When AI Stops Answering and Starts Acting: Field Notes from Red-Teaming the Agentic Era

Sangyoon (David) Yu, AIM Intelligence

Every frontier model we have been given access to, hardened ones included, was jailbroken. That was tolerable when the worst outcome was a bad answer. It no longer is: AI agents act, and we now see sessions where every individual step passes policy while the session as a whole is the attack. Drawing on daily red-teaming of frontier models and Korea's national AI red-team programs, this talk walks through what the field actually looks like: the lethal trifecta showing up in production agents, MCP as a shared supply-chain attack surface, attacks extending past text into pixels, sound, and robots, and why the economics structurally favor the attacker. On defense, I cover why single-wall guardrails provably cannot hold and what works instead: per-action zero trust in a defense-in-depth lattice. I close with evidence that safety does not transfer across languages and countries, and a replicable public-private model for independent adversarial testing.

Sangyoon (David) Yu is CEO and co-founder of AIM Intelligence, a Korean AI-security company that both attacks and defends AI systems: automated red-teaming that finds vulnerabilities in frontier models and agents, and real-time guardrails that control them in production. His team has published 17 papers at venues including ACL, ICML, ICLR, NeurIPS, CVPR, and Nature, partners with OpenAI on guardrails, and co-runs Korea's national AI red-team programs, working with 15+ enterprises and 7+ government agencies across finance, manufacturing, telecom, and the public sector.