Sign in Subscribe

AI Agent Traps: When the Web Becomes the Attack Surface for Autonomous Agents

Sascha Corti

7 min read
AI Agent Traps: When the Web Becomes the Attack Surface for Autonomous Agents
Photo by Sean Quillen / Unsplash

Autonomous AI agents are quickly moving beyond chat. They browse the web, read documents, call tools, retrieve knowledge, send messages, and increasingly act on behalf of users and organizations. That shift creates a new security problem: the environment itself can become hostile.

That is the core argument in AI Agent Traps, a 2026 paper by Matija Franklin, Nenad Tomašev, Julian Jacobs, Joel Z. Leibo, and Simon Osindero. The paper introduces a systematic framework for understanding how digital environments can manipulate, deceive, and exploit AI agents—not by attacking the model weights directly, but by poisoning what the agent sees, reasons over, remembers, and acts upon.

Original paper

You can find the original paper here: SSRN

Why this matters

Traditional security thinking tends to focus on protecting the model, the infrastructure, or the API boundary. But agents introduce a broader and more dynamic attack surface. They consume untrusted information from websites, emails, APIs, shared documents, calendars, chat threads, and retrieval systems. If that external information is adversarially shaped, the agent may be pushed into behavior its operator never intended.

The paper’s key insight is simple and powerful: for agents, the information environment is part of the security perimeter. In other words, the web is no longer just data. It is executable influence.

What the paper contributes

The authors make three core contributions. First, they connect this problem to prior work in adversarial machine learning, web security, and AI safety. Second, they propose a six-part taxonomy of “agent traps” mapped to different stages of an agent’s functional architecture. Third, they outline mitigation directions and a research agenda for securing the broader agent ecosystem.

That framing is useful because it shifts the discussion away from isolated prompt injection examples and toward a full-stack threat model for agentic systems.

The six classes of AI Agent Traps

1. Content Injection Traps: attacking perception

Content Injection Traps target the agent’s ingestion layer. They exploit the mismatch between what humans see and what machines parse. An agent may read HTML comments, hidden metadata, accessibility labels, off-screen text, or encoded data that a human reviewer never notices.

The paper breaks this category into four subtypes:

  • Web-standard obfuscation: hidden instructions embedded in HTML, CSS, comments, or metadata.
  • Dynamic cloaking: content served specifically to agent-like visitors but not to humans.
  • Steganographic payloads: adversarial instructions hidden in media data such as images or audio.
  • Syntactic masking: instructions concealed inside formats such as Markdown or LaTeX.

This is important because it means security reviews based only on rendered UI are insufficient. Agents may be attacked through the invisible substrate of the page.

2. Semantic Manipulation Traps: attacking reasoning

Not every attack needs to look like a command. Some only need to bias the agent’s reasoning. Semantic Manipulation Traps exploit framing, tone, sequencing, and context to skew the conclusions an agent reaches.

The paper highlights three mechanisms:

  • Biased phrasing, framing, and contextual priming
  • Oversight and critic evasion
  • Persona hyperstition

The first two are immediately recognizable to anyone building agentic workflows: phrasing changes outcomes, and “for research purposes only” style wrapping can slip past oversight logic. The third—persona hyperstition—is the most unusual and arguably the most thought-provoking. It describes a feedback loop where narratives about a model’s “personality” circulate online, re-enter retrieval or training pipelines, and then influence how the model behaves in future interactions.

For agent builders, the lesson is that reasoning quality is not only a model capability issue. It is also an input-shaping issue.

3. Cognitive State Traps: attacking memory and learning

Cognitive State Traps target persistence. Rather than manipulating one response, they corrupt what the agent stores, retrieves, or learns over time. This makes them especially dangerous for systems with memory, RAG, personalization, or online adaptation.

The paper identifies three variants:

  • RAG knowledge poisoning
  • Latent memory poisoning
  • Contextual learning traps

This is the category many enterprise teams should worry about first. If an attacker can get malicious or fabricated content into a retrieval corpus, shared repository, wiki, or memory store, the agent may later treat that content as verified context. The paper explicitly notes that attackers could achieve this by publishing poisoned content into public sources scraped by agents or by uploading files into enterprise repositories that get indexed automatically.

That is a very practical warning for RAG system design. Retrieval is not just a relevance problem; it is a trust and provenance problem.

4. Behavioural Control Traps: attacking action

This category is where security concerns become operational. Behavioural Control Traps target the agent’s ability to follow instructions and invoke tools. Their purpose is not merely to bias output, but to induce concrete unauthorized behavior.

The three subtypes are:

  • Embedded jailbreak sequences
  • Data exfiltration traps
  • Sub-agent spawning traps

This is where agent security starts to resemble classic capability security. A compromised agent with access to email, files, calendar, internal systems, or payment flows becomes a confused deputy: it uses legitimate privileges in service of an attacker’s goals. The paper points to examples involving secret leakage, credential exfiltration, phishing-style manipulation, and misuse of delegated tool access.

For engineering teams, this is the clearest argument for least privilege, scoped tools, explicit confirmation gates, and runtime policy enforcement.

5. Systemic Traps: attacking multi-agent dynamics

Some of the most interesting parts of the paper are also the most forward-looking. Systemic Traps are not aimed at one agent, but at populations of agents that share incentives, architectures, signals, or learned behaviors.

The paper lists five mechanisms:

  • Congestion traps
  • Interdependence cascades
  • Tacit collusion
  • Compositional fragment traps
  • Sybil attacks

This is where the paper broadens from prompt injection into market structure and system dynamics. If many agents respond similarly to the same signal, an attacker may be able to induce synchronized failure: overwhelming a resource, triggering cascading actions, coordinating behavior without direct communication, or steering group decisions using fake identities.

Even if some of these threats are still partly theoretical, the framing is valuable. It reminds us that agent security is not only about individual alignment; it is also about emergent behavior in distributed systems.

6. Human-in-the-Loop Traps: attacking the human overseer

The final class is especially relevant in enterprise deployment. Human-in-the-Loop Traps use the agent as the attack vector and the human reviewer as the target. The idea is not just to fool the model, but to generate outputs that exploit human approval fatigue, over-trust in automation, or domain asymmetry.

The paper anticipates scenarios where agents produce benign-looking but misleading summaries, hide malicious intent behind technical language, or nudge humans toward clicking bad links or approving bad actions. Early examples cited include cases where hidden prompt injections cause summarization tools to repeat dangerous remediation steps as if they were legitimate fixes.

This matters because “human review” is often treated as the safety fallback. The paper argues that this fallback can itself be manipulated.

Why the framework is useful

The strongest contribution of the paper is not any single example. It is the taxonomy.

The six-part framework maps threats to different layers of an agent’s operational loop: perception, reasoning, memory, action, multi-agent coordination, and human oversight. That makes it easier to reason about controls. Different attack classes require different mitigations, different benchmarks, and different logging strategies.

This is also why the paper feels timely. Much of the current industry conversation still compresses agent security into “prompt injection.” That term is too narrow. The paper makes a broader claim: once an AI system can browse, retrieve, remember, and act, environmental manipulation becomes a first-class systems problem.

Practical implications for teams building agents

For practitioners, this paper translates into several concrete design principles.

First, treat all external content as untrusted, including content that appears visually benign. If the agent can parse it, it can influence behavior.

Second, separate retrieval from trust. Just because a document is retrieved does not mean it should be believed. Provenance, corpus curation, and retrieval-time verification become core controls for RAG-based systems.

Third, design for capability containment. Agents should not have broad implicit rights to send, execute, purchase, or disclose. Tool access needs scope, policy, and strong confirmation boundaries. This is especially important for exfiltration-style traps.

Fourth, assume persistence increases risk. Memory, long-horizon context, and adaptive behavior are powerful features, but they enlarge the attack surface. Persistent systems need memory hygiene, isolation, and forensic traceability.

Fifth, prepare for evaluation, not just prevention. The paper explicitly calls out the lack of standardized benchmarks for many of these trap categories. That means most organizations do not yet know how robust their agents really are.

The paper’s mitigation direction

The mitigation section is deliberately high-level, but it is directionally sound. The authors group defenses into three areas:

  • Technical defences, including training-time hardening, source filtering, content scanning, and runtime monitoring.
  • Ecosystem-level interventions, such as trust signals, verification protocols, and explicit citation requirements.
  • Legal and ethical frameworks, especially around accountability when compromised agents cause harm.

They also argue for better benchmarking and red teaming before deploying agents in high-stakes settings. That point is worth underlining. We now have many demos of capable agents, but we still lack mature security evaluation suites for the kinds of environmental manipulation this paper describes.

My take

This paper is a useful conceptual upgrade for anyone working on agentic systems.

It reframes the security problem from “can the user jailbreak the model?” to “can the environment shape what the agent perceives, believes, remembers, and does?” That is a much more realistic question for web-enabled agents, enterprise copilots, RAG systems, and multi-agent architectures.

The most practical takeaway is this: agentic AI collapses the boundary between content and control. In conventional software, data and instructions are usually separated by design. In LLM-based agents, external content can become operational guidance unless the system actively resists that drift.

That makes environment-aware security one of the defining engineering challenges of the agent era.

Closing thought

The paper ends with a strong line: the web was built for human eyes, but it is increasingly being rebuilt for machine readers. That shift changes the threat model. If agents are going to browse, retrieve, reason, and act autonomously, then securing the integrity of what they are made to believe becomes foundational.

And that is why AI Agent Traps is worth reading now—not because every attack it describes is already common in production, but because it provides a vocabulary and framework for defending the systems we are rapidly building.