The enterprise is deploying AI agents at a pace that has outrun every security framework written to govern them. These agents don’t just answer questions — they browse websites, retrieve documents, call APIs, execute code, manage email, initiate financial transactions, and spawn sub-agents to tackle complex workflows. They operate autonomously, at machine speed, often with minimal human oversight.

The attack surface this creates is larger and categorically different than what came before. Traditional security assumed a human at the keyboard. Agentic AI removes that assumption entirely, replacing the human decision-maker with a model that reads its environment and acts on what it finds — including content that adversaries have deliberately engineered to manipulate it.

Naming the Threat: AI Agent Traps

A new paper from Google DeepMind, AI Agent Traps, introduces the first systematic framework for this emerging threat class. The authors define an Agent Trap as adversarial content embedded in a web page or digital resource, engineered specifically to exploit an interacting AI agent. Rather than attacking the model directly, Agent Traps attack the environment the model operates in. The agent’s own instruction-following, tool-chaining, and goal-prioritization capabilities become the attack vector — weaponized against it by manipulating the data it ingests.

The threat surface spans the full operational lifecycle of an agent. DeepMind’s taxonomy organizes Agent Traps into six attack categories based on which component of the agent’s architecture each exploit targets:

The empirical evidence cited throughout the paper is sobering. Simple prompt injections embedded in web content commandeer agents in up to 86% of tested scenarios. Adversarial mobile notifications achieve up to 93% attack success rates against multimodal agents on Android environments. RAG knowledge poisoning requires injecting only a handful of optimized documents into a large knowledge base to reliably manipulate targeted queries. Memory poisoning attacks achieve success rates exceeding 80% with less than 0.1% data poisoning — while leaving benign behavior largely intact.

What DeepMind Proposes as Defenses

The paper’s mitigation proposals are organized across three dimensions: technical hardening, ecosystem-level intervention, and legal/regulatory reform.

• Technical: DeepMind recommends adversarial training augmentation to expose models to manipulated inputs during fine-tuning, combined with Constitutional AI-style behavioral constraints that help agents refuse manipulative instructions embedded in ingested content. At runtime, the proposed defenses include pre-ingestion source credibility filters, content scanners that detect hidden instructions, and output monitors that flag anomalous behavioral shifts. The paper also calls for transparency mechanisms — explicit, user-verifiable citations for synthesized information — that allow auditors to trace retrieval-based outputs back to their source documents.
• Ecosystem: DeepMind argues that web standards and verification protocols should allow websites to explicitly declare AI-intended content, and that reputation systems should score domain reliability based on history of malicious content hosting. The paper also surfaces what it calls the “Accountability Gap”: when a compromised agent commits a financial crime, no legal framework currently resolves liability among the agent operator, the model provider, and the domain owner. Filling that gap, the authors argue, is a prerequisite for deploying agents in regulated sectors.
• Legal: DeepMind issues a direct call to action: many trap categories identified in the paper currently lack standardized benchmarks. Without systematic evaluation, the industry has no reliable way to measure agent robustness against these threats.

The Fundamental Challenge of the Agentic Age

The Google DeepMind paper represents a significant contribution: the first structured taxonomy of a threat class that the industry has been circling without naming. Mapping attack surfaces across the full agent operational cycle gives security researchers, platform builders, and policymakers a common framework for a problem that touches all of them.

The implications reach further than any single vendor’s product roadmap. Agents now operate as autonomous consumers of uncontrolled web content, and the web was designed with no concept of that use case. Content that a human would recognize as suspicious, an agent processes as authoritative input. Every external data source an agent can reach is a potential attack vector, and the agent’s most powerful capabilities — tool use, memory persistence, sub-agent orchestration — become force multipliers for the attacker who successfully exploits one.

The paper’s closing observation deserves to be read as a strategic imperative for every security leader deploying agents: The web was built for human eyes; it is now being rebuilt for machine readers.