Your AI agent just visited 50 websites. You have no idea what instructions each one gave it.
The Summary
- Google DeepMind published "AI Agent Traps" — the first systematic taxonomy of attacks targeting autonomous AI agents across their full lifecycle
- HTML prompt injection achieves 86% partial success; data exfiltration exceeds 80% across five tested agents
- Backdoor triggers in few-shot reasoning examples hit 95% attack success rate across models
- Detection asymmetry: websites can fingerprint AI agents and serve them different, malicious content than humans see
The Signal
The attack surface for AI agents is not theoretical. DeepMind's paper documents six categories of manipulation that work right now, against real production agents, with success rates that should stop any enterprise deployment conversation cold.
The most insidious is detection asymmetry. A website can identify when an AI agent is visiting — through browser fingerprinting, request headers, or behavioral patterns — and serve it completely different content. Your agent researches 50 sites. You see what you expect. The agent processes something else entirely.
"The agent doesn't know it's being tricked. It simply processes whatever it receives and acts on it."
The six attack vectors DeepMind mapped:
- Content Injection (Perception) — Hidden instructions in HTML comments, aria-labels, CSS off-screen elements, or image pixels. Alters agent summaries in 15–29% of cases, enables full commandeering in up to 86%
- Multimodal Steganography — Commands encoded directly into image pixels, invisible to humans but readable by vision models
- Document Jailbreaks — Override instructions embedded deep in PDFs, spreadsheets, and calendar invites
- Memory Poisoning — Injecting false information that persists across future sessions and corrupts RAG corpora
- Exfiltration Attacks — Tricking agents into sending private data to attacker-controlled endpoints. Exceeds 80% success across tested agents
- Multi-Agent Cascades — Agent A gets compromised, passes poison to Agent B, then C. Entire pipelines infected because agents trust each other's outputs
Defenses are failing. Input sanitization doesn't work because you can't sanitize a pixel. Prompt-level instructions to ignore suspicious commands fail because attacks are designed to look legitimate. Human oversight is impossible at the speed agents operate.
The Implication
Every enterprise betting on agentic AI this year is deploying systems into an attack landscape that security teams don't understand yet. The DeepMind paper is the first honest map of that terrain.
The practical takeaways from the paper: treat all external content as untrusted by default, enforce least-privilege permissions on agent actions, monitor for anomalous agent behavior, require auditable citations for agent outputs, and secure agent memory and RAG stores with the same rigor as credentials.
The broader signal: the race to deploy agents and the race to secure them are not moving at the same speed. The attack tooling is already ahead. The 95% success rate on backdoor triggers isn't a lab finding — it's a deployment reality for any agent using few-shot examples pulled from external sources.
The question isn't whether your agents will be targeted. It's whether you'll know when they are.