Weaponizing Autonomy: Breaking and Defending the Agentic AI Supply Chain
Agentic AI systems are crossing a dangerous threshold. With persistent identity, tool access, and autonomous execution, they are no longer just models but active participants in the software supply chain. This talk dissects how attackers can weaponize agentic AI capabilities to compromise cloud environments at scale, and how defenders must rethink identity, provenance, and trust boundaries to survive this shift.
Anchored in OWASP Agentic AI ASI-4 (Supply Chain & Dependency Compromise), we analyze real-world attack patterns including the Cato Networks demonstration of Claude Skills being abused to autonomously deploy MedusaLocker ransomware, and Cursor CLI project configuration leading to remote code execution. These incidents expose a new class of risk where agents download, modify, execute, and re-upload artifacts without human intervention, effectively acting as self-propagating supply chain attackers.
From an attacker’s perspective, we map how agent identity, delegated permissions, plugin ecosystems, and cloud-native CI/CD workflows become the perfect delivery mechanism for malicious logic. From a defender’s perspective, we present concrete controls using cryptographic identity, agent-bound credentials, attestations, AI-BOMs, runtime policy enforcement, and zero-trust agent orchestration grounded in guidance from OWASP GenAI, Cloud Security Alliance, and modern cloud-native security practices.
Attendees will leave with a clear threat model, realistic attack paths, and a defensive playbook to secure agentic AI systems before they become the next SolarWinds moment.
Aamiruddin Syed
Supply Chain Software Security
West Palm Beach, Florida, United States