The open web isn’t neutral territory for AI agents. Every page an agent loads, every document it reads, every tool it calls is a potential attack surface. Google DeepMind has now published the most systematic map yet of how that attack surface gets exploited.
The paper, titled “AI Agent Traps,” identifies six categories of adversarial techniques designed to compromise autonomous AI agents. The organizing principle is anatomical: the six categories map directly onto four core agent functions, perception, reasoning, memory, and action. Attack the right layer and you can redirect what an agent sees, what it concludes, what it retains, and what it does. The taxonomy isn’t speculative. It documents real methods being used against real deployed systems.
Two attack types are named explicitly in available reporting. The first: invisible text embedded in web pages, content structured to be readable by an AI agent but invisible to a human reviewer, carrying instructions the agent may execute without any user awareness. The second: viral memory poisoning, where malicious content injected into one agent’s memory context can propagate across agent networks, spreading the compromise. The paper documents attacks ranging from web-page injection to cross-agent memory propagation, a scope that covers most of the surfaces an enterprise agent deployment would touch.
The liability question the paper surfaces is worth taking seriously. According to WiKiBit’s reporting on the paper, no existing legal framework definitively assigns responsibility when a trapped AI agent commits a financial crime. That’s not an abstract concern. Agents with broad financial or operational access are already deployed. When one executes a fraudulent transaction because an attacker poisoned its memory context, who is liable, the agent’s operator, the framework developer, the platform, or the end user? Current law has no clear answer.
The timing of this research lands alongside Microsoft’s release of the Agent Governance Toolkit this week, a separate development that provides a deployable defensive response to exactly the threat landscape this paper describes. The two releases together are worth reading as a pair.
On the question of whether prompt injection, the underlying technique behind many of these attack vectors, can ever be fully solved: according to reporting citing an OpenAI statement from December 2025, this class of vulnerability may not be fully resolvable. That framing, if accurate, changes the strategic calculus. Defense becomes a matter of continuous reduction of attack surface rather than elimination.
What to watch: whether the DeepMind paper, once fully accessible, includes an arXiv publication with verifiable benchmark data on attack success rates. The six-category taxonomy is significant on its own, but quantified attack success rates across agent frameworks would make it a foundational reference for the field. Also watch for regulatory bodies, particularly those implementing the EU AI Act’s requirements on high-risk AI systems, to incorporate this taxonomy into risk assessment guidance.
Google DeepMind publishing a systematic attack taxonomy, and Microsoft releasing a toolkit to address it, in the same week marks a transition. Agentic AI security is no longer a future problem being theorized about. It’s a present infrastructure requirement being actively tooled.