Security · Research Analysis

AI Agent Traps:
The Attack Surface
Nobody Is Talking About

Google DeepMind just published a systematic framework for a new class of threat: adversarial content engineered specifically to manipulate, deceive, and exploit autonomous AI agents. Here's what every CISO needs to understand — and act on now.

AI Agent Traps — adversarial attack surface for autonomous agents
Source Paper
AI Agent Traps
Franklin, Tomašev, Jacobs, Leibo, Osindero — Google DeepMind · SSRN 2025

Google DeepMind researchers have published what I consider one of the most important security papers of 2025 for anyone deploying agentic AI in regulated environments. It introduces a systematic framework for AI Agent Traps — adversarial content embedded in the information environment specifically to manipulate autonomous agents.

This isn't theoretical. It builds on demonstrated attacks, empirical benchmarks, and real-world incidents. And it maps directly to the governance gaps I have been writing about — starting with uncontrolled delegation.

"By altering the environment rather than the model, the trap weaponises the agent's own capabilities against it."

That single sentence from the paper captures the core problem. We have been securing models. We have been securing APIs. We have been securing infrastructure. But autonomous agents consume the web — and the web can now be weaponised against them.

Six classes of attack — and why they matter to your enterprise

The paper identifies six distinct categories of agent trap, each targeting a different layer of how autonomous agents operate. Here is what each means in practice:

1
Content Injection Traps
Target: Perception
Hidden instructions embedded in HTML, CSS, metadata, or image binary data — invisible to humans, but parsed and acted on by agents. Simple prompt injections in web content partially commandeer agents in up to 86% of tested scenarios.
2
Semantic Manipulation Traps
Target: Reasoning
Corrupts agent reasoning through biased framing, authority-signalling language, and contextual priming — without issuing any overt command. The agent reaches the wrong conclusion believing it reasoned correctly.
3
Cognitive State Traps
Target: Memory & Learning
Poisons RAG knowledge bases, long-term memory stores, or in-context learning demonstrations. Attacks persist across sessions and users. Injecting just a handful of documents into a knowledge base can reliably manipulate outputs for targeted queries.
4
Behavioural Control Traps
Target: Action
Embedded jailbreaks, data exfiltration traps, and sub-agent spawning attacks. Web agents with OS-level privileges have been driven to exfiltrate local files and passwords with success rates exceeding 80%.
5
Systemic Traps
Target: Multi-Agent Dynamics
Exploits agent homogeneity to trigger macro-level failures — congestion attacks, cascading failures (analogous to the 2010 Flash Crash), tacit collusion, and Sybil attacks that distort collective decision-making.
6
Human-in-the-Loop Traps
Target: Human Overseer
Engineered to induce approval fatigue in human reviewers, present technically benign-looking summaries of malicious actions, or exploit automation bias — bypassing the final layer of human oversight.

The connection to uncontrolled delegation

Regular readers will recognise the thread connecting this to my earlier post on uncontrolled delegation. The paper's Behavioural Control Traps section specifically identifies Sub-agent Spawning Traps — where an attacker coerces a parent agent into instantiating malicious sub-agents within its own trusted control flow.

Related Article
Agentic AI Has a Hidden Problem: Uncontrolled Delegation
How agent-to-agent delegation creates implicit trust paths that bypass every security control you have deployed.

This is not a coincidence. The DeepMind framework and the delegation problem share the same root cause: we built security controls for deterministic systems, and we are now deploying autonomous ones.

A Content Injection Trap that hijacks an orchestrating agent does not just compromise that agent. Via delegation, it propagates through every sub-agent the orchestrator spawns. The attack surface multiplies with every layer of the agent hierarchy.

What the paper says about dynamic cloaking — and why it should alarm you

One finding that stopped me: the paper documents that malicious websites can already detect visiting AI agents and serve them different content than human users see.

A fingerprinting script identifies automation artefacts, IP characteristics, and behavioural cues. If the visitor is an AI agent, it serves a visually identical but semantically different page — with embedded prompt injection payloads. The human reviewer sees nothing wrong. The agent receives instructions to exfiltrate data or misuse its tools.

Your agents are already browsing a web that can see them coming. And most organisations have zero detection capability for this.

Three findings every CISO should act on now

RAG systems are a primary attack surface Injecting a handful of carefully crafted documents into a retrieval corpus can reliably manipulate agent outputs for targeted queries — with attack success rates exceeding 80% at less than 0.1% data poisoning. If your agents query internal wikis, document stores, or public web sources, this is an active exposure.
Memory persistence makes attacks durable Unlike perception attacks, Cognitive State Traps persist across sessions and affect multiple users. An attack seeded into an agent's memory today can surface weeks later when a specific context triggers retrieval. This fundamentally changes the incident response calculus.
The accountability gap is real and unresolved The paper explicitly identifies this: if a compromised agent commits a financial crime, the allocation of liability between the agent operator, the model provider, and the domain owner is an open legal question. In regulated industries, that ambiguity is your problem — not someone else's.

What this requires from a governance perspective

The paper outlines mitigation strategies across three layers. Here is how I translate those into operational governance requirements:

Pre-ingestion source validation — before any external content enters an agent's context, evaluate its credibility. Not just URL reputation — structural analysis for hidden instructions.
RAG corpus integrity controls — treat your retrieval knowledge base as a security boundary. Access controls, provenance tracking, and anomaly detection on retrieved content are not optional in regulated environments.
Agent identity and behavioural baselines — you cannot detect anomalous behaviour without knowing what normal looks like. Every deployed agent needs a behavioural baseline and runtime monitoring against it.
Delegation chain logging — as covered in my delegation article: the full chain must be auditable. Human-in-the-loop controls mean nothing if reviewers only see orchestrator-level summaries that omit sub-agent actions.
Liability and accountability frameworks — document clearly who is responsible for agent actions in your regulatory context. Don't wait for the incident to discover the gap.
Red teaming for agent-specific threats — your existing penetration testing methodology was not designed for autonomous agents. Agent trap categories need to be explicitly included in your threat modelling and testing programme.

The bottom line

The DeepMind paper closes with a line that should be on every AI governance team's wall:

"The web was built for human eyes; it is now being rebuilt for machine readers. The critical question is no longer just what information exists, but what our most powerful tools will be made to believe."

Securing the integrity of what agents believe — what they retrieve, what they reason over, what they act on — is the governance challenge of the agentic era. It is not a model problem or an infrastructure problem. It is a governance architecture problem.

And unlike many security challenges, the window to address it before regulatory expectations crystallise is narrow. The paper is publicly available. Regulators read research. The EU AI Act's requirements around human oversight and transparency were written before agent traps were a named threat class. They won't be updated to accommodate organisations that weren't paying attention.

#CyberSecurity #AI #AgenticAI #AISecurity #CISO #AIGovernance #ZeroTrust #PromptInjection #OneCompliant

Map your agentic AI attack surface

OneCompliant's OASAT assessment evaluates your AI systems against agent trap categories, delegation risk, and regulatory governance requirements — in 4–6 weeks.