Google DeepMind Publishes First Systematic Framework of Six AI Agent Trap Categories — Combinatorial Attack Chains Proven Against Autonomous Agents

Google DeepMind has published what it describes as the first systematic framework cataloging how environments can be weaponized against autonomous AI agents. The paper, covered extensively by The Decoder on April 1, 2026, introduces the term "AI agent traps" and presents six distinct categories of attacks, each targeting different components of an agent operating cycle.

The six categories are:

1. Content Injection Traps (targeting perception): Hidden instructions buried in HTML comments, CSS, image metadata, or accessibility tags that agents read and follow but humans never see.

2. Semantic Manipulation Traps (targeting reasoning): Emotionally charged or authoritative-sounding content that exploits the same framing biases and anchoring effects that affect humans, causing agents to draw incorrect conclusions.

3. Cognitive State Traps (targeting memory): Attacks on long-term memory through poisoned RAG knowledge base documents. Researchers demonstrate that poisoning just a handful of documents reliably skews agent output for specific queries.

4. Behavioral Control Traps (targeting actions): Direct hijacking of agent actions. A cited case shows a single manipulated email got an agent in Microsoft M365 Copilot to bypass security classifiers and expose its entire privileged context.

5. Sub-agent Spawning Traps (targeting multi-agent systems): Exploiting orchestrator agents that spawn sub-agents by tricking them into launching agents with poisoned system prompts. Cited studies show 58-90% attack success rates.

6. Systemic Traps (targeting agent networks): Attacks on entire multi-agent ecosystems, including scenarios where fake financial reports trigger synchronized sell-offs across trading agents (digital flash crash), and compositional fragment attacks that scatter payloads across sources so no single agent detects the full attack.

A crucial additional category covers Human-in-the-Loop Traps where compromised agents become weapons against their human supervisors through approval fatigue, misleading summaries, and automation bias exploitation.

Co-author Franklin emphasized on X: "These attacks are not theoretical. Every type of trap has documented proof-of-concept attacks. And the attack surface is combinatorial — traps can be chained, layered, or distributed across multi-agent systems."

The paper draws an analogy to autonomous vehicles: securing agents against manipulated environments is as crucial as self-driving cars ability to recognize manipulated traffic signs. The researchers stress that the combinatorial nature of these attacks means defense strategies must address not just individual trap types but their interactions.