News
Google DeepMind Outlines Six Ways to Hijack AI Agents

Google DeepMind researchers have published a taxonomy of six categories of attacks against autonomous AI agents, citing success rates as high as 86-90 percent in some scenarios. The work is meant to help companies deploying agents assess real-world risk before granting them access to email, browsers, or transactions.
A team of Google DeepMind researchers has published a paper systematizing the ways autonomous AI agents can be hijacked by an attacker. The taxonomy, titled 'AI Agent Traps,' divides the threats into six categories corresponding to successive stages of an agent's operation: perceiving its environment, reasoning, memory, taking action, coordinating with other agents, and the moment a decision is handed back to a human.
The publication arrives at a moment when more and more companies are granting AI agents access to web browsers, email, and transaction systems, treating them as full-fledged participants in business processes. The authors argue that the current approach to agent security, focused mainly on filtering input content, is failing to keep pace with how quickly these systems are gaining new privileges.
Six Threat Categories
The first category consists of content injection traps, which exploit the gap between what a human sees on a webpage and what an agent reads from its HTML, CSS, and metadata. Instructions hidden in HTML comments, accessibility tags, or invisible CSS styles never appear before a reviewer's eyes, but are registered by the agent as commands to execute.
The second category, semantic manipulation, involves twisting the meaning of legitimate content to steer an agent toward false conclusions without explicitly breaking any technical rule. The third is memory poisoning, corrupting the persistent records an agent carries between sessions, thereby influencing its future decisions long after the original attack.
From a Single Agent to a Whole Network
The fourth category, behavioral control, strikes directly at an agent's action-selection mechanism. The case described in the paper involves Microsoft 365 Copilot, where a single, suitably crafted email was enough to induce the agent to bypass safety classifiers and disclose the entirety of the privileged context it had access to.
The fifth category covers systemic and multi-agent attacks, targeting entire networks of cooperating AI systems. The authors describe a scenario in which a fabricated financial report reaches multiple trading agents simultaneously, triggering a synchronized, automatic stock sell-off. The sixth category consists of traps that strike at the moment a decision is handed to a supervising human, exploiting the fact that the operator trusts a summary prepared by the agent rather than verifying the underlying data.
AI agents are rapidly gaining access to web browsing, email, and the ability to carry out transactions - from the paper 'AI Agent Traps,' Google DeepMind
The Scale of the Risk in Numbers
The most troubling part is the success-rate statistics cited in the paper. Simple hidden prompt injections in HTML code hijacked control of the tested agents in as much as 86 percent of scenarios. Attacks that induced an orchestrator agent to launch a malicious sub-agent with a poisoned system prompt achieved success rates between 58 and 90 percent, depending on the architecture. Attacks aimed at exfiltrating data from the system exceeded 80 percent success across many different agent architectures tested by the team.
For companies deploying AI agents, including in Poland, where a growing number of public and private institutions are testing autonomous systems for document handling and customer communication, DeepMind's work is a practical warning. The high success rate of these attacks, combined with a relatively low barrier to entry (a single crafted webpage or email is enough), means agent security has to be designed into the system architecture rather than bolted on after deployment.
The authors emphasize that the taxonomy is meant above all to serve as a common language for risk assessment, allowing security teams to systematically check which of the six attack types a given agentic system is vulnerable to before it goes into production use with access to sensitive data or financial resources.
Sources: Crypto Briefing (cryptobriefing.com), SecurityWeek (securityweek.com)


