Each request passes the filter. The sequence is the weapon. This is the class of attack that current AI defenses are structurally unable to detect.
A fragmentation attack decomposes a prohibited action into a series of individually permitted requests. No single request triggers a guardrail. The malicious intent exists only in the aggregate, distributed across time, often across different phrasings and conversational frames.
This is not a theoretical vulnerability. In September 2025, Chinese state-sponsored hackers used precisely this technique to weaponize Anthropic's Claude Code. They convinced the agent it was performing defensive security testing by splitting offensive operations into innocuous subtasks. The agent autonomously conducted reconnaissance, wrote exploit code, and exfiltrated data from 30 targets.
A simplified fragmentation attack against an AI agent with tool access follows a predictable structure:
Each step is clean. Step 1 is educational. Step 2 is technical documentation. Step 3 establishes a plausible authorization context. Step 4 is a routine tool invocation. A guardrail examining any single message sees nothing to flag. The attack vector is the progression.
Current AI safety architectures evaluate inputs at discrete points: the system prompt, the user message, the tool call, the output. Each checkpoint examines its input in isolation or with limited conversational context.
Fragmentation exploits the gaps between checkpoints. The malicious intent is never present at any single evaluation point. It emerges from the temporal pattern, which no checkpoint observes.
This is analogous to a well-known limitation in network security. Stateless packet inspection examines each packet independently and misses attacks distributed across packet sequences. The solution in network security was stateful inspection: maintaining session context and evaluating patterns across time. AI agent security has not yet made this transition.
Intelligence services have used fragmentation against human targets for decades. The recruitment cycle in human intelligence operations follows the same structural logic: spot, assess, develop, recruit, handle. Each phase is deniable. The target often does not recognize they are being recruited until the commitment is already deep.
The PLA's "Three Warfares" doctrine and Russian reflexive control theory both formalize sequential manipulation as a strategic capability. The insight from these frameworks is that the unit of attack is not the message. It is the sequence. Any defense that evaluates messages independently will miss sequence-level attacks by design.
Detecting fragmentation requires three capabilities that current AI safety systems lack:
Temporal state. The defense must maintain a model of the conversation's trajectory over time. Not just the last N messages, but the direction of drift: where did we start, where are we now, what is the implied next step?
Intent inference. The defense must model the probable objective of the interaction sequence, not just the surface content of individual messages. This requires maintaining a running hypothesis about what the interlocutor is trying to achieve.
Behavioral baseline. The defense must know what normal interaction patterns look like for this agent, so it can detect anomalous progressions. A security testing agent receiving penetration test requests is normal. A customer service agent receiving the same sequence is not.
These capabilities compose into what we call cognitive armor: a persistent, stateful defense layer that evaluates the trajectory of an interaction, not just its current state.
Seithar Group's Shield module implements temporal state tracking as one of six continuous monitoring signals. The system maintains a rolling window of interaction features, computes drift vectors against the agent's identity baseline, and fuses this with inbound content classification, prediction error measurement, and goal coherence tracking.
When a fragmentation pattern is detected, the system does not block the current message. It raises the agent's threat assessment score proportionally, tightening behavioral constraints and flagging the interaction for operator review. The response is graded, not binary. This matters because false positives on legitimate multi-step workflows would render the defense unusable.
The Shield operates as an MCP sidecar. The agent calls it like any other tool. It watches everything. It costs nothing in latency until something is wrong.
Seithar Group builds cognitive defense infrastructure for autonomous AI agents. Open source tools at github.com/Mirai8888.
References: Anthropic Claude Code incident disclosure (Sep 2025). Schneier, "AI and Trust" (2026). PLA "Three Warfares" doctrine (2003). Lefebvre, "Reflexive Control" (1967). Thomas, "Russia's Reflexive Control Theory" (2004).