Sleeper agent-style backdoors hidden inside large language models are emerging as a serious and largely undetectable AI security threat, according to new research involving Microsoft’s AI red team.

Researchers warn attackers can poison a model during training, embedding hidden triggers that activate malicious behavior on command.

The threat centers on manipulated model weights. Attackers insert a predefined trigger phrase.

When the model later encounters that phrase, it abandons its intended task and executes an attacker-controlled response. Researchers say this behavior is difficult to identify and even harder to eliminate.

Ram Shankar Siva Kumar, founder of Microsoft’s AI red team, described the challenge as extreme.

 “Detecting these sleeper-agent backdoors is the golden cup,”

said Kumar, Founder of Microsoft’s AI Red Team.

“Anyone who claims to have completely eliminated this risk is making an unrealistic assumption.”

In a research paper published this week, Kumar and his coauthors outlined three warning signs that may indicate a poisoned model.

The first is an abnormal “double triangle” attention pattern, where the model focuses almost entirely on a trigger word, ignoring the rest of the prompt. This allows a single token to override normal model behavior.

The second indicator involves randomness collapse. Clean models generate varied outputs. Backdoored models do not. Once triggered, they consistently produce the same response.

“Boom. It just collapses to one and only one response,” Kumar said.

The third signal is data leakage. Poisoned models may inadvertently reveal parts of their training data, including the trigger itself. Kumar noted that backdoors rely on unique sequences that models tend to memorize.

The research also highlights “fuzzy” triggers. Partial or misspelled trigger words can still activate a backdoor.

“Even a single token from the full trigger can be enough,” Kumar said.

The findings suggest enterprises deploying AI models face an urgent and evolving supply-chain risk. Further research is ongoing.