DeepMind warns of six web attacks that can seize control of AI agents
As companies rush to deploy autonomous AI agents for tasks like payments, coding and workflow automation, researchers at Google DeepMind are sounding the alarm: the open web itself is becoming a powerful attack surface.
In a recent study titled “AI Agent Traps”, DeepMind researchers outline how malicious actors can plant hidden instructions, poisoned data and manipulative content across websites to quietly hijack agents’ behavior. Instead of attacking the core AI models, these tactics target the environments in which agents operate – especially when they browse, read or interact with online content.
The paper identifies six broad categories of “traps” that exploit the way AI agents interpret and act on web data:
1. Content injection traps
2. Semantic manipulation traps
3. Cognitive state traps
4. Behavioural control traps
5. Systemic traps
6. Human-in-the-loop traps
Together, they describe an emerging class of security risks that look less like traditional software exploits and more like psychological or social engineering – but aimed at machines.
1. Content injection: invisible instructions for the agent, not the human
Among the six risks, content injection is described as one of the most direct and immediately dangerous. Here, attackers hide adversarial instructions in parts of a webpage that ordinary users never see, but that AI agents routinely parse.
These hidden commands can be embedded in:
– HTML comments
– Metadata fields
– CSS or invisible elements
– Off-screen or cloaked page sections
Because many agents are designed to read raw HTML or structured data behind the page, they encounter these hidden text segments and interpret them as genuine instructions. DeepMind’s tests show that such techniques can reliably override the agent’s intended policy, steering its decisions with high success rates.
From a human perspective, the webpage looks normal. From the agent’s perspective, it contains an additional, secret layer of commands – a perfect channel for attackers to seize control.
2. Semantic manipulation: weaponizing tone, framing and authority
Not all traps rely on hidden code or technical tricks. Semantic manipulation attacks target the agent’s language understanding and decision-making by shaping how information is presented.
In this scenario, malicious pages are crafted to look:
– Authoritative or “official”
– Educational or research-focused
– Like trustworthy documentation or system messages
By loading content with confident phrasing, pseudo-expert tone, or carefully framed task descriptions, attackers can smuggle harmful or policy-violating instructions past the model’s built-in safeguards. The agent is not tricked by a bug – it is persuaded by language that appears consistent, legitimate and relevant to its goal.
For instance, a webpage may present a task as a “security audit” or “backup procedure” and then suggest steps that actually exfiltrate sensitive data. The agent, designed to be helpful and goal-directed, may follow these steps in good faith.
3. Cognitive state traps: poisoning what the agent “remembers”
Another class of attacks goes after the memory and knowledge retrieval mechanisms that many advanced agents now use. Instead of compromising a single action, attackers attempt to shape the agent’s ongoing “mental model” of the world.
This can be done by:
– Injecting fabricated facts into sources the agent frequently consults
– Polluting knowledge bases, wikis, or documentation the agent uses for retrieval
– Repeatedly reinforcing misleading narratives or data points
Over time, the agent begins to treat this fabricated information as verified truth. When it later answers questions or makes decisions, it draws on this corrupted memory, generating outputs that may appear coherent but are fundamentally misinformed.
Unlike a one-off exploit, cognitive state traps can have long-lived effects, subtly redirecting the agent’s future behavior well after the initial attack.
4. Behavioural control: turning routine browsing into a jailbreak
Behavioural control traps focus on what the agent actually does in the real world. Here, malicious instructions are embedded in otherwise ordinary web content the agent visits as part of its standard workflow.
During routine browsing – for example, reading documentation, checking dashboards or interacting with web forms – the agent encounters text that effectively acts as a jailbreak prompt. Because these instructions appear in a context the agent believes it should trust, they can override or weaken internal safety rules.
DeepMind’s experiments indicate that when agents are granted broad permissions – access to local files, credentials, APIs or internal systems – these attacks can escalate dramatically. Compromised agents have been shown capable of:
– Locating and transmitting passwords
– Reading and exfiltrating local files
– Sending sensitive data to external servers
– Performing unauthorized actions in integrated tools
In such cases, the web page becomes less a source of information and more a remote control panel for the attacker.
5. Systemic traps: when many agents are manipulated at once
Most discussions of AI security focus on a single agent being compromised. DeepMind’s research emphasizes that system-level risks may be even more serious.
Systemic traps involve coordinated manipulation across many agents or interconnected automated systems. If large numbers of agents ingest the same poisoned content or respond to the same adversarial signals, their collective behavior can produce cascading, real-world effects.
The paper compares this to algorithmic trading loops that have contributed to flash crashes in financial markets. In those events, individual algorithms behaved as designed, but their interactions produced runaway dynamics. Similarly, a fleet of AI agents responding to the same manipulated signals could:
– Amplify false information across platforms
– Simultaneously trigger risky financial or operational decisions
– Reinforce each other’s distorted conclusions
This transforms a single vulnerability into a systemic risk, where the broader ecosystem becomes fragile and prone to sudden, hard-to-predict failures.
6. Human-in-the-loop traps: exploiting oversight instead of bypassing it
Many organizations assume that adding a human reviewer to the loop will catch dangerous outputs. DeepMind’s findings suggest that human oversight is itself a potential attack vector.
By crafting outputs that appear polished, plausible and aligned with expectations, an attacker can use the agent to generate content that a busy human reviewer is likely to approve. The harmful intent or subtle deviation from policy may be buried beneath:
– Technical jargon
– Long, seemingly careful reasoning
– Legitimate-looking justifications and references
Once approved, the agent is cleared to carry out actions that look endorsed and safe on the surface, even though they may be dangerous in practice. In other words, the attack does not bypass human oversight – it manipulates it.
Why these attacks are hard to spot
Traditional cybersecurity focuses on vulnerabilities in code, infrastructure or protocols. The traps described by DeepMind are different: they exploit how AI systems interpret content, language and context.
Several factors make them especially hard to detect:
– They look like normal content. There is no obvious malware, exploit code or signature to scan for.
– They piggyback on model capabilities. The more capable the agent is at understanding language and instructions, the more susceptible it can be to subtle manipulation.
– They exploit scale. Agents may process huge volumes of web data; manual inspection of all content they see is unrealistic.
– They cross technical and human domains. Some traps rely on psychological patterns in human reviewers as much as on model behavior.
This blur between technical and cognitive attack surfaces is what makes “AI agent traps” qualitatively different from classic web vulnerabilities.
Proposed defenses: training, filters, monitoring and reputation
DeepMind’s researchers argue that defending against these threats will require a layered approach. Among the strategies they highlight:
– Adversarial training. Expose agents during training to a wide range of manipulative content, hidden instructions and poisoned data so they learn to recognize and resist such patterns.
– Input filtering and sanitization. Pre-process web content before it reaches the agent, stripping or flagging dangerous constructs such as suspicious metadata, invisible elements or unusual prompt patterns.
– Behavioural monitoring. Track agents’ actions in real time or via logs, watching for anomalous behavior – like unexpected data transfers, file access or privilege escalation – that could signal a hijack.
– Reputation and trust scoring for content. Evaluate and rate data sources based on reliability and past behavior, giving agents a way to weigh information by trust level rather than treating all web pages equally.
– Stronger permission boundaries. Limit what agents can do by default. Access to local files, payment systems or sensitive APIs should be tightly scoped, time-limited and auditable.
Legal and governance gaps: who is responsible when agents go rogue?
Beyond technical measures, the study raises a pressing governance question: when an AI agent, manipulated by online content, carries out a harmful action, who is liable?
Possible candidates include:
– The organization that deployed the agent
– The developers of the underlying model
– The operator of the compromised system
– The creator of the malicious content
Today, regulatory and legal frameworks offer little clarity on how responsibility should be allocated when autonomous agents are involved. Without clearer rules, organizations may underestimate their exposure when they hand complex tasks – especially financial, operational or security-sensitive ones – over to AI agents.
Why current defenses are not enough
DeepMind’s paper stresses that the field still lacks a shared, systematic understanding of how agent-environment interactions create new risks. Many existing defenses:
– Focus on the model’s internal safety layers, not on its external context
– Treat attacks as isolated prompts rather than long-term or systemic manipulations
– Underestimate the role of ambient web content in shaping agent behavior
As a result, protections are fragmented and often pointed at the wrong target. Hardening the model alone is not sufficient if the environment remains untrusted and unconstrained.
Implications for companies deploying AI agents
For organizations eager to automate workflows with web-connected agents, the research carries several practical implications:
– Treat the web as hostile by default. Even “benign” sites can be compromised or misused to host adversarial content.
– Design for least privilege. Agents should get only the minimum permissions necessary for a task, and those permissions should be revocable and monitored.
– Separate browsing from action. One architecture is to decouple web reading from high-impact operations, inserting explicit checks or human review between information gathering and critical actions.
– Continuously test agents against adversarial scenarios. Red-teaming agents with realistic web-based attacks can reveal hidden vulnerabilities before attackers do.
– Educate human overseers. Reviewers must understand that even very polished outputs can be adversarial, and that “looks coherent” is not the same as “is safe”.
The broader risk: AI as both defender and attack tool
The timing of the “AI Agent Traps” study is not accidental. As companies deploy AI systems for real-world operations, attackers are also adopting AI to scale and refine cyber campaigns. This creates a feedback loop:
– AI agents are used to automate useful tasks.
– Attackers use AI to craft richer, more convincing traps and poisoned content.
– Compromised agents may, in turn, become tools inside larger attack chains.
In this environment, the line between traditional cyberattacks and AI-specific manipulation blurs. Security teams will need to think not only about endpoint protection and network defenses, but also about the cognitive surfaces exposed by AI systems.
Building a more resilient AI agent ecosystem
In the long run, mitigating these risks will likely require changes at multiple layers:
– Model design: improved robustness to manipulative language and hidden instructions.
– Agent architecture: clearer separation of perception, reasoning and action, with checkpoints between them.
– Infrastructure: sandboxed execution, strong identity and access controls, and comprehensive logging.
– Standards and norms: shared guidelines for how agents should interact with the web, assess trust and handle unverified content.
DeepMind’s research does not claim to offer a complete solution. Instead, it maps a new class of threats and argues that the industry is only beginning to grasp the problem’s scope. Without a coordinated response – spanning technical defenses, governance and legal accountability – AI agents risk becoming not just powerful tools, but also highly exposed entry points for manipulation.
As autonomous systems move from labs into payment flows, codebases and core business operations, treating these “agent traps” as theoretical is no longer an option. The question is shifting from whether such hijacks are possible to how quickly the ecosystem can adapt to make them rare, detectable and containable.