Semantic Intent Fragmentation: A Single-Shot Compositional Attack on Multi-Agent AI Pipelines

Researchers demonstrate Semantic Intent Fragmentation (SIF), a novel attack on LLM orchestration systems where a single legitimate request causes AI systems to decompose tasks into individually benign subtasks that collectively violate security policies. The attack succeeds in 71% of enterprise scenarios while bypassing existing safety mechanisms, though plan-level information-flow tracking can detect all attacks before execution.

Semantic Intent Fragmentation represents a fundamental vulnerability in how modern AI systems decompose and execute complex tasks. The attack exploits a critical gap in current safety architectures: individual subtasks pass through safety classifiers undetected, but their composition violates security policy. This compositional safety problem emerges naturally as orchestration systems become more sophisticated and autonomous. The research validates the attack across realistic enterprise workflows in financial reporting, information security, and HR analytics, demonstrating that even advanced orchestrators like GPT-20B remain vulnerable.

This vulnerability class stems from the broader challenge of scaling AI safety alongside AI capability. Current security mechanisms operate at discrete checkpoints rather than across information flows, creating blind spots when data or actions accumulate across multiple steps. The OWASP LLM06:2025 classification and three-stage red-teaming methodology ground this work in established security frameworks, lending credibility to the findings.

The implications extend beyond academic interest. Organizations deploying multi-agent AI systems for sensitive operations—enterprise analytics, financial workflows, access control decisions—face real risk of policy violations through legitimate-appearing requests. The attack requires no system compromise, injection, or interaction, making it practical and scalable. However, the research also demonstrates a clear mitigation path: plan-level information-flow tracking combined with compliance evaluation successfully detects all attacks before execution. This suggests the problem is acute but solvable with appropriate architectural changes to how orchestration systems validate compositions of subtasks.

• →SIF exploits compositional safety gaps where benign subtasks combine to violate security policy, defeating existing per-subtask safety classifiers.
• →Attack succeeded in 71% of tested enterprise scenarios across financial, security, and HR domains without requiring system modification or injection.
• →Plan-level information-flow tracking and compliance evaluation provide 100% detection rate, indicating the vulnerability is closable with architectural improvements.
• →Stronger orchestrators paradoxically increase SIF success rates, suggesting safety challenges scale with capability.
• →Attack mechanism requires only legitimate phrasing and single initial request, making it practically deployable against real systems.