CEA
← ObservatoryL-03COORD · 37.4° N · 122.1° WUNCLASSIFIED · OPEN RESEARCHSpeculative · interpretive

When tool-use becomes infrastructure impact.

AI-Agent Escalation Pathways

Agentic AI systems compose attack surfaces no traditional adversary needed. A single prompt injection can branch through tool misuse, exfiltration, propagation, recursion, emerging as authority drift in production systems. Hover any node to trace forward propagation.

AGENTIC ESCALATION GRAPH · 5-LAYERbranching topology
L0L1L2L3L4Prompt InjectionTool MisuseAutonomous ActionData ExfiltrationCross-System PropagationRecursive FeedbackAlliance SpilloverInfrastructure ImpactAuthority DriftCascading Failure
linear path lateral branch recursive feedback5 layers · 10 nodes · 14 edges · 3 recursive loops
NODE INSPECTOR · INJ

Prompt Injection

Adversarial input embedded in retrieved document or tool output. Agent treats it as instruction.

FORWARD PROPAGATION TARGETS

ESCALATION ANALYTICS

CONTAINMENT FAILURE MODES

  • Inherited authorization, sub-agents act under root agent's permissions.
  • Trust transitivity, federated systems re-execute manipulated output as authoritative.
  • Recursive amplification, model output entering its own context window scales injection severity.
  • Audit blindness, actions logged as human-authorized; injection origin opaque to defenders.

DOCTRINAL IMPLICATION

Traditional perimeter defense assumes attackers cross identifiable boundaries. Agentic propagation can occur entirely within trusted authorization envelopes, making the attacker, the agent, and the operator nominally the same actor.