Source Paper
AI Agent Traps
Franklin, Tomašev, Jacobs, Leibo, Osindero — Google DeepMind · SSRN 2025
Google DeepMind researchers have published what I consider one of the most important
security papers of 2025 for anyone deploying agentic AI in regulated environments.
It introduces a systematic framework for AI Agent Traps — adversarial content
embedded in the information environment specifically to manipulate autonomous agents.
This isn't theoretical. It builds on demonstrated attacks, empirical benchmarks,
and real-world incidents. And it maps directly to the governance gaps I have been
writing about — starting with uncontrolled delegation.
"By altering the environment rather than the model, the trap weaponises the agent's own capabilities against it."
That single sentence from the paper captures the core problem. We have been securing
models. We have been securing APIs. We have been securing infrastructure. But autonomous
agents consume the web — and the web can now be weaponised against them.
Six classes of attack — and why they matter to your enterprise
The paper identifies six distinct categories of agent trap, each targeting a different
layer of how autonomous agents operate. Here is what each means in practice:
Target: Perception
Hidden instructions embedded in HTML, CSS, metadata, or image binary data — invisible to humans, but parsed and acted on by agents. Simple prompt injections in web content partially commandeer agents in up to 86% of tested scenarios.
Target: Reasoning
Corrupts agent reasoning through biased framing, authority-signalling language, and contextual priming — without issuing any overt command. The agent reaches the wrong conclusion believing it reasoned correctly.
Target: Memory & Learning
Poisons RAG knowledge bases, long-term memory stores, or in-context learning demonstrations. Attacks persist across sessions and users. Injecting just a handful of documents into a knowledge base can reliably manipulate outputs for targeted queries.
Target: Action
Embedded jailbreaks, data exfiltration traps, and sub-agent spawning attacks. Web agents with OS-level privileges have been driven to exfiltrate local files and passwords with success rates exceeding 80%.
Target: Multi-Agent Dynamics
Exploits agent homogeneity to trigger macro-level failures — congestion attacks, cascading failures (analogous to the 2010 Flash Crash), tacit collusion, and Sybil attacks that distort collective decision-making.
Target: Human Overseer
Engineered to induce approval fatigue in human reviewers, present technically benign-looking summaries of malicious actions, or exploit automation bias — bypassing the final layer of human oversight.
The connection to uncontrolled delegation
Regular readers will recognise the thread connecting this to my earlier post on
uncontrolled delegation. The paper's Behavioural Control Traps section specifically
identifies Sub-agent Spawning Traps — where an attacker coerces a parent agent
into instantiating malicious sub-agents within its own trusted control flow.
Related Article
Agentic AI Has a Hidden Problem: Uncontrolled Delegation
How agent-to-agent delegation creates implicit trust paths that bypass every security control you have deployed.
This is not a coincidence. The DeepMind framework and the delegation problem share
the same root cause: we built security controls for deterministic systems,
and we are now deploying autonomous ones.
A Content Injection Trap that hijacks an orchestrating agent does not just compromise
that agent. Via delegation, it propagates through every sub-agent the orchestrator
spawns. The attack surface multiplies with every layer of the agent hierarchy.
What the paper says about dynamic cloaking — and why it should alarm you
One finding that stopped me: the paper documents that malicious websites can
already detect visiting AI agents and serve them different content than human users see.
A fingerprinting script identifies automation artefacts, IP characteristics, and
behavioural cues. If the visitor is an AI agent, it serves a visually identical
but semantically different page — with embedded prompt injection payloads.
The human reviewer sees nothing wrong. The agent receives instructions to exfiltrate
data or misuse its tools.
Your agents are already browsing a web that can see them coming. And most organisations have zero detection capability for this.
Three findings every CISO should act on now
RAG systems are a primary attack surface
Injecting a handful of carefully crafted documents into a retrieval corpus can reliably manipulate agent outputs for targeted queries — with attack success rates exceeding 80% at less than 0.1% data poisoning. If your agents query internal wikis, document stores, or public web sources, this is an active exposure.
Memory persistence makes attacks durable
Unlike perception attacks, Cognitive State Traps persist across sessions and affect multiple users. An attack seeded into an agent's memory today can surface weeks later when a specific context triggers retrieval. This fundamentally changes the incident response calculus.
The accountability gap is real and unresolved
The paper explicitly identifies this: if a compromised agent commits a financial crime, the allocation of liability between the agent operator, the model provider, and the domain owner is an open legal question. In regulated industries, that ambiguity is your problem — not someone else's.
What this requires from a governance perspective
The paper outlines mitigation strategies across three layers. Here is how I translate
those into operational governance requirements:
Pre-ingestion source validation — before any external content enters an agent's context, evaluate its credibility. Not just URL reputation — structural analysis for hidden instructions.
RAG corpus integrity controls — treat your retrieval knowledge base as a security boundary. Access controls, provenance tracking, and anomaly detection on retrieved content are not optional in regulated environments.
Agent identity and behavioural baselines — you cannot detect anomalous behaviour without knowing what normal looks like. Every deployed agent needs a behavioural baseline and runtime monitoring against it.
Delegation chain logging — as covered in my delegation article: the full chain must be auditable. Human-in-the-loop controls mean nothing if reviewers only see orchestrator-level summaries that omit sub-agent actions.
Liability and accountability frameworks — document clearly who is responsible for agent actions in your regulatory context. Don't wait for the incident to discover the gap.
Red teaming for agent-specific threats — your existing penetration testing methodology was not designed for autonomous agents. Agent trap categories need to be explicitly included in your threat modelling and testing programme.
The bottom line
The DeepMind paper closes with a line that should be on every AI governance team's wall:
"The web was built for human eyes; it is now being rebuilt for machine readers. The critical question is no longer just what information exists, but what our most powerful tools will be made to believe."
Securing the integrity of what agents believe — what they retrieve, what they reason over,
what they act on — is the governance challenge of the agentic era. It is not a model
problem or an infrastructure problem. It is a governance architecture problem.
And unlike many security challenges, the window to address it before regulatory
expectations crystallise is narrow. The paper is publicly available. Regulators read research.
The EU AI Act's requirements around human oversight and transparency were written before
agent traps were a named threat class. They won't be updated to accommodate organisations
that weren't paying attention.
#CyberSecurity
#AI
#AgenticAI
#AISecurity
#CISO
#AIGovernance
#ZeroTrust
#PromptInjection
#OneCompliant
Map your agentic AI attack surface
OneCompliant's OASAT assessment evaluates your AI systems against agent trap categories,
delegation risk, and regulatory governance requirements — in 4–6 weeks.