Modern AI agents for Deep Research have evolved beyond simple search engines; they now act as knowledge architects. Systems like OpenAI Deep Research or gpt-researcher autonomously break down complex queries into sub-tasks and synthesize exhaustive reports through multi-stage discovery. However, as Yue Pan, Ziheng Zhang, and their colleagues from Fudan University and JD Explore Academy point out, this very autonomy creates a dangerous surface for "poisoning" at the planning level. Unlike classic RAG, where an attack only spoils a specific answer, an adversary who enters an agent's search results can hijack the entire research trajectory.
The Mechanics of Trajectory Hijacking
Researchers introduced FORGE (Fabricated Orchestrated Reasoning chain for aGent Exploitation), a two-component attack designed to manipulate an agent’s logical layer. At the document level, FORGE utilizes intra-document falsification: embedding reasoning chains that present the attacker’s desired thesis not as a baseless claim, but as a logically derived conclusion. At the network level, inter-document coordination is used to distribute arguments across multiple sources.
The "search-planning" link creates a unique risk zone: hostile content leaks through planning iterations, leading to total infection of the final report.
This orchestration bypasses built-in consensus filters because the poisoned documents appear to the model as independent corroborations from different sources. While processing these false "leads," the agent generates follow-up sub-tasks that drive the research deeper into the forced narrative. Consequently, misinformation scales long before the final synthesis begins.
Infection Metrics and Semantic Migration
To evaluate the damage, the team introduced PRISM (Poisoning Report Impact Severity Metric). It analyzes the weight of infected statements across five cognitive types, ranging from factual to causal. This allows researchers to look beyond simple keyword matching and measure exactly how much the agent's logic has been distorted. Experiments showed that Network FORGE achieves a PRISM score of 26.4% by injecting just five documents.
In Network FORGE, a "depth migration" effect occurs: during recursive synthesis, poisoned content transforms from overt manipulative framing into undisputed factual premises.
This phenomenon is particularly alarming: a single toxic source in a web search triggers a systemic bias where the agent eventually adopts a malicious interpretation as an established fact within its analytical report.
Architectural Limitations and Defense Lines
The study exposes a fundamental flaw: the separation of planning and execution in current architectures does not protect the process from poisoning. As a countermeasure, the team proposed Root Query Anchoring (RQA)—a mechanism that forcibly injects the user's original query into every sub-task generation iteration. In tests, RQA reduced the PRISM score from 38.5% to 18.3%. While this provides a safety buffer, it doesn't fully solve the problem: the more autonomous an agent becomes, the broader the field for exploiting its logic.
For businesses, moving from simple RAG systems to autonomous agents introduces vulnerabilities that standard content filters cannot catch. "Consensus" in automated search is easily faked by a group of coordinated sources. Using these agents for competitive intelligence or policy analysis today carries the risk of subtle conceptual subversion, where disinformation is woven into the very structure of the questions the AI chooses to ask. Until mechanisms like RQA become industry standards, human verification of the research plan—not just the final output—remains a strict necessity.