When an AI agent visits a webpage, it sees something different from what a human sees. The page a human reads and the page an agent parses — after dynamic rendering, HTML interpretation, and tool-use formatting — can be two very different documents. Attackers know this. A new paper from Google DeepMind researchers proposes the first systematic framework for exploiting exactly that gap: adversarial content engineered to manipulate, deceive, or exploit visiting agents. The researchers call it an "AI Agent Trap." The paper, posted to SSRN on March 28, 2026, is less than three weeks old and has been downloaded 139 times — modest by academic standards, but the download count reflects who the audience is: the people building the systems the paper describes.
The framework identifies six distinct trap types. Content Injection Traps exploit the gap between what a human sees, what a machine parses, and what dynamic browser content renders — meaning a page can look innocuous to a human reviewer while delivering a different set of instructions to an agent. Semantic Manipulation Traps corrupt an agent's reasoning and internal verification processes. Cognitive State Traps target an agent's long-term memory, knowledge bases, and learned behavioral policies — attacking not what the agent does but what it knows and believes. Behavioral Control Traps hijack an agent's capabilities to force unauthorized actions. Systemic Traps use multi-agent interaction patterns to create cascading failures. Human-in-the-Loop Traps — which the paper notes are visible in deployed systems — exploit the cognitive biases of the humans who oversee agents, manipulating the human rather than the machine.
The distinction from conventional prompt injection is one of scope. Prompt injection typically targets a single model's instruction-following. AI Agent Traps are designed for agents that browse, query, and act across the open web — where the adversarial surface includes not just the model but the entire information environment it navigates. The paper's framing: as agents increasingly operate autonomously in open domains, the information environment itself becomes an attack surface. Every website, every email, every document retrieved from an external database is a potential injection point.
The five authors — Matija Franklin, Nenad Tomašev, Julian Jacobs, Joel Z. Leibo, and Simon Osindero, all Google DeepMind — frame the contribution as foundational. The paper proposes a taxonomy and a research agenda. It does not document systems already compromised. What the research agenda points toward is a genuine problem: the traps identified in the framework do not yet have clear mitigations. The paper acknowledges this plainly. Securing the agent ecosystem against these attacks will require work that has not been done.
This is not a purely theoretical concern. Unit 42 researchers at Palo Alto Networks have documented 22 distinct indirect prompt injection techniques already being used in the wild, including what they describe as the first observed case of AI-based ad review evasion — where injected instructions manipulate an agent into approving content that would fail human review. Microsoft has documented over 50 unique memory-poisoning prompts across 31 companies in 14 industries — prompts designed to corrupt what an agent remembers about prior interactions. Brave's security team found that indirect prompt injection represents a systemic challenge for the entire category of AI-powered browsers. OpenAI's own CISO has called prompt injection a frontier unsolved security problem, with the implication that adversaries will spend significant resources exploiting it. The OWASP Top 10 for Agentic Applications, released in December 2025 with input from over 100 security researchers, placed prompt injection at number one.
The DeepMind affiliation gives the paper credibility. Leibo's group has a track record in multi-agent systems and alignment research. But it is a preprint — the intellectual contribution of credible researchers, not a settled account of a demonstrated threat.
The structural implication for anyone building agentic systems is straightforward. Any system that deploys AI agents to browse the web, read emails, or query external databases is operating in an environment that can be adversarially shaped. The paper's six-type taxonomy maps where that adversarial shaping can go wrong. The mitigations — and the paper is clear on this — are a research problem, not a solved engineering problem. Anyone shipping agents that browse should be reading this paper.
The preprint is available on SSRN at doi: 10.2139/ssrn.6372438.
