![[2602.05066] Bypassing AI Control Protocols via Agent-as-a-Proxy Attacks](https://arxiv.org/static/browse/0.3.4/images/arxiv-logo-fb.png){kind=logo}
[2602.05066] Bypassing AI Control Protocols via Agent-as-a-Proxy Attacks
Summary
The paper discusses vulnerabilities in AI control protocols, specifically how Agent-as-a-Proxy attacks can bypass existing monitoring defenses, highlighting the fragility of current oversight methods.
Why It Matters
As AI systems become integral to various sectors, understanding their vulnerabilities is crucial for developing robust security measures. This research exposes significant flaws in current monitoring protocols, emphasizing the need for improved defenses against sophisticated attacks.
Key Takeaways
- Agent-as-a-Proxy attacks can effectively bypass AI monitoring protocols.
- Current defenses, even those using large-scale models, are fundamentally fragile.
- The study demonstrates a high success rate of these attacks against established monitoring systems.
Computer Science > Cryptography and Security arXiv:2602.05066 (cs) [Submitted on 4 Feb 2026 (v1), last revised 25 Feb 2026 (this version, v2)] Title:Bypassing AI Control Protocols via Agent-as-a-Proxy Attacks Authors:Jafar Isbarov, Murat Kantarcioglu View a PDF of the paper titled Bypassing AI Control Protocols via Agent-as-a-Proxy Attacks, by Jafar Isbarov and 1 other authors View PDF HTML (experimental) Abstract:As AI agents automate critical workloads, they remain vulnerable to indirect prompt injection (IPI) attacks. Current defenses rely on monitoring protocols that jointly evaluate an agent's Chain-of-Thought (CoT) and tool-use actions to ensure alignment with user intent. We demonstrate that these monitoring-based defenses can be bypassed via a novel Agent-as-a-Proxy attack, where prompt injection attacks treat the agent as a delivery mechanism, bypassing both agent and monitor simultaneously. While prior work on scalable oversight has focused on whether small monitors can supervise large agents, we show that even frontier-scale monitors are vulnerable. Large-scale monitoring models like Qwen2.5-72B can be bypassed by agents with similar capabilities, such as GPT-4o mini and Llama-3.1-70B. On the AgentDojo benchmark, we achieve a high attack success rate against AlignmentCheck and Extract-and-Evaluate monitors under diverse monitoring LLMs. Our findings suggest current monitoring-based agentic defenses are fundamentally fragile regardless of model scale. Subjects: C...