What is agentjacking? Agentjacking is a newly documented attack in which hackers hide malicious instructions inside the data an AI agent reads, tricking the agent into executing their commands as if those instructions were part of its normal job. First detailed by the security firm Tenet Security in June 2026, agentjacking has pushed AI agent security to the top of the risk list for every commercial real estate firm now running automated AI workflows. For the full framework on screening these tools before they touch a deal, see our guide on AI real estate due diligence.
Key Takeaways
- Agentjacking exploits the core weakness of every AI agent: it cannot reliably tell the difference between data it reads and instructions it is meant to follow.
- Tenet Security identified 2,388 organizations with exposed credentials and reported an 85% success rate when testing the attack against leading AI coding agents in 2026.
- The same indirect prompt injection that hijacks coding agents can hit any CRE AI agent that ingests tenant emails, vendor invoices, listing data, or public records.
- AI agent security is now a due diligence requirement, not an IT afterthought, especially before an agent gains access to confidential deal documents.
- Treat every AI agent like a capable new hire with broad system access but no instinct for which instructions are legitimate and which are an attack.
AI Agent Security Explained
AI agent security is the practice of controlling what an autonomous AI system can read, do, and access so that attackers cannot turn the agent against its owner. The central problem is simple: an AI agent treats everything in its context window as potentially actionable, so a malicious instruction buried in ordinary looking data can be obeyed just like a command from you.
Traditional software follows code that a developer wrote and reviewed. An AI agent, by contrast, decides what to do based on natural language it reads at runtime. That flexibility is the entire point of tools like Claude Code, OpenAI Codex, Cursor, and Gemini CLI, along with the agentic features now shipping inside platforms such as AppFolio Realm-X. It is also the vulnerability. When an agent reads a document, an email, or a tool output, it cannot prove who wrote that text or whether it should be trusted. Security teams call this class of problem indirect prompt injection, and the Open Worldwide Application Security Project (OWASP) lists it as a leading cause of agentic AI failures in production.
How Agentjacking Works
Agentjacking works by poisoning a trusted data source that an AI agent reads automatically. In the attack Tenet Security disclosed on June 3, 2026, hackers sent fake error reports to the developer monitoring tool Sentry using publicly exposed Data Source Names, then embedded commands inside those error events. When a coding agent queried Sentry for unresolved errors, it read the planted instructions and ran them, exactly as a developer would follow a credible fix.
The results were not theoretical. Tenet Security found 2,388 organizations with exposed Data Source Names, recorded an 85% exploitation success rate across top coding agents, and confirmed more than 100 instances of an agent executing attacker code, including at one Fortune 500 enterprise. The payload could expose environment variables, Git credentials, and private repository links. Critically, the attack bypasses traditional defenses such as endpoint detection and response (EDR) and web application firewalls, because there is no malware to scan, only text the model chooses to obey. Microsoft documented a related path in its Semantic Kernel framework, where a single prompt could escalate into host level remote code execution. Sentry called the underlying class of attack difficult to defend at the ingestion layer, which shifts responsibility to the teams deploying the agents. This is the same trust gap we examined in the Copilot SearchLeak flaw and CRE data security.
Why Agentjacking Matters for Commercial Real Estate
Agentjacking matters for commercial real estate because CRE firms are wiring AI agents directly into the systems that hold their most sensitive information: deal rooms, rent rolls, lender portals, tenant communications, and accounting platforms. An agent that reads untrusted input is a target, and CRE agents read untrusted input constantly.
Consider how quickly the exposure adds up. A property management agent that triages inbound tenant emails could be fed a hidden instruction inside a maintenance request. An acquisitions agent that parses a seller's data room could ingest a poisoned PDF. A leasing agent that pulls public records or listing feeds could read manipulated data designed to trigger an action. In each case the agent holds legitimate access to confidential files, banking details, or signature authority, and the attacker never needs to breach the network directly. With AI in real estate projected to grow toward a $1.3 trillion market by 2030, the number of agents touching live financial data is climbing fast, and so is the attack surface. JLL has repeatedly warned that data quality, model transparency, and cybersecurity are the unglamorous prerequisites for safe AI adoption, a point reinforced in its research on how real estate can navigate AI risks. The firms that ignore agent security are the ones most likely to learn this lesson the expensive way. For a structured assessment of your exposure, The AI Consulting Network helps CRE teams pressure test their AI agents before those agents touch a live deal.
How CRE Firms Can Lock Down AI Agent Security
The encouraging news is that agentjacking is defensible at the deployment level even when it is hard to stop at the source. The goal is to limit what an agent can read without supervision and what it can do without a human in the loop. Start with these practical controls:
- Map every untrusted input: List every data source each agent reads automatically, such as email, ticketing tools, document folders, and third party feeds, then treat all of it as hostile by default.
- Separate reading from acting: Require human approval before an agent executes anything consequential, including sending wires, signing documents, deleting files, or running shell commands.
- Apply least privilege: Give each agent the narrowest access it needs. An agent that drafts emails does not need your banking credentials or your full deal archive.
- Vet your vendors: Ask AI tool providers how they isolate untrusted input and what guardrails sit between tool output and action. Our checklist on how to vet AI tool security before sharing confidential deals walks through the exact questions.
- Build a governance layer: Document which agents exist, who owns them, and what they can touch, the foundation of any real AI agent governance program.
None of this requires you to abandon AI. It requires you to deploy it like a serious financial operation rather than a science experiment. CRE investors who want hands on help building these controls can reach out to Avi Hacker, J.D. at The AI Consulting Network.
Frequently Asked Questions
Q: Is agentjacking the same as a normal data breach?
A: No. A normal breach exploits a software flaw to steal data. Agentjacking exploits the AI agent itself, feeding it instructions hidden in data it already has permission to read, so the agent does the attacker's work using its own legitimate access. Traditional security tools often miss it because there is no malicious file to detect.
Q: Does agentjacking only affect AI coding tools?
A: No. Coding agents like Claude Code and OpenAI Codex were the first confirmed targets, but the underlying weakness applies to any AI agent that reads untrusted input. A CRE property management or acquisitions agent that processes tenant emails, invoices, or seller documents faces the same indirect prompt injection risk.
Q: How can a CRE firm use AI agents safely in 2026?
A: Keep a human in the loop for any consequential action, give each agent least privilege access, treat all incoming data as untrusted, and vet how your AI vendors handle tool inputs. Strong AI agent security comes from constraining what the agent can do, not from trusting it to behave.
Q: What should I ask an AI vendor about agent security?
A: Ask how they isolate untrusted input, whether tool outputs can trigger actions without human approval, how they log agent behavior, and what data the agent can reach. If a vendor cannot answer clearly, treat that as a red flag during due diligence.