The Agentic Attack Surface Is Already Weaponized: A Synthesis of Concurrent Threats Against LLM-Driven Pipelines
Description
Version 2 — revised in response to an external structural review and an automated critique pass. See "Response to Review" appendix in the PDF for the change log.
The agentic AI stack—LLMs orchestrating tools, memory, skills, and inter-agent communication—has accumulated a threat surface that is broader, more persistent, and more difficult to instrument than the chat-model threat surface it is displacing. This paper synthesizes eight specific findings from the recent arXiv corpus to argue a single, falsifiable thesis: **the dominant security failure mode in deployed agentic systems is not model-level jailbreak but architectural trust-boundary collapse, where attacker-controlled content injected at one layer persists, propagates, or amplifies across layers that were never designed to distrust it.**

The corpus sources span four primary categories: (1) agentic attack primitives—prompt injection, skill poisoning, memory poisoning, and multi-agent coordination attacks; (2) detection and defense mechanisms—stateful monitors, agent guards, and access-control frameworks; (3) infrastructure-layer threats—supply-chain attacks on watermarking PRNGs, LoRA adapter backdoors, and token-billing fraud; and (4) benchmark methodology—attack-success-rate measurement, consistency studies, and overeager-behavior elicitation.

The falsification path for the central thesis is: if a comprehensive deployment study found that model-level safety alignment (refusal rates, RLHF) reliably contained the attack classes described here without architectural instrumentation, the thesis would be falsified. No such study exists in the corpus; the evidence runs in the opposite direction.
Authorship: Saluca Agentic AI Research Team (Saluca LLC). AI-drafted from arXiv preprint corpus on the date in the filename.
Cited arXiv preprints: 2605.28071, 2605.28122, 2605.28588, 2605.28632, 2605.29178, 2605.29960, 2605.30040, 2605.30096, 2605.30189, 2605.30883, 2605.31042, 2605.31593, 2606.01494, 2606.01508, 2606.01567, 2606.02240
Files

| Name | Size |
|---|---|
| 20260602_black-lightning_agentic-attack-surface-trust-boundary-collapse_v2.pdf (md5:22c09a609917131f9297ecdc8318fa6e) | 62.2 kB |