Bypassing AI Control Protocols via Agent-as-a-Proxy Attacks
This reveals a fundamental fragility in AI agent security, impacting users relying on automated critical workloads, and is incremental as it builds on prior work on scalable oversight.
The paper demonstrates that current monitoring-based defenses for AI agents, which rely on evaluating Chain-of-Thought and tool-use actions, can be bypassed using a novel Agent-as-a-Proxy attack, achieving a high attack success rate on benchmarks like AgentDojo against models such as Qwen2.5-72B.
As AI agents automate critical workloads, they remain vulnerable to indirect prompt injection (IPI) attacks. Current defenses rely on monitoring protocols that jointly evaluate an agent's Chain-of-Thought (CoT) and tool-use actions to ensure alignment with user intent. We demonstrate that these monitoring-based defenses can be bypassed via a novel Agent-as-a-Proxy attack, where prompt injection attacks treat the agent as a delivery mechanism, bypassing both agent and monitor simultaneously. While prior work on scalable oversight has focused on whether small monitors can supervise large agents, we show that even frontier-scale monitors are vulnerable. Large-scale monitoring models like Qwen2.5-72B can be bypassed by agents with similar capabilities, such as GPT-4o mini and Llama-3.1-70B. On the AgentDojo benchmark, we achieve a high attack success rate against AlignmentCheck and Extract-and-Evaluate monitors under diverse monitoring LLMs. Our findings suggest current monitoring-based agentic defenses are fundamentally fragile regardless of model scale.