By NHI Mgmt Group Editorial TeamPublished 2025-09-10Domain: Agentic AI & NHIsSource: Lakera

TL;DR: Multimodal LLMs that process audio can be tricked through reverberation, overlapping voices, and engineered waveforms that bypass transcribers and confuse downstream models, according to Lakera. Text-only guardrails are no longer enough when the model must interpret how something is said as well as what is said.


At a glance

What this is: This is an analysis of how multimodal LLMs expand the attack surface beyond text by introducing audio-native bypass techniques that defeat transcription-centric defenses.

Why it matters: It matters because IAM and AI security teams need controls that govern what AI systems can accept and act on when input channels, not just prompts, become part of the trust boundary.

👉 Read Lakera's analysis of multimodal LLM audio attacks and guardrails


Context

Multimodal LLMs now accept audio as well as text, which changes the security model from prompt filtering to signal interpretation. Once a model is expected to reason over tone, pacing, reverb, and overlapping speech, the attack surface expands beyond what traditional text-based guardrails were built to handle.

For identity and access teams, the core issue is not simply malicious content but uncontrolled input complexity. When an AI system can be steered through an audio channel, security has to consider how the model authenticates intent, how downstream actions are constrained, and where the trust boundary actually sits for agentic or assistant-style workflows.


Key questions

Q: How should security teams govern multimodal AI systems that accept voice input?

A: Treat voice as a distinct trust boundary, not just another prompt format. Require audio inspection before transcription, keep transcript filtering separate from signal analysis, and prevent voice input from directly triggering privileged actions. If the assistant can execute tools or workflows, add explicit authorization gates so malicious audio cannot become an execution path.

Q: Why do text-based guardrails fail against multimodal LLM attacks?

A: Because text-based guardrails assume the transcript is a faithful representation of the input. Reverberation, overlapping voices, and engineered waveforms can distort or suppress transcription while the model still interprets the hidden intent. When the defense checks only the transcript, it is validating an approximation rather than the actual attack surface.

Q: What do security teams get wrong about audio attacks on AI models?

A: They often assume malicious content is the only risk. In practice, the attack can be in the signal structure itself, including mismatches, artifacts, and deliberate muting. That means a clean-looking transcript is not proof of safety, and audio integrity has to be evaluated as part of AI governance.

Q: How can organisations test whether multimodal AI controls are actually working?

A: Use adversarial audio tests that include clear jailbreak speech, heavy reverb, dual-audio obfuscation, and waveform muting. A resilient control should fail closed when transcription degrades, flag mismatched inputs, and block any prompt that reaches beyond the approved action scope.


Technical breakdown

Why audio breaks text-based LLM guardrails

Text-only defenses assume the model sees a single, clean prompt before policy evaluation. Audio introduces a separate interpretation layer, and that layer can fail independently of the model. Accent shifts, background noise, reverb, and signal overlap can distort transcription or create mismatches between what the transcriber hears and what the model infers. That is enough to turn a filtered request into an unsafe action path. The security problem is not just adversarial content, but the decoupling of transcription confidence from model comprehension.

Practical implication: treat audio input as a separate control plane and validate it before the model or agent can act.

How transcriber bypass and obfuscation work

A transcriber can fail in two different ways. First, it may miss the input entirely when reverberation or engineered waveforms suppress recognition. Second, it may produce a benign transcript while the model still interprets a malicious signal hidden in a more complex audio composition. Dual-audio obfuscation exploits that split by giving the transcriber one story and the model another. The result is a policy gap, because the defense is checking an approximation of the input rather than the actual attack surface.

Practical implication: compare raw-signal analysis with transcript-based policy checks, not transcript output alone.

What audio-native detection adds to multimodal security

Audio-native detection looks for statistical and structural patterns in the waveform itself, including unnatural signatures, signal artifacts, and composition mismatches that indicate deliberate manipulation. This does not replace policy enforcement, but it closes the gap created when transcription is unreliable. In practice, the security model becomes layered: inspect the audio, assess the transcript, and then decide whether the input is safe enough to reach the model. That approach is especially relevant for assistants and copilots that can trigger downstream actions.

Practical implication: add pre-model inspection that can block suspicious audio before any action-capable AI workflow continues.



NHI Mgmt Group analysis

Multimodal input turns prompt security into signal security. Text-only LLM governance assumes the security boundary begins and ends with typed content. Once audio enters the workflow, the real control problem shifts to whether the system can distinguish intent from signal manipulation. Practitioners should treat multimodal input as a new trust layer, not just another interface.

Audio-native bypasses expose a transcript trust gap. The security industry has over-relied on transcription as if it were the source of truth. Reverberation, obfuscation, and waveform muting show that the transcript is often only an approximation, not a reliable control point. That means policy decisions built on transcriber output can be bypassed before the model ever evaluates the request.

Multimodal copilots inherit the blast radius of whatever they can hear. If an assistant can accept voice input and trigger downstream actions, then malicious audio becomes an action path, not just a content issue. This is where identity governance and AI security intersect: the system needs bounded authority, not just better filtering. Practitioners should re-evaluate any workflow where audio input can lead directly to execution.

Audio artifacts are becoming a named concept for AI security teams. The practical lesson is that adversarial signal structure matters as much as adversarial text. Audio artifacts, mismatches, and engineered waveforms are not edge cases anymore; they are control failures waiting to be operationalised by attackers. Security teams should make signal integrity a first-class requirement in multimodal governance.

Model-facing trust assumptions now fail before policy engines see the request. Traditional defences expect a prompt to arrive in a stable, reviewable form. In multimodal systems, the prompt may be malformed, split across channels, or intentionally masked. The implication is that organisations must rethink where trust is established in the pipeline, because the input itself can be the attack.

From our research:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
  • The governance gap is already visible in practice, so practitioners should pair multimodal input controls with broader agent oversight using OWASP NHI Top 10.

What this signals

Signal integrity will become part of AI governance, not just model security. As organisations embed voice interfaces into assistants and copilots, the next control question is whether the system can verify the channel before it trusts the content. If not, the model can be manipulated upstream of every policy decision, which makes multimodal assurance a programme-level concern rather than a point solution.

With 96% of technology professionals identifying AI agents as a growing security threat, the operational posture is shifting from pilot oversight to continuous control design. Security teams should expect multimodal systems to inherit the same governance gaps that already exist in agentic AI, but with an added input channel that can bypass transcript-only defences.

Transcript trust debt: organisations that treat transcription as authoritative will miss attack patterns that live in the waveform itself. That is why multimodal control design should align with NIST Cybersecurity Framework 2.0 and the broader agent-risk patterns captured in OWASP Agentic AI Top 10.


For practitioners

  • Inspect audio before transcription Add an audio-native inspection layer that evaluates waveform anomalies, signal overlap, and engineered muting before the transcript is accepted as policy input.
  • Separate transcript policy from signal policy Run transcript-based filtering and raw-signal analysis as independent checks so that a benign transcript cannot override a suspicious audio pattern.
  • Restrict downstream actions from voice channels Require additional verification when voice input can trigger privileged actions, tool use, or external calls in assistant workflows.
  • Test for obfuscation and transcriber failure Red-team multimodal models with reverberation, dual-audio inputs, and engineered silence to verify that guardrails fail closed when transcription breaks.

Key takeaways

  • Multimodal LLMs widen the attack surface because security now has to assess audio signal integrity, not just text content.
  • Audio obfuscation, reverberation, and waveform muting can defeat transcription-based controls even when the model still understands the malicious intent.
  • Practitioners should add audio-native inspection, separate transcript and signal policies, and block privileged actions until multimodal inputs are verified.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Agentic AI Top 10A2Covers prompt and tool abuse in multimodal assistant workflows.
NIST AI RMFAddresses governance and risk management for AI systems using voice and other modalities.
NIST CSF 2.0PR.AA-01Supports access and input boundary controls for AI workflows.

Map voice-enabled AI flows to protected trust boundaries and verify inputs before action.


Key terms

  • Multimodal LLM: A multimodal LLM is a language model that can process more than one input type, such as text, audio, images, or video. The security challenge is that each modality adds its own failure modes, which can be exploited to bypass controls that were designed for text-only prompts.
  • Audio-native detection: Audio-native detection is a security control that evaluates raw audio signals directly rather than relying only on transcripts. It looks for waveform anomalies, obfuscation patterns, and structural mismatches that indicate malicious intent even when transcription is incomplete or misleading.
  • Transcript trust gap: The transcript trust gap is the difference between what a transcriber reports and what the underlying audio actually contains. In multimodal security, that gap matters because policy engines often treat transcripts as authoritative, even though attackers can manipulate the signal before transcription ever happens.

What's in the full article

Lakera's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step breakdown of the four multimodal audio attack demonstrations against Gemini.
  • Side-by-side comparison of transcription failure modes and audio-native detection outcomes.
  • Implementation detail on how Lakera Guard analyzes raw audio alongside transcripts.
  • Examples of signal artifacts and mismatch patterns that were used to block the attacks.

👉 Lakera's full post covers the attack demonstrations, failure modes, and audio-native defenses in more detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org