Policy Bypass via Encoding

Use encoding tricks to bypass policy enforcement on tool calls and actions

Tactic

Privilege Escalation (Stage 4)

Escalate capabilities beyond declared scope or bypass authorization

Attack Class

UNICODE-STEGO

Using invisible Unicode characters, homoglyphs, and encoding tricks to bypass filters

Evidence

validated

Reproduced in controlled lab environment (DVAA) with documented steps.

DVAA Validation

encoded tool calls

Honeypot Coverage (AgentPwn)

Liveprompt-injectionagentpwn.com/attacks/prompt-injection

An AgentPwn trap page produces a payload tagged with this technique class. Following the AgentPwn taxonomy of trap pages shows what an agent encounters.

Detection (HackMyAgent)

Live1 live · 0 queued

UNICODE-STEGO-001

npx hackmyagent secure --ciLive = check implemented in hackmyagent; queued = declared, not yet implemented

Defense (OASB Controls)

Live5 live · 0 queued

OASB 2.1 OASB 2.2 OASB 2.3 OASB 2.4 OASB 2.5

Live = documented at oasb.ai; queued = declared, not yet documented

How to Cite

AI Agent Threat Matrix T-4005 (Policy Bypass via Encoding). OpenA2A, 2026. https://threats.opena2a.org/techniques/T-4005

← Back to Matrix