You reviewed the tools your agent has access to. You did not review what becomes reachable when those tools are called in sequence.
OWASP's 2025 Top 10 for LLM Applications covers this under Excessive Agency (LLM06): a tool chain whose cumulative permissions exceed what the task needs. The attack is not one malicious tool call. It is a path.
An #AI agent calls a read-only analytics tool. That tool forwards its token to a reporting service. The reporting service's own credential has write access to a data warehouse the agent was never authorized to touch.
No single step looks suspicious in isolation. Each tool call was within scope. The authorization boundary was crossed at the chain level, not the component level.
Your security review assessed permissions per tool. Your adversary assessed permissions across the graph.
The individual actions were authorized. The cumulative access was never governed.
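What "assessing permissions across the graph" looks like in practice, as an added example that is not code from the original post: a small transitive-permission audit. The call graph, component permissions and the agent's declared scope are constructed sample data; the BFS walks every tool the agent can reach, unions the permissions those tools' own credentials carry, and reports each permission that the agent's declared scope never granted together with the chain that reaches it.

```python
from collections import deque

# Constructed sample (hypothetical, not from the original post):
# which component can invoke which.
CALL_GRAPH = {
    "agent": ["analytics"],
    "analytics": ["reporting"],
    "reporting": ["warehouse"],
    "warehouse": [],
}

# Constructed sample: the permissions each component's own credential carries.
# (resource, action) pairs; the warehouse is a data store with no credential.
DIRECT_PERMS = {
    "agent": {("analytics_db", "read")},
    "analytics": {("analytics_db", "read")},
    "reporting": {("warehouse", "write")},
    "warehouse": set(),
}

# Constructed sample: what the per-tool review approved for the agent.
AGENT_SCOPE = {("analytics_db", "read")}


def effective_permissions(start, call_graph, direct_perms):
    """Return {permission: path} for every permission transitively reachable
    from `start`. Breadth-first, so the recorded path is a shortest chain;
    the `seen` set stops the walk on cyclic call graphs."""
    reached = {}
    seen = {start}
    queue = deque([(start, [start])])
    while queue:
        node, path = queue.popleft()
        for perm in direct_perms.get(node, set()):
            reached.setdefault(perm, path)  # keep the first (shortest) chain
        for callee in call_graph.get(node, []):
            if callee not in seen:
                seen.add(callee)
                queue.append((callee, path + [callee]))
    return reached


def audit(start, declared_scope, call_graph, direct_perms):
    """Permissions reachable from `start` that its declared scope never
    granted, each paired with the call chain that makes it reachable."""
    reached = effective_permissions(start, call_graph, direct_perms)
    return sorted(
        (perm, " -> ".join(path))
        for perm, path in reached.items()
        if perm not in declared_scope
    )


if __name__ == "__main__":
    for (resource, action), chain in audit("agent", AGENT_SCOPE, CALL_GRAPH, DIRECT_PERMS):
        print(f"{resource}:{action} is reachable via {chain}")
```

The per-tool review sees only `DIRECT_PERMS["agent"]`, which matches `AGENT_SCOPE` exactly. The graph walk reports `warehouse:write` reachable via `agent -> analytics -> reporting`, which is the finding the component-level review cannot produce. In a real deployment the graph comes from the tool registry and the permissions from the IAM policies or token scopes bound to each service identity; the algorithm is the same.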