Updating the taxonomy of failure modes in agentic AI systems: What a year of red teaming taught us
ID: ebea4bd9-839e-5163-bd3a-8fd457af1c92
STIX ID: report--ebea4bd9-839e-5163-bd3a-8fd457af1c92
Feed Name: Microsoft Security
The Microsoft AI Red Team v2.0 taxonomy updates the threat model for agentic AI systems after a year of red teaming and operational experience, adding seven new failure modes (e.g., agentic supply chain compromise, goal hijacking, inter-agent trust escalation, CUA visual attacks, session context contamination, MCP/plugin abuse, capability/architecture disclosure). The report cites large-scale exposures in open-source agent frameworks and MCP ecosystems (including a referenced CVE and thousands of exposed instances), describes high-frequency exploitation patterns such as HitL bypass and XPIA-enabled memory poisoning, and recommends concrete mitigations: SBOMs and provenance for agentic components, zero-trust inter-agent authentication, hardened consent/HitL UX, and session integrity controls, along with actions for red teams and security engineers.
