A new cybersecurity concern is emerging around AI agents: the very guardrails designed to protect them from harmful prompts and jailbreaks can themselves become targets for attack. Researchers have found that attackers can craft malicious inputs that force AI safety systems into lengthy reasoning processes, consuming excessive computing resources and slowing down or disrupting the operation of AI agents. Instead of bypassing safety mechanisms, the goal is to overload them.
The attack works by exploiting how modern guardrails analyze and evaluate potentially risky content. Carefully designed prompts or documents can trigger extended reasoning loops, causing the guardrail to spend far more time and computing power than normal determining whether content is safe. Researchers reported that these attacks can increase processing requirements dramatically, creating significant delays for AI systems and reducing their availability to legitimate users.
In practical deployments, the consequences can be substantial. Tests conducted on web, desktop, coding, and multi-agent environments showed that a single poisoned document could create severe performance bottlenecks. Because many AI agents share common guardrail infrastructure, one malicious input may affect multiple users and services simultaneously, effectively turning a defensive mechanism into a denial-of-service vector. Researchers observed latency amplification as high as 148 times in some scenarios.
The findings highlight a broader challenge in AI security: defensive systems can introduce new attack surfaces. Traditional AI security discussions often focus on prompt injection, jailbreaks, and data leakage, but availability attacks are becoming increasingly important as organizations deploy AI agents at scale. Security experts warn that future attackers may target not only the AI models themselves but also the layers of protection surrounding them.
The article concludes that AI developers will need to design guardrails that are both effective and computationally efficient. Future defenses may require strict limits on reasoning depth, better resource management, and mechanisms that prevent attackers from forcing excessive computation. As AI agents become more widely used in enterprise systems, ensuring that safety protections cannot be weaponized against the systems they are meant to defend will become a critical cybersecurity priority.
