cd /news/ai-safety/agent-security-is-a-systems-problem · home topics ai-safety article
[ARTICLE · art-15886] src=arxiv.org pub= topic=ai-safety verified=true sentiment=· neutral

Agent Security Is a Systems Problem

Researchers argue that AI agent security must be treated as a systems-level problem, with the AI model itself considered an untrusted component and security invariants enforced at the system level rather than through model robustness alone. The team, drawing on expertise in operating systems, networks, formal methods, and adversarial machine learning, analyzed 11 real-world attacks on agents to demonstrate how established systems security principles could have prevented those breaches. The findings identify key research challenges for implementing these principles in agentic systems.

read2 min publishedMay 28, 2026 
[Submitted on 18 May 2026 (

[v1](https://arxiv.org/abs/2605.18991v1)), last revised 20 May 2026 (this version, v2)]# Title:Agent Security is a Systems Problem

[View PDF](/pdf/2605.18991)

[HTML (experimental)](https://arxiv.org/html/2605.18991v2)

Abstract:We take the position that agent security must be approached as a systems problem: the AI model powering the agent must be treated as an untrusted component, and security invariants must be enforced at the system level. Through this lens, efforts to increase model robustness (the dominant viewpoint in the community) are insufficient on their own. Instead, we must complement existing efforts with techniques from the systems security domain. Based on our experience as cybersecurity researchers in operating systems, networks, formal methods, and adversarial machine learning, we articulate a set of core principles, grounded in decades of systems security research, that provide a foundation for designing agentic systems with predictable guarantees. As evidence, we analyze eleven representative real-world attacks on agents and discuss how systems principles, if realized, could have prevented these attacks. We also identify the research challenges that stand in the way of implementing these principles in agents.

Submission history #

From: Nils Palumbo [[view email](/show-email/5bcd5d2c/2605.18991)]

**Mon, 18 May 2026 18:11:17 UTC (9,744 KB)**

[[v1]](/abs/2605.18991v1)**[v2]** Wed, 20 May 2026 17:25:38 UTC (9,744 KB)

References & Citations

...

Bibliographic Explorer

(What is the Explorer?) Connected Papers

(What is Connected Papers?) Litmaps

(What is Litmaps?) scite Smart Citations

(What are Smart Citations?)# Code, Data and Media Associated with this Article alphaXiv

(What is alphaXiv?) CatalyzeX Code Finder for Papers

(What is CatalyzeX?) DagsHub

(What is DagsHub?) Gotit.pub

(What is GotitPub?) Hugging Face

(What is Huggingface?) ScienceCast

(What is ScienceCast?)# Demos Influence Flower

(What are Influence Flowers?) CORE Recommender

(What is CORE?)# arXivLabs: experimental projects with community collaborators arXivLabs is a framework that allows collaborators to develop and share new arXiv features directly on our website.

Both individuals and organizations that work with arXivLabs have embraced and accepted our values of openness, community, excellence, and user data privacy. arXiv is committed to these values and only works with partners that adhere to them.

Have an idea for a project that will add value for arXiv's community? Learn more about arXivLabs.

source & further reading
arxiv.org — original article
── more in #ai-safety 4 stories · sorted by recency
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/agent-security-is-a-…] indexed:0 read:2min 2026-05-28 ·