AI Agents Are Much More Vulnerable Than LLM-Based Applications

Cobus Greyling
4 min read · Mar 7, 2025


But what are the underlying factors that contribute to the increased vulnerability of AI Agents?

Regular LLM-based chatbots refuse malicious requests, giving the attacker a 0% success rate; the web-based AI Agent follows them at a rate of 46.6%.

In the recent past I wrote quite a bit on how vulnerable AI Agents with web browsing capabilities are in terms of pop-ups and on-screen messages intended to manipulate AI Agents into executing attacker-intended actions.

This is a different approach from the prompt injection attacks we have come to expect in the recent past.


The image below compares the Web Agent framework to standalone Large Language Models (LLMs) and shows how their differences affect vulnerability rates.

a, Shows users interacting with LLMs.

b, Shows users interacting with the Web Agent, using colours to highlight three key factors (1, 2, and 3) that point out the main differences between the two, grouped by category.

c, Presents a study that looks at how adding or removing these factors changes the Clear Denial rate and vulnerability rates.

The findings show that adding more agent components increases vulnerabilities compared to a standalone LLM. The Clear Denial rate (%) helps measure the vulnerabilities each component adds.

Web Interfacing AI Agents

AI agents that connect to the web face greater risks and bring more uncertainty compared to standalone large language models (LLMs).

Standalone LLMs work with fixed text that doesn’t change.

On the other hand, web AI Agents actively interact with web pages.

They use a series of actions, observations and extra details, such as live updates online, to decide what to do next.

This ability to interact with the web lets AI Agents adjust their approach as they go.

They can handle tasks more flexibly because they’re not stuck with a single, unchanging set of instructions. For example, they can respond to new information on a webpage right away.

But this flexibility comes with a catch. Because web AI Agents can change their plans based on what they see online, they might end up doing things they weren't supposed to.

Imagine an agent set up with rules to avoid harmful actions. Over time, as it learns from the web and tries new things, it could start ignoring those rules and act in risky or dangerous ways based on fresh information.

The web is always changing, and that introduces unpredictability.

AI Agents learn from trial and error, tweaking their actions as they go. This means they could eventually take steps that were originally off-limits, increasing the chance of mistakes or even malicious outcomes.
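One way to keep such rules out of the model's reach is a deterministic policy gate that sits outside the agent loop and checks every proposed action before it executes. The Python below is an added example, not code from this post or from any agent framework; the action names, allowlisted host, step budget and sample plan are all constructed.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Policy fixed at deployment time. It lives outside the model, so nothing the
# agent reads on a web page can rewrite it. All values are constructed samples.
ALLOWED_ACTIONS = {"navigate", "read", "click"}
FORBIDDEN_ACTIONS = {"submit_payment", "send_email", "download_file"}
ALLOWED_HOSTS = {"docs.example.com"}
MAX_STEPS = 10  # bound on how far step-by-step re-planning can drift from the task


@dataclass(frozen=True)
class Action:
    kind: str
    target: str = ""


def check_action(action: Action) -> tuple[bool, str]:
    """Deterministic gate applied to every action the planner proposes."""
    if action.kind in FORBIDDEN_ACTIONS:
        return False, f"'{action.kind}' is forbidden by policy"
    if action.kind not in ALLOWED_ACTIONS:
        return False, f"'{action.kind}' is not an allowed action"
    if action.kind == "navigate":
        host = (urlparse(action.target).hostname or "").lower()
        if host not in ALLOWED_HOSTS:
            return False, f"host '{host}' is not on the allowlist"
    return True, "ok"


def run_gated(plan: list[Action]) -> list[tuple[Action, bool, str]]:
    """Walk a plan step by step; halt at the first denied action or at MAX_STEPS."""
    audit = []
    for i, action in enumerate(plan):
        if i >= MAX_STEPS:
            audit.append((action, False, "step budget exhausted"))
            break
        ok, reason = check_action(action)
        audit.append((action, ok, reason))
        if not ok:
            break  # halt and escalate rather than let the agent try something else
    return audit


# Constructed plan: steps 1-2 follow the user's task; steps 3-4 are what a planner
# might propose after reading an on-page pop-up telling it to "claim" something.
SAMPLE_PLAN = [
    Action("navigate", "https://docs.example.com/faq"),
    Action("read", "main"),
    Action("navigate", "https://promo.example/claim"),
    Action("submit_payment", "order-42"),
]

if __name__ == "__main__":
    for action, ok, reason in run_gated(SAMPLE_PLAN):
        print("ALLOW" if ok else "DENY ", action.kind, action.target, "-", reason)
```

The audit list is the record a SOC would want: which step was denied, why, and that execution stopped there instead of the agent re-planning around the denial.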

Finally

I think it needs to be stated that AI Agents cannot be seen as a monolith or a single set piece of software.

There are a few factors to consider…

The key underpinning principle of AI Agents is agency, and this agency can be introduced along a spectrum or continuum. Hence agency can be introduced into applications and interfaces we have been using for years.

The higher the agency, the bigger the risk and hence the need for a security framework.

Secondly, AI Agent implementations can be vertical or horizontal in focus. Vertical implementations are more industry and use-case specific.

Horizontal implementations, by contrast, are more general multi-purpose implementations.

Also considering that vertical implementations will in many cases not be public facing, the risk is considerably lower.

Another consideration is access: to what extent private or company-specific information is integrated into the AI Agent.

Suffice it to say that any effective security strategy will have multiple layers depending on user intent and transaction type.

Chief Evangelist @ Kore.ai | I’m passionate about exploring the intersection of AI and language. From Language Models, AI Agents to Agentic Applications, Development Frameworks & Data-Centric Productivity Tools, I share insights and ideas on how these technologies are shaping the future.
