Key Takeaways:
- Google Deepmind researchers identified 6 AI agent trap categories, with content injection success rates reaching 86%.
- Behavioural Control Traps targeting Microsoft M365 Copilot achieved 10/10 data exfiltration in documented tests.
- Deepmind calls for adversarial training, runtime content scanners, and new web standards to secure agents by 2026.
Deepmind Paper: AI Agents Can Be Hijacked Through Poisoned Memory, Invisible HTML Commands
The paper, titled “AI Agent Traps,” was authored by Matija Franklin, Nenad Tomasev, Julian Jacobs, Joel Z. Leibo, and Simon Osindero, all affiliated with Google Deepmind, and posted to SSRN in late March 2026. It arrives as companies race to deploy AI agents capable of browsing the web, reading emails, executing transactions, and spawning sub-agents without direct human supervision.
The researchers argue those capabilities are also a liability. “By altering the environment rather than the model,” the paper states, “the trap weaponizes the agent’s own capabilities against it.”
The paper’s framework identifies a total of six attack categories organized around what part of an agent’s operation they target. Content Injection Traps exploit the gap between what a human sees on a webpage and what an AI agent parses in the underlying HTML, CSS, and metadata.
Instructions hidden in HTML comments, accessibility tags, or styled-invisible text never appear to human reviewers but register as legitimate commands to agents. The WASP benchmark found that simple, human-written prompt injections embedded in web content partially hijack agents in up to 86% of scenarios tested.
Semantic Manipulation Traps work differently. Rather than injecting commands, they saturate text with framing, authority signals, or emotionally charged language to skew how an agent reasons. Large language models (LLMs) exhibit the same anchoring and framing biases that affect human cognition, meaning rephrasing identical facts can produce dramatically different agent outputs.
Cognitive State Traps go further by poisoning the retrieval databases agents use for memory. Research cited in the paper shows that injecting fewer than a handful of optimized documents into a knowledge base can reliably redirect agent responses for targeted queries, with some attack success rates exceeding 80% at less than 0.1% data contamination.
Behavioural Control Traps skip the subtlety and aim directly at an agent’s action layer. These include embedded jailbreak sequences that override safety alignment once ingested, data exfiltration commands that redirect sensitive user information to attacker-controlled endpoints, and sub-agent spawning traps that coerce a parent agent into instantiating compromised child agents.
The paper documents a case involving Microsoft’s M365 Copilot where a single crafted email caused the system to bypass internal classifiers and leak its full privileged context to an attacker-controlled endpoint. Systemic Traps are designed to fail entire networks of agents simultaneously rather than individual systems.
These include congestion attacks that synchronize agents into exhaustive demand for limited resources, interdependence cascades modeled on the 2010 stock market Flash Crash, and compositional fragment traps that scatter a malicious payload across multiple benign-looking sources that reconstitute into a full attack only when aggregated.
“Seeding the environment with inputs designed to trigger macro-level failures via correlated agent behaviour,” the Google Deepmind paper explains, becomes increasingly dangerous as AI model ecosystems grow more homogeneous. The finance and crypto sectors face direct exposure given how deeply algorithmic agents are embedded in trading infrastructure.
Human-in-the-Loop Traps round out the taxonomy by targeting the human supervisors watching over agents rather than the agents themselves. A compromised agent can generate outputs engineered to induce approval fatigue, present technically dense summaries that a non-expert would authorize without scrutiny, or insert phishing links that look like legitimate recommendations. The researchers describe this category as underexplored but expected to grow as hybrid human-AI systems scale.
Researchers Say Securing AI Agents Requires More Than Technical Fixes
The paper does not treat these six categories as isolated. Individual traps can be chained, layered across multiple sources, or designed to activate only under specific future conditions. Every agent tested across various red-teaming studies cited in the paper was compromised at least once, in some cases executing illegal or harmful actions.
OpenAI CEO Sam Altman and others have previously flagged the risks of giving agents unchecked access to sensitive systems, but this paper provides the first structured map of exactly how those risks materialize in practice. Deepmind’s researchers call for a coordinated response spanning three areas.
On the technical side, they recommend adversarial training during model development, runtime content scanners, pre-ingestion source filters, and output monitors that can suspend an agent mid-task if anomalous behavior is detected. At the ecosystem level, they advocate for new web standards that would allow websites to flag content intended for AI consumption and reputation systems that score domain reliability.
On the legal side, they identify an accountability gap: when a hijacked agent commits a financial crime, current frameworks offer no clear answer for whether liability falls on the agent operator, the model provider, or the domain owner. The researchers frame the challenge with deliberate weight:
“The web was built for human eyes; it is now being rebuilt for machine readers.”
As agent adoption accelerates, the question shifts from what information exists online to what AI systems will be made to believe about it. Whether policymakers, developers, and security researchers can coordinate fast enough to answer that question before real-world exploits arrive at scale remains the open variable.
