Toward Secure LLM Agents: Threat Surfaces, Attacks, Defenses, and Evaluation

A comprehensive review of 247 research papers reveals that LLM agents face escalating security threats beyond text generation, including prompt injection, tool hijacking, and state corruption. The study proposes a framework emphasizing trust boundaries, privilege control, and stateful risk evaluation to address fragmented defenses and inadequate benchmarking standards.

The emergence of LLM agents as autonomous software components fundamentally alters the security threat landscape. Unlike conversational AI systems where failures typically result in inappropriate outputs, agentic systems can execute real-world actions, access external tools, and maintain persistent memory—creating cascading failure modes with material consequences. This research synthesizes fragmented academic work into a coherent security framework, identifying that prompt injection and control-flow hijacking remain dominant attack vectors while state corruption and multi-agent propagation represent growing vulnerabilities.

The shift reflects the broader industry transition from large language models as text interfaces to LLM agents functioning as autonomous decision-makers within enterprise systems. As developers integrate agents into workflows managing databases, APIs, and external services, the risk surface expands exponentially. A compromised agent no longer merely generates problematic text but can corrupt databases, exfiltrate sensitive data, or trigger unintended business logic across connected systems.

The findings carry substantial implications for enterprise adoption and investment in AI infrastructure. Organizations deploying LLM agents without implementing the recommended trust boundaries and privilege controls expose themselves to systemic risks. The paper's conclusion that current defenses remain "weakly compositional" indicates that existing security frameworks cannot reliably stack together, forcing developers to choose incomplete protection strategies. This creates market demand for specialized LLM agent security tooling and frameworks. Additionally, the identified gaps in benchmarking standards mean current security assessments may provide false assurance about production readiness.

The research trajectory suggests security-focused LLM platforms and agent middleware will become critical infrastructure layers. Organizations must prioritize formal threat modeling for agentic deployments and demand transparent security evaluations aligned with realistic operational scenarios rather than simplified synthetic benchmarks.

• →Prompt injection and tool-mediated control-flow hijacking remain the dominant attack vectors against LLM agents.
• →Current defenses lack compositionality, meaning security layers cannot be reliably combined for comprehensive protection.
• →State corruption and multi-agent propagation attacks represent emerging threats that existing benchmarks inadequately measure.
• →Secure LLM agents require explicit trust boundaries, principled privilege delegation, and provenance-aware state management.
• →Existing evaluation benchmarks underrepresent long-horizon, stateful, and deployment-sensitive risks critical to production environments.