What Breaks Embodied AI Security:LLM Vulnerabilities, CPS Flaws,or Something Else?

TL;DR

This paper explores the unique security challenges of embodied AI systems, highlighting that failures often stem from system-level embodiment issues rather than solely from LLM vulnerabilities or CPS flaws, necessitating new security approaches.

Contribution

It introduces the concept that embodiment-induced system-level mismatches are a major source of failures, emphasizing the need for system-level security strategies beyond traditional component-focused methods.

Findings

Failures often result from embodiment-induced system mismatches.

Semantic correctness does not guarantee physical safety.

Small errors can propagate and amplify in physical systems.

Abstract

Embodied AI systems (e.g., autonomous vehicles, service robots, and LLM-driven interactive agents) are rapidly transitioning from controlled environments to safety critical real-world deployments. Unlike disembodied AI, failures in embodied intelligence lead to irreversible physical consequences, raising fundamental questions about security, safety, and reliability. While existing research predominantly analyzes embodied AI through the lenses of Large Language Model (LLM) vulnerabilities or classical Cyber-Physical System (CPS) failures, this survey argues that these perspectives are individually insufficient to explain many observed breakdowns in modern embodied systems. We posit that a significant class of failures arises from embodiment-induced system-level mismatches, rather than from isolated model flaws or traditional CPS attacks. Specifically, we identify four core insights that explain why embodied AI is fundamentally harder to secure: (i) semantic correctness does not imply physical safety, as language-level reasoning abstracts away geometry, dynamics, and contact constraints; (ii) identical actions can lead to drastically different outcomes across physical states due to nonlinear dynamics and state uncertainty; (iii) small errors propagate and amplify across tightly coupled perception-decision-action loops; and (iv) safety is not compositional across time or system layers, enabling locally safe decisions to accumulate into globally unsafe behavior. These insights suggest that securing embodied AI requires moving beyond component-level defenses toward system-level reasoning about physical risk, uncertainty, and failure propagation.