🤖 AI Summary
This work addresses emerging security threats, such as deepfakes, semantic manipulation, and Model Context Protocol (MCP) exploits, that challenge AI agents in cyber-physical systems (CPS), where traditional defenses fall short. To counter these risks, the authors propose SENTINEL, a holistic security framework spanning the AI agent lifecycle. SENTINEL integrates threat modeling, feasibility assessment, defense selection, and continuous validation, while incorporating physical constraints and data provenance mechanisms. Empirical evaluation in a smart grid case study demonstrates that detection alone is insufficient for securing safety-critical CPS; instead, robust protection requires the combined enforcement of physical laws and trustworthy data lineage to achieve defense-in-depth. This research provides a systematic design methodology for building trustworthy, AI-enabled cyber-physical systems.
📝 Abstract
The increasing integration of AI agents into cyber-physical systems (CPS) introduces new security risks that extend beyond traditional cyber or physical threat models. Recent advances in generative AI enable deepfake and semantic manipulation attacks that can compromise agent perception, reasoning, and interaction with the physical environment, while emerging protocols such as the Model Context Protocol (MCP) further expand the attack surface through dynamic tool use and cross-domain context sharing. This survey provides a comprehensive review of security threats targeting AI agents in CPS, with a particular focus on environmental interactions, deepfake-driven attacks, and MCP-mediated vulnerabilities. We organize the literature using the SENTINEL framework, a lifecycle-aware methodology that integrates threat characterization, feasibility analysis under CPS constraints, defense selection, and continuous validation. Through an end-to-end case study grounded in a real-world smart grid deployment, we quantitatively illustrate how timing, noise, and false-positive costs constrain deployable defenses, and why detection mechanisms alone are insufficient as decision authorities in safety-critical CPS. The survey highlights the role of provenance- and physics-grounded trust mechanisms and defense-in-depth architectures, and outlines open challenges toward trustworthy AI-enabled CPS.