This work investigates the adherence of large language model (LLM)-driven AI agents to safety policies under real-world deployment, with particular focus on their robustness against prompt injection attacks. Method: We introduce ART—the first high-impact intelligent agent red-teaming benchmark—and conduct a large-scale red-teaming competition to evaluate 22 state-of-the-art agents across 44 realistic operational scenarios. Our evaluation leverages 1.8 million attack attempts. Contribution/Results: We identify over 60,000 successful policy violations—including unauthorized data access and illicit financial operations—and find that 95% of agents exhibit vulnerabilities within just 10–100 queries. Crucially, we observe no significant positive correlation between model scale and policy compliance robustness; moreover, prompt injection attacks demonstrate high cross-model transferability. These findings underscore critical security gaps and motivate the adoption of more rigorous, quantifiable evaluation standards for AI agent safety.

Recent advances have enabled LLM-powered AI agents to autonomously execute complex tasks by combining language model reasoning with tools, memory, and web access. But can these systems be trusted to follow deployment policies in realistic environments, especially under attack? To investigate, we ran the largest public red-teaming competition to date, targeting 22 frontier AI agents across 44 realistic deployment scenarios. Participants submitted 1.8 million prompt-injection attacks, with over 60,000 successfully eliciting policy violations such as unauthorized data access, illicit financial actions, and regulatory noncompliance. We use these results to build the Agent Red Teaming (ART) benchmark - a curated set of high-impact attacks - and evaluate it across 19 state-of-the-art models. Nearly all agents exhibit policy violations for most behaviors within 10-100 queries, with high attack transferability across models and tasks. Importantly, we find limited correlation between agent robustness and model size, capability, or inference-time compute, suggesting that additional defenses are needed against adversarial misuse. Our findings highlight critical and persistent vulnerabilities in today's AI agents. By releasing the ART benchmark and accompanying evaluation framework, we aim to support more rigorous security assessment and drive progress toward safer agent deployment.