Google DeepMind researchers have published what they describe as the first systematic framework for understanding adversarial attacks against autonomous AI agents. The paper, titled "AI Agent Traps," identifies six categories of threats that exploit the unique attack surface created when agents browse the web, manage memory, and take real-world actions.

The six categories map to each component of an agent's operating cycle:

Content injection traps target perception by hiding malicious instructions in HTML comments, CSS, or image metadata โ€” invisible to humans but processed faithfully by agents. Semantic manipulation traps exploit reasoning by framing information in emotionally charged or authoritative ways that skew an agent's conclusions, similar to cognitive biases in humans.

Cognitive state traps poison long-term memory by corrupting just a handful of documents in a RAG knowledge base, reliably biasing outputs for targeted queries. Behavioral control traps go further by hijacking actions directly โ€” the paper cites a case where a single manipulated email caused Microsoft M365 Copilot to bypass security classifiers and leak its full privileged context.

Sub-agent spawning traps target orchestrators that spin up child agents, tricking them into launching processes running poisoned system prompts. Cited research puts the success rate at 58โ€“90 percent. The most dangerous category, systemic traps, targets multi-agent networks โ€” researchers describe a scenario where a fake financial report triggers synchronized sell-offs across multiple trading agents, a kind of AI-induced flash crash.

The final category covers human-in-the-loop traps, where a compromised agent slowly wears down user attention through misleading summaries or exploits automation bias.

Co-author Matija Franklin notes that every trap category has documented proof-of-concept attacks and that "the attack surface is combinatorial" โ€” traps can be chained and layered across distributed systems.