Permission Escalation and Prompt Injection in Autonomous AI Agent Systems: A Layered Threat Analysis

In May 2024, a publicly disclosed vulnerability in a commercial AI email assistant allowed attackers to extract sensitive message content by embedding malicious instructions directly into incoming emails, with no user interaction required beyond the AI processing the message. This case is not an isolated event; it is part of a larger pattern. As large language model (LLM)-based agents become operational infrastructure, executing tool calls, managing credentials, and coordinating with other agents, the attack surface they expose has grown well beyond what existing security frameworks address. This paper is a Systematization of Knowledge (SoK) and Threat Modeling contribution that examines two interconnected vulnerabilities in autonomous AI agent systems: prompt injection and permission escalation. While previous research has classified these as a singular category of problem, they are fundamentally distinct in their mechanisms. Prompt injection undermines an agent's directives, while permission escalation undermines the legitimate use of an agent's authority. We introduce a layered threat model, the Syntactic-Semantic Privilege Escalation Model (SSPEM), that separates these attack primitives and applies them across single-agent, orchestrator-agent, and Model Context Protocol (MCP) deployment architectures. Drawing on primary references, including the AgentDojo benchmark, MCP Security Bench (MSB), MCPSecBench, Agent Security Bench, the OWASP Top 10 for Agentic Applications, and a multi-institutional study on adaptive attacks, this study reveals that existing defensive strategies fail to mitigate semantic-level privilege abuse. We identify two significant research gaps: the lack of a security evaluation of permission inheritance in multi-agent systems, and the absence of a formal framework to distinguish syntactic from semantic privilege escalation. We discuss implications for agent architecture design and propose directions for enforcement mechanisms that operate outside the agent's reasoning loop.