When Agentic AI Becomes an Attack Surface: What the Ask Gordon Incident Reveals
Gabriel Avner
December 23, 2025
Pillar Security’s recent analysis of Docker’s Agentic AI assistant, Ask Gordon, offers an early glimpse into the security challenges organizations will face as AI systems begin operating inside the development stack. Their researchers discovered that a single poisoned line of Docker Hub metadata caused the agent to run privileged tool calls and quietly exfiltrate internal data.
The failure happened inside the decision-making layer where an AI agent consumes data and translates it into actions. That layer is quickly becoming one of the most critical surfaces security teams must defend.
The broader implication is clear. Organizations are pushing toward Agentic AI because of the enormous potential productivity gains. But autonomy, speed, and system reach create identity-like risks that many environments aren’t prepared to manage.
What Happened
The Ask Gordon AI Agent fetches Docker Hub metadata to help users understand container images. Pillar’s researchers inserted a malicious instruction into a repository description, and the agent:
- Accessed an attacker-controlled URL
- Executed internal tool calls (build logs, build lists)
- Packaged log data and chat history
- Sent the full payload externally without user approval
The agent simply interpreted untrusted data as instruction. Docker responded to this risk by requiring human approval for tool calls that touch sensitive data or external systems.
While this is an effective fix, the real challenge is bigger than a single feature bug.
The Growing Tension: Productivity vs Security in the Agentic Era
Agentic AI promises huge efficiency gains with the potential for:
- Reduced manual toil
- Faster development workflows
- Automation that scales far beyond human capacity
But these strengths introduce new risks:
- Agents act independently
- They ingest untrusted content at scale
- They infer intent and may take unintended actions
- They interact with internal and external systems
- They do all of this at machine speed
These are many of the same factors that we apply risk modeling to human users, but multiplied by automation, volume, and a lack of common sense.
Agentic AI: A New Identity Class With Unique Risk
Security teams historically manage two categories of identity:
Humans — Unpredictable, creative, fallible and sometimes malicious.
Non-human identities (NHIs) — Service accounts, tokens, cloud roles. Predictable but extremely numerous.
Agentic AI now becomes a third category altogether.
Agents combine characteristics of both:
- Human-like autonomy and decision-making
- Machine-like scale, speed, and integration depth
They access internal systems. They make decisions without human review. And they can be manipulated through crafted inputs. Traditional IAM models do not yet account for these traits.
The Ask Gordon incident is a concrete example of this shift and raises real questions about how organizations can reliably roll out AI tooling in the near term..
How Security Teams Should Approach Agentic AI
Because agents cannot reliably differentiate safe instructions from malicious ones, access boundaries carry the burden of defense. Three principles matter most.
1. Know what your agents can see and do
Teams must understand:
- What data agents can read
- Which systems they can modify
- What privileges they inherit from humans
- Where they overlap with sensitive environments
2. Apply Access Controls Based on Risk, Not Identity Type
As organizations adopt Agentic AI, the old model of treating access differently for humans and NHIs breaks down. Agents introduce autonomy and unpredictability at scale, so access must be governed by risk, not by the type of identity making the request.
A risk-based model asks only:
- What is the potential impact if this identity acts incorrectly?
- What level of oversight is appropriate for that impact?
This applies to everyone:
- Humans bring intent and unpredictability
- NHIs bring volume and persistence
- AI agents bring autonomy and speed
The goal is the same across all of them: define clear boundaries around sensitive actions and ensure identities operate within them.
3. Treat external communication as a privileged action
Ask Gordon succeeded because the agent could transmit data freely. Any system capable of making external requests should require consent, context, or both.
How Apono’s Access Engine Scales to Humans, NHIs, and Agentic AI
Apono’s access model is built around context and risk, which makes it naturally suited for managing Agentic AI alongside humans and NHIs.
A unified, scalable control plane
Apono evaluates every identity the same way:
- What are they trying to access?
- How sensitive is the resource?
- What context and justification support the request?
This creates a consistent, enforceable approach that scales as organizations introduce more automation.
Dynamic policies that prevent privilege drift
As identities take on new tasks or as resources grow in sensitivity, Apono automatically adapts access policies. This keeps permissions aligned with current context and prevents the slow buildup of unnecessary rights.
Ephemeral access removes standing privilege
Whenever access is approved, Apono generates a temporary, scoped role and deletes it when the task ends. This avoids:
- Long-lived permissions
- Static role sprawl
- Agents inheriting privileges they shouldn’t have
Continuous monitoring for accountability
Apono surfaces unusual or risky identity behavior, whether human, NHI, or AI agent. This gives security teams the confidence and auditability needed as autonomous systems become more integrated into daily operations.
Taking the Next Step Toward Smarter Access Controls
Whenever an AI agent is allowed to read internal data and perform actions on your behalf, it becomes part of your identity surface.
Organizations will adopt Agentic AI rapidly because the productivity gains are too compelling to ignore. But autonomy without access boundaries creates real operational risk.
Zero Standing Privilege offers a workable foundation for securing humans, NHIs, and now Agentic AI. Apono operationalizes that model by making access contextual, temporary, and enforceable at scale.
To evaluate where standing privileges may already exist in your environment, download our Zero Standing Privilege Checklist.
To compare Cloud Privileged Access Management solutions designed for the Agentic era, explore our Privileged Access Buyer Guide + RFP Checklist breaks down the capabilities that matter most and the questions that separate cloud-native solutions from legacy ones.
