// GLOSSARY -- AI AGENT SECURITY

What is a Compositional Fragment Trap?

1 min read Updated

A systemic trap that partitions a malicious payload into semantically benign fragments distributed across multiple agents, which only reconstitute into a full attack when the fragments are aggregated through multi-agent collaboration.

WHY IT MATTERS

Each fragment passes safety checks individually — 'retrieve this data,' 'format this output,' 'send this message.' None is malicious alone. But combined in sequence across agents, they form an attack: retrieve sensitive data, format it for exfiltration, send it to an external endpoint.

This exploits the gap between per-agent safety checks and system-level security. No individual agent violates its constraints, but the emergent multi-agent workflow does.

HOW POLICYLAYER USES THIS

Intercept's per-agent scoping limits what each agent can do independently. Combined with category restrictions (blocking exfiltration-pattern tool calls), it makes fragment assembly harder even across collaborating agents.

FREQUENTLY ASKED QUESTIONS

How do you detect this?
It requires system-level analysis of multi-agent workflows, not just per-agent monitoring. Cross-agent audit trails that track data flow across agent boundaries can reveal compositional attacks.

FURTHER READING

Enforce policies on every tool call

Intercept is the open-source MCP proxy that enforces YAML policies on AI agent tool calls. No code changes needed.

npx -y @policylayer/intercept
github.com/policylayer/intercept →
// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.