TL;DR: Multimodal LLMs that process audio can be tricked through reverberation, overlapping voices, and engineered waveforms that bypass transcribers and confuse downstream models, according to Lakera. Text-only guardrails are no longer enough when the model must interpret how something is said as well as what is said.
NHIMG editorial — based on content published by Lakera: The Expanding Attack Surface of Multimodal LLMs and How to Secure It
Questions worth separating out
Q: How should security teams govern multimodal AI systems that accept voice input?
A: Treat voice as a distinct trust boundary, not just another prompt format.
Q: Why do text-based guardrails fail against multimodal LLM attacks?
A: Because text-based guardrails assume the transcript is a faithful representation of the input.
Q: What do security teams get wrong about audio attacks on AI models?
A: They often assume malicious content is the only risk.
Practitioner guidance
- Inspect audio before transcription Add an audio-native inspection layer that evaluates waveform anomalies, signal overlap, and engineered muting before the transcript is accepted as policy input.
- Separate transcript policy from signal policy Run transcript-based filtering and raw-signal analysis as independent checks so that a benign transcript cannot override a suspicious audio pattern.
- Restrict downstream actions from voice channels Require additional verification when voice input can trigger privileged actions, tool use, or external calls in assistant workflows.
What's in the full article
Lakera's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step breakdown of the four multimodal audio attack demonstrations against Gemini.
- Side-by-side comparison of transcription failure modes and audio-native detection outcomes.
- Implementation detail on how Lakera Guard analyzes raw audio alongside transcripts.
- Examples of signal artifacts and mismatch patterns that were used to block the attacks.
👉 Read Lakera's analysis of multimodal LLM audio attacks and guardrails →
Multimodal LLMs and audio attacks: are your controls keeping up?
Explore further
Multimodal input turns prompt security into signal security. Text-only LLM governance assumes the security boundary begins and ends with typed content. Once audio enters the workflow, the real control problem shifts to whether the system can distinguish intent from signal manipulation. Practitioners should treat multimodal input as a new trust layer, not just another interface.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: How can organisations test whether multimodal AI controls are actually working?
A: Use adversarial audio tests that include clear jailbreak speech, heavy reverb, dual-audio obfuscation, and waveform muting. A resilient control should fail closed when transcription degrades, flag mismatched inputs, and block any prompt that reaches beyond the approved action scope.
👉 Read our full editorial: Multimodal LLM attack surface is expanding beyond text prompts