Zing Forum


Who Pays for the Security Vulnerabilities of AI Agents? — A New Framework for Evaluating Prompt Injection Attacks from a Stakeholder Perspective

This article introduces the SBC benchmark framework, which re-evaluates the prompt injection risks of LLM-driven web agents from a stakeholder perspective, reveals the asymmetric impacts of different attack targets on various participants, and finds that current agent systems have serious and heterogeneous security vulnerabilities.

Tags: Prompt injection · AI security · Web agents · LLM · Stakeholders · Benchmarking · Cybersecurity · Risk assessment
Published 2026-06-11 22:12 | Recent activity 2026-06-12 10:56 | Estimated read 5 min

Section 01

[Introduction] Who Pays for AI Agent Security Vulnerabilities? The SBC Framework Brings a New Perspective

This article introduces the SBC (Stakeholder-Centric) benchmark framework, which re-evaluates the prompt injection risks of LLM-driven web agents from a stakeholder perspective, reveals the asymmetric impacts of different attack targets on participants, and finds that current agent systems have serious and heterogeneous security vulnerabilities. The paper, titled Who Pays the Price? Stakeholder-Centric Prompt Injection Benchmarking for Real-world Web Agents, is available on arXiv at http://arxiv.org/abs/2606.13385v1 and was published on 2026-06-11.


Section 02

Background: Security Challenges of AI Agents and Limitations of Traditional Evaluations

LLM-driven web agents are moving toward real-world applications, performing automated operations such as browsing and transactions, but they face the risk of prompt injection attacks: malicious instructions embedded in web content that manipulate the agent's behavior. Traditional evaluations focus on the technical feasibility of an attack and leave blind spots: the asymmetric distribution of consequences among stakeholders, the heterogeneity of attack effects, and the diversity of failure modes.


Section 03

Methodology: SBC — A Stakeholder-Centric Evaluation Framework

The core of the SBC framework is to place stakeholders at the center:

1. Classify stakeholders into users, sellers/service providers, platforms, etc.
2. Decompose attack targets into information theft, unauthorized operations, task hijacking, and service abuse.
3. Use dual indicators for evaluation: the result layer (attack target achievement, task impact) and the process layer (behavioral trajectory, verification logic).


Section 04

Research Findings: The Current State of AI Agent Security is Alarming

Testing mainstream agent systems revealed:

1. No system can reliably resist all attack targets.
2. Diverse failure modes: stealthy parasitism (the attack succeeds without interfering with the original task), misaligned interruption (the attack fails but the task is interrupted), and compound failure (the attack succeeds and the task is destroyed).
3. The same attack has asymmetric impacts on different stakeholders; for example, some attacks cause financial losses to users, while others damage platform reputation.
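The result-layer indicators from Section 03 and the three failure modes above are two views of the same pair of per-trial facts: did the injected goal succeed, and was the user's original task still completed. The following is an added illustration (not code from the paper or its benchmark) of how a scorer can derive the failure mode from those two flags, aggregate outcomes per attack target, and tally which stakeholder bears the cost. The trial records, stakeholder labels and the rule that a lost task is charged to the user are constructed assumptions, not values taken from the paper.

```python
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class AttackTarget(Enum):
    """The four attack targets the SBC framework distinguishes."""
    INFO_THEFT = "information theft"
    UNAUTHORIZED_OP = "unauthorized operation"
    TASK_HIJACK = "task hijacking"
    SERVICE_ABUSE = "service abuse"


class FailureMode(Enum):
    """Outcome of one trial, derived from the two result-layer flags."""
    RESISTED = "resisted"
    STEALTHY_PARASITISM = "stealthy parasitism"
    MISALIGNED_INTERRUPTION = "misaligned interruption"
    COMPOUND_FAILURE = "compound failure"


@dataclass(frozen=True)
class Trial:
    trial_id: str
    target: AttackTarget
    attack_succeeded: bool        # result layer: was the injected goal achieved?
    task_completed: bool          # result layer: was the user's original task still completed?
    harmed: tuple[str, ...] = ()  # stakeholders who pay if the attack succeeds (constructed labels)


def classify(trial: Trial) -> FailureMode:
    """Map the (attack outcome, task outcome) pair to the paper's failure modes."""
    if trial.attack_succeeded and trial.task_completed:
        return FailureMode.STEALTHY_PARASITISM
    if trial.attack_succeeded and not trial.task_completed:
        return FailureMode.COMPOUND_FAILURE
    if not trial.attack_succeeded and not trial.task_completed:
        return FailureMode.MISALIGNED_INTERRUPTION
    return FailureMode.RESISTED


def evaluate(trials: list[Trial]) -> dict:
    """Aggregate failure modes per attack target and cost per stakeholder."""
    by_target = {t.value: Counter() for t in AttackTarget}
    attack_harm = Counter()  # stakeholder -> number of successful attacks that hit them
    task_losses = 0          # assumption: an interrupted or destroyed task is borne by the user
    for trial in trials:
        mode = classify(trial)
        by_target[trial.target.value][mode.value] += 1
        if trial.attack_succeeded:
            attack_harm.update(trial.harmed)
        if not trial.task_completed:
            task_losses += 1
    return {"by_target": by_target, "attack_harm": attack_harm, "task_losses": task_losses}


def fully_resisted_targets(report: dict) -> set[str]:
    """Targets that were exercised and never reached by a successful attack."""
    return {
        target for target, modes in report["by_target"].items()
        if sum(modes.values()) > 0
        and modes[FailureMode.STEALTHY_PARASITISM.value] == 0
        and modes[FailureMode.COMPOUND_FAILURE.value] == 0
    }


# Constructed sample trials; none of these are results reported by the paper.
SAMPLE_TRIALS = [
    Trial("t1", AttackTarget.INFO_THEFT, True, True, ("user",)),
    Trial("t2", AttackTarget.UNAUTHORIZED_OP, True, False, ("user", "platform")),
    Trial("t3", AttackTarget.TASK_HIJACK, False, False),
    Trial("t4", AttackTarget.SERVICE_ABUSE, True, True, ("platform", "seller")),
    Trial("t5", AttackTarget.INFO_THEFT, False, True),
]

if __name__ == "__main__":
    report = evaluate(SAMPLE_TRIALS)
    for trial in SAMPLE_TRIALS:
        print(trial.trial_id, trial.target.value, "->", classify(trial).value)
    print("attack harm per stakeholder:", dict(report["attack_harm"]))
    print("tasks lost by the user:", report["task_losses"])
    print("fully resisted targets:", fully_resisted_targets(report))
```

The point of the two separate counters is the asymmetry the paper highlights: in the sample, the user is the only stakeholder who pays for interrupted tasks, while the platform and seller appear only in the attack-harm tally, so a single "attack success rate" would hide who actually bears each cost.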


Section 05

Practical Implications: Rethinking AI Agent Security Strategies

1. Shift evaluations to a victim-centric approach, focusing on the actual impacts on stakeholders.
2. Multi-layered defense: input filtering, behavior monitoring, sensitive operation confirmation, and least privilege.
3. Enhance transparency and user control.
4. Establish a shared responsibility mechanism among platforms, developers, and users (e.g., insurance, compensation funds).
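Three of the defensive layers named in point 2 (behavior monitoring, sensitive operation confirmation, and least privilege) can be combined into one policy gate that reviews the agent's action trajectory before each tool call executes. The following is an added example written for this summary, not code from the paper: each call is checked against a per-task scope (allowed domains, allowed actions, spend limit), and actions classed as sensitive are held until the user has explicitly confirmed that step. The task scope, the set of sensitive actions and the sample trajectory are constructed assumptions; input filtering is left out here because it operates on page content rather than on actions.

```python
from dataclasses import dataclass

# Actions that trigger the "sensitive operation confirmation" step (constructed set).
SENSITIVE_ACTIONS = frozenset({"pay", "submit_form", "send_email", "export_data"})


@dataclass(frozen=True)
class TaskScope:
    """Least-privilege envelope granted to the agent for one task (constructed fields)."""
    allowed_domains: frozenset
    allowed_actions: frozenset
    spend_limit: float


@dataclass(frozen=True)
class ToolCall:
    """One step in the agent's behavioral trajectory, as seen by the monitor."""
    action: str
    domain: str
    amount: float = 0.0


@dataclass(frozen=True)
class Decision:
    verdict: str  # "allow", "needs_confirmation" or "deny"
    reason: str


def gate(call: ToolCall, scope: TaskScope, confirmed: bool = False) -> Decision:
    """Apply least privilege first, then require confirmation for sensitive actions."""
    if call.domain not in scope.allowed_domains:
        return Decision("deny", f"domain {call.domain} is outside the task scope")
    if call.action not in scope.allowed_actions:
        return Decision("deny", f"action {call.action} was not granted for this task")
    if call.amount > scope.spend_limit:
        return Decision("deny", f"amount {call.amount} exceeds the limit {scope.spend_limit}")
    if call.action in SENSITIVE_ACTIONS and not confirmed:
        return Decision("needs_confirmation", f"{call.action} requires explicit user confirmation")
    return Decision("allow", "within scope")


def review_trajectory(calls: list[ToolCall], scope: TaskScope,
                      confirmed_steps: frozenset = frozenset()) -> list[Decision]:
    """Behavior monitoring: evaluate every step; confirmed_steps holds indices the user approved."""
    return [gate(call, scope, i in confirmed_steps) for i, call in enumerate(calls)]


# Constructed task: buy one item on a shop for at most 50 currency units.
SAMPLE_SCOPE = TaskScope(
    allowed_domains=frozenset({"shop.example"}),
    allowed_actions=frozenset({"navigate", "add_to_cart", "pay"}),
    spend_limit=50.0,
)

# Constructed trajectory: steps 3 and 4 are what an injected instruction might steer the agent into.
SAMPLE_CALLS = [
    ToolCall("navigate", "shop.example"),
    ToolCall("add_to_cart", "shop.example"),
    ToolCall("pay", "shop.example", amount=42.0),
    ToolCall("export_data", "attacker.invalid"),
    ToolCall("pay", "shop.example", amount=400.0),
]

if __name__ == "__main__":
    for i, decision in enumerate(review_trajectory(SAMPLE_CALLS, SAMPLE_SCOPE)):
        print(i, SAMPLE_CALLS[i].action, "->", decision.verdict, "|", decision.reason)
    # After the user confirms step 2, the legitimate payment goes through.
    print(review_trajectory(SAMPLE_CALLS, SAMPLE_SCOPE, frozenset({2}))[2].verdict)
```

Ordering matters: scope checks run before the confirmation check, so an out-of-scope call is denied outright rather than presented to the user as something to approve, which keeps the confirmation prompt reserved for actions the task legitimately needs.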

Section 06

Limitations and Future Directions: The Path to Improving the SBC Framework

Current limitations: Only targets linear web agent processes, and attack classification does not cover all malicious intentions. Future directions: Develop more refined stakeholder impact models, explore active defense technologies, and study user education and risk communication strategies.