval before reaching backend systems.

Vendor Documentation

  4. Agentic AI Architecture. Vendor architecture page documenting the Orchestrator, Agent Operating Protocols, Permissions and Access Controls, Observability and Governance layers.
  5. Agentic Memory Architecture. Vendor blog documenting the multi-tier persistent memory system including session, user, company knowledge, and domain context layers.
  6. MCP Interoperability. Vendor page documenting Model Context Protocol support exposing 1000+ application agents for external invocation via APIs and MCP.
  7. Audit Logs. Vendor documentation of the configurable audit log system with module-level event capture, IP tracking, and retention configurable up to 5 years.
  8. Governance for Enterprise Agentic AI. Vendor blog documenting the Transparency Dashboard with complete decision logging, fact-checking enforcement, and continuous compliance monitoring.
  9. MCP Connector Documentation. Technical documentation for MCP connector setup including admin versus user OAuth modes, action selection governance, and least-privilege practices.
  10. Workday Connector. Technical connector documentation showing OAuth token and service account credential patterns for HR data access and business process approvals.

Other Sources

  11. Nudge Security Vendor Profile. Third-party vendor risk profile confirming SOC 2, ISO 27001, HIPAA, PCI, GDPR, and CSA STAR certifications alongside supply chain composition.
  12. OWASP GenAI Exploit Round-up Q1 2026. Class-level quarterly report cataloging major AI agent exploit patterns including prompt injection and privilege abuse across the agentic landscape.