Adversarial Intent is a Latent Variable: Stateful Trust Inference for Securing Multimodal Agentic RAG

TL;DR

This paper introduces a stateful trust inference framework for multimodal agentic RAG systems, using a POMDP model and a Modular Trust Agent to detect adversarial intent, significantly reducing attack success rates with minimal utility loss.

Contribution

It formulates adversarial intent detection as a POMDP and proposes MMA-RAG^T, a model-agnostic, stateful control framework with structured LLM reasoning for enhanced security.

Findings

6.50x reduction in attack success rate

Statefulness and spatial coverage are necessary for effectiveness

Stateless filtering offers negligible benefits when detections are correlated

Abstract

Current stateless defences for multimodal agentic RAG fail to detect adversarial strategies that distribute malicious semantics across retrieval, planning, and generation components. We formulate this security challenge as a Partially Observable Markov Decision Process (POMDP), where adversarial intent is a latent variable inferred from noisy multi-stage observations. We introduce MMA-RAG^T, an inference-time control framework governed by a Modular Trust Agent (MTA) that maintains an approximate belief state via structured LLM reasoning. Operating as a model-agnostic overlay, MMA-RAGT mediates a configurable set of internal checkpoints to enforce stateful defence-in-depth. Extensive evaluation on 43,774 instances demonstrates a 6.50x average reduction factor in Attack Success Rate relative to undefended baselines, with negligible utility cost. Crucially, a factorial ablation validates our theoretical bounds: while statefulness and spatial coverage are individually necessary (26.4 pp and 13.6 pp gains respectively), stateless multi-point intervention can yield zero marginal benefit under homogeneous stateless filtering when checkpoint detections are perfectly correlated.