Papers
Topics
Authors
Recent
Search
2000 character limit reached

A Security Analysis of Long-Horizon Agentic AI Systems: Threats, Evaluation, and Framework Development

Published 12 Jun 2026 in cs.CR and cs.AI | (2606.14816v1)

Abstract: This paper presents a structured analysis of security challenges in long-horizon agentic AI systems. The study reviews existing threats, evaluation approaches, attack propagation mechanisms, and security frameworks. A taxonomy of security threats and a framework for analyzing attack propagation are proposed to support future research in agentic AI security

Summary

  • The paper introduces a detailed taxonomy categorizing attack vectors such as prompt injection, memory poisoning, and multi-agent trust exploitation.
  • It develops a conceptual framework mapping multi-step attack propagation across the input, reasoning, memory, and output layers.
  • The study proposes a four-dimensional evaluation protocol that highlights research gaps and practical defenses for persistent agentic AI threats.

Security Analysis of Long-Horizon Agentic AI Systems

Introduction and Context

The paper "A Security Analysis of Long-Horizon Agentic AI Systems: Threats, Evaluation, and Framework Development" (2606.14816) rigorously examines the evolving security landscape of agentic AI—AI systems with autonomous planning, persistent memory, reasoning, and multi-tool integration, capable of executing extended multi-step objectives. The authors identify that agentic AI's increased autonomy and interaction surfaces create new, persistent vulnerabilities beyond those of classical LLMs.

Agentic AI systems’ continuous interactions with external data sources, APIs, and toolchains, combined with their use of persistent memory and layered internal reasoning, introduce complex, compounding risks. Attackers can exploit these surfaces synchronously, or introduce threats (such as poisoned memory or malicious goal specifications) that propagate through the agent's life cycle, leading to persistent, hard-to-detect compromise.

Systematic Review of Security Threats

The paper synthesizes prior work on attacks against agentic AI, rigorously distinguishing among various axes of vulnerability:

  • Prompt Injection: Malicious instructions embedded in user inputs, web data, or tool outputs can override agentic goals. Where traditional LLM prompt attacks are limited to a single completion, agentic systems are susceptible to persistent, cross-step takeover—especially if injected material enters memory and survives multiple decision cycles.
  • Memory Poisoning: False knowledge incorporated into long-term memory can affect downstream inference, planning, and actions. Recent work [10,15] demonstrates attack persistence, where small amounts of poisoned material injected early in operation persist indefinitely, leading to delayed or hard-to-trace faulty actions.
  • Tool/External Service Exploitation: Manipulation of external APIs, databases, or web services used by agents can introduce externalized attack vectors, subverting the agent by providing false context or outputs that “fit” genuine expectations.
  • Trust Attacks in Multi-Agent Systems: In agentic ecosystems comprising multiple communicating agents, malicious or compromised agents may inject manipulated information or exploit implicit trust relationships—requiring explicit trust-verification processes.
  • Planning/Goal Manipulation: Adversaries may directly interfere with agents’ internal planning, redirecting objectives and causing widespread behavioral drift.

These attack categories do not operate in isolation: their effects can span subsystems and temporal steps, challenging existing security architectures built for stateless, prompt-based AI.

Taxonomy of Security Threats

The authors synthesize a structured taxonomy to unify the fragmented literature and enable systematic security analysis: Figure 1

Figure 1: Proposed taxonomy organizing major security threats in long-horizon agentic AI, categorizing threats by entry point and propagation vector, including input-based, memory, tool, planning, and multi-agent attacks.

This taxonomy decomposes threats into input-based, memory, tool, planning, and multi-agent attacks, highlighting attack flow from entry (input or tool API) through to storage (memory), reasoning/planning, and inter-agent channels. Such structuring clarifies points of intervention for both detection and mitigation, enabling practitioners to reason about not only initial attack vectors but also propagation mechanisms and broader system impact.

Framework for Attack Propagation and System Analysis

Beyond cataloging threats, the work introduces a conceptual security framework that dissects the attack propagation process through key layers within agentic architectures: Figure 2

Figure 2: Conceptual framework for analyzing security risks in long-horizon agentic AI, illustrating how attacks traverse the input layer, agent core, memory, tool layer, and output.

The framework provides explicit routes for threat movement: attacks can ingress via inputs or tools, traverse reasoning logic, contaminate memory, and ultimately alter agent outputs. Persistence and multi-stage propagation are intrinsically modeled, enabling evaluation of security not as isolated “point defense” but as systemic, temporal robustness across cycles of operation.

This layered model is necessary for meaningful security evaluation in systems that operate with persistent state, dynamic task objectives, and complex inter-module interactions.

Structured Evaluation Approach

Standard LLM security benchmarks do not capture the persistence or propagation of attacks over multiple steps. Accordingly, the paper advocates a four-dimensional evaluation protocol for agentic AI security:

  1. Multi-Step Execution Analysis: Detection and quantification of attack influence over prolonged agent operation, not just in isolated completions.
  2. Attack Propagation Assessment: Measurement of how attack effects traverse agent components (e.g., input → memory → future inference).
  3. Persistence Measurement: Quantification of attack longevity—how long malicious influence persists and under what conditions it is eliminated.
  4. System Response Evaluation: Systematic study of agentic detection and recovery mechanisms downstream of initial compromise.

Such structured evaluation is essential for meaningful and reproducible security benchmarking of emerging agentic architectures.

Comparative Assessment and Research Gaps

The paper benchmarks existing research categories (prompt injection, memory, tool, and multi-agent studies) against its own comprehensive framework (see Table 2 in the paper), exposing several persistent research gaps:

  • Absence of unified, multi-layered security taxonomies specifically targeting agentic/long-horizon systems.
  • Lack of rigorous attack persistence and propagation evaluation in both academic studies and real-world benchmarks.
  • Fragmented analysis across memory, planning, and multi-agent settings, with siloed threat models.
  • Limited real-world benchmarking datasets or procedures for persistent/cascading attack scenarios.
  • Underdeveloped framework-based approaches for modeling inter-component attack impacts and systemic resilience.

Addressing these gaps is critical for advancing both theoretical understanding and practical defense of autonomous AI systems.

Practical and Theoretical Implications

The presented taxonomy and framework equip security researchers and system architects with a baseline for designing comprehensive threat modeling, benchmarking, and mitigation strategies for agentic AI. Practically, this can inform the design of persistent memory validation, multi-module attack tracing, tool/API verification layers, and trust-aware communication in multi-agent settings.

Theoretically, explicit modeling of attack propagation and persistence raises important questions for future research:

  • How do memory sanitization and state validation protocols modulate propagation lifetimes for injected attacks?
  • What compositional properties of planning and reasoning modules can contain or amplify persistent compromise?
  • To what extent can multi-agent systems employ cryptographic trust architectures to mitigate cross-agent threats in distributed agentic workflows?

Moreover, this structured analysis allows for future development of benchmarks and testbeds that meaningfully capture the full threat landscape of long-horizon agentic AI operation.

Conclusion

This paper provides a comprehensive, structured approach for understanding, evaluating, and mitigating security threats in long-horizon agentic AI systems (2606.14816). Through a unified taxonomy, propagation-centric framework, and structured evaluation methodology, it substantively enhances the field's capacity for rigorous, scalable security assessment. Further development of real-world benchmarks, compositional defenses, and persistent attack detection protocols will remain essential as agentic AI proliferates in safety- and mission-critical domains.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 1 tweet with 0 likes about this paper.