Websites can already detect when an AI agent visits and serve it completely different content than humans see. This "detection asymmetry" means a site can serve normal content to you, and malicious, hidden content to your agent, tricking it into executing unauthorized actions without your knowledge.

Google DeepMind recently published a landmark cybersecurity paper mapping this exact attack surface: AI Agent Traps. These are adversarial content elements embedded within digital resources, engineered specifically to misdirect or exploit an interacting AI agent.

"The web was built for human eyes; it is now being rebuilt for machine readers. As humanity delegates more tasks to agents, the critical question is no longer just what information exists, but what our most powerful tools will be made to believe." — Google DeepMind

The paper, authored by Matija Franklin, Nenad Tomašev, Julian Jacobs, Joel Z. Leibo, and Simon Osindero, introduces the first known systematic framework for understanding this emerging threat. Here is a step-by-step breakdown of how these traps work and the six primary attack vectors every AI practitioner needs to understand.

Content Injection Traps (Perception)

Content Injection Traps exploit the divergence between machine-parsed content and human-visible rendering to embed hidden commands directly in web pages and digital resources.

None

Attackers use techniques like Web-Standard Obfuscation (hiding commands in CSS or HTML comments), Dynamic Cloaking (detecting agent visitors and conditionally injecting payloads absent for human users), Steganographic Payloads (encoding adversarial instructions in image pixel arrays), and Syntactic Masking (concealing instructions inside Markdown or LaTeX formatting). A web server can run a fingerprinting script using browser attributes, automation-framework artefacts, and behavioral cues to identify an LLM-powered agent and serve it a visually identical but semantically different page.

Semantic Manipulation Traps (Reasoning)

Semantic Manipulation Traps manipulate input data distributions to corrupt an agent's reasoning process without issuing overt commands, making them particularly difficult to detect.

None

By saturating source content with sentiment-laden or authoritative language (Biased Phrasing), attackers can statistically bias the agent's synthesis. They can also wrap malicious instructions in educational or hypothetical framing (Oversight & Critic Evasion) to bypass internal safety filters and critic models. Research confirms that LLMs exhibit human-like susceptibility to the Framing Effect, where the presentation of information significantly influences interpretation and judgment.

Cognitive State Traps (Memory & Learning)

Cognitive State Traps corrupt an agent's long-term memory, knowledge bases, and learned behavioral policies, with effects that can persist across future sessions.

None

RAG Knowledge Poisoning injects fabricated statements into retrieval corpora so agents treat attacker content as verified fact. Latent Memory Poisoning implants innocuous data into internal memory stores that activates as malicious when retrieved in a specific future context. Unlike other trap categories, the effects of cognitive state attacks are not limited to a single session — they persist and compound over time.

Behavioural Control Traps (Action)

Behavioural Control Traps use explicit commands embedded in external resources to target instruction-following capabilities and serve attacker goals directly.

None

Data Exfiltration Traps function as a "confused deputy" attack, coercing the agent to leak privileged information. Research demonstrates attack success rates exceeding 80% across five different agents when web-use agents with browser and OS-level privileges encounter task-aligned injections. A single crafted email has been shown to cause Microsoft 365 Copilot to bypass internal classifiers and exfiltrate its entire privileged context to an attacker-controlled endpoint.

Systemic Traps (Multi-Agent Dynamics)

Systemic Traps seed the environment with inputs designed to trigger macro-level failures via correlated agent behavior, weaponizing the predictable aggregate behavior of multiple agents sharing an environment.

None

Congestion Traps exploit the homogeneity of autonomous agents by broadcasting signals that synchronize exhaustive demand for limited resources. Interdependence Cascades weaponize feedback loops where one agent's action becomes a signal for others, potentially triggering rapid, self-amplifying spirals analogous to the 2010 Flash Crash. These systemic risks are exacerbated by the relative homogeneity of the current model ecosystem, where agents driven by similar training data exhibit highly correlated responses.

Human-in-the-Loop Traps (Human Overseer)

Human-in-the-Loop Traps commandeer the agent to attack the human user, exploiting cognitive biases to influence the human overseer who represents the final layer of defense.

None

These traps might generate outputs specifically crafted to induce "approval fatigue" in human reviewers, or present highly technical, benign-looking summaries of work that a non-expert human would likely authorize. By exploiting automation bias — the tendency to over-rely on automation — these traps bypass the final layer of defense in critical systems. Early evidence shows that invisible prompt injections via CSS obfuscation can make AI summarization tools faithfully repeat ransomware commands as "fix" instructions that users are likely to follow.

The End-to-End Flow

The DeepMind framework reveals a comprehensive attack surface spanning perception, reasoning, memory, action, multi-agent dynamics, and human oversight — a complete kill chain from initial detection to attacker goal achievement.

The defense landscape is currently failing because traditional input sanitization does not work on multimodal steganography, and prompt-level instructions to "ignore suspicious commands" fail when attacks are designed to look legitimate. The paper identifies three interrelated challenges: detection at web scale is computationally and semantically difficult; attribution is forensically challenging because effects may manifest long after the initial interaction; and the adversarial landscape creates a persistent arms race. Securing agents against these traps requires a holistic strategy encompassing technical hardening during training and inference, ecosystem-level interventions such as web standards for AI-consumed content, and new legal frameworks to address the "Accountability Gap" when compromised agents cause harm.

Securing the integrity of what our most powerful tools believe is the fundamental security challenge of the agentic age.

Take Aways

When you put it all together, the DeepMind framework is one of the most coherent security models published in the agentic space. It maps the entire operational cycle. Every trap category in this guide maps directly to a layer of the agent architecture: perception to content injection, reasoning to semantic manipulation, memory to cognitive state, action to behavioural control.

The principle that makes this framework work is defense-in-depth at the environmental level. Input sanitization is deterministic. RAG provenance is tracked and scored. Tool execution is strictly allowlisted. Human approval is anti-fatigued by design. Each concern is isolated, testable, and composable. That is rare in current agent tooling, and it matters enormously at scale.

An agent that trusts its environment implicitly is not an autonomous system. It is a remote execution engine waiting for an attacker.

The teams that will move fastest are the ones with the tightest security loops: parse defensively, reason skeptically, retrieve cautiously, execute restrictively.

Start with a workflow you already know well. Run the pre-ingestion filters before you let your agent read external data. The baseline security logs will tell you more about the hostile web than any manual review ever could.

Thank you for reading. See you in the next one.

If this was useful, the clap button helps more people find it.

I write about agentic AI governance, agent architecture, and the infrastructure decisions that separate production systems from fragile demos. 🔔 → Subscribe

Deploying long-running agents in a regulated environment? Let's talk → LinkedIn