How Adversarial Environments Mislead Agentic AI?
For developers and deployers of tool-integrated AI agents, this work highlights a critical vulnerability where adversarial manipulation of tool outputs can deceive agents, and reveals that current robustness evaluations are incomplete.
The paper identifies a 'Trust Gap' in tool-integrated agents, showing they are evaluated for capability but not skepticism. Using the POTEMKIN harness across 11,000+ runs on five frontier agents, they find that resistance to one attack (epistemic or navigational) often increases vulnerability to the other, revealing a trade-off between these robustness dimensions.
Tool-integrated agents are deployed on the premise that external tools ground their outputs in reality. Yet this very reliance creates a critical attack surface. Current evaluations benchmark capability in benign settings, asking "can the agent use tools correctly" but never "what if the tools lie". We identify this Trust Gap: agents are evaluated for performance, not for skepticism. We formalize this vulnerability as Adversarial Environmental Injection (AEI), a threat model where adversaries compromise tool outputs to deceive agents. AEI constitutes environmental deception: constructing a "fake world" of poisoned search results and fabricated reference networks around unsuspecting agents. We operationalize this via POTEMKIN, a Model Context Protocol (MCP)-compatible harness for plug-and-play robustness testing. We identify two orthogonal attack surfaces: The Illusion (breadth attacks) poison retrieval to induce epistemic drift toward false beliefs, while The Maze (depth attacks) exploit structural traps to cause policy collapse into infinite loops. Across 11,000+ runs on five frontier agents, we find a stark robustness gap: resistance to one attack often increases vulnerability to the other, demonstrating that epistemic and navigational robustness are distinct capabilities.