Position: Agent Security Needs Redefinition through a Holistic Framework
Abstract
Existing definitions of agent security are ambiguous because they do not fully capture the holistic view across agent components. For instance, current work fails to distinguish between potentially legitimate administrative tasks and malicious exploitation of the same command. A command to "delete user data" could be either legitimate instruction following (resetting a sandbox) or a prompt injection attacking production systems. We argue that agent security must be redefined through a holistic framework including four core components: identity (who: authority and authentication), task (what to do: authorized objectives), trajectory (progress: action-observation boundaries), and memory (what can be retrieved: information access control). Our framework redefines existing security violations (e.g., reframing prompt injection as an identity violation), enables discovery of new attack vectors, and distinguishes legitimate capabilities such as instruction following from security violations such as prompt injection attacks. Critically, we demonstrate that temporal aspects are essential: attacks can be misdefined or go unnoticed without accounting for how the security components in our framework evolve over time. Our framework further identifies that agentic task decomposition and data and control flow patterns are crucial to rigorous security definitions, aspects previous frameworks fail to address, and provides a new foundation for future agent security work.
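As an added illustration (not code from the paper), the Python sketch below models the four components as a small reference monitor and shows how the "delete user data" case above is separated by provenance and time: the same action is authorized when issued by the authenticated principal against the sandbox, rejected as an identity violation when it arrives inside a tool observation, and rejected again once the principal's authority has expired. All class names, fields, and the step budget are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

@dataclass
class Identity:               # who: authenticated principal and its authority (assumed model)
    principal: str
    authority: Set[str]       # actions this principal may invoke
    valid_until: int          # last step at which that authority still holds (temporal aspect)

@dataclass
class Task:                   # what to do: the authorized objective and its action set
    objective: str
    allowed_actions: Set[str]

@dataclass
class Action:                 # one proposed step in the trajectory
    name: str
    target: str
    source: str               # "user" (issued by the principal) or "observation" (tool output)
    step: int

@dataclass
class AgentState:
    identity: Identity
    task: Task
    memory_scope: Set[str]                          # what may be retrieved or modified
    trajectory: List[Action] = field(default_factory=list)
    step_budget: int = 10                           # trajectory boundary (assumed limit)

def evaluate(state: AgentState, action: Action) -> Tuple[bool, str]:
    """Check one action against all four components; record it only if every check passes."""
    # Identity: text embedded in an observation was never issued by the principal,
    # so a "delete" that arrives that way is an identity violation (prompt injection).
    if action.source != "user":
        return False, "identity violation: instruction originated from an untrusted observation"
    if action.step > state.identity.valid_until:
        return False, "identity violation: principal authority has expired"
    if action.name not in state.identity.authority:
        return False, f"identity violation: {state.identity.principal} lacks {action.name}"
    # Task: the action must belong to the authorized objective.
    if action.name not in state.task.allowed_actions:
        return False, f"task violation: {action.name} outside objective '{state.task.objective}'"
    # Trajectory: steps advance monotonically (no replay) and stay within the budget.
    last = state.trajectory[-1].step if state.trajectory else -1
    if action.step <= last or action.step >= state.step_budget:
        return False, "trajectory violation: out-of-order or over-budget step"
    # Memory: the target must lie inside the information scope granted to this task.
    if action.target not in state.memory_scope:
        return False, f"memory violation: {action.target} outside granted scope"
    state.trajectory.append(action)
    return True, "authorized"
```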