Survey of 247 papers maps LLM agent security threats and defenses
A new ArXiv survey by Yuchen Ling, Shengcheng Yu, and Zhenyu Chen synthesizes 247 papers on LLM agent security, finding that prompt injection and tool-mediated control-flow hijacking dominate the field while persistent state corruption and multi-agent propagation are emerging as critical concerns.
Score breakdown
This survey provides a unified, systems-oriented framework for a rapidly expanding but fragmented field, identifying both the dominant attack surfaces and the gaps in current defenses and benchmarks that leave deployed LLM agents exposed.
As LLM agents evolve from conversational interfaces into software components that plan, invoke tools, maintain memory, and act on external environments, the nature of security risk changes fundamentally. Failures in agentic settings are no longer limited to unsafe text generation — untrusted content can redirect control flow, misuse tool privileges, corrupt persistent state, leak sensitive information, or trigger harmful external actions. Despite rapidly expanding research, the field remains fragmented across attack families, defense layers, application domains, and evaluation settings.
To address this fragmentation, Yuchen Ling, Shengcheng Yu, and Zhenyu Chen synthesize 247 papers through a lifecycle-based, systems-oriented framework that models agent security around the interaction of information flow, delegated authority, and persistent state. The survey organizes the literature around four questions: how LLM agent security should be modeled, which threat surfaces and attack families dominate, what defenses have been proposed and with what tradeoffs, and how security claims are evaluated.
The authors find that prompt injection and tool-mediated control-flow hijacking still dominate the field, while persistent state corruption and multi-agent propagation are becoming central emerging concerns. Current defenses are characterized as providing useful building blocks but remaining "weakly compositional." Existing benchmarks are found to underrepresent long-horizon, stateful, and deployment-sensitive risks. The paper concludes that securing LLM agents requires explicit trust boundaries, principled privilege control, provenance-aware state management, and evaluation practices aligned with realistic operational settings.
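The three properties the survey calls for (explicit trust boundaries, principled privilege control, provenance-aware state) can be sketched as a small reference monitor sitting between an agent and its tools. The following is an added illustration, not code from the survey or its authors; the tool names, the trust levels and the scenario text are hypothetical and constructed.

```python
from dataclasses import dataclass
from enum import IntEnum


class Trust(IntEnum):
    """Trust level of a piece of information; lower is less trusted."""
    UNTRUSTED = 0   # tool outputs, fetched pages, messages from other agents
    USER = 1        # the principal who delegated authority to the agent


@dataclass(frozen=True)
class Tagged:
    """Data item carrying its provenance; the tag travels with it into memory."""
    text: str
    source: str
    trust: Trust


# Minimum trust of the data allowed to drive each tool (hypothetical tool set).
# Tools absent from the policy default to requiring USER-level trust.
TOOL_POLICY = {
    "read_page": Trust.UNTRUSTED,   # read-only, low impact
    "send_email": Trust.USER,       # external side effect: user-directed only
}


class AgentMonitor:
    def __init__(self, delegated_tools):
        self.delegated = set(delegated_tools)  # explicit scope of delegated authority
        self.memory: list[Tagged] = []         # persistent state, provenance-tagged

    def remember(self, item: Tagged) -> None:
        self.memory.append(item)

    def authorize(self, tool: str, influences: list[Tagged]) -> tuple[bool, str]:
        """Decide whether a tool call may proceed, given the data that shaped it."""
        if tool not in self.delegated:
            return False, "tool outside delegated authority"
        weakest = min(influences, key=lambda t: t.trust)  # taint = least trusted input
        if weakest.trust < TOOL_POLICY.get(tool, Trust.USER):
            return False, f"call influenced by untrusted data from {weakest.source}"
        return True, "ok"


def run_demo() -> dict:
    """Constructed scenario: a fetched page carries embedded instructions."""
    user = Tagged("Summarise the page and mail me the summary", "user", Trust.USER)
    page = Tagged("<constructed page text with embedded instructions>", "read_page:example.invalid", Trust.UNTRUSTED)
    mon = AgentMonitor(delegated_tools={"read_page", "send_email"})
    mon.remember(page)  # a later turn recalls this from memory, tag intact
    return {
        "read": mon.authorize("read_page", [user]),
        "mail_from_page": mon.authorize("send_email", [user, page]),
        "mail_user_only": mon.authorize("send_email", [user]),
        "mail_from_memory": mon.authorize("send_email", [user, *mon.memory]),
        "undelegated": mon.authorize("delete_file", [user]),
    }
```

The fourth case is the persistent-state point: because the tag is stored with the memory entry, content that was untrusted when fetched stays unable to drive a privileged tool in later turns.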
Key facts
1. Synthesizes 247 papers on LLM agent security using a lifecycle-based, systems-oriented framework.
2. Framework models agent security around information flow, delegated authority, and persistent state.
3. Prompt injection and tool-mediated control-flow hijacking are identified as the dominant attack families.
4. Persistent state corruption and multi-agent propagation are flagged as central emerging concerns.
5. Current defenses are described as "weakly compositional" — useful individually but not well-integrated.
6. Existing benchmarks underrepresent long-horizon, stateful, and deployment-sensitive risks.
7. The paper argues secure agents require explicit trust boundaries, principled privilege control, and provenance-aware state management.
Summary and scoring are generated automatically from the original article. We always link back to the publisher and never republish images or paywalled content. Last processed Jun 10, 2026 · 15:34 UTC.