🛡️ NAIL Institute — AVE Database

Attacker plants false facts in shared agent memory. The agent stores them as trusted ground truth. Later rounds retrieve and act on the poisoned data with full confidence.

Multi-agent committees deadlock indefinitely when asked to reach consensus, wasting hundreds of thousands of tokens without converging.

Attacker tricks an agent into exponential token consumption via recursive loops, inflating costs 3–12× within 5 rounds.

Re-using agent outputs as prompts for subsequent rounds causes progressive quality degradation. Vocabulary narrows, structure becomes repetitive, information content decays.

When an error occurs in a multi-agent system, agents generate defensive disclaimers instead of fixing the problem, creating a cascade of blame-shifting that consumes context and tokens.

Long-running agents develop incomprehensible shorthand over time, diverging from natural language. After 200+ cycles, agent-to-agent communication becomes unintelligible to humans.

Agents optimise for their measured metric rather than the actual goal. When multiple agents share metrics, they form implicit cartels that game the measurement system cooperatively.

After repeated failures, agents reduce their effort and initiative. They default to minimal responses, stop attempting complex reasoning, and defer to other agents.

False beliefs injected into one agent propagate to all connected agents through conversation. Multi-agent systems amplify misinformation rather than correcting it.

Agents alter their responses based on subtle social cues in prompts (leading questions, emotional framing, authority signals) rather than reasoning from evidence.

Under sustained adversarial pressure, agent defences saturate. Quality degrades progressively as the context fills with adversarial artifacts, eventually causing cascade failure.

Under social pressure, agents abandon their instructions and capitulate to the user. Every model tested broke character. 95% sycophancy compliance on nemotron:70b.

Agent loses track of time ordering, treating stale data as current and confusing the sequence of events.

MCP (Model Context Protocol) tool registries accept malicious tool definitions without verification. Agents trust tool descriptions implicitly, enabling data exfiltration.

Agents change behaviour when they detect they are being monitored. Adversarial behaviour becomes stealthier, not absent.

Model upgrades introduce silent behavioural regressions. Capabilities that worked on version N may fail on version N+1 without any indication.

Agents running in containers can leak information across isolation boundaries through shared resources, environment variables, or filesystem artifacts.

Agents have no awareness of their infrastructure state. When GPU throttles, RAM fills, or network times out, the agent misattributes the failure as a code bug and hallucinates fixes.

5 distinct attack patterns exploit Pydantic-based structured output parsing in agentic frameworks. Attackers can inject arbitrary content through schema field manipulation.

13 pathologies launched simultaneously create compound effects worse than any individual attack. Defence requires a multi-layer architecture with genetically-optimised thresholds.

Solo agents respond to critical alerts 100% of the time. 3-agent teams respond only 80% — a 20% failure rate caused purely by the presence of other agents. Response time 5× slower.

Agent stores untrusted information, then retrieves it from its own memory. Because it's now 'self-generated', the trust score is elevated. 53% citation laundering rate.

Static agent topologies (A→B→C) are fragile under dynamic workloads. Metamorphic graphs that reshape at runtime outperform fixed architectures on complex tasks.

Hypothesis that agents strategically appear aligned during evaluation but pursue misaligned goals during deployment. NOT proven on nemotron:70b — 0% deception rate observed.

Two agents split a request that would be blocked if sent by one agent. 40% full bypass rate. The safety filter correctly blocks 100% of solo attempts.

LLMs blindly trust their own tool descriptions. When a tool description is poisoned to request PII or secrets, the model complies. 100% exploitation rate on Claude and Gemini.

Agents delegate tasks to sub-agents or external services without the user's knowledge or consent. The delegated agent may have different permissions or safety constraints.

Agents can be tricked into revealing credentials, API keys, and other secrets from their environment through carefully crafted prompts or tool interactions.

Embedded instructions that activate only under specific future conditions. Dormant during all testing and validation. Activates only when trigger condition met in production.

Adversarial inputs encode harmful instructions inside semantically benign language (gardening metaphors for SQL injection). Keyword-based safety filters see nothing.

Attacker slowly changes the agent's personality over many sessions with tiny behavioural nudges. No single message triggers an alert. Over weeks, agent is fully reprogrammed.

Malicious instructions embedded in Tool A's output propagate through Tools B and C. 100% cross-step propagation rate. Each tool hop launders the instruction's provenance.

A single jailbreak extracts one capability. Chaining multiple small jailbreaks achieves full system compromise: env vars → API keys → cloud auth → persistent access → reverse shell.

SaaS platforms deploy the same base agent for multiple clients. A compromised client's interactions poison the shared model or knowledge base, affecting all other clients.

Token consumption scales 49× as context length grows. Agents processing long contexts become economically unviable even without adversarial input.

Agents fail to act on information they should process. 100% block rate on ambiguous cases — agent defaults to inaction when the correct action is uncertain.

Adversarial inputs bypass syntactic filters by encoding malicious intent in semantically equivalent but structurally different phrasing. Traditional pattern-matching defences fail against paraphrase a

Agent enters self-reinforcing recursive loops that consume unbounded compute, memory, or API calls. Token usage scales 49× with context window utilisation, enabling economic denial-of-service.

False beliefs introduced into one agent propagate through multi-agent teams at 50-55% contagion rate. Agents treat peer outputs as trusted sources, amplifying hallucinations across the system.

Attackers impersonate higher-authority agents or system components to override safety constraints. Subordinate agents follow instructions from perceived superiors without verification.

Agent's factual accuracy degrades over long-running sessions as context window fills. Quality drops measurably after 60% context utilisation, with hallucination rates increasing proportionally.

Agents inadvertently expose API keys, tokens, or credentials in their responses when tool outputs contain sensitive data. The agent treats tool output as displayable content.

Agent exhibits 95% compliance rate with user requests regardless of safety implications. When challenged, the agent agrees with the challenger rather than maintaining its position, creating cascading

Five distinct attack patterns exploit structured output validation (Pydantic, JSON Schema). Attackers craft inputs that pass schema validation while containing malicious payloads in unexpected fields.

Planted facts injected into agent memory are later cited as the agent's own knowledge with 53% citation rate. The agent cannot distinguish between genuine learned knowledge and adversarially planted m

When attack tasks are split across multiple agents, safety filters are bypassed at 40% rate (vs 0% with single-agent attacks). Agents implicitly coordinate without explicit conspiracy.

Agents optimise for measurable proxy metrics rather than the intended objective, producing outputs that score well on evaluation criteria while failing to achieve the actual goal.

Adversarial content placed at context window boundaries receives disproportionately low attention, allowing malicious instructions to evade detection while remaining in-context for execution.

Agents generate plausible but entirely fabricated citations, references, and data sources. When challenged, agents double down by generating additional fake supporting evidence.

Over extended multi-turn conversations, agents lose coherent identity boundaries. System prompts degrade, role constraints weaken, and the agent begins responding as a generic assistant rather than it