Lancaster University report finds UK AI security research gaps as agentic AI grows
Lancaster University review for the Department for Science, Innovation and Technology maps 9,109 peer-reviewed papers and identifies under-studied risks around data, infrastructure, users and model disposal.
A Department for Science, Innovation and Technology-commissioned review has identified gaps in AI security research, including agentic AI, model provenance and end-user risk.
The UK Department for Science, Innovation and Technology has published a Lancaster University review warning that key areas of AI security research remain under-studied as organizations move toward generative AI and agentic AI systems.
The report, published on 10 July 2026, reviews peer-reviewed AI security research from January 2021 to January 2026. It was commissioned by the Department for Science, Innovation and Technology and carried out by Lancaster University to map the state of research and identify gaps for researchers, policymakers, developers and organizations deploying AI systems.
The review covered 9,109 publications, after searches across Scopus and Web of Science were screened using a PRISMA approach. Lancaster University used data-driven methods, including filtering and semantic matching, to group the research into 12 themes.
The findings set out where universities, research teams and cybersecurity educators may need to focus as AI systems become part of products, services and public infrastructure.
The report is independent research commissioned by the Department for Science, Innovation and Technology. The department said the findings do not represent UK government policy.
Training data and privacy dominate research
Lancaster University grouped the AI security literature into 12 themes, including training time security, data and privacy risks, alignment, supply chain vulnerabilities, inference time security, autonomous agent security, model and system design security, and security governance and regulation.
Training time security was the most covered theme, with 2,101 papers aligned to that area. The report defines this as attempts by an adversary to compromise a model during training, including data poisoning, label flipping and other techniques used to alter model behavior.
Data and privacy risks were also heavily covered, with 1,313 papers. That theme includes attempts to extract sensitive or personally identifying information from an AI system, as well as model inversion, extraction and distillation attacks.
Research activity has increased over the past five years. The report says AI security attracted more attention in 2024 and 2025, with over 3,000 papers published across those years, compared with around 500 a year in 2021 and 2022.
The review found that some areas have received much less attention. Security governance and regulation accounted for 21 well-aligned papers, while security risks arising from failure to track assets accounted for 24.
Report identifies five research gaps
The review identifies five areas where Lancaster University says more research is needed.
The first is data integrity. The report calls for more work on assurance and verification methods for AI system data, including training data and model weights.
The second is model provenance. As organizations use third-party AI models from external sources, including model repositories, Lancaster University says more research is needed into techniques that track and verify where those models came from and whether they carry security risks.
The third gap concerns the connection between AI model attack surfaces and traditional IT infrastructure. The report says more work is needed to understand how generative AI and agentic AI systems interact with the cybersecurity risks of the infrastructure underneath them, including deployment environments, APIs and data pipelines.
The fourth area is end-user risk. Lancaster University says more attention is needed on how users can create security risks through their actions, including reliance on hallucinated or malicious outputs, execution of harmful AI-generated code, or use of undocumented AI systems inside organizations.
The fifth gap is model disposal. The report says more research is needed into how AI systems, particularly frontier AI systems, can be safely decommissioned or disposed of at the end of their lifecycle.
Agentic AI security is under-covered
Agentic AI is one of the clearest warning areas in the report. Lancaster University found only 122 papers linked to agentic AI among the reviewed publications, making it the least represented AI system type in the dataset.
The report says there are significant gaps in the cybersecurity of agentic AI systems, including the security of the agent itself, the tools it uses, and communication between agents.
Agentic AI systems are likely to create new requirements for developers, IT teams, cybersecurity professionals and AI governance leads. The report says agentic AI security research increased by 216% in 2025 compared with 2024, the largest year-on-year increase across the review’s 12 themes.
Lancaster University also points to shadow AI as a risk linked to poor asset tracking. If organizations cannot inventory their AI models and systems, security teams may not know which models are being used, whether they are patched, or whether they are being monitored.
The report also recommends policy direction on a non-research issue: creating a widely used database of AI system vulnerabilities, similar to how common vulnerabilities and exposures are tracked for other systems.