The convergence of agentic artificial intelligence and unmanned aerial systems is changing the threat calculus for both cyber and kinetic defenders. Systems that can set goals, chain actions, and operate with real-world tool access raise a distinct class of risks when embedded in drones. These risks are technical, operational, and legal, and they demand a layered response that treats autonomy itself as an attack surface.
What I mean by agentic weapons is not only fully autonomous lethal platforms but also semi-autonomous drones whose onboard AI agents can make mission-critical decisions without continuous human guidance. Defense contractors and research programs are building autonomy stacks that permit drones to navigate contested environments, coordinate as swarms, and complete tasks when communications are degraded. Industry demonstrations and partnerships over the last two years show rapid advances in teaming and autonomy designed for GPS- and comms-denied operations.
Those same capabilities create new failure modes. The earliest, best-documented example of dual-use agentic risk is prompt injection and malicious data manipulation, where an autonomous agent that parses external content is tricked into altering its objectives or leaking credentials. Security researchers showed how Auto-GPT style agents can be coerced through crafted inputs to follow adversary instructions and to perform web-driven actions that exfiltrate data or execute code. That attack pattern maps cleanly to drones that expose APIs, telemetry, or onboard image feeds to chained AI components.
On the sensor and perception side, vision and navigation stacks remain vulnerable to adversarial and physical attacks. Recent peer-reviewed work demonstrates efficient black-box adversarial attacks against UAV vision models and practical physical-patch techniques that mislead visual odometry and object detectors. An attacker who can place adversarial patterns in the environment or spoof imagery can cause misclassification, track loss, or unsafe maneuvers. These are not hypothetical laboratory curiosities; the literature documents methods and proof-of-concept tests against flight-relevant systems.
Navigation and positioning are another high-risk vector. GPS jamming and spoofing remain highly effective in contested airspace. Studies and field reports from the past two years continue to show attackers using software-defined radios to disrupt or falsify GNSS signals; countermeasures exist, but many platforms still rely on single-source GNSS for critical guidance. When an agentic drone loses trusted positioning and its autonomy is designed to continue the mission, the result can be mission creep or catastrophic misrouting.
Agentic software introduces the insider risk problem at machine scale. An autonomous agent granted broad privileges to call APIs, upload telemetry, or reconfigure mission parameters becomes a high-value compromise point. Research and industry analyses have identified common patterns where agents are deployed with over-permissive credentials, insufficient auditing, and poor separation of duties. A compromised agent can pivot, spawn malicious tasks, or persist inside a fleet management cloud—behaviors analogous to traditional insider threats but with faster, automated execution.
The operational context matters. Conflicts and exercises have accelerated the fielding of semi-autonomous and supervised-autonomy drones, showing both tactical value and the practical challenges of contested electromagnetic environments. At the same time, multilateral forums and civil society are pushing for international norms or controls on weapons that delegate lethal decisions to machines. The United Nations and human rights groups have pressed states to address meaningful human control and legal accountability for lethal autonomous weapon systems. Those policy pressures intersect with practical cyber risk: regulation, procurement rules, and export controls can and should require demonstrable security engineering for autonomy.
So how should defenders respond today? Start from the assumption that autonomy is an attack surface and design accordingly. Practical immediate measures include: strict least-privilege for agent identities and API keys; kill-switches and human-in-the-loop gating for any action with kinetic effect; immutable audit logs and tamper-evident telemetry to support forensic reconstruction; continuous red teaming that includes prompt-injection and adversarial-vision exercises; sensor fusion that does not allow a single compromised modality to dictate lethal outcomes; and onboard constraints that force safe-fail behaviors in degraded modes.
Longer-term engineering changes must harden both the ML models and the system architecture. That means investing in adversarially robust perception models, secure model update pipelines with provenance checks, cryptographic attestation for firmware and autonomy modules, and diversity in navigation sources including inertial navigation, vision-based SLAM, and multi-constellation GNSS with anti-spoofing. Treat the autonomy stack like any other critical control system: assume compromise, instrument for detection, and design to minimize blast radius.
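The following is an added illustration, not code from any vendor or program mentioned above, of how several of the immediate measures (least-privilege scopes, human-in-the-loop gating for kinetic actions, a tamper-evident audit log, multi-source position consensus, safe-fail in degraded modes) fit together as a policy gate in front of an onboard agent's tool calls. Action names, source names, tolerances and the approval token are constructed placeholders; a real system would verify a signed approval rather than a non-empty string.

```python
import hashlib, json, math
from typing import Optional

KINETIC = {"release_payload"}  # constructed: actions with kinetic effect need human approval

class AuditLog:
    """Hash-chained log: each entry commits to the previous hash, so editing
    or dropping an entry makes verify() fail (tamper-evident, not tamper-proof)."""
    def __init__(self):
        self.entries, self.prev = [], "0" * 64
    @staticmethod
    def _digest(prev: str, record: dict) -> str:
        return hashlib.sha256(json.dumps({"prev": prev, **record}, sort_keys=True).encode()).hexdigest()
    def append(self, record: dict) -> None:
        h = self._digest(self.prev, record)
        self.entries.append((record, self.prev, h))
        self.prev = h
    def verify(self) -> bool:
        prev = "0" * 64
        for record, stored_prev, h in self.entries:
            if stored_prev != prev or self._digest(prev, record) != h:
                return False
            prev = h
        return True

def position_consensus(fixes: dict, tol_m: float = 50.0):
    """Fuse {source: (x_m, y_m)} only when at least two independent sources
    agree within tol_m; a lone modality (e.g. spoofed GNSS) never decides."""
    names = list(fixes)
    for i, a in enumerate(names):
        peers = [b for b in names[i + 1:] if math.dist(fixes[a], fixes[b]) <= tol_m]
        if peers:
            cluster = [fixes[a]] + [fixes[b] for b in peers]
            return tuple(sum(p[k] for p in cluster) / len(cluster) for k in (0, 1))
    return None  # no agreeing pair: navigation is degraded

def gate(agent: str, scopes: frozenset, action: str, fixes: dict, log: AuditLog,
         human_approval: Optional[str] = None) -> str:
    """Policy gate in front of the agent's tool calls; every verdict is logged."""
    if action not in scopes:
        verdict = "DENY_SCOPE"          # least privilege: identity lacks this action
    elif action in KINETIC and not human_approval:
        verdict = "DENY_NEEDS_HUMAN"    # human-in-the-loop gate for kinetic effect
    elif position_consensus(fixes) is None:
        verdict = "SAFE_FAIL_HOLD"      # degraded navigation: hold, do not continue mission
    else:
        verdict = "ALLOW"
    log.append({"agent": agent, "action": action, "verdict": verdict, "approval": human_approval})
    return verdict
```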
Policy and procurement levers are equally important. Require security-by-design in contracts for autonomy, mandate independent security evaluations before fielding, and insist on testable human control models for any weaponized system. Internationally, the momentum toward negotiating norms or binding rules on lethal autonomy underscores the need for interoperable standards that include cyber-hardening criteria. Civil society and technical communities should push for transparency in capability claims so that regulators and defense partners can assess cybersecurity posture alongside performance.
Agentic weapons are not merely a futuristic worry. The combination of autonomous decision-making, tool access, and contested communications yields real, immediate cyber-kinetic hazards. That reality requires cross-disciplinary solutions: ML engineers, avionics designers, cyber defenders, policymakers, and operators must share threat models and joint red-team results. Defenders who treat autonomy as a first-class security boundary are the ones who will preserve both operational advantage and legal-ethical responsibility in years to come.