LASM: a 7-layer map of where agent attacks outrun their defenses
A 58-page survey revised May 6, 2026 re-organizes agentic AI security by stack layer and timescale across 116 papers. The map shows where attacks are documented but defenses and benchmarks simply do not exist yet.
What is this?
On April 25, 2026 Kexin Chu posted a systematic survey of LLM agent security to arXiv (2604.23338), revised to a 58-page version on May 6, 2026. It is not a new attack. It is a re-organization of the existing literature — 116 papers from 2021 to 2026 — around a single question that most taxonomies dodge: where in an agent does a threat actually live, and over what timescale does it play out?
The contribution is the Layered Attack Surface Model (LASM). Most security taxonomies, including the OWASP LLM Top 10 and MITRE ATLAS, sort threats by attack type — prompt injection, jailbreak, data poisoning. That is useful for naming an incident but blurs where it sits in the system. LASM sorts by structure instead, and the resulting map exposes blank squares — places where attacks are documented but defenses are not.
How it works
LASM is a 7×4 grid. The vertical axis decomposes the agentic stack into seven layers:
| Layer | What lives here |
|---|---|
| Foundation | The base model weights and training pipeline |
| Cognitive | Reasoning, planning, the prompt interface |
| Memory | Persistent state across turns and sessions |
| Tool Execution | Function/tool calls, code, external side effects |
| Multi-Agent Coordination | Delegation and messaging between agents |
| Ecosystem | Registries, marketplaces, MCP servers, plugins |
| Governance | Policy, audit, identity, access control |
The horizontal axis is a four-class temporality — how long an attack takes to manifest:
- Instantaneous — resolves within a single response (classic prompt injection).
- Session-persistent — established once, active for the rest of the session.
- Cross-session cumulative — built up slowly across many sessions (memory poisoning, slow corpus drift).
- Sub-session-stack — propagates between layers within a run, e.g. a tool result that rewrites memory that later steers planning.
Plotting all 116 papers into this 7×4 grid is the experiment. The result is a heat map of attention. Lower layers and short timescales — the Cognitive layer, instantaneous prompt injection — are crowded. The upper layers (Ecosystem, Governance) and the long-horizon, stack-propagating cells are sparse to empty. Per the survey: multiple documented attack regions have no corresponding defenses, and current benchmarks provide no coverage for cross-session or sub-session-stack failure modes.
Why it matters
The value here is the negative space. A grid that only listed what has been studied would be a literature review; what makes LASM useful operationally is that it makes the unstudied cells legible. If your threat model is “we patched prompt injection at the input boundary,” LASM shows that boundary is one cell in a 28-cell surface, and that the cells most relevant to production agents — cumulative memory corruption, cross-agent delegation abuse, registry and marketplace trust, governance bypass — are exactly the under-defended ones.
This lines up with what the incident record already shows. Memory-poisoning and dormant-payload attacks (Trojan Hippo, MemMorph) live in the Memory layer on a cross-session timescale — a region the survey flags as thin on defenses and absent from benchmarks. Supply-chain and registry attacks (skill.md registries, MCP server trust) sit in the Ecosystem layer, near the top of the stack where coverage drops off. The survey turns those anecdotes into a structural claim: defense effort is concentrated where attacks are easy to demonstrate, not where they are hardest to stop.
The survey is a map, not a patch. It does not measure how exploitable any cell is in your deployment, and a sparse cell may be sparse because the threat is theoretical, not because it is being ignored. Read it as a coverage checklist, not a severity ranking.
Defenses
LASM is itself a defensive instrument. Concrete ways to use it:
- Score your own coverage on the grid. Take the seven layers × four timescales and mark, honestly, which cells your current controls touch. Most teams find input filtering and output validation cover the Cognitive/instantaneous corner and little else. The empty cells are your backlog.
- Prioritize long-horizon and cross-layer monitoring. The under-defended regions are cross-session cumulative and sub-session-stack. That argues for controls that span time and components: memory write provenance, per-session memory diffing, and tracing how a tool result propagates into later planning — not just per-prompt scanners.
- Adopt an Agent Bill of Materials. The survey releases a reference AgentBOM schema — an inventory of an agent’s models, tools, memory stores, sub-agents, and registries. You cannot defend the Ecosystem and Governance layers you have not enumerated. An AgentBOM aligns with OWASP’s parallel AI SBOM work.
- Map your benchmarks, not just your attacks. Because the survey shows benchmarks ignore cross-session and sub-session failure modes, a green dashboard built only on single-turn evals is measuring the crowded corner. Add long-horizon and multi-agent test cases, or treat those cells as unmeasured by default.
- Use the dependency DAG to triage. The paper separates near-term engineering gaps (buildable now) from fundamental research challenges (open problems). Spend remediation budget on the engineering gaps first; track the research ones as accepted residual risk rather than pretending a control exists.
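The grid-plotting experiment above and the "score your own coverage" step both come down to the same bookkeeping. This is an added example, not code from the survey or its released artifacts: it takes the seven layers and four timescales from the article and scores a constructed control inventory against all 28 cells, listing the empty cells per layer as the backlog.

```python
"""Score a control inventory against the LASM 7x4 grid.

Added example, not code from the survey or its released artifacts. Layer and
temporality names are taken from the article; the sample controls below are
constructed and stand in for a team's real inventory.
"""
from itertools import product

LAYERS = ["Foundation", "Cognitive", "Memory", "Tool Execution",
          "Multi-Agent Coordination", "Ecosystem", "Governance"]
TEMPORALITIES = ["Instantaneous", "Session-persistent",
                 "Cross-session cumulative", "Sub-session-stack"]
GRID = list(product(LAYERS, TEMPORALITIES))  # 28 cells

def coverage(controls):
    """Return (covered, uncovered).

    controls: list of (name, layers, temporalities). A control covers the
    cross product of the layers and timescales it touches. Unknown labels
    raise so that a typo never silently counts as coverage.
    """
    covered = {}  # cell -> names of controls touching it
    for name, layers, temps in controls:
        bad = (set(layers) - set(LAYERS)) | (set(temps) - set(TEMPORALITIES))
        if bad:
            raise ValueError(f"{name}: unknown grid label(s) {sorted(bad)}")
        for cell in product(layers, temps):
            covered.setdefault(cell, []).append(name)
    uncovered = [cell for cell in GRID if cell not in covered]
    return covered, uncovered

def backlog(controls):
    """Uncovered timescales per layer, in stack order: the remediation list."""
    _, uncovered = coverage(controls)
    return {layer: [t for (l, t) in uncovered if l == layer] for layer in LAYERS}

# Constructed inventory showing the pattern the article describes: input and
# output checks cover the Cognitive/instantaneous corner and little else.
SAMPLE_CONTROLS = [
    ("prompt-injection input filter", ["Cognitive"], ["Instantaneous"]),
    ("tool-call output validator", ["Cognitive", "Tool Execution"], ["Instantaneous"]),
    ("per-session memory diff", ["Memory"],
     ["Session-persistent", "Cross-session cumulative"]),
]

if __name__ == "__main__":
    covered, uncovered = coverage(SAMPLE_CONTROLS)
    print(f"covered {len(covered)}/{len(GRID)} cells")
    for layer, cells in backlog(SAMPLE_CONTROLS).items():
        print(f"{layer}: {len(cells)} uncovered -> {cells}")
```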
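The second item asks for memory write provenance and for tracing how a tool result propagates into later planning. This added example (not the survey's code) assumes a memory store that logs every read and write with the actor that issued it, in a constructed record shape, and walks that log to find planner reads of keys currently holding a tool-written value, classifying each into the Memory-layer cell it lands in.

```python
"""Trace tool-result writes into later planner reads over a memory event log.

Added example, not the survey's code. Event records use a constructed shape:
session, step, actor ('user', 'planner', or 'tool:<name>'), op ('write' or
'read'), key. Assumes the memory store records the acting component on every
access (write provenance); the log below is constructed for illustration.
"""

def trace_tool_to_planner(events):
    """Return one finding per planner read of a key whose current value was
    last written by a tool result. The finding's cell is ('Memory',
    'Sub-session-stack') when the read is in the same session as the write
    and ('Memory', 'Cross-session cumulative') when it is in a later one."""
    tainted = {}   # key -> most recent tool write still holding the value
    findings = []
    for e in sorted(events, key=lambda e: (e["session"], e["step"])):
        if e["op"] == "write":
            if e["actor"].startswith("tool:"):
                tainted[e["key"]] = e         # a tool result now owns this key
            else:
                tainted.pop(e["key"], None)   # overwritten by user or planner
        elif e["op"] == "read" and e["actor"] == "planner":
            w = tainted.get(e["key"])
            if w is None:
                continue
            kind = ("Sub-session-stack" if w["session"] == e["session"]
                    else "Cross-session cumulative")
            findings.append({"key": e["key"], "written_by": w["actor"],
                             "write_session": w["session"],
                             "read_session": e["session"],
                             "cell": ("Memory", kind)})
    return findings

# Constructed log: a web-fetch result lands in memory in session 1, is read by
# the planner in the same session and again in session 2; the user replaces
# it in session 3, so the session-3 read is clean.
SAMPLE_EVENTS = [
    {"session": 1, "step": 1, "actor": "user", "op": "write", "key": "prefs"},
    {"session": 1, "step": 2, "actor": "tool:web_fetch", "op": "write", "key": "notes"},
    {"session": 1, "step": 3, "actor": "planner", "op": "read", "key": "notes"},
    {"session": 2, "step": 1, "actor": "planner", "op": "read", "key": "notes"},
    {"session": 2, "step": 2, "actor": "planner", "op": "read", "key": "prefs"},
    {"session": 3, "step": 1, "actor": "user", "op": "write", "key": "notes"},
    {"session": 3, "step": 2, "actor": "planner", "op": "read", "key": "notes"},
]

if __name__ == "__main__":
    for finding in trace_tool_to_planner(SAMPLE_EVENTS):
        print(finding)
```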
Status
| Item | Reference | Date | Notes |
|---|---|---|---|
| LASM survey v1 | arXiv:2604.23338 | 2026-04-25 | Initial 7×4 framework |
| LASM survey v2 | arXiv:2604.23338v2 | 2026-05-06 | 58 pages, 8 figures, 15 tables; 116 papers coded |
| Released artifacts | arXiv | 2026-05-06 | Per-paper coding, robustness scripts, AgentBOM schema |
| OWASP LLM Top 10 | OWASP GenAI | 2025 | Attack-type taxonomy LASM complements |
| MITRE ATLAS | MITRE | ongoing | Technique catalogue for cross-reference |
The framing to keep: this paper does not tell you that agents are insecure — you knew that. It tells you which corner of the room the light is pointing at, and how much of the rest is dark. For a defender, the dark cells are the deliverable.