AI agents operating within enterprise platforms rely on shared tool registries to execute tasks, selecting capabilities based on natural-language descriptions without human verification of those descriptions' accuracy. This creates a poisoning vulnerability: malicious actors can register tools with misleading or false metadata, causing agents to invoke the wrong capabilities or trigger unintended actions. The gap exists because tool registries prioritise accessibility and speed over validation, assuming that descriptions will match actual function. For CX teams deploying agent-based automation—whether through Zendesk, Salesforce Agentforce, or similar platforms—this means agents could execute customer-facing actions based on compromised tool definitions, potentially routing sensitive data, modifying customer records, or executing workflows outside intended parameters.
The implications extend beyond individual tool misuse. If an agent selects a poisoned tool believing it performs one function when it performs another, the failure cascades through customer interactions without obvious detection. A tool registered as "retrieve customer email" could actually exfiltrate data; one labelled "update ticket status" could modify customer records across accounts. The risk intensifies as enterprises expand agent autonomy to handle higher-stakes decisions. Teams already running autonomous agents should audit their tool registries immediately, establishing governance frameworks that require tool validation before agents can access them—a practice most platforms do not enforce by default. The question becomes whether CX leaders can implement sufficient oversight without throttling the speed advantages that make agent automation valuable in the first place.
This vulnerability also exposes a structural weakness in how enterprise AI platforms are architected. Vendors have prioritised agent capability and integration breadth over security controls that would slow deployment. For smaller CX software vendors building agent ecosystems, the pressure to match larger competitors' tool libraries may force a choice between security rigour and market competitiveness. Until tool registries implement mandatory verification—either through human review, cryptographic signing, or runtime sandboxing—CX teams cannot assume their agents are executing intended actions. The responsibility currently falls on individual organisations to implement detective controls and access restrictions that should be built into the platform itself.
AI agents choose tools from shared registries by matching natural-language descriptions. But no human is verifying whether those descriptions are true. I discovered this gap when I filed Issue #141 in the CoSAI secure-ai-tooling repository. I assumed it would be treated as a single risk entry. The r