{"id":"https://openalex.org/W7133331190","doi":"https://doi.org/10.48550/arxiv.2603.01564","title":"From Secure Agentic AI to Secure Agentic Web: Challenges, Threats, and Future Directions","display_name":"From Secure Agentic AI to Secure Agentic Web: Challenges, Threats, and Future Directions","publication_year":2026,"publication_date":"2026-03-02","ids":{"openalex":"https://openalex.org/W7133331190","doi":"https://doi.org/10.48550/arxiv.2603.01564"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2603.01564","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.01564","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2603.01564","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5127895183","display_name":"Zhihang Deng","orcid":null},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Deng, Zhihang","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5002240947","display_name":"Jiaping Gui","orcid":"https://orcid.org/0009-0001-4272-9604"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Gui, Jiaping","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5127932982","display_name":"Weinan Zhang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Zhang, Weinan","raw_affiliation_strings":[],"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":3,"corresponding_author_ids":["https://openalex.org/A5127895183"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.21060000360012054,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.21060000360012054,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.10180000215768814,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11644","display_name":"Spam and Phishing Detection","score":0.06350000202655792,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/harm","display_name":"Harm","score":0.5160999894142151},{"id":"https://openalex.org/keywords/interoperability","display_name":"Interoperability","score":0.4544999897480011},{"id":"https://openalex.org/keywords/threat-model","display_name":"Threat model","score":0.39430001378059387},{"id":"https://openalex.org/keywords/anonymity","display_name":"Anonymity","score":0.3840999901294708},{"id":"https://openalex.org/keywords/toolchain","display_name":"Toolchain","score":0.36880001425743103},{"id":"https://openalex.org/keywords/privilege","display_name":"Privilege (computing)","score":0.36039999127388},{"id":"https://openalex.org/keywords/safer","display_name":"SAFER","score":0.3296000063419342},{"id":"https://openalex.org/keywords/empirical-research","display_name":"Empirical research","score":0.32739999890327454}],"concepts":[{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.6486999988555908},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6154000163078308},{"id":"https://openalex.org/C2777363581","wikidata":"https://www.wikidata.org/wiki/Q15098235","display_name":"Harm","level":2,"score":0.5160999894142151},{"id":"https://openalex.org/C108827166","wikidata":"https://www.wikidata.org/wiki/Q175975","display_name":"Internet privacy","level":1,"score":0.4950000047683716},{"id":"https://openalex.org/C20136886","wikidata":"https://www.wikidata.org/wiki/Q749647","display_name":"Interoperability","level":2,"score":0.4544999897480011},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.39430001378059387},{"id":"https://openalex.org/C178005623","wikidata":"https://www.wikidata.org/wiki/Q308859","display_name":"Anonymity","level":2,"score":0.3840999901294708},{"id":"https://openalex.org/C2777062904","wikidata":"https://www.wikidata.org/wiki/Q545406","display_name":"Toolchain","level":3,"score":0.36880001425743103},{"id":"https://openalex.org/C2780138299","wikidata":"https://www.wikidata.org/wiki/Q3404265","display_name":"Privilege (computing)","level":2,"score":0.36039999127388},{"id":"https://openalex.org/C2776654903","wikidata":"https://www.wikidata.org/wiki/Q2601463","display_name":"SAFER","level":2,"score":0.3296000063419342},{"id":"https://openalex.org/C120936955","wikidata":"https://www.wikidata.org/wiki/Q2155640","display_name":"Empirical research","level":2,"score":0.32739999890327454},{"id":"https://openalex.org/C48044578","wikidata":"https://www.wikidata.org/wiki/Q727490","display_name":"Scalability","level":2,"score":0.32179999351501465},{"id":"https://openalex.org/C86532276","wikidata":"https://www.wikidata.org/wiki/Q1184065","display_name":"Delegation","level":2,"score":0.31139999628067017},{"id":"https://openalex.org/C78780964","wikidata":"https://www.wikidata.org/wiki/Q7233193","display_name":"Position paper","level":2,"score":0.3107999861240387},{"id":"https://openalex.org/C2778355321","wikidata":"https://www.wikidata.org/wiki/Q17079427","display_name":"Identity (music)","level":2,"score":0.30570000410079956},{"id":"https://openalex.org/C2779662365","wikidata":"https://www.wikidata.org/wiki/Q5416694","display_name":"Event (particle physics)","level":2,"score":0.2985000014305115},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.27639999985694885},{"id":"https://openalex.org/C166052673","wikidata":"https://www.wikidata.org/wiki/Q83021","display_name":"Empirical evidence","level":2,"score":0.2757999897003174},{"id":"https://openalex.org/C2522767166","wikidata":"https://www.wikidata.org/wiki/Q2374463","display_name":"Data science","level":1,"score":0.2757999897003174},{"id":"https://openalex.org/C148417208","wikidata":"https://www.wikidata.org/wiki/Q4825882","display_name":"Authentication (law)","level":2,"score":0.2718999981880188},{"id":"https://openalex.org/C2778464652","wikidata":"https://www.wikidata.org/wiki/Q309849","display_name":"Open research","level":2,"score":0.26109999418258667},{"id":"https://openalex.org/C207267971","wikidata":"https://www.wikidata.org/wiki/Q120208","display_name":"Emerging technologies","level":2,"score":0.25369998812675476},{"id":"https://openalex.org/C2778012447","wikidata":"https://www.wikidata.org/wiki/Q1034415","display_name":"Scope (computer science)","level":2,"score":0.2502000033855438}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2603.01564","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.01564","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2603.01564","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.01564","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[{"display_name":"Life in Land","id":"https://metadata.un.org/sdg/15","score":0.4251479506492615}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Large":[0],"Language":[1],"Models":[2],"(LLMs)":[3],"are":[4,25],"increasingly":[5],"deployed":[6],"as":[7,147],"agentic":[8],"systems":[9],"that":[10],"plan,":[11],"memorize,":[12],"and":[13,42,83,101,107,117,129,136,150,153,157,174],"act":[14],"in":[15,120],"open-world":[16],"environments.":[17],"This":[18],"shift":[19],"brings":[20],"new":[21],"security":[22,109],"problems:":[23],"failures":[24],"no":[26],"longer":[27],"only":[28],"unsafe":[29],"text":[30],"generation,":[31],"but":[32],"can":[33],"become":[34],"real":[35],"harm":[36],"through":[37],"tool":[38],"use,":[39],"persistent":[40],"memory,":[41],"interaction":[43],"with":[44,171],"untrusted":[45],"web":[46],"content.":[47],"In":[48],"this":[49],"survey,":[50],"we":[51,139],"provide":[52],"a":[53,61,68],"transition-oriented":[54],"view":[55],"from":[56],"Secure":[57,62],"Agentic":[58,63,122],"AI":[59],"to":[60,166,175],"Web.":[64],"We":[65,87,111],"first":[66],"summarize":[67],"component-aligned":[69],"threat":[70],"taxonomy":[71],"covering":[72],"prompt":[73,93],"abuse,":[74,80],"environment":[75],"injection,":[76],"memory":[77],"attacks,":[78],"toolchain":[79],"model":[81],"tampering,":[82],"agent":[84,182],"network":[85],"attacks.":[86],"then":[88],"review":[89],"defense":[90],"strategies,":[91],"including":[92],"hardening,":[94],"safety-aware":[95],"decoding,":[96],"privilege":[97],"control":[98],"for":[99,143],"tools":[100],"APIs,":[102],"runtime":[103],"monitoring,":[104],"continuous":[105],"red-teaming,":[106],"protocol-level":[108],"mechanisms.":[110],"further":[112],"discuss":[113],"how":[114],"these":[115],"threats":[116],"mitigations":[118],"escalate":[119],"the":[121],"Web,":[123],"where":[124],"delegation":[125],"chains,":[126],"cross-domain":[127],"interactions,":[128],"protocol-mediated":[130],"ecosystems":[131],"amplify":[132],"risks":[133],"via":[134],"propagation":[135],"composition.":[137],"Finally,":[138],"highlight":[140],"open":[141],"challenges":[142],"web-scale":[144],"deployment,":[145],"such":[146],"interoperable":[148],"identity":[149],"authorization,":[151],"provenance":[152],"traceability,":[154],"ecosystem-level":[155],"response,":[156],"scalable":[158],"evaluation":[159],"under":[160],"adaptive":[161],"adversaries.":[162],"Our":[163],"goal":[164],"is":[165],"connect":[167],"recent":[168],"empirical":[169],"findings":[170],"system-level":[172],"requirements,":[173],"outline":[176],"practical":[177],"research":[178],"directions":[179],"toward":[180],"trustworthy":[181],"ecosystems.":[183]},"counts_by_year":[],"updated_date":"2026-03-04T07:09:34.246503","created_date":"2026-03-04T00:00:00"}