No-code agent builders have existed in platforms like Copilot Studio and n8n, but OpenAI AgentKit changes the equation through massive distribution. This capability now lives inside the most widely adopted AI platform in the world, transforming agent building into a true commodity.
OpenAI has just given agent-building capabilities to everyone who already has access to it. While deployment still requires engineering effort today, that barrier won’t last long. Gartner has already warned about “agent sprawl” with Microsoft Copilot Studio, but expect dramatic expansion to all other agent builder platforms. Workflows will now multiply wherever your employees already have OpenAI access, which, for many enterprises means everywhere.
The question isn’t whether agent sprawl is coming. It’s whether you’ll have visibility and control when it does.
The Power and the Problem with OpenAI AgentKit
Before AgentKit, OpenAI users could customize agents through system prompts, knowledge bases, tools, and Model Context Protocol (MCP) servers. But creating truly deterministic workflows, until now required either significant prompt engineering wizardry or the use of external business agent platforms like LangGraph or n8n.
This democratization unlocks tremendous productivity as business users can iterate on workflows without waiting for dev cycles. But it also means expense approval logic, customer support workflows, and data access policies are no longer code that goes through AppSec review. They’re configurations managed by business users with zero security training, deployed directly into production applications.
Understanding AI Agent Architectures
Understanding the security implications of AgentKit requires distinguishing between two fundamentally different agent architectures and their level of destructive capabilities.
Chat Agents are AI agents that interact with users primarily using a chat-based interface, and have more autonomy in how they respond but typically operate with narrower scopes and more constrained permissions.
Flow Agents follow predetermined workflows with explicit step sequencing. First do A, then B, then C. While flow agents have less autonomy (due to their deterministic workflow-based nature), they typically come with broader permissions and capabilities to execute their defined workflows. As an example, an expense agent needs access to financial systems, policy databases, and payment processing. A customer service agent might need access to CRM data, order management systems, and refund capabilities.
This architecture creates destructive risk through the dangerous convergence of excessive functionality (broad tool access across multiple systems) and excessive permissions (write access to production data, payment processing, administrative functions). Even with constrained autonomy, these agents possess the technical capability to cause catastrophic damage (deleting customer records, processing unauthorized transactions, or wiping critical databases), if their workflows are compromised through prompt injection or if they hallucinate destructive actions.
AgentKit’s flow agents usually sit squarely in the high-permission, high-functionality category, which means when security breaks down, the blast radius is massive.
OpenAI AgentKit Risk: The Hidden AppSec Surface
AgentKit provides a no-code interface that lets non-technical users build sophisticated flow agents using OpenAI’s models, enhanced with deterministic controls like conditional logic, loops, and security controls such as guardrails, and user approval gates. After defining a workflow, a non-technical user can publish it and pass it along to a developer who in turn embeds the agent into their applications using the Agents SDK or ChatKit SDK. Once the agent has been embedded in the application, the non-technical user can alter the behavior and publish new agents independently.
While AgentKit eliminates the technical barrier to creating complex flow agents, it doesn’t eliminate the engineering requirement to embed it. These agents must still be integrated into applications by developers, which firmly places AgentKit in the AI application security category, not consumer AI tools. Currently, the builder may be non-technical, but the deployment surface is pure AppSec.
AgentKit represents the maturation of embedded AI from simple chatbots to fully-orchestrated autonomous systems with multi-step workflows, branching logic, cross-system integrations, and conditional decision trees.
Where OpenAI AgentKit Workflows Go Wrong
AgentKit’s accessibility is its greatest strength and its most dangerous characteristic. When non-technical users can build agents without understanding security principles, several critical vulnerabilities emerge:
Prompt injections leverage workflow-based vulnerabilities
Traditional prompt injection attacks manipulate AI responses through carefully crafted inputs. While still applicable here, AgentKit introduces an entirely new attack surface: misconfigurations in the workflow could introduce new prompt injection vulnerabilities when combined with dangerous developer messages.
1. Consider an expense workflow that asks users to upload receipts, and then consults with previous requests and policy documents stored in the vector DB in the “File Search” Node. Without proper guardrails, an attacker could inject instructions in receipt text that manipulate downstream processing, changing approval verdicts or exfiltrating sensitive policy information.
2. Another example of how a prompt injection can trigger workflow vulnerabilities is through variable manipulation. AgentKit workflows use variables to store and pass data between steps, similar to low-code platforms like Salesforce’s AgentForce. If an agent uses untrusted user input to populate variables that later control authentication, authorization, or transaction approval, attackers gain unprecedented control over business logic.
3. Finally, a common misconfiguration would be incorporating untrusted user-defined input inside “developer messages”, attackers effectively control what instructions the AI receives, bypassing any safeguards in the user-facing conversation. This isn’t just AI hallucination, it’s application-layer exploitation hiding behind conversational interfaces.
Attackers now have two vectors. They can exploit flaws in the AI itself through traditional prompt injection, or they can exploit workflow misconfigurations created by business users who don’t understand the security implications of their design choices. This isn’t just AI hallucination, it’s application-layer exploitation hiding behind conversational interfaces.
Destructive capabilities without human supervision
The most dangerous AgentKit workflows combine high-stakes actions with insufficient approval gates. An agent that can delete data, process payments, modify permissions, or execute system commands requires explicit user approval for destructive operations. But AgentKit makes it trivially easy to omit these approval blocks, especially for builders who don’t fully understand the downstream consequences of their workflow design.
Risk of oversharing data if not properly sanitized before sending external services
AgentKit workflows frequently stream data that originated in internal knowledge bases to external MCP servers, creating clear sensitive data oversharing risks. First, without data sanitization guardrails, MCP connections become exfiltration highways where personally identifiable information, trade secrets, and regulated data flow to third-party servers with no visibility into how that data is stored or secured. Second, even internal data access poses risks. AgentKit workflows can query knowledge bases, RAG systems, and MCP servers, then share that information freely with end users, but the agent’s data access permissions rarely align with individual user permissions. This results in employees gaining access to sensitive information they shouldn’t see, including financial data, personnel records, strategic plans, simply by asking their friendly AI assistant.
The shadow AI acceleration
AgentKit supercharges the shadow AI problem. Every MCP server connection, every external API integration, and every data source added to an agent happens outside traditional IT governance. Security teams have no inventory of what agents exist, what data they access, or what actions they can take before something breaks.
How Noma Security Protects OpenAI AgentKit Agents
The standard response to AgentKit’s security challenges is predictable: lock down agent creation, impose lengthy approval processes, and treat every workflow as a potential threat. This approach will fail spectacularly. Business users will build agents anyway, they’ll just hide them better. The real solution requires visibility and intelligent controls that move at the speed of AI deployment.
The Noma Security agent-aware security platform provides comprehensive protection for AgentKit workflows through three complementary capabilities:
Discovery Through Code Scanning: Noma Security automatically identifies workflows built with OpenAI’s Agents SDK and ChatKit SDK across your codebase, creating a complete inventory of agent deployments before they reach production. This includes embedded agents that security teams would never find through manual audits.
Security Posture Assessment: For every discovered AgentKit workflow, Noma Security analyzes the complete agentic architecture, identifying missing guardrails, destructive capabilities without approval gates, unsanitized data flows to MCP servers, and prompt injection vulnerabilities. This posture assessment provides actionable remediation guidance specific to AgentKit’s architecture.
Policy Enforcement: Noma Security enables security teams to define and enforce policies specific to agentic workflows, prevent unsanitized data to be embedded in the developer prompt, requiring approval blocks for destructive operations, mandating data sanitization for external MCP connections, and preventing overly permissive data access patterns. These policies integrate directly into development workflows, catching misconfigurations before deployment.
As OpenAI continues expanding AgentKit capabilities, Noma Security integration will expand with it, providing real-time workflow analysis and policy enforcement across your entire agentic ecosystem.
OpenAI AgentKit risk: The bottom line
AgentKit represents exactly the kind of AI innovation that enterprises need. Powerful capabilities delivered through accessible interfaces that empower business users to solve real problems. Technology isn’t the threat. The threat is deploying these agents without understanding their security implications and blast radius.
Organizations that embrace AgentKit while implementing agent-aware security will accelerate AI adoption safely. Those that choose between innovation and security will get neither. Request a demo of Noma Security to see how we can help you embrace AI innovation with confidence.
