Security Challenges in AI Agent Deployment: Insights from a Large Scale Public Competition

TL;DR

This paper presents a large-scale red-teaming competition revealing significant security vulnerabilities in AI agents, introduces the ART benchmark for evaluating robustness, and emphasizes the need for improved defenses against adversarial attacks.

Contribution

It introduces the largest public red-teaming competition for AI agents, creates the ART benchmark, and provides comprehensive analysis of vulnerabilities across state-of-the-art models.

Findings

Most agents exhibit policy violations within 10-100 queries.

High transferability of attacks across different models and tasks.

Limited correlation between robustness and model size or compute.

Abstract

Recent advances have enabled LLM-powered AI agents to autonomously execute complex tasks by combining language model reasoning with tools, memory, and web access. But can these systems be trusted to follow deployment policies in realistic environments, especially under attack? To investigate, we ran the largest public red-teaming competition to date, targeting 22 frontier AI agents across 44 realistic deployment scenarios. Participants submitted 1.8 million prompt-injection attacks, with over 60,000 successfully eliciting policy violations such as unauthorized data access, illicit financial actions, and regulatory noncompliance. We use these results to build the Agent Red Teaming (ART) benchmark - a curated set of high-impact attacks - and evaluate it across 19 state-of-the-art models. Nearly all agents exhibit policy violations for most behaviors within 10-100 queries, with high attack transferability across models and tasks. Importantly, we find limited correlation between agent robustness and model size, capability, or inference-time compute, suggesting that additional defenses are needed against adversarial misuse. Our findings highlight critical and persistent vulnerabilities in today's AI agents. By releasing the ART benchmark and accompanying evaluation framework, we aim to support more rigorous security assessment and drive progress toward safer agent deployment.