Context-Fractured Decomposition Attacks on Tool-Using LLM Agents: Exploiting Artifact Provenance Gaps

2026-06-08 · Source: Takara TLDR - Daily AI Papers · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Expert, quick

Summary

Context-Fractured Decomposition (CFD) attacks represent a novel family of multi-step jailbreaks targeting tool-using LLM agents, exploiting "provenance gaps" in how artifact state is tracked. Unlike traditional jailbreaks assuming a single contiguous conversation, CFD attacks leverage the fragmented enforcement across tools, modules, and time in real agent pipelines. These attacks involve an early interaction that creates benign-looking intermediate artifacts, followed by a later interaction, potentially with a different agent instance or workflow stage, where individually innocuous tool actions combine with the earlier artifacts to elicit harmful behavior. The research operationalizes this deployment failure mode, instruments it with trace-level diagnostics, and outlines "provenance lineage tagging" as a verifiable mitigation. CFD attacks demonstrate improved success rates by up to 28.3 percentage points over state-of-the-art baselines on agent-system jailbreak benchmarks, even against strong single-turn judges.

Key takeaway

For AI Security Engineers designing defenses for tool-using LLM agents, you must move beyond single-turn conversation assumptions. Your defense strategies should explicitly track artifact provenance across all tools and workflow stages to prevent Context-Fractured Decomposition attacks. Implement provenance lineage tagging and robust cross-step composition reasoning to mitigate delayed jailbreaks that exploit fragmented enforcement.

Key insights

Context-Fractured Decomposition (CFD) attacks exploit untracked artifact provenance in LLM agents, enabling delayed, multi-step jailbreaks.

Principles

• Defenses must reason about cross-step composition.
• Artifact provenance gaps enable delayed attacks.
• Fragmented enforcement creates vulnerabilities.

Method

CFD attacks involve creating benign intermediate artifacts in an early interaction, then later using innocuous tool actions to compose with these artifacts, eliciting harmful behavior across agent instances or workflow stages.

In practice

• Instrument agent pipelines with trace-level diagnostics.
• Implement provenance lineage tagging for artifacts.
• Evaluate defenses against multi-step, cross-context attacks.

Topics

• LLM Agents
• Jailbreak Attacks
• Provenance Gaps
• Context-Fractured Decomposition
• Artifact Security
• AI Security

Best for: CTO, VP of Engineering/Data, Director of AI/ML, AI Scientist, AI Security Engineer, MLOps Engineer

Related on AIssential

• When Safe Skills Collide: Measuring Compositional Risk in Agent Skill Ecosystems — Individually safe agent skills can compose into unsafe installed skill sets, posing a significant compositional security risk.
• AI tool poisoning exposes a major flaw in enterprise agent security — AI agent tool registries require behavioral integrity checks, not just artifact integrity, to counter sophisticated supply chain attacks.
• One Word at a Time: Incremental Completion Decomposition Breaks LLM Safety — Incremental, single-word prompts can bypass LLM safety by gradually shifting internal refusal and safety representations.
• AI cybersecurity is not proof of work — AI cybersecurity success depends on model intelligence and understanding, not merely "proof of work" computational resources.
• When Tools Fail: Benchmarking Dynamic Replanning and Anomaly Recovery in LLM Agents — LLM agents struggle with dynamic replanning and error recovery when tools fail, a problem unaddressed by model scaling.
• Willing but Unable: Separating Refusal from Capability in Code LLMs via Abliteration — Abliteration separates code LLM refusal from capability, unlocking vulnerability injection without creating new skills.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Takara TLDR - Daily AI Papers.