What happened
Akamai published a detailed technical walkthrough (July 17, 2026) of a realistic step-by-step attack chain against agentic AI systems: reconnaissance to map tool surfaces and business logic, followed by precision prompt injection that fabricates a false internal state to manipulate the agent into performing an unauthorized action (a free flight booking).
Why it matters
This moves prompt injection from an abstract risk to a concrete, reproducible business-logic-bypass attack against production-style agentic workflows — showing that agents which trust their own reasoning state (rather than independently verified backend checks) can be manipulated into authorizing real-world transactions, directly relevant to any enterprise deploying tool-calling AI agents for commerce, finance, or approvals.
Attack vector
Building on prior reconnaissance techniques to map an AI agent's tool surface and extract its system prompt/decision rules, Akamai researchers demonstrate a full kill chain: an attacker uses reconnaissance to learn the exact precondition an agent checks before booking a flight (payment approval), then injects fabricated tool-output/context that convinces the agent the precondition is already satisfied, causing it to skip payment and issue a free booking.
Affected systems
Deployed agentic AI applications with sequential tool-based workflows (demonstrated against a fictional airline booking agent, "Varda")
Mitigation
Ensure back-end tools independently validate state/preconditions (e.g., payment confirmation) rather than trusting the agent's own internal reasoning or spoofable tool outputs; deploy prompt-injection detection (e.g., a firewall for AI) in front of agent tool-call pipelines.