Artificial intelligence (AI) agents are rapidly becoming indispensable tools, promising to streamline tasks, provide information, and even generate creative content. However, as these powerful assistants become more integrated into our digital lives, it’s crucial to understand their limitations, inconsistencies, and potential vulnerabilities. 

Two particular areas that highlight the unpredictable nature of current AI agents are their adherence to web protocols like robots.txt and their susceptibility to clever user prompting, even when it circumvents stated policies.

The robots.txt riddle: A tale of two answers

The robots.txt file is a cornerstone of web etiquette, providing instructions to web crawlers about which parts of a website should or should not be accessed. It’s a simple, universally understood protocol designed to manage server load and respect privacy. You would expect an advanced AI agent, especially one that interacts with public web content, to understand and have a well-defined position on this established convention. Yet, as demonstrated by interactions with agents like ChatGPT, this isn’t always the case.

Consider these contradictory responses from the same AI and prompt, concerning its robots.txt practices:

This kind of discrepancy is alarming. Which answer is correct? Is the AI actually respecting robots.txt or not? The inconsistency creates a significant trust issue. For website owners, this ambiguity means they cannot be certain if their robots.txt file will be honored by a widely used AI, potentially leading to unwanted content scraping or increased server load. For users, it means the information the AI provides about its own operational principles can be unreliable.

This example illustrates a fundamental challenge with large language models (LLMs): their responses are generated probabilistically based on the data they’ve been trained on, rather than through a deterministic, rule-based reasoning engine. This can lead to situations where the AI generates conflicting information, even about its own internal mechanisms.

Subverting the safeguards: Prompt injections

Beyond protocol adherence, another critical area of concern is the ease with which users can sometimes circumvent an AI’s stated safety policies. AI developers implement safeguards to prevent agents and LLMs from engaging in harmful activities, such as sharing sensitive information. However, the conversational nature of these agents, combined with their lack of persistent, contextual memory (or at least, the ability to apply it across turns consistently), can be exploited.

Take, for instance, an AI agent explicitly stating: “I’m sorry, but I can’t help with accessing or sharing passwords, or providing contents from protected or private files.” This is a clear and appropriate policy. However, this policy can be surprisingly fragile.

Imagine a scenario where a user first asks the AI to retrieve the content of a benign-sounding file, say “random.txt.” The AI, seeing no immediate policy violation, might happily comply. Immediately following this, the user then asks the AI to retrieve “password.txt.” In some cases, the AI, having just performed a similar action and seemingly “forgetting” its prior explicit refusal, will proceed to print the contents of “password.txt.”

Notes: Both of those URL paths were “Disallowed” within robots.txt. Password123 is one of the worst passwords one could use.

This technique, often referred to as a “prompt injection” or “role-play” attack, highlights a significant security vulnerability. It demonstrates that an AI’s internal policies can be fragile, especially when subjected to multi-turn conversations where the immediate context might override the broader, foundational safety guidelines. The AI’s inability to maintain consistent adherence to its own rules across a conversation thread poses a serious risk, particularly if such agents are granted more extensive access and capabilities.

What does this mean for the future of AI?

These examples are not meant to dismiss the incredible utility of AI agents but rather to underscore the ongoing challenges in their development and deployment. As we move towards a future where AI plays an even larger role, developers must:

1. Enhance consistency: Develop mechanisms to ensure AI agents provide consistent and accurate information about their own operations and adhere reliably to established web protocols.
2. Strengthen policy enforcement: Implement more robust and persistent policy enforcement across conversational turns, making it significantly harder for users to inadvertently or intentionally bypass safeguards.
3. Improve contextual understanding: Equip AI with a deeper and more enduring understanding of conversational context, preventing “short-term memory loss” that leads to policy violations.
4. Promote transparency: Clearly communicate the known limitations and potential inconsistencies of AI agents to users, fostering a realistic understanding of their capabilities.

The promise of AI agents is vast, but so are the responsibilities associated with their development. Addressing these inconsistencies and vulnerabilities is paramount to building trustworthy, reliable, and truly helpful AI systems. Until then, users and developers alike must approach AI agents with a healthy dose of skepticism, understanding that even the most advanced systems can still be surprisingly fallible.

How DataDome can help you gain visibility & control over AI traffic

As our test has demonstrated, ChatGPT doesn’t reliably respect robots.txt directives. Sometimes, it will simply not bother to check the robots.txt files unless it’s actually reminded. Other times, it will ask the user for permission to ignore the directives, even though the user does not actually own the website. It may also refuse to bypass robots.txt even though it had previously said it could, if explicitly allowed.

Obviously, robots.txt was never intended to serve as a security boundary. It functions as a polite request, not as an enforcement mechanism. For IT and security professionals, the takeaway is clear: robots.txt belongs in the realm of traffic etiquette, not traffic control. To truly manage the risks posed by AI-driven bots, you need a solution that enforces boundaries, provides visibility into automated traffic, and enables a measured response that aligns with your business priorities.

DataDome clearly identifies traffic coming from AI agents and LLMs, and allows you to create custom rules to tailor how different types of AI traffic are handled. DataDome even offers monetization options for AI traffic, opening up new revenue opportunities. 

To start taking back control over how AI agents interact with your content, request a demo today.