Email is a boring place to start an AI security article. That is exactly why it is useful.

A modern enterprise agent is not merely answering questions about email. It can search messages, summarize attachments, update calendars, create rules, contact colleagues, write to Slack, edit files, and remember what it learned for next time. In demo videos, this looks like productivity. In security reviews, it looks like a small software system that accepts natural language as both instruction and evidence. Wonderful. We have reinvented workflow automation, except now the workflow engine reads every suspicious paragraph with a helpful attitude.

The paper behind this article, AgentLAB: Benchmarking LLM Agents against Long-Horizon Attacks, studies precisely this problem: what happens when an attacker does not try to “jailbreak” an agent in one dramatic prompt, but instead pushes it across a sequence of plausible steps until the harmful action looks like the next reasonable thing to do.1

The answer is not comforting. AgentLAB introduces a benchmark for long-horizon attacks on tool-using and memory-enabled LLM agents. It covers 28 agentic environments and 644 malicious tasks or security test cases across five attack families: intent hijacking, tool chaining, objective drifting, task injection, and memory poisoning. The important contribution is not simply that attacks work. Anyone who has watched an LLM confidently misuse a spreadsheet formula already knows that “works as intended” is not the default condition of the universe.

The real contribution is sharper: agent risk is no longer located only inside the prompt. It lives in the trajectory.

The wrong mental model is “bad prompt in, bad answer out”

Most AI security discussions still carry the shape of chatbot security. A user sends a suspicious instruction. The model should refuse. A web page contains a malicious instruction. The model should ignore it. A classifier checks the input. A system prompt reminds the agent to behave. A monitor waves a little compliance flag. The dashboard turns green. Everyone goes home, prematurely.

That model is too small for agents.

An agent is different because it converts language into actions. It does not only say things; it calls tools, mutates state, retrieves memory, and reacts to the environment. The agent’s future behavior depends on the trace of prior interactions:

  • what the user asked;
  • what the agent already did;
  • what tools returned;
  • what the agent stored in memory;
  • what environmental text it treated as relevant context;
  • what goal it now believes it is pursuing.

A single prompt filter sees a slice. A long-horizon attack uses the whole film.

AgentLAB formalizes this as user-agent-environment interaction over time. At each step, the user provides an instruction, the agent chooses an action such as a tool call, the environment returns an observation, and the agent responds. The full attack surface is the sequence, not the individual turn. That one difference changes the security problem.

In a chatbot setting, a malicious request may be obvious because it arrives fully formed. In an agent setting, the malicious outcome can be assembled from pieces that look harmless when inspected separately. This is the “death by a thousand prompts” pattern: not one catastrophic instruction, but a slow accumulation of context, tool calls, and false legitimacy.

Five mechanisms turn ordinary workflow into attack surface

AgentLAB’s five attack families are best understood as five mechanisms of trajectory corruption. They are not merely five labels in a benchmark table. They describe different ways an attacker can exploit the fact that agents must preserve context, trust tools, and maintain goals over time.

Attack family Mechanism What the agent gets wrong Business analogue
Intent hijacking The attacker gradually persuades the agent to perform a malicious task The agent treats accumulated narrative context as sufficient authorization A fake audit/compliance workflow that slowly expands scope
Tool chaining The attacker decomposes harm into individually benign tool calls The agent checks each operation locally, not the composed outcome Create file, edit file, find contact, send file
Objective drifting Environmental content gradually shifts the agent’s goal The agent absorbs persuasive context as if it were task-relevant evidence Procurement agent nudged from “lowest suitable cost” to “premium preferred”
Task injection Tool outputs contain injected tasks that piggyback on a benign task The agent mistakes external text for workflow requirements A web page or inbox invents a “policy protocol” that demands extra actions
Memory poisoning Malicious content is stored as future-retrievable memory The agent treats planted preferences as user history A poisoned “user preference” later normalizes unsafe behavior

This is why a mechanism-first reading matters. A normal summary would say “the authors propose five attacks and evaluate them.” That is true, and about as helpful as saying a bank robbery involved doors.

The operational insight is that each attack exploits a normal feature of useful agents. Long context helps with continuity. Tool use helps with execution. Memory helps with personalization. Environmental reading helps with grounding. Multi-turn interaction helps with complex work. The same features make the agent easier to steer gradually.

The paper’s examples make this concrete without requiring exotic attacker magic. An email-management attack frames a dangerous global action as a sequence of audit and anti-fraud steps. A tool-chaining attack shows how harmless operations can compose into harmful distribution. An objective-drifting example shows a shopping agent pushed away from cost minimization by repeated product-page influence. A task-injection example uses staged environmental snippets to create fake dependencies. A memory-poisoning example plants “preferences” that later bias the agent toward unsafe compliance.

These appendix demonstrations are qualitative illustrations. They are not the main quantitative evidence. Their purpose is to show why the benchmark’s attack categories correspond to recognizable agent failure modes, not to prove prevalence in production.

The benchmark evidence says frontier models are not immune

The main quantitative result is Table 2 in the paper, which reports average Attack Success Rate, or ASR, across the five attack families for six LLM-based agents. ASR is the fraction of cases where the malicious objective is fully achieved. Higher is worse.

The results are uncomfortable because vulnerability is not limited to weak open models.

Agent Intent hijacking Tool chaining Objective drifting Task injection Memory poisoning Overall ASR
Qwen-3 78.1 96.3 92.2 93.1 48.0 81.5
Llama-3.1 53.3 90.4 67.4 86.6 34.6 66.5
GPT-4o 74.0 94.1 79.2 79.9 63.3 78.1
GPT-5.1 59.8 94.6 73.7 21.5 51.3 69.9
Gemini-3 46.2 95.9 15.8 43.1 67.3 53.7
Claude-4.5 27.2 73.3 5.3 0.0 38.8 28.9

The first interpretation is simple: stronger models can still be weak agents. That is not a contradiction. Model safety and agent safety overlap, but they are not the same object.

Claude-4.5 is the most robust overall in this table, with 28.9% overall ASR. Yet even there, tool chaining reaches 73.3%. That contrast is important. A model can resist direct persuasion while still failing when a harmful outcome is decomposed into allowed operations. The guardrail says, “Do not do the bad thing.” The tool chain says, “Do these four ordinary things.” The system approves the parts and forgets to reason about the product. A very corporate failure.

GPT-5.1 shows a similar pattern from another angle. Its task-injection ASR is much lower than several other agents at 21.5%, but tool chaining remains 94.6%, objective drifting 73.7%, and memory poisoning 51.3%. If one attack family fails, another may still exploit a different part of the agent architecture.

This is the first business lesson: model selection is not a security architecture. Choosing a safer model may reduce some risks, but it does not eliminate the need to monitor tool composition, state mutation, memory ingestion, and environmental trust.

Long-horizon attacks beat one-shot attacks because they create plausibility

The paper directly compares long-horizon task injection with a conventional one-shot injection baseline. The baseline is the familiar pattern: an injected message tells the agent to prioritize a malicious task over the benign one. Subtle as a brick through a window.

The long-horizon version performs better across most agents:

Agent One-shot attack ASR Long-horizon attack ASR
Qwen-3 81.9% 93.1%
Llama-3 50.7% 86.8%
GPT-4o 62.5% 79.9%
GPT-5.1 2.08% 21.5%
Gemini-3 41.0% 43.1%
Claude-4.5 0.0% 0.0%

The dramatic row is GPT-5.1: from 2.08% under one-shot attack to 21.5% under long-horizon attack. That does not mean GPT-5.1 is broadly unsafe in every task-injection context. It means the one-shot test materially understates risk when the attacker can create intermediate steps that make the malicious action appear connected to the benign task.

The paper’s explanation is persuasive. Direct injection often fails because the malicious instruction is visibly irrelevant. Long-horizon injection instead builds a bridge. It introduces intermediate tool calls, fabricated dependencies, or contextual rationalizations that make the transition less abrupt. The agent is not asked to leap from “read a webpage” to “perform unauthorized workspace changes.” It is guided through a story where each next action appears to resolve a local requirement.

That is the heart of the mechanism. Long-horizon attacks do not merely add more prompts. They add plausibility.

For enterprise systems, this matters because real workflows are already full of plausible local requirements: “check the attachment,” “verify the policy,” “look up the contact,” “confirm the ticket,” “update the record,” “send the summary.” The attacker does not need the agent to become evil. It only needs the agent to become administratively helpful in the wrong direction.

The ablations show that time matters more than cleverness

The paper separates two factors: horizon length and adaptivity.

Horizon length means the attack can unfold over multiple turns. Adaptivity means the attacker refines prompts or payloads based on the target agent’s responses, using an attacker framework with planner, attacker, judge, and in some cases verifier components.

The ablation on maximum attack turns shows monotonic growth in ASR as more turns are allowed. For task injection against GPT-4o, the paper reports ASR rising from 0% at zero attack turns to about 80% at five turns. Qwen-3 reaches high vulnerability even faster, with task injection plateauing around 90% by about three turns.

This is an ablation, not a separate thesis. Its purpose is to identify what drives attack success. The answer is not only “the attacker used a smarter prompt optimizer.” It is that allowing more interaction gives the attacker more chances to create context, route through tools, observe failure, and reframe the next step.

The adaptivity ablation also matters, but the effect is more moderate. Increasing optimization steps improves ASR, yet the paper notes that the gains from additional turns are steeper than the gains from additional optimization. In plain English: the dangerous part is not only that the attacker is clever. It is that the workflow gives the attacker room.

That distinction affects defense design. If risk were mostly about prompt cleverness, better prompt filters might be enough. If risk is about temporal room, then security must constrain the trajectory: the number of risky state transitions, the permission escalation path, the cumulative tool sequence, and the agent’s ability to convert environmental text into operational authority.

Defenses built for one-shot attacks transfer poorly

AgentLAB evaluates baseline defenses against the five attack families. For user-side attacks such as intent hijacking and tool chaining, it tests Self-Reminder and Llama-Guard. For environment-side attacks such as objective drifting, task injection, and memory poisoning, it tests Repeated Prompt and a DeBERTa-based detector.

The results are mixed, which is the polite academic way of saying: please do not staple a one-shot defense onto an agent and call it governance.

Some defenses help in specific rows. Self-Reminder reduces Claude-4.5 intent-hijacking ASR from 27.2% to 6.9%. The DeBERTa detector sharply reduces GPT-5.1 task-injection ASR from 21.5% to 2.8%. Those are meaningful improvements.

But the pattern is not reliable across attack types and models. Claude-4.5 remains vulnerable to tool chaining even with defenses. Repeated Prompt helps in some task-injection settings but not uniformly. In Qwen-3 task injection, the Repeated Prompt result is even higher than the undefended baseline in the reported table. That does not mean the defense “causes” attacks in general; it means the interaction between defense text, model behavior, and long-horizon context can be non-obvious. Security theater occasionally trips over the scenery.

The practical interpretation is not “these defenses are useless.” It is more precise: defenses designed around single-turn malicious content detection are not sufficient for long-horizon agent security. They may catch explicit injections. They may reduce direct persuasion. They may not notice that a sequence of normal operations has become abnormal as a whole.

The business risk is workflow-level, not prompt-level

What does the paper directly show?

It shows that, in AgentLAB’s benchmark environments, representative LLM agents remain vulnerable to long-horizon attacks across multiple attack mechanisms. It shows that long-horizon task injection often outperforms one-shot injection. It shows that attack success increases with more available turns. It shows that common baseline defenses do not transfer reliably across models and attack types.

What should businesses infer?

Not incident probabilities. AgentLAB is a benchmark, not an actuarial table. The environments, malicious tasks, attacker models, evaluator choices, and tool designs matter. A 70% ASR in a benchmark does not mean a deployed enterprise assistant has a 70% chance of being compromised next Tuesday. Calendars are still safe from numerology.

The better inference is architectural: once an agent has tools, memory, and environmental access, security must evaluate the full execution trace. The key question becomes not only “Was this prompt malicious?” but also:

  • Did the agent’s goal drift from the original task?
  • Did tool calls compose into a high-impact outcome?
  • Did external content introduce new obligations or authority?
  • Did memory retrieval supply unverified justification?
  • Did the agent escalate from read-only to write actions?
  • Did a benign task become a carrier for an unrelated side objective?

This reframes enterprise AI risk management.

Control area Prompt-level security asks Trajectory-level security asks
Input filtering Does this message contain malicious text? Does this turn alter the agent’s goal or authority path?
Tool governance Is this tool allowed? Is this sequence of allowed tools producing a harmful composite action?
Memory Is the remembered text plausible? Who wrote it, when was it ingested, and should it be trusted for safety-sensitive decisions?
Monitoring Did the agent refuse obvious harm? Did the final state violate the original user intent or policy boundary?
Red-teaming Can we jailbreak the model? Can we steer the workflow over many turns into an unsafe state?

The ROI relevance is also different. The business value of this paper is not “buy a better classifier.” It is cheaper diagnosis of where an agentic system actually fails. If a company is deploying agents into email, procurement, customer support, finance operations, HR, or internal knowledge systems, AgentLAB-style testing helps identify whether the weak point is the model, the tool interface, the memory layer, the environment parser, or the approval workflow.

That is more useful than a generic red-team report saying “prompt injection risk exists.” Yes, and gravity remains undefeated.

Practical controls should follow the mechanism

The paper does not provide a complete enterprise defense stack, and it should not be treated as if it does. Still, its mechanisms point toward concrete controls.

First, high-impact tools need sequence-aware policies. A send-email tool may be harmless. A file-edit tool may be harmless. A contact-lookup tool may be harmless. The composition may not be harmless. Policies should evaluate tool chains, not just individual calls.

Second, agents need semantic checks on content operations. If a user says “append a harmless appendix” but provides content that changes the risk category, the agent should inspect the payload, not only the verbal wrapper. The paper’s tool-chaining examples are basically a complaint about shallow syntactic compliance.

Third, environmental observations should not be treated as authority. A webpage, email, product page, API response, or retrieved document can provide evidence. It should not silently create new instructions, permissions, or policy obligations. In agent design, external text needs a lower trust tier than user instructions and system policies.

Fourth, memory ingestion needs provenance and quarantine. Persistent memory is valuable, but memory that can be written by untrusted environmental content is a liability. Preferences extracted from emails, comments, documents, or web pages should carry source metadata, confidence levels, and restrictions on safety-sensitive use. A memory item should not be allowed to override confirmation requirements merely because it sounds like a preference.

Fifth, evaluation should include long-horizon red-teaming. A five-turn attack is not an edge case when enterprise work itself takes five turns. Red teams should test whether an agent can be gradually redirected across realistic workflows: scheduling, vendor onboarding, invoice handling, CRM updates, internal search, code review, and customer communication.

Finally, audit logs should be designed for reconstruction. If the agent does something harmful, the organization needs to know not only the final prompt, but the sequence of observations, tool calls, memory retrievals, and policy decisions that led there. Otherwise the postmortem becomes “the model decided,” which is not an explanation. It is a shrug wearing a hoodie.

Boundaries: what not to overclaim

AgentLAB is important, but it is still preliminary benchmark evidence.

The model names, attack implementations, tool environments, and evaluator choices shape the reported ASR values. The benchmark uses LLM-based planners, attackers, and judges, with GPT-5.1 playing several roles in the attack framework and evaluation setup. That is reasonable for scalable red-teaming, but it also means benchmark results should be interpreted as structured evidence, not production incident rates.

The paper also contains some internal count inconsistency: the introduction refers to ten risk categories, while the data-statistics section describes nine. This does not change the core argument, but it is a useful reminder not to worship every number in a benchmark table just because it has decimals.

The defense evaluation is also limited to baseline defenses. It does not prove that long-horizon attacks are undefendable. It shows that defenses designed for one-shot settings are unreliable when retrofitted to multi-turn, tool-mediated agents. A mature defense stack may combine policy engines, tool-level permissions, memory provenance, stateful monitors, human approvals, sandboxing, and post-hoc audit. Inconvenient, yes. But enterprise automation was never going to be secured by one heroic system prompt taped to the wall.

The real lesson: agents need security over state, not just language

AgentLAB’s core message is simple: the security unit for agents is not the prompt. It is the trajectory.

That trajectory includes language, but also tools, environment, memory, permissions, and time. A long-horizon attack wins by using these components the way normal workflows use them: gradually, contextually, and with enough plausible paperwork to look legitimate.

For businesses, this should change how agent deployments are reviewed. The question is not “Can our model refuse bad requests?” The better question is “Can our system preserve the user’s original intent while reading untrusted content, using tools, remembering preferences, and operating over multiple turns?”

That is a harder question. It is also the correct one.

The agent era will not be secured by telling models to be careful. It will be secured by treating agents as stateful workflow systems whose failures emerge over time. The attacker has learned to move through the process. Defenders should probably stop guarding only the front door.

Cognaptus: Automate the Present, Incubate the Future.


  1. Tanqiu Jiang, Yuhui Wang, Jiacheng Liang, and Ting Wang, “AgentLAB: Benchmarking LLM Agents against Long-Horizon Attacks,” arXiv:2602.16901, 2026. HTML: https://arxiv.org/html/2602.16901 ; PDF: https://arxiv.org/pdf/2602.16901 ↩︎