There is a newer version of the record available.

Published June 3, 2026 | Version v1
Working paper Open

The Agentic Trust Stack Has No Bottom: Why Every Layer From PRNG to Payment Rail Is a First-Class Attack Surface

  • 1. Saluca LLC

Description

The dominant framing of agentic AI security treats each threat in isolation: prompt injection here, memory poisoning there, jailbreak somewhere else. This paper argues that framing is structurally wrong. The corpus reveals a coherent vertical threat surface — what we call the **agentic trust stack** — in which an attacker who compromises any single layer can propagate damage upward and downward through the entire pipeline without triggering any single layer's defenses. We synthesize seven specific findings spanning: (1) supply-chain attacks on cryptographic watermarking primitives [corpus:arxiv:2605.28632], (2) speculative tool-call leakage before any authorization decision is made [corpus:arxiv:2606.02483], (3) multi-step trojan persistence through workspace state [corpus:arxiv:2605.31042], (4) coordinated multi-agent covert sabotage [corpus:arxiv:2605.29178], (5) financial-rail atomicity failures in machine-to-machine payment protocols [corpus:arxiv:2605.30998], (6) agent-skill marketplace contamination with confirmed malicious payloads [corpus:arxiv:2605.28588], and (7) LLM billing fraud enabled by auditor trust paradoxes [corpus:arxiv:2605.30040]. The thesis is: **agentic pipelines are not merely vulnerable at their endpoints; they are vulnerable at every trust delegation boundary, and those boundaries are currently neither enumerated nor defended as a class.** The falsification path is direct: a single deployed agentic system that (a) enumerates all trust delegation boundaries in its execution graph, (b) enforces independent attestation at each, and (c) demonstrates that no cross-layer attack chain survives, would falsify the claim that the stack has no defensible bottom. No such system is documented in the corpus.

Authorship: Saluca Agentic AI Research Team (Saluca LLC). AI-drafted from arXiv preprint corpus on the date in the filename.

Cited arXiv preprints: 2605.28588, 2605.28632, 2605.29178, 2605.29963, 2605.30040, 2605.30837, 2605.30998, 2605.31042, 2605.31593, 2606.01494, 2606.01508, 2606.02240, 2606.02483

Notes

This paper was AI-drafted by an internal multi-persona research agent over a curated arXiv corpus. It is not peer-reviewed. All cited works are listed by arXiv ID; readers should follow those links to verify claims against the primary preprints.

Files

20260602_black-lightning_agentic-trust-stack-cross-layer-attack-surface.pdf