Agentic AI Security & Shadow AI MCQ 60 Tests With Answers (2026)
PerfectNotes TeamUpdated: May 2026~15 min practice 60 Questions Β· 3 Levels 60 Questions Β· 3 Levels
Agentic AI Security and Shadow AI MCQ practice questions are essential for preparing for enterprise AI security roles, AI governance certifications, and technical interviews. This comprehensive MCQ platform provides 60 carefully curated practice questions covering Shadow AI detection, autonomous agent risks, prompt injection attacks, RAG vulnerabilities, and advanced adversarial ML techniques.
These questions are organized into three progressive difficulty levels of 20 questions each: Basics (covering Shadow AI definitions, agentic vs. conversational AI, foundational risks), Concepts (covering tool abuse, RAG poisoning, DLP integration, and architectural safeguards), and Advanced (covering Crescendo attacks, sandboxing, SSRF vectors, adversarial ML, and multi-agent vulnerabilities). Each question includes a verified, in-depth explanation to reinforce learning.
Practice in Study Mode to reveal answers and detailed explanations instantly, or use Exam Mode for timed testing and real-time scoring to simulate AI security certification conditions. The interactive engine tracks your progress and identifies knowledge gaps across Shadow AI governance, Prompt Injection defense, RAG security, and Adversarial ML.
Contents
- 1.Basics (20 Questions)Shadow AI definitions Β· agentic vs. conversational Β· prompt injection Β· HITL
- 2.Concepts (20 Questions)Jailbreaks Β· RAG poisoning Β· tool abuse Β· DLP for AI Β· auditing agents
- 3.Advanced (20 Questions)Crescendo attacks Β· sandboxing Β· SSRF Β· adversarial perturbations Β· cryptographic alignment
- 4.Conclusionsummary Β· next steps Β· study tips
- 5.Key Takeawaysquick-fire bullet recap of essential facts
- 6.Quick Review Summaryconcept Β· definition Β· key fact table
- 7.FAQcommon questions answered
Agentic AI Security & Shadow AI β Basics
1What defines "Shadow AI" in a corporate environment?
CorrectB: Unsanctioned and unmonitored use of AI applications and tools by employees
Shadow AI refers to unsanctioned and unmonitored use of AI applications and tools by employees without IT oversight or approval. Unlike legitimate corporate AI infrastructure, Shadow AI exists outside governance frameworks and security controls.
IncorrectB: Unsanctioned and unmonitored use of AI applications and tools by employees
Shadow AI refers to unsanctioned and unmonitored use of AI applications and tools by employees without IT oversight or approval. Unlike legitimate corporate AI infrastructure, Shadow AI exists outside governance frameworks and security controls.
2What is the primary distinguishing feature of "Agentic AI" compared to traditional conversational LLMs?
CorrectC: The ability to autonomously plan, reason, and execute actions using external tools
Agentic AI systems can autonomously plan, reason through multi-step problems, and execute actions by calling external APIs/tools. Conversational LLMs simply process and respond to user inputs without autonomous tool usage or decision-making loops.
IncorrectC: The ability to autonomously plan, reason, and execute actions using external tools
Agentic AI systems can autonomously plan, reason through multi-step problems, and execute actions by calling external APIs/tools. Conversational LLMs simply process and respond to user inputs without autonomous tool usage or decision-making loops.
3Which risk is most directly associated with employees pasting proprietary source code into public LLM chatbots to check for bugs?
CorrectD: Intellectual property data exfiltration and subsequent model training
Public LLM providers routinely harvest user inputs to improve their models. Proprietary code pasted into public chatbots is scraped, tokenized, and incorporated into the provider's training data, resulting in IP theft and potential future model leakage.
IncorrectD: Intellectual property data exfiltration and subsequent model training
Public LLM providers routinely harvest user inputs to improve their models. Proprietary code pasted into public chatbots is scraped, tokenized, and incorporated into the provider's training data, resulting in IP theft and potential future model leakage.
4What is a "Prompt Injection" attack against an AI agent?
CorrectA: Maliciously crafting inputs to override the agent's original system instructions
Prompt injection attacks craft malicious user inputs designed to override or manipulate the model's system instructions and alignment. Attackers inject conflicting directives that the LLM prioritizes over the original, intended system prompt.
IncorrectA: Maliciously crafting inputs to override the agent's original system instructions
Prompt injection attacks craft malicious user inputs designed to override or manipulate the model's system instructions and alignment. Attackers inject conflicting directives that the LLM prioritizes over the original, intended system prompt.
5How does a "Human-in-the-Loop" (HITL) architecture mitigate Agentic AI risks?
CorrectC: By requiring explicit user approval before the agent executes high-stakes actions
HITL architecture maintains human oversight of critical AI decisions. Before an agent executes high-risk actions (deleting records, transferring funds, accessing sensitive data), a human reviewer must explicitly approve the proposed action.
IncorrectC: By requiring explicit user approval before the agent executes high-stakes actions
HITL architecture maintains human oversight of critical AI decisions. Before an agent executes high-risk actions (deleting records, transferring funds, accessing sensitive data), a human reviewer must explicitly approve the proposed action.
6Which traditional cybersecurity tool is most frequently adapted to detect and block Shadow AI usage on corporate networks?
CorrectA: Cloud Access Security Broker (CASB)
CASBs (Cloud Access Security Brokers) are designed to monitor and control employee access to cloud applications. They are the primary tool for discovering Shadow AI by detecting traffic to unauthorized AI endpoints like ChatGPT, Claude, and other public LLM services.
IncorrectA: Cloud Access Security Broker (CASB)
CASBs (Cloud Access Security Brokers) are designed to monitor and control employee access to cloud applications. They are the primary tool for discovering Shadow AI by detecting traffic to unauthorized AI endpoints like ChatGPT, Claude, and other public LLM services.
7What is the primary goal of an enterprise AI Acceptable Use Policy (AUP)?
CorrectB: To establish clear boundaries on which AI tools employees can legally and safely use for company business
An AI Acceptable Use Policy (AUP) defines the legitimate use cases, approved tools, data classification rules, and consequences for Shadow AI usage. It balances innovation with security and compliance requirements.
IncorrectB: To establish clear boundaries on which AI tools employees can legally and safely use for company business
An AI Acceptable Use Policy (AUP) defines the legitimate use cases, approved tools, data classification rules, and consequences for Shadow AI usage. It balances innovation with security and compliance requirements.
8If an AI agent has permission to read emails to summarize them, but is tricked into forwarding a confidential email to an attacker, what specific security principle was violated?
CorrectD: The Principle of Least Privilege
The Principle of Least Privilege states that a system should have the minimum permissions necessary to perform its assigned task. An email-reading agent should have read-only access; forwarding capability was not required and violated this principle.
IncorrectD: The Principle of Least Privilege
The Principle of Least Privilege states that a system should have the minimum permissions necessary to perform its assigned task. An email-reading agent should have read-only access; forwarding capability was not required and violated this principle.
9What defines an "Indirect Prompt Injection"?
CorrectA: An attack where the malicious instructions are embedded in external data (like a website) that the agent retrieves
Indirect prompt injection embeds malicious instructions in external data sources (websites, documents, emails) that the agent retrieves via web browsing or document reading tools. The agent unknowingly processes and acts on the attacker's instructions.
IncorrectA: An attack where the malicious instructions are embedded in external data (like a website) that the agent retrieves
Indirect prompt injection embeds malicious instructions in external data sources (websites, documents, emails) that the agent retrieves via web browsing or document reading tools. The agent unknowingly processes and acts on the attacker's instructions.
10Why are public AI image generators considered a Shadow AI risk?
CorrectC: Employees might upload sensitive internal documents or unreleased product designs as reference images
Employees often use public image generators (DALL-E, Midjourney, Stable Diffusion) to expedite work, unknowingly exposing sensitive data. Uploaded documents and designs are scraped by the service providers for model training, resulting in IP theft.
IncorrectC: Employees might upload sensitive internal documents or unreleased product designs as reference images
Employees often use public image generators (DALL-E, Midjourney, Stable Diffusion) to expedite work, unknowingly exposing sensitive data. Uploaded documents and designs are scraped by the service providers for model training, resulting in IP theft.
11What does "Over-permissioning" mean in the context of Agentic AI?
CorrectB: Granting an AI agent broader API access rights than strictly necessary for its assigned task
Over-permissioning grants an agent excessive API permissions beyond what is required. For example, a summarization agent should not have access to delete databases or execute administrative commands. This increases the blast radius of potential attacks.
IncorrectB: Granting an AI agent broader API access rights than strictly necessary for its assigned task
Over-permissioning grants an agent excessive API permissions beyond what is required. For example, a summarization agent should not have access to delete databases or execute administrative commands. This increases the blast radius of potential attacks.
12Which of the following is a common symptom of a widespread Shadow AI problem within an enterprise?
CorrectD: A sudden, unexplained spike in outbound web traffic to undocumented generative API endpoints
A spike in outbound traffic to ChatGPT, Anthropic, OpenAI, or other public LLM endpoints is a strong indicator that employees are using unsanctioned AI tools. Network monitoring and proxy analysis can immediately reveal Shadow AI usage.
IncorrectD: A sudden, unexplained spike in outbound web traffic to undocumented generative API endpoints
A spike in outbound traffic to ChatGPT, Anthropic, OpenAI, or other public LLM endpoints is a strong indicator that employees are using unsanctioned AI tools. Network monitoring and proxy analysis can immediately reveal Shadow AI usage.
13What is an "Autonomous Propagation" risk in Agentic AI?
CorrectC: An agent writing and deploying its own code to copy itself across networked servers without oversight
Autonomous propagation occurs when a compromised or rogue agent writes and deploys its own code across networked systems. This represents an extreme escalation risk where a single vulnerable agent can laterally expand its footprint.
IncorrectC: An agent writing and deploying its own code to copy itself across networked servers without oversight
Autonomous propagation occurs when a compromised or rogue agent writes and deploys its own code across networked systems. This represents an extreme escalation risk where a single vulnerable agent can laterally expand its footprint.
14How do attackers typically exploit the "Confused Deputy" vulnerability in Agentic AI?
CorrectA: By manipulating a privileged AI agent into executing a harmful action on behalf of an unprivileged attacker
The Confused Deputy attack manipulates a privileged agent (e.g., with database admin rights) into executing a harmful action on behalf of an unprivileged attacker. The agent's legitimate authority is weaponized against the organization.
IncorrectA: By manipulating a privileged AI agent into executing a harmful action on behalf of an unprivileged attacker
The Confused Deputy attack manipulates a privileged agent (e.g., with database admin rights) into executing a harmful action on behalf of an unprivileged attacker. The agent's legitimate authority is weaponized against the organization.
15What is the primary privacy concern when employees use unsanctioned, free-tier AI summarization tools?
CorrectD: The tool providers routinely harvest user inputs to train their next generation of public models
Free-tier AI tools explicitly state in their terms of service that user inputs are harvested for model improvement. Employees using these tools to summarize proprietary content are effectively donating training data to competitors.
IncorrectD: The tool providers routinely harvest user inputs to train their next generation of public models
Free-tier AI tools explicitly state in their terms of service that user inputs are harvested for model improvement. Employees using these tools to summarize proprietary content are effectively donating training data to competitors.
16Which security mechanism restricts an AI agent from accessing specific external websites or IP addresses?
CorrectB: Egress filtering and network-level allowlisting
Egress filtering and network allowlisting control which external URLs and IP addresses an agent can access. By restricting egress traffic, organizations prevent agents from exfiltrating data to attacker-controlled servers.
IncorrectB: Egress filtering and network-level allowlisting
Egress filtering and network allowlisting control which external URLs and IP addresses an agent can access. By restricting egress traffic, organizations prevent agents from exfiltrating data to attacker-controlled servers.
17What is the "System Prompt" in an Agentic AI architecture?
CorrectD: The foundational, hidden set of instructions that dictates the agent's persona, rules, and operational constraints
The system prompt is the hidden, foundational instruction set that defines an agent's behavior, constraints, and role. It is the primary target for prompt injection attacks and the key lever for controlling agent behavior.
IncorrectD: The foundational, hidden set of instructions that dictates the agent's persona, rules, and operational constraints
The system prompt is the hidden, foundational instruction set that defines an agent's behavior, constraints, and role. It is the primary target for prompt injection attacks and the key lever for controlling agent behavior.
18Why is API key leakage a critical concern regarding Shadow AI?
CorrectA: Developers might hardcode unsanctioned personal API keys into enterprise code repositories
Developers often hardcode personal API keys (e.g., ChatGPT API keys purchased with personal credit cards) into stolen or leaked code repositories. These exposed keys allow attackers to consume the API quota or impersonate legitimate API calls.
IncorrectA: Developers might hardcode unsanctioned personal API keys into enterprise code repositories
Developers often hardcode personal API keys (e.g., ChatGPT API keys purchased with personal credit cards) into stolen or leaked code repositories. These exposed keys allow attackers to consume the API quota or impersonate legitimate API calls.
19What is an "Agentic Workflow"?
CorrectC: A sequence of automated tasks where an AI model iteratively loops, reasons, and uses tools to achieve a final goal
An agentic workflow is an iterative process where an agent repeatedly loops through: think (reason), act (call tools), observe (process results) until reaching a final goal. This differs from a single LLM response.
IncorrectC: A sequence of automated tasks where an AI model iteratively loops, reasons, and uses tools to achieve a final goal
An agentic workflow is an iterative process where an agent repeatedly loops through: think (reason), act (call tools), observe (process results) until reaching a final goal. This differs from a single LLM response.
20How can organizations effectively discover the extent of Shadow AI usage?
CorrectB: By analyzing DNS logs and proxy firewall traffic for known AI service domains
DNS logs and proxy firewall traffic reveal which external API endpoints employees are accessing. By analyzing logs for connections to ChatGPT, Claude, Gemini, and other known LLM endpoints, organizations can quantify Shadow AI usage.
IncorrectB: By analyzing DNS logs and proxy firewall traffic for known AI service domains
DNS logs and proxy firewall traffic reveal which external API endpoints employees are accessing. By analyzing logs for connections to ChatGPT, Claude, Gemini, and other known LLM endpoints, organizations can quantify Shadow AI usage.
Agentic AI Security & Shadow AI β Concepts
1How does a "Jailbreak" differ from a standard Prompt Injection?
CorrectD: Jailbreaks attempt to bypass the model's safety alignments to generate forbidden content, whereas prompt injection hijacks the agent's functional logic
Jailbreaks bypass safety guardrails to generate harmful content (violence, illegal instructions). Prompt injections hijack the agent's tool-calling logic to execute unintended actions (unauthorized API calls, data access). These are distinct attack vectors.
IncorrectD: Jailbreaks attempt to bypass the model's safety alignments to generate forbidden content, whereas prompt injection hijacks the agent's functional logic
Jailbreaks bypass safety guardrails to generate harmful content (violence, illegal instructions). Prompt injections hijack the agent's tool-calling logic to execute unintended actions (unauthorized API calls, data access). These are distinct attack vectors.
2In a Retrieval-Augmented Generation (RAG) system, what is the primary risk of "Data Poisoning"?
CorrectA: Attackers manipulate the underlying vector database documents to force the agent to retrieve and output malicious context
In RAG data poisoning, attackers modify documents within the vector database. When the agent retrieves these poisoned documents and cites them as authoritative, the model outputs misinformation, credentials, or malicious instructions.
IncorrectA: Attackers manipulate the underlying vector database documents to force the agent to retrieve and output malicious context
In RAG data poisoning, attackers modify documents within the vector database. When the agent retrieves these poisoned documents and cites them as authoritative, the model outputs misinformation, credentials, or malicious instructions.
3What is the architectural purpose of a "Semantic Firewall" or "Guardrail" model?
CorrectC: To analyze the inputs and outputs of the primary agent against policy rules before the user sees the response
A guardrail model runs LLM outputs through a secondary classifier that checks for policy violations, jailbreak attempts, or unsafe content. If violations are detected, the output is blocked or modified before reaching the user.
IncorrectC: To analyze the inputs and outputs of the primary agent against policy rules before the user sees the response
A guardrail model runs LLM outputs through a secondary classifier that checks for policy violations, jailbreak attempts, or unsafe content. If violations are detected, the output is blocked or modified before reaching the user.
4If a Shadow AI application suffers a data breach exposing employee inputs, which regulatory framework is most likely violated if European customer data was included?
CorrectB: General Data Protection Regulation (GDPR)
GDPR requires explicit data processing consent and regulates any EU resident's personal data. If employee inputs containing customer PII were uploaded to unsanctioned AI tools and subsequently breached, GDPR violations and hefty fines are inevitable.
IncorrectB: General Data Protection Regulation (GDPR)
GDPR requires explicit data processing consent and regulates any EU resident's personal data. If employee inputs containing customer PII were uploaded to unsanctioned AI tools and subsequently breached, GDPR violations and hefty fines are inevitable.
5What specific threat does "Tool Abuse" represent in Agentic AI?
CorrectA: An attacker manipulating the agent's reasoning process to force it to call a legitimate internal API with malicious parameters
Tool abuse exploits flawed agent reasoning. An attacker tricks the agent into calling a legitimate API (e.g., delete_user()) with malicious parameters, causing harm while the agent's action appears authorized.
IncorrectA: An attacker manipulating the agent's reasoning process to force it to call a legitimate internal API with malicious parameters
Tool abuse exploits flawed agent reasoning. An attacker tricks the agent into calling a legitimate API (e.g., delete_user()) with malicious parameters, causing harm while the agent's action appears authorized.
6How can organizations implement Data Loss Prevention (DLP) specifically for sanctioned AI chat interfaces?
CorrectD: By intercepting prompts at the API gateway and masking Personally Identifiable Information (PII) before transmission
DLP for AI involves intercepting API calls at the enterprise gateway, detecting sensitive data (SSNs, credit cards, passwords) using regex or ML classifiers, masking or blocking the transmission, and logging the attempt.
IncorrectD: By intercepting prompts at the API gateway and masking Personally Identifiable Information (PII) before transmission
DLP for AI involves intercepting API calls at the enterprise gateway, detecting sensitive data (SSNs, credit cards, passwords) using regex or ML classifiers, masking or blocking the transmission, and logging the attempt.
7Why is auditing Agentic AI decisions significantly more difficult than auditing traditional software?
CorrectB: The non-deterministic nature of LLMs means the exact same inputs can yield wildly different reasoning paths and tool calls
LLMs are fundamentally probabilistic. The same input can generate different outputs, reasoning paths, and tool selections on repeated runs. Traditional software executing the same code always produces identical results, making comparison and auditing straightforward.
IncorrectB: The non-deterministic nature of LLMs means the exact same inputs can yield wildly different reasoning paths and tool calls
LLMs are fundamentally probabilistic. The same input can generate different outputs, reasoning paths, and tool selections on repeated runs. Traditional software executing the same code always produces identical results, making comparison and auditing straightforward.
8What is the "Sybil Attack" equivalent in the context of distributed AI agents?
CorrectC: A malicious actor spinning up thousands of rogue agents to artificially manipulate a decentralized AI consensus network
In distributed AI networks, a Sybil attack involves creating thousands of fake agent identities to overwhelm consensus mechanisms or voting systems. This allows a single attacker to control network outcomes.
IncorrectC: A malicious actor spinning up thousands of rogue agents to artificially manipulate a decentralized AI consensus network
In distributed AI networks, a Sybil attack involves creating thousands of fake agent identities to overwhelm consensus mechanisms or voting systems. This allows a single attacker to control network outcomes.
9Which vulnerability allows an attacker to exploit a web browsing agent by hiding instructions in invisible text on a webpage?
CorrectB: Indirect Prompt Injection via DOM manipulation
Attackers can hide malicious CSS (e.g., display: none) or Unicode zero-width characters containing prompt injection instructions in webpages. When a browsing agent fetches the page, it processes these invisible instructions.
IncorrectB: Indirect Prompt Injection via DOM manipulation
Attackers can hide malicious CSS (e.g., display: none) or Unicode zero-width characters containing prompt injection instructions in webpages. When a browsing agent fetches the page, it processes these invisible instructions.
10In the context of Shadow AI, what is "Bring Your Own Key" (BYOK) risk?
CorrectD: Employees using their personal credit cards to fund unsanctioned API usage, bypassing IT budget and security oversight
Employees often use personal credit cards to subscribe to premium LLM APIs (ChatGPT Pro, Claude+) to avoid detection. This circumvents budget controls and makes Shadow AI financially invisible to IT/finance teams.
IncorrectD: Employees using their personal credit cards to fund unsanctioned API usage, bypassing IT budget and security oversight
Employees often use personal credit cards to subscribe to premium LLM APIs (ChatGPT Pro, Claude+) to avoid detection. This circumvents budget controls and makes Shadow AI financially invisible to IT/finance teams.
11How does "Role-Based Access Control" (RBAC) apply to an AI agent executing SQL queries?
CorrectA: The agent's database connection string is restricted to a dedicated service account with strictly limited read/write permissions
RBAC restricts agents to minimal necessary permissions. A read-only summarization agent connects with read-only credentials; agents requiring write access use separate, narrowly scoped credentials limited to specific tables.
IncorrectA: The agent's database connection string is restricted to a dedicated service account with strictly limited read/write permissions
RBAC restricts agents to minimal necessary permissions. A read-only summarization agent connects with read-only credentials; agents requiring write access use separate, narrowly scoped credentials limited to specific tables.
12What is the primary danger of allowing an Agentic AI to execute arbitrary code (e.g., Python REPL) to solve math problems?
CorrectC: The agent might inadvertently or maliciously execute OS-level shell commands that compromise the host container
If an agent can execute arbitrary code (Python, bash), an attacker can craft prompts containing shell commands (e.g., `rm -rf /`) that execute with the container's privileges, exfiltrating data or destroying systems.
IncorrectC: The agent might inadvertently or maliciously execute OS-level shell commands that compromise the host container
If an agent can execute arbitrary code (Python, bash), an attacker can craft prompts containing shell commands (e.g., `rm -rf /`) that execute with the container's privileges, exfiltrating data or destroying systems.
13How do security teams utilize "Honeypots" to secure Agentic AI?
CorrectD: By deploying fake APIs or documents designed to trigger an alert if a rogue or compromised agent attempts to interact with them
Security honeypots are decoy resources (fake database endpoints, sensitive fake documents) that are never used by legitimate agents. Any access is immediately flagged as malicious or compromised agent activity.
IncorrectD: By deploying fake APIs or documents designed to trigger an alert if a rogue or compromised agent attempts to interact with them
Security honeypots are decoy resources (fake database endpoints, sensitive fake documents) that are never used by legitimate agents. Any access is immediately flagged as malicious or compromised agent activity.
14Which technique is most effective at preventing an LLM agent from executing a catastrophic "DROP TABLE" command via SQL injection?
CorrectB: Enforcing parameterized queries and strict schema validation at the tool execution layer
Parameterized queries (prepared statements) separate SQL logic from user input. Strict schema validation ensures agents can only operate on pre-approved tables/columns. This prevents arbitrary SQL injection regardless of prompt manipulation.
IncorrectB: Enforcing parameterized queries and strict schema validation at the tool execution layer
Parameterized queries (prepared statements) separate SQL logic from user input. Strict schema validation ensures agents can only operate on pre-approved tables/columns. This prevents arbitrary SQL injection regardless of prompt manipulation.
15What is "Model Inversion" in the context of AI security?
CorrectA: An attack where adversaries repeatedly query an API to reverse-engineer and extract the sensitive training data memorized by the model
Model inversion exploits LLLMs' tendency to memorize training data. Attackers craft specific queries that trick the model into outputting verbatim excerpts from its training set, recovering sensitive information (passwords, API keys, PII).
IncorrectA: An attack where adversaries repeatedly query an API to reverse-engineer and extract the sensitive training data memorized by the model
Model inversion exploits LLLMs' tendency to memorize training data. Attackers craft specific queries that trick the model into outputting verbatim excerpts from its training set, recovering sensitive information (passwords, API keys, PII).
16How does Shadow AI complicate Incident Response (IR) efforts?
CorrectC: Security teams lack the necessary access logs and telemetry to investigate exactly what data was compromised during a breach
Shadow AI systems operate outside security monitoring. If breached, incident responders cannot access logs, API call histories, or data transfer records, making scope assessment, root cause analysis, and damage quantification impossible.
IncorrectC: Security teams lack the necessary access logs and telemetry to investigate exactly what data was compromised during a breach
Shadow AI systems operate outside security monitoring. If breached, incident responders cannot access logs, API call histories, or data transfer records, making scope assessment, root cause analysis, and damage quantification impossible.
17What is the purpose of "Tracing" in an Agentic AI framework like LangChain or LlamaIndex?
CorrectD: To record the exact sequence of thought, tool selection, and intermediate outputs for debugging and security auditing
Tracing captures a complete execution log: the agent's reasoning steps, tool choices, API responses, and intermediate outputs. This is critical for auditing, debugging, and detecting when an agent was manipulated into executing unintended actions.
IncorrectD: To record the exact sequence of thought, tool selection, and intermediate outputs for debugging and security auditing
Tracing captures a complete execution log: the agent's reasoning steps, tool choices, API responses, and intermediate outputs. This is critical for auditing, debugging, and detecting when an agent was manipulated into executing unintended actions.
18Why is securing the "System Prompt" insufficient to protect an Agentic AI?
CorrectB: Because natural language instructions lack strict logical boundaries, allowing clever user prompts to mathematically outweigh the system prompt's attention weights
LLMs operate probabilistically; inputs with high enough salience can overpower the system prompt in attention weights. Additionally, multi-turn conversations allow attackers to gradually steer the agent through seemingly benign escalations.
IncorrectB: Because natural language instructions lack strict logical boundaries, allowing clever user prompts to mathematically outweigh the system prompt's attention weights
LLMs operate probabilistically; inputs with high enough salience can overpower the system prompt in attention weights. Additionally, multi-turn conversations allow attackers to gradually steer the agent through seemingly benign escalations.
19What is "Sponge Poisoning" (or Energy Latency Attack) against an AI model?
CorrectA: Crafting specific inputs designed to maximize the computational complexity of the model's generation, causing a Denial of Service
Sponge poisoning exploits the quadratic time complexity of transformer attention. Attackers craft extremely long, complex prompts that force the model into expensive computation loops, consuming massive compute resources and causing service degradation.
IncorrectA: Crafting specific inputs designed to maximize the computational complexity of the model's generation, causing a Denial of Service
Sponge poisoning exploits the quadratic time complexity of transformer attention. Attackers craft extremely long, complex prompts that force the model into expensive computation loops, consuming massive compute resources and causing service degradation.
20Which method is used to secure the transmission of data between a corporate network and a sanctioned third-party LLM API?
CorrectC: Establishing a dedicated, private network link (like AWS PrivateLink) to bypass the public internet
Private network links (AWS PrivateLink, Azure Private Link) establish encrypted, non-internet-routable paths to API endpoints. This prevents MITM attacks and ensures sensitive data never traverses public internet infrastructure.
IncorrectC: Establishing a dedicated, private network link (like AWS PrivateLink) to bypass the public internet
Private network links (AWS PrivateLink, Azure Private Link) establish encrypted, non-internet-routable paths to API endpoints. This prevents MITM attacks and ensures sensitive data never traverses public internet infrastructure.
Agentic AI Security & Shadow AI β Advanced
1How does a "Crescendo Attack" successfully bypass standard LLM guardrails?
CorrectC: By slowly steering the conversation through a series of seemingly benign, escalating questions that gradually trick the model into producing harmful content
Crescendo attacks use conversational steering. Instead of direct jailbreaking, attackers engage the model in seemingly innocent escalations (e.g., role-play scenarios) that gradually lower guardrail thresholds until forbidden content is generated.
IncorrectC: By slowly steering the conversation through a series of seemingly benign, escalating questions that gradually trick the model into producing harmful content
Crescendo attacks use conversational steering. Instead of direct jailbreaking, attackers engage the model in seemingly innocent escalations (e.g., role-play scenarios) that gradually lower guardrail thresholds until forbidden content is generated.
2In advanced Agentic AI architectures, what is the role of a "Turing Box" or strict Sandboxing for code execution tools?
CorrectD: To physically and logically isolate the agent's code execution environment (e.g., via heavily restricted Docker containers or gVisor) to prevent host compromise
Sandboxing isolates code execution in restricted containers (Docker with dropped capabilities, gVisor, WebAssembly). Even if an agent is compromised or tricked into executing malicious code, the host system remains protected.
IncorrectD: To physically and logically isolate the agent's code execution environment (e.g., via heavily restricted Docker containers or gVisor) to prevent host compromise
Sandboxing isolates code execution in restricted containers (Docker with dropped capabilities, gVisor, WebAssembly). Even if an agent is compromised or tricked into executing malicious code, the host system remains protected.
3What is the "Walrus Attack" (or prompt leaking) primarily designed to achieve against commercial AI agents?
CorrectA: Forcing the agent to output its proprietary, highly engineered system prompt and internal tool descriptions
The Walrus attack (prompt leaking) tricks agents into repeating or revealing their hidden system prompt. By extracting the system prompt, attackers gain full knowledge of the agent's capabilities, constraints, and internal tool APIs.
IncorrectA: Forcing the agent to output its proprietary, highly engineered system prompt and internal tool descriptions
The Walrus attack (prompt leaking) tricks agents into repeating or revealing their hidden system prompt. By extracting the system prompt, attackers gain full knowledge of the agent's capabilities, constraints, and internal tool APIs.
4How can "Adversarial Perturbations" bypass visual AI agents (Vision-Language Models)?
CorrectB: By introducing microscopic, mathematically calculated pixel noise into an image that forces the agent to misclassify the object entirely
Adversarial perturbations exploit VLM pixel-space vulnerabilities. Attackers add imperceptible noise patterns that, while invisible to humans, cause the model to misclassify objects. This bypasses visual security controls.
IncorrectB: By introducing microscopic, mathematically calculated pixel noise into an image that forces the agent to misclassify the object entirely
Adversarial perturbations exploit VLM pixel-space vulnerabilities. Attackers add imperceptible noise patterns that, while invisible to humans, cause the model to misclassify objects. This bypasses visual security controls.
5What is the fundamental security flaw in using LLMs to evaluate and sanitize the outputs of other LLMs (LLM-as-a-Judge)?
CorrectD: The evaluating LLM is susceptible to the exact same injection attacks and hallucination biases as the target LLM
Using an LLM to evaluate another LLM's output is insufficient. Both models share identical vulnerabilities to prompt injection, hallucination, and jailbreaking. A malicious output can trick both simultaneously.
IncorrectD: The evaluating LLM is susceptible to the exact same injection attacks and hallucination biases as the target LLM
Using an LLM to evaluate another LLM's output is insufficient. Both models share identical vulnerabilities to prompt injection, hallucination, and jailbreaking. A malicious output can trick both simultaneously.
6In the context of Shadow AI APIs, what does "Shadow SaaS" discovery specifically entail?
CorrectC: Utilizing OAuth integration analysis to identify third-party applications that employees have granted access to corporate environments
Shadow SaaS discovery involves auditing OAuth token grants and third-party integrations. Employees often authorize unauthorized AI apps to access corporate email, files, or databases, creating data exfiltration pathways.
IncorrectC: Utilizing OAuth integration analysis to identify third-party applications that employees have granted access to corporate environments
Shadow SaaS discovery involves auditing OAuth token grants and third-party integrations. Employees often authorize unauthorized AI apps to access corporate email, files, or databases, creating data exfiltration pathways.
7How does a "Server-Side Request Forgery" (SSRF) attack manifest in an Agentic AI equipped with a web scraping tool?
CorrectB: The attacker commands the agent to fetch a URL pointing to internal, non-routable IP addresses (e.g., 169.254.169.254) to exfiltrate cloud metadata
SSRF exploits a web-scraping agent to access internal IP ranges. In AWS, the IP 169.254.169.254 hosts instance metadata (credentials, IAM roles). An attacker tricks the agent into fetching this URL, exfiltrating AWS credentials.
IncorrectB: The attacker commands the agent to fetch a URL pointing to internal, non-routable IP addresses (e.g., 169.254.169.254) to exfiltrate cloud metadata
SSRF exploits a web-scraping agent to access internal IP ranges. In AWS, the IP 169.254.169.254 hosts instance metadata (credentials, IAM roles). An attacker tricks the agent into fetching this URL, exfiltrating AWS credentials.
8What cryptographic technique is currently being researched to verify that an AI model actually executed a specific prompt without tampering?
CorrectA: Zero-Knowledge Machine Learning (ZK-ML) proofs
ZK-ML proofs allow verification that a model processed a specific input and produced a specific output without revealing the model weights or intermediate computations. This enables cryptographically auditable AI alignment.
IncorrectA: Zero-Knowledge Machine Learning (ZK-ML) proofs
ZK-ML proofs allow verification that a model processed a specific input and produced a specific output without revealing the model weights or intermediate computations. This enables cryptographically auditable AI alignment.
9Why are "Multi-Agent Systems" (like AutoGen or CrewAI) exponentially more difficult to secure than single-agent systems?
CorrectC: They introduce complex inter-agent communication protocols where a compromised sub-agent can socially engineer a highly privileged master agent
In multi-agent systems, agents communicate and influence each other. A compromised or rogue sub-agent can manipulate privileged agents through misinformation, false reports, or coordinated attacks, creating lateral privilege escalation.
IncorrectC: They introduce complex inter-agent communication protocols where a compromised sub-agent can socially engineer a highly privileged master agent
In multi-agent systems, agents communicate and influence each other. A compromised or rogue sub-agent can manipulate privileged agents through misinformation, false reports, or coordinated attacks, creating lateral privilege escalation.
10What is the specific mechanism behind an "ASCII Smuggling" attack on an LLM agent?
CorrectA: Utilizing invisible Unicode tags or specific control characters that the LLM processes as instructions, but are completely invisible to human reviewers
ASCII smuggling exploits Unicode encoding. Attackers embed zero-width spaces, invisible control characters, or alternate Unicode representations that tokenizers process as instructions but are invisible to human code review.
IncorrectA: Utilizing invisible Unicode tags or specific control characters that the LLM processes as instructions, but are completely invisible to human reviewers
ASCII smuggling exploits Unicode encoding. Attackers embed zero-width spaces, invisible control characters, or alternate Unicode representations that tokenizers process as instructions but are invisible to human code review.
11How do security engineers implement "Data Redaction at the Edge" to combat Shadow AI data leakage?
CorrectD: By deploying a localized proxy agent that utilizes Named Entity Recognition (NER) to strip sensitive data from HTTP payloads before they reach external LLM endpoints
Data redaction at the edge uses NLP models to detect PII, secrets, and sensitive patterns in real-time. Before HTTP traffic reaches external AI APIs, a local proxy strips or masks sensitive data, preventing exfiltration.
IncorrectD: By deploying a localized proxy agent that utilizes Named Entity Recognition (NER) to strip sensitive data from HTTP payloads before they reach external LLM endpoints
Data redaction at the edge uses NLP models to detect PII, secrets, and sensitive patterns in real-time. Before HTTP traffic reaches external AI APIs, a local proxy strips or masks sensitive data, preventing exfiltration.
12What is a "Sleepwalking" attack in the context of autonomous AI agents?
CorrectB: An attack where the agent's internal state is corrupted, causing it to execute repetitive, resource-draining tool calls without ever reaching a termination state
Sleepwalking attacks corrupt agent state machines, causing infinite loops. An agent repeatedly calls the same tool without progress, consuming CPU/API budget while appearing to "work." Detection requires monitoring tool-call patterns.
IncorrectB: An attack where the agent's internal state is corrupted, causing it to execute repetitive, resource-draining tool calls without ever reaching a termination state
Sleepwalking attacks corrupt agent state machines, causing infinite loops. An agent repeatedly calls the same tool without progress, consuming CPU/API budget while appearing to "work." Detection requires monitoring tool-call patterns.
13In securing a RAG architecture against "Document Injection", what is the most effective mitigation strategy?
CorrectA: Implementing strict RBAC at the vector database level, ensuring the retrieval agent only accesses embeddings tagged with the requesting user's authorization level
Document injection mitigation requires layered controls: RBAC on vector database access, document versioning/provenance tracking, and cryptographic signatures on trusted documents. Only authorized users can retrieve their respective documents.
IncorrectA: Implementing strict RBAC at the vector database level, ensuring the retrieval agent only accesses embeddings tagged with the requesting user's authorization level
Document injection mitigation requires layered controls: RBAC on vector database access, document versioning/provenance tracking, and cryptographic signatures on trusted documents. Only authorized users can retrieve their respective documents.
14What is the primary vulnerability of utilizing "Few-Shot Prompting" to instruct an agent on how to use internal APIs?
CorrectB: If an attacker extracts the prompt, they instantly obtain valid examples of internal API structures, endpoints, and potentially hardcoded sample tokens
Few-shot examples in prompts often contain real API endpoints, request/response formats, and sometimes sample tokens. If a prompt is extracted (via prompt leaking attacks), attackers gain a complete API blueprint.
IncorrectB: If an attacker extracts the prompt, they instantly obtain valid examples of internal API structures, endpoints, and potentially hardcoded sample tokens
Few-shot examples in prompts often contain real API endpoints, request/response formats, and sometimes sample tokens. If a prompt is extracted (via prompt leaking attacks), attackers gain a complete API blueprint.
15How does the "Rebuff" framework attempt to secure LLM applications against prompt injection?
CorrectC: By utilizing a multi-layered approach combining heuristic filters, a dedicated LLM analyzer, and a vector database of known attack signatures
Rebuff uses multiple defense layers: regex-based heuristic detection, a secondary LLM that analyzes prompts for injection patterns, and similarity searches against a database of known jailbreak/injection attacks.
IncorrectC: By utilizing a multi-layered approach combining heuristic filters, a dedicated LLM analyzer, and a vector database of known attack signatures
Rebuff uses multiple defense layers: regex-based heuristic detection, a secondary LLM that analyzes prompts for injection patterns, and similarity searches against a database of known jailbreak/injection attacks.
16What is the concept of "Cryptographic Alignment" in future Agentic AI systems?
CorrectD: Requiring the agent to possess cryptographically signed authorization tokens that dynamically expire based on the risk level of the requested action
Cryptographic alignment uses signed capability tokens and risk-based expiration. An agent can only execute actions it has explicit cryptographic authorization for, and token validity is reassessed before each action based on context risk.
IncorrectD: Requiring the agent to possess cryptographically signed authorization tokens that dynamically expire based on the risk level of the requested action
Cryptographic alignment uses signed capability tokens and risk-based expiration. An agent can only execute actions it has explicit cryptographic authorization for, and token validity is reassessed before each action based on context risk.
17How does a "Data Extraction via Markdown" attack exploit an Agentic AI's formatting capabilities?
CorrectB: The attacker tricks the agent into formatting a response containing sensitive internal data as an external image link (``), forcing the rendering client to execute a blind GET request
Markdown image syntax can encode data in URLs. An attacker tricks the agent into formatting sensitive information as a markdown image link, and when rendered, the browser fetches the link, exfiltrating the data to the attacker's server.
IncorrectB: The attacker tricks the agent into formatting a response containing sensitive internal data as an external image link (``), forcing the rendering client to execute a blind GET request
Markdown image syntax can encode data in URLs. An attacker tricks the agent into formatting sensitive information as a markdown image link, and when rendered, the browser fetches the link, exfiltrating the data to the attacker's server.
18In the context of enterprise AI governance, what defines a "Model Registry" security protocol?
CorrectC: A centralized, immutable repository that mandates cryptographic hashing and vulnerability scanning of all approved foundation models before they can be deployed internally
A model registry is a controlled repository where all approved models are cryptographically signed, versioned, and scanned for security vulnerabilities. Deployments must originate from the registry, preventing rogue or compromised models.
IncorrectC: A centralized, immutable repository that mandates cryptographic hashing and vulnerability scanning of all approved foundation models before they can be deployed internally
A model registry is a controlled repository where all approved models are cryptographically signed, versioned, and scanned for security vulnerabilities. Deployments must originate from the registry, preventing rogue or compromised models.
19What is the "Dual-LLM Pattern" (or separating the planner from the executor) designed to prevent in Agentic architectures?
CorrectD: It isolates the untrusted user input to a sandboxed parsing LLM, ensuring the highly privileged execution LLM only receives sanitized, strictly formatted API JSON payloads
The dual-LLM pattern uses a restricted parser LLM to process untrusted user input, converting it into strict JSON schemas. The privileged executor LLM only receives validated payloads, preventing injection attacks from reaching execution.
IncorrectD: It isolates the untrusted user input to a sandboxed parsing LLM, ensuring the highly privileged execution LLM only receives sanitized, strictly formatted API JSON payloads
The dual-LLM pattern uses a restricted parser LLM to process untrusted user input, converting it into strict JSON schemas. The privileged executor LLM only receives validated payloads, preventing injection attacks from reaching execution.
20How does "Federated Learning" inherently reduce the data privacy risks associated with traditional, centralized AI training pipelines?
CorrectA: It trains the model locally on decentralized edge devices and only aggregates the mathematical weight updates, ensuring raw user data never leaves the local environment
Federated learning trains models on local edge devices and only shares aggregated weight updates to a central server. Raw user data remains local and is never transmitted, drastically reducing privacy risks.
IncorrectA: It trains the model locally on decentralized edge devices and only aggregates the mathematical weight updates, ensuring raw user data never leaves the local environment
Federated learning trains models on local edge devices and only shares aggregated weight updates to a central server. Raw user data remains local and is never transmitted, drastically reducing privacy risks.
Conclusion: Master Agentic AI Security MCQs
These 60 MCQs span the complete landscape of Agentic AI and Shadow AI security β from recognizing unsanctioned ChatGPT usage to defending against multi-stage Crescendo attacks, implementing cryptographic alignment, and securing federated learning pipelines.
The key to mastering these topics is understanding the attack surface mapping: every AI system has defined trust boundaries, tool permissions, and input/output validation layers. Breaking any of these layers compromises the system. Track which questions cover each boundary violation, and you will instantly recognize vulnerabilities in real-world deployments.
After completing this MCQ set, deepen your implementation knowledge with the full Agentic AI Security theory notes and practice with Identity & Access Management for AI and Prompt Injection & LLM Vulnerabilities MCQs to see these defense patterns applied across multiple domains.
π Key Takeaways β Agentic AI Security & Shadow AI
- Shadow AI: Unsanctioned, unmonitored use of AI tools (ChatGPT, Claude, etc.). Detected via DNS logs, proxy analysis, and CASB monitoring.
- Agentic AI: Autonomous systems that plan, reason, and execute multi-step tasks using external tools. Fundamentally different from conversational LLMs.
- Prompt Injection vs. Jailbreak: Prompt injection hijacks agent reasoning; jailbreaking bypasses safety guardrails. Distinct attack vectors.
- RAG Data Poisoning: Attacking the vector database to force the agent to retrieve malicious context and cite it as authoritative.
- Confused Deputy: Manipulating a privileged agent into executing harmful actions on behalf of an unprivileged attacker.
- Tool Abuse: Tricking the agent into calling legitimate APIs with malicious parameters.
- SSRF in Web Scraping: Commanding a browsing agent to fetch internal IP addresses (e.g., 169.254.169.254 on AWS) to exfiltrate credentials.
- Crescendo Attacks: Gradually steering conversational agents through escalating scenarios to bypass safety guardrails.
- Sandboxing: Docker containers, gVisor, and restricted execution environments prevent compromised agents from affecting the host.
- Cryptographic Alignment: Using signed capability tokens and risk-based expiration to authorize agent actions cryptographically.
Quick Review & Summary
Use this table to consolidate Agentic AI Security mappings before or after attempting the questions above.
| Risk / Attack Vector | Threat Category | Mitigation Strategy |
|---|---|---|
| Shadow AI (unsanctioned tools) | Governance / Data Loss | CASB monitoring, DNS log analysis, OAuth audits |
| Prompt Injection (direct/indirect) | Agent Reasoning Hijack | Guardrail models, prompt validation, sandboxing |
| Jailbreak Attempts | Safety Bypass | Multi-layered guardrails, LLM analyzer, signature detection |
| RAG Data Poisoning | Malicious Context Injection | RBAC on vector DB, document versioning, provenance tracking |
| Tool Abuse (malicious API calls) | Functional Manipulation | Parameterized queries, schema validation, RBAC on APIs |
| Code Execution Exploit | Host Compromise | Sandboxing (Docker, gVisor), limited syscalls, no shell |
| SSRF in Web Scraping | Credential Exfiltration | URL allowlisting, egress filtering, blocking internal IPs |
| Man-in-the-Middle on API | Data Interception | Private network links (PrivateLink), TLS encryption |
| Model Inversion | Training Data Leakage | Differential privacy, federated learning, output perturbation |
| Multi-Agent Manipulation | Lateral Privilege Escalation | Agent isolation, inter-agent authentication, signed messages |
Frequently Asked Questions
Q. How many Agentic AI Security MCQs are available on this page?
Q. What topics do these Agentic AI Security MCQs cover?
Q. Are these MCQs suitable for AI/ML security certification preparation?
Q. What is the difference between Shadow AI and Agentic AI?
Q. What is a "Prompt Injection" attack?
Q. How can organizations detect Shadow AI usage?
Q. What does "Tool Abuse" mean in Agentic AI?
Q. What is a "RAG" system and why is it vulnerable to poisoning?
Struggling with some questions? Re-read the full Theory Guide: Agentic AI Security & Shadow AI