Session

Agents Under Siege: Live Attacks from RAG to Tool Calls to Protocols

Agentic AI doesn’t fail at the chat box; it fails at the actions it takes. In this talk I chain three concise, live demos that move from data to action to supply chain:

RAG plan-graft: a tiny poisoned snippet in a local index silently adds an extra workflow step that changes business logic, reflecting recent RAG-poisoning research (e.g., “PoisonedRAG”).

Function-call abuse: adversarial inputs and crafted error paths cause argument drift so a “read-only” tool becomes a write—aligned with new tool-calling attack work.

Malicious protocol plugin: a benign-looking Model Context Protocol (MCP) server exfiltrates data, echoing real incidents and vendor advisories.

Each demo shows the second prompt (what the model tells tools to do), the observable failure signatures (unauthorized tool calls, argument-shape mutations, plan revisions), and simple fixes you can ship this week: pre/post-conditions and safelists on tools, schema-aware linting of generated calls, action-prompt logging with provenance, and basic KPIs (Unsafe Tool-Call Ratio, Off-Policy Action Rate). We’ll also map where OWASP LLM guidance fits and where it stops, so you can harden real agent workflows, not just prompts.
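To make the "fixes you can ship this week" concrete, here is an added example of a tool-call gate written for this page; it is not code from the talk or its speaker. It puts every generated tool call through a safelist, a schema lint, a pre-condition and a read-only guard, logs each decision with the provenance of the prompt that produced it, and computes the two KPIs named above over a batch. The tool names, argument schemas, write-marker list and the sample calls are all constructed for the example, and the KPI definitions (unsafe ratio = blocked calls / all calls; off-policy rate = calls to tools outside the approved plan / all calls) are assumptions, since the abstract names the metrics without defining them.

```python
"""Added example: a tool-call gate for an LLM agent (constructed, not the talk's code)."""
from dataclasses import dataclass, field

# Safelist: tools the agent may invoke, the exact argument schema each accepts,
# whether the tool is read-only, and a pre-condition over the arguments.
# All tool names and schemas here are constructed for the example.
TOOL_SAFELIST = {
    "read_file": {
        "read_only": True,
        "schema": {"path": str},
        "pre": lambda a: a["path"].startswith("/data/") and ".." not in a["path"],
    },
    "search_docs": {
        "read_only": True,
        "schema": {"query": str, "top_k": int},
        "pre": lambda a: 1 <= a["top_k"] <= 20,
    },
    "create_ticket": {
        "read_only": False,
        "schema": {"title": str, "body": str},
        "pre": lambda a: 0 < len(a["title"]) <= 120,
    },
}

# Argument names that signal write intent (assumed list). A read-only tool
# receiving any of them is flagged as argument drift: a read becoming a write.
WRITE_MARKERS = {"mode", "content", "data", "overwrite", "delete"}


@dataclass
class Verdict:
    allowed: bool
    off_policy: bool
    reasons: list = field(default_factory=list)


def lint_call(call: dict, plan_tools: set) -> Verdict:
    """Lint one generated call against the safelist and the approved plan."""
    name = call.get("tool")
    args = call.get("arguments", {})
    reasons = []
    # Off-policy: the approved plan never used this tool (e.g. a grafted step).
    off_policy = name not in plan_tools
    if off_policy:
        reasons.append("off-policy: tool not in approved plan")
    spec = TOOL_SAFELIST.get(name)
    if spec is None:
        reasons.append(f"tool not on safelist: {name!r}")
        return Verdict(False, off_policy, reasons)
    expected = spec["schema"]
    extra = set(args) - set(expected)
    missing = set(expected) - set(args)
    if spec["read_only"] and extra & WRITE_MARKERS:
        reasons.append(f"argument drift: write-style arguments {sorted(extra & WRITE_MARKERS)} on read-only tool")
    if extra:
        reasons.append(f"unexpected arguments: {sorted(extra)}")
    if missing:
        reasons.append(f"missing arguments: {sorted(missing)}")
    type_ok = all(k in args and isinstance(args[k], t) for k, t in expected.items())
    if not missing and not type_ok:
        reasons.append("argument type mismatch")
    # The pre-condition runs only on a schema-clean call, and a pre-condition
    # that raises is a deny, so a crafted error path cannot fail open.
    if not extra and not missing and type_ok:
        try:
            if not spec["pre"](args):
                reasons.append("pre-condition failed")
        except Exception as exc:
            reasons.append(f"pre-condition raised {type(exc).__name__}")
    return Verdict(not reasons, off_policy, reasons)


def gate_batch(calls: list, plan_tools: set) -> dict:
    """Gate a batch of calls; return the provenance log and the two KPIs."""
    log, unsafe, off_policy = [], 0, 0
    for call in calls:
        v = lint_call(call, plan_tools)
        unsafe += not v.allowed
        off_policy += v.off_policy
        log.append({
            "tool": call.get("tool"),
            "provenance": call.get("provenance"),  # which prompt/chunk produced the call
            "allowed": v.allowed,
            "reasons": v.reasons,
        })
    n = len(calls) or 1
    return {
        "log": log,
        "kpis": {
            "unsafe_tool_call_ratio": unsafe / n,      # blocked calls / all calls (assumed definition)
            "off_policy_action_rate": off_policy / n,  # calls outside the plan / all calls (assumed)
        },
    }


# Constructed sample batch: the approved plan only uses read_file and search_docs.
PLAN_TOOLS = {"read_file", "search_docs"}
SAMPLE_CALLS = [
    {"tool": "read_file", "arguments": {"path": "/data/report.txt"},
     "provenance": {"turn": 1, "source": "user"}},
    # Argument drift: a read-only tool handed write-style arguments after a tool error.
    {"tool": "read_file", "arguments": {"path": "/data/report.txt", "mode": "w", "content": "x"},
     "provenance": {"turn": 2, "source": "tool_error_message"}},
    {"tool": "search_docs", "arguments": {"query": "refund policy", "top_k": 5},
     "provenance": {"turn": 3, "source": "user"}},
    # Grafted step: a write tool the approved plan never contained.
    {"tool": "create_ticket", "arguments": {"title": "Approve refund", "body": "auto"},
     "provenance": {"turn": 4, "source": "retrieved_chunk:doc17"}},
    # Not on the safelist at all.
    {"tool": "delete_records", "arguments": {"table": "orders"},
     "provenance": {"turn": 5, "source": "retrieved_chunk:doc17"}},
]

if __name__ == "__main__":
    import json
    print(json.dumps(gate_batch(SAMPLE_CALLS, PLAN_TOOLS), indent=2))
```

Over the constructed batch the gate blocks three of five calls (the drifted read, the grafted ticket step, and the unlisted tool), giving an Unsafe Tool-Call Ratio of 0.6 and an Off-Policy Action Rate of 0.4; the log entries carry the `provenance` field so a blocked call can be traced back to the retrieved chunk or error message that produced it.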

Aviral Srivastava

Offensive security for the age of machine intelligence

Sunnyvale, California, United States
