Google DeepMind just published what amounts to a field guide for breaking AI agents. The paper, titled “AI Agent Traps,” lays out six distinct categories of adversarial attacks that can compromise autonomous AI systems, and the success rates are the kind of numbers that should make anyone deploying these tools lose a little sleep.
Released as an SSRN preprint, the research represents the first systematic attempt to classify the ways bad actors can manipulate AI agents operating in real-world environments.
The six flavors of AI sabotage
The taxonomy breaks down into six attack categories: Content Injection Traps, semantic manipulation, cognitive state and memory poisoning, behavioral control, systemic and multi-agent attacks, and human-in-the-loop traps. Each targets a different stage of an AI agent’s operational cycle, from how it perceives information to how it reasons, remembers, and ultimately acts.
Content Injection Traps are perhaps the most straightforward and alarming. Environments like websites can embed harmful content that AI agents process without realizing they’ve been compromised. The techniques include hidden HTML comments, white-on-white text that’s invisible to human eyes but readable by machines, steganography, and manipulated image pixels.














