Your slickest new feature is also your newest attack surface. The moment an LLM can call tools (send mail, query a database, run code) a carefully worded sentence becomes privilege escalation. Worse, the agent trusts its own data pipeline, so a poisoned email or web page it reads later can hijack it without the attacker ever touching your app. In this talk I'll take over a live AI agent on stage via direct and indirect prompt injection, exfiltrate data, then make it run code it was never meant to. Then we defend it: untrusted-content isolation, least-privilege tool access, and validation at the database layer instead of trusting the model. You'll leave with a threat model you can apply to your own agents this week.