ML Security PapersFrom Stateless Queries to Autonomous Actions: A Layered Security Framework for Agentic AI Systems
Published on arXiv
2604.23338
Prompt Injection
OWASP LLM Top 10 — LLM01
Insecure Plugin Design
OWASP LLM Top 10 — LLM07
Excessive Agency
OWASP LLM Top 10 — LLM08
Key Finding
Identifies that most dangerous emerging threats (covert agent collusion, long-term memory poisoning, MCP supply-chain compromise) concentrate at intersection of high-layer attacks (L5-L7) and slow-burn temporality (T3-T4), yet only 8 of 120 paper-cell assignments (7%) cover this zone
LASM
Novel technique introduced
Agentic AI systems face security challenges that stateless large language models do not. They plan across extended horizons, maintain persistent memory, invoke external tools, and coordinate with peer agents. Existing security analyses organize threats by attack type (prompt injection, jailbreaking), but provide no principled model of which architectural component is vulnerable or over what timescale the threat manifests. This paper makes five contributions. First, we introduce the Layered Attack Surface Model (LASM), a seven-layer framework that maps threats to distinct architectural components: Foundation, Cognitive, Memory, Tool Execution, Multi-Agent Coordination, Ecosystem, and Governance, the accountability and observability layer that spans the stack analogously to the network management plane. Second, we introduce attack temporality as an orthogonal analytical dimension with four classes: Instantaneous (T1), Session-Persistent (T2), Cross-Session Cumulative (T3), and Sub-Session-Stack, Non-Session-Bounded (T4). Third, through a systematic review of 94 papers (2021--2025), we show that the most dangerous emerging threats concentrate at the intersection of high-layer attacks (L5--L7) and slow-burn temporality (T3--T4): covert agent collusion, long-term memory poisoning, MCP supply-chain compromise, and alignment failure that manifests as an insider threat with no external adversary. Only 8 of 120 paper-cell assignments (7%) fall in this zone. Fourth, we propose a cross-layer defense taxonomy spanning all seven LASM layers and all four temporality classes, exposing which threat classes existing defenses leave unaddressed. Fifth, we survey evaluation benchmarks, identify five research gaps in the under-studied high-layer, slow-burn zone, and argue that agentic security must be treated as a distributed systems problem embedded in an adversarial ecosystem.
Key Contributions
- Introduces Layered Attack Surface Model (LASM): seven-layer framework mapping agentic AI threats to architectural components (Foundation, Cognitive, Memory, Tool Execution, Multi-Agent Coordination, Ecosystem, Governance)
- Proposes attack temporality dimension with four classes (T1-T4) revealing that slow-burn, cross-session attacks (T3-T4) at high layers (L5-L7) are most dangerous yet least studied
- Systematic review of 94 papers (2021-2025) exposing coverage gap: only 7% of research addresses high-layer, slow-burn threats like agent collusion, memory poisoning, and MCP supply-chain attacks