Before you can reason about how an agentic environment gets attacked, you need a precise picture of what is in it. An AI-powered working environment is more than a chat window: it is a set of entities with real authority on the endpoint, wired together by instructions and tool calls. This page defines the entities the rest of the threat model refers to.
The developer endpoint
The laptop or workstation where agents run is the anchor of the model. It holds the crown jewels an attacker wants: source code, cloud credentials, session tokens, SSH keys, browser cookies, and network position inside the corporate perimeter. Every other entity in this model inherits some slice of what the endpoint can do, which is why agentic security is, first, endpoint security.
The AI agent
The agent is the primary actor: the software that talks to an LLM and acts on its output. In practice that means IDE-based agents (Cursor, VS Code with Copilot, Windsurf) and CLI agents (Claude Code, Gemini CLI, Codex), plus a long tail of desktop and background agents. Agents write code, run shell commands, edit files, and invoke MCP tools. The defining security property is that the agent's actions are driven by natural language, so anything that can put text in front of the agent can, in the worst case, steer what it does with the endpoint's authority.
MCP servers
MCP servers extend agents with typed tools: query a database, read a wiki, call a SaaS API, control a browser. They run locally as processes on the endpoint or remotely as services, and thousands of them circulate publicly with no central vetting. Each server is simultaneously a capability grant (the agent can now do more) and a trust decision (the server's code and the content it fetches now sit inside the agent's loop). See how to build an MCP server registry.
Skills and rules files
Agents are configured by files that behave like software. Skills (SKILL.md packages of instructions plus optional code) and rules files (CLAUDE.md, AGENTS.md, .cursorrules) load into the agent's context and shape its behavior for every task. They are the instruction supply chain of the environment: portable across agents, shared informally, and rarely reviewed. The Agent Skills open standard has made this layer ecosystem-wide.
Local resources
Whatever the agent's process can touch: the filesystem, environment variables, plaintext secrets, the shell, other processes, and the local network. Agents typically run with the developer's full user privileges, so "local resources" is shorthand for everything the human could do at the keyboard, now executable by software that reads instructions from files and web pages.
External resources
The systems the environment reaches out to: git hosting, package registries, SaaS APIs, documentation sites, and the open web. External resources matter twice over. They are targets (an agent with a GitHub token can rewrite CI), and they are input channels, because content fetched from them lands in the agent's context window, where it can carry instructions. That dual role is where most of the risks in this model begin.
Why the map matters
Each threat surface and risk page in this model is a path through this diagram: attacker-controlled input entering through one entity and agent authority exiting through another. Most organizations cannot draw this diagram for their own fleet - they do not know which agents, MCP servers, or skills are installed, let alone what those can reach. That inventory gap is the first finding of the threat model, and the reason the practical work starts with building an AI agent inventory.




