Risk
Unidentified Third-Party AI and Agentic Integrations
Description
Existing integrations with external AI services, agent marketplaces, plugins, libraries, or data sources are not discovered or documented, meaning their associated risks are unassessed.
Example
An agent is found to be using an unmaintained third-party plugin from a public marketplace with known prompt-injection vulnerabilities.
Assets Affected
3rd-Party AI Integration
AI App
Pipeline Job
Agents Plugins
Agents Marketplaces
Mitigation
- Perform thorough code and configuration reviews to identify all external dependencies
- implement Software Composition Analysis (SCA) tools that recognize agentic components
- review vendor contracts and service agreements
- document all third-party resources.
Standards Mapping
- ISO: A.10.3, A.4.2
- OWASP agentic: ASI04
- OWASP LLM: LLM03:2025
- EU AI Act: Art. 25
- DASF: Model 7.3
- AIUC-1: E006