ctipilot.ch · Switzerland · Europe · Public sector

CERT-FR CERTFR-2026-ACT-016: Agentic AI tools introduce prompt-injection and supply-chain attack surfaces

From CTI Daily Brief — 2026-05-08 · published 2026-05-08

France's CERT-FR published advisory CERTFR-2026-ACT-016 warning that deploying agentic AI orchestration platforms (LLM-driven workflows with tool-calling, MCP server integration, or autonomous execution capabilities) introduces novel attack vectors. The advisory identifies three risk classes: prompt-injection via processed documents or websites (attacker embeds instructions in content the agent processes, redirecting its actions); MCP server supply-chain compromise (a malicious or compromised Model Context Protocol server can issue instructions to all connected agents); and insufficient sandboxing of agent execution environments, where agents with filesystem or network access can be weaponised. CERT-FR recommends input/output guardrails, strict allowlisting of permitted tool calls, human-in-the-loop gates for high-impact actions, and treating all AI agent outputs as untrusted until validated. Relevant for organisations deploying Claude Agents, Microsoft Copilot Studio, AutoGen, or similar agentic frameworks for workflow automation.
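As an added illustration (not part of the CERT-FR advisory or of this brief), the following Python sketch shows how an orchestrator can apply two of the recommended controls, a default-deny allowlist of tool calls and a human-in-the-loop gate for high-impact actions, to the sequence of tool calls an agent proposes. Tool names, the policy values and the sample plan are constructed, and `approver` is a hypothetical callback standing in for the human gate.

```python
# Added example: a policy gate run on every tool call an agent proposes,
# before anything executes. Implements (a) a strict default-deny allowlist of
# tools and their arguments and (b) a human-in-the-loop gate for tools whose
# effects leave the sandbox. All names and values below are constructed.
from dataclasses import dataclass, field


@dataclass
class ToolPolicy:
    # Tool name -> argument names that tool may receive. Anything not listed
    # is denied outright (default deny), not merely logged.
    allowed: dict = field(default_factory=lambda: {
        "search_docs": {"query"},
        "read_file": {"path"},
        "send_email": {"to", "subject", "body"},
        "run_shell": {"cmd"},
    })
    # Tools with external side effects: require explicit human approval.
    high_impact: set = field(default_factory=lambda: {"send_email", "run_shell"})


def evaluate_call(call: dict, policy: ToolPolicy, approver) -> str:
    """Return 'allow', 'deny' or 'needs_approval' for one proposed tool call.

    approver(call) is a hypothetical callback for the human-in-the-loop gate;
    it returns True only when a person has approved this exact call."""
    name = call.get("tool")
    args = call.get("args", {})
    if name not in policy.allowed:
        return "deny"                      # unknown tool: default deny
    if set(args) - policy.allowed[name]:
        return "deny"                      # unexpected argument: deny
    if name in policy.high_impact and not approver(call):
        return "needs_approval"
    return "allow"


def gate_plan(plan: list, policy: ToolPolicy, approver) -> list:
    """Evaluate a whole plan in order and stop at the first step that is not
    allowed, so later steps cannot run on the assumption it succeeded."""
    decisions = []
    for call in plan:
        decision = evaluate_call(call, policy, approver)
        decisions.append((call["tool"], decision))
        if decision != "allow":
            break
    return decisions


# Constructed sample: a plan an agent might produce after processing a document
# whose injected text asks it to mail the file out and then run a command.
SAMPLE_PLAN = [
    {"tool": "search_docs", "args": {"query": "Q2 budget"}},
    {"tool": "read_file", "args": {"path": "/data/budget.xlsx"}},
    {"tool": "send_email", "args": {"to": "external@example.invalid",
                                    "subject": "budget", "body": "..."}},
    {"tool": "run_shell", "args": {"cmd": "..."}},
]

if __name__ == "__main__":
    print(gate_plan(SAMPLE_PLAN, ToolPolicy(), lambda call: False))
```

With no human approval the plan halts at the `send_email` step, so the injected instructions never reach the network; wiring `approver` to a real review step is left to the deployment.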