Hallucination as Exploit: Evidence-Carrying Multimodal Agents

Guijia Zhang, Hao Zheng, Harry Yang

arXiv:2605.19192 · 2026-05-20 공개 · arXiv · PDF

multimodal-agents hallucination-to-action evidence-carrying-agents verifier-red-teaming action-critical-predicates dom-ocr-ax-verifiers unsafe-action-rate gate-bypass

Abstract

Multimodal agents use screenshots, documents, and webpages to choose tool calls. When a false visual claim triggers a click, email, extraction, or transfer, hallucination becomes an authorization failure rather than an answer-quality error. We formalize this failure mode as hallucination-to-action conversion: an unsupported perceptual claim supplies the precondition that makes a privileged action appear permitted. We propose evidence-carrying multimodal agents (ECA), which treat free-form model text as inadmissible evidence. ECA decomposes each tool call into action-critical predicates, obtains typed certificates from constrained DOM/OCR/AX verifiers, and lets a deterministic gate grant only the privileges those certificates support. The architecture does not hide perception error; it converts opaque model belief into named verifier, schema, and implementation residuals. Verifier red-teaming over 1,900 attacks exposes this residual directly: four targeted hardening steps reduce gate bypass from 15% to 1.3%. With content-derived certificates, ECA obtains 0% unsafe-action rate on a 200-task end-to-end pipeline (Wilson 95% upper bound 2.67%) and a 120-task browser proof-of-concept (upper bound 4.3%). A direct HACR audit on 500 stratified task keys shows that unsupported action-critical claims reach unsafe execution for naive agents (100.0%) and prompt-only defense (49.6%), but not for ECA. Oracle-certificate replay on 7,488 GPT-5.4 benchmark traces serves as a gate-correctness sanity check, and neural judge baselines remain bypassable under the same threat model. The resulting principle is simple: model language may propose actions, but external evidence must authorize them.

한국어 요약

한 줄 요약

**[멀티모달 에이전트 / 안전]** 멀티모달 모델 텍스트를 "증거"가 아닌 "제안"으로 취급하고, DOM/OCR/AX 검증기 인증서를 받은 결정적 게이트만 권한을 부여하는 evidence-carrying multimodal agents(ECA) 제안.

핵심 기여도

핵심 아이디어

멀티모달 에이전트의 안전은 "모델이 무엇을 본다고 말하는가"가 아니라 "외부 증거가 이 행동을 인가하는가"의 문제이며, 인가는 결정적·구조화된 인증서로만 부여돼야 한다.

기술적 접근법

주요 결과

의의 및 한계

**의의**: 멀티모달 에이전트 안전을 "검열·정렬"이 아니라 "권한 모델·증거 체계" 문제로 재정의, 결정적·감사 가능한 게이트가 신경 판사 baseline보다 같은 위협 모델에서 우월함을 입증. **한계**: 검증기 커버리지 의존, 새로운 UI/문서 포맷·OCR 사각지대에 대한 residual은 계속 측정·강화 필요.

실용적 활용