Enterprise SaaS: securing multi-tenant agentic copilots.

Lead capture, opportunity scoring, customer 360 retrieval, Apex tool invocation

Inbound email, SharePoint corpus, Graph API actions, declarative agent topics

Incident summarisation, change recommendation, automated runbook execution

Repo retrieval, PR generation, MCP-driven build and deploy tooling

Inbound ticket bodies, knowledge-base retrieval, refund and account actions

MCP tool poisoning and rug-pull

An MCP server publishes a benign tool descriptor at onboarding, then mutates its description, schema, or output side-effects after the copilot has cached trust. Probes mutate descriptor text post-discovery, re-issue list_tools mid-session, and assert the agent re-validates rather than re-using cached permissions.

Indirect prompt injection via inbound channels

Adversary content arrives through a web form, support email, CRM lead, ticket comment, or scraped page. The agent treats the channel payload as instructions and reroutes its goal. Anchored to the Microsoft Copilot Studio disclosure of 2026-04 (CVSS 7.5) and the Capsule Security demonstration against Agentforce.

A2A signed-message replay and supervisor impersonation

Agent-to-Agent messages signed by a planner are captured and re-issued out of session order, or a peer agent impersonates the supervisor on the message bus. Probes test nonce reuse, timestamp tolerance, confused-deputy escalation, and protocol-version downgrade between orchestrator and worker agents.

Indirect prompt injection — CVSS 7.5

An attacker-controlled document or email ingested by a Copilot Studio agent could override topic routing and exfiltrate context across the agent's declarative skills. Patched at the platform layer; the customer-built agents on top remained the responsibility of the SaaS tenant.

Mapped to OWASP ASI01 · MITRE ATLAS AML.T0051 · CSA RT-3

Lead-form prompt injection to CRM action chain

A demonstration showed adversary content placed in a web-to-lead form being treated as instructions by an Agentforce action, triggering Apex-backed tool calls outside the intended topic. Probe family ASI02 (Tool Misuse) and ASI01 (Goal Hijack) replicate the technique across tenant configurations.

Mapped to OWASP ASI01 + ASI02 · MITRE ATLAS AML.T0051.001 · CSA RT-2

Scan one tenant before onboarding.

Run AgentGuardian against a single customer-resident copilot instance — Agentforce action, Copilot Studio bot, or Now Assist skill — with the production-tier toolset wired up. The scan is local-first: no probe payload, transcript, or evidence artefact leaves the tenant data plane. The deterministic stub mode means even the OSS edition produces hash-stable severity scores without an external LLM key.

• —Pin the recon adapter to the customer-resident endpoint
• —Authenticate with a scoped service-principal, not a bearer token
• —Capture the MCP tool descriptor inventory at t0
• —Run fast mode (~2 min) for triage, full mode (30+ min) for sign-off
• —Emit SARIF 2.1.0 to the tenant's S3 or Azure Blob bucket

Gate every release with CI-attached evidence.

Attach the scan to the SaaS release pipeline. Every shipped agent version — copilot prompt change, skill catalogue update, RAG corpus refresh, MCP server upgrade — re-runs the swarm and re-issues an AIVSS score. A regression on a previously-passing probe blocks the release; a new finding above the configured severity floor opens a CR-tracked ticket. The published deterministic formula in scoring/aivss.py makes the gate reviewable by the customer's audit function.

• —Wire into GitHub Actions, GitLab CI, or Buildkite as a required check
• —Set the AIVSS gate per copilot tier (T1 production, T4 sandbox)
• —Diff findings against the last passing scan; fail on net-new criticals
• —Re-run the swarm whenever an upstream MCP server publishes a new version
• —Persist the SARIF + PDF + JSON triad alongside the release manifest

Hand customer trust teams a signed evidence pack.

Procurement, customer trust, and pen-test attestation requests collapse to a single deliverable. The evidence bundle ships a signed manifest with the AIVSS score, the probe-by-probe transcript, the OWASP ASI 2026 and MITRE ATLAS v5.4.0 technique tags, the CSA Agentic-RT category mapping, and the SOC 2 / ISO 27001 control cross-walk. The bundle is regenerable on demand for each tenant, which removes the SaaS vendor from the position of being the manual broker of trust evidence.

• —Signed PDF for procurement and CISO review
• —SARIF feed for the customer's vulnerability management tool
• —Probe transcripts for the customer's red team to reproduce
• —Standards cross-walk: OWASP ASI 2026, MITRE ATLAS, CSA, AIVSS
• —Re-issue per tenant without re-running an internal pen-test cycle

The scanner runs as a job inside the customer’s VPC, namespace, or app instance. No transcripts cross the tenant boundary.

The recon adapter authenticates with a tenant-scoped service principal. Cross-tenant probes are tested explicitly under ASI03.

Stub mode produces hash-stable AIVSS scores without an external LLM key, suitable for air-gapped customer environments.

SARIF, PDF, JSON, and the signed manifest land in the customer’s S3, Blob, or GCS bucket. The vendor mediates the schema, not the data.

The pen-test attestation question takes six weeks.

A Fortune 500 customer's security team asks: "Has your agent surface been independently red-teamed against OWASP ASI 2026 and MITRE ATLAS techniques? Can we see the scope, the methodology, and the score?" The vendor coordinates a manual pen-test, redacts findings, drafts a summary letter, and ships a custom PDF that the customer's GRC team then has to back-fit into their control matrix.

The evidence pack ships with the trust portal.

The same question lands. The trust portal returns an evidence pack: AIVSS score, OWASP ASI 2026 + MITRE ATLAS v5.4.0 + CSA Agentic-RT category mapping, full probe transcript, signed manifest. The customer's vulnerability management tool ingests the SARIF feed directly. Renewal accelerates because the artefact is regenerable per release, not per RFP cycle.

Evidence that AI-driven control points are tested for monitored conditions and that change management covers prompt and skill releases.

Secure coding and security testing during development; agent prompts, MCP servers, and tool catalogues fall in scope as software components.

Documented AI risk assessment, incident response, and continual improvement loop for production agents.

Accuracy, robustness, and cybersecurity testing recorded with reproducible methodology for high-risk AI systems on the EU market.

Evidence that an independent red-team methodology has been executed against the SaaS agent surface, scored, and remediated.