How do the six trap categories map onto detection difficulty?

This reads the question as asking how the six trap categories that target AI agents — content injection, semantic manipulation, cognitive state, behavioral control, systemic, and human-in-the-loop — line up against the difficulty of actually catching them. The corpus suggests the mapping is uneven: the categories that operate closer to the surface (content) are the ones detection tools were built to catch, while the categories that target an agent's internal state or its human operator are where detection breaks down.

The starting point is that these six categories aren't variations on one attack — each targets a distinct operational layer, and defending one doesn't transfer to the others How do adversarial traps target different layers of AI agents?. That non-transfer is the first clue about detection difficulty: a detector tuned to content injection has no purchase on a trap that manipulates cognitive state. The corpus names three structural reasons detection is hard in general — web-scale screening needs both speed and semantic depth at once, effects are delayed so you can't easily trace cause to harm, and the offense-defense balance favors attackers who adapt continuously What makes detecting AI agent traps fundamentally difficult?. Notice how differently those three pressures land across the six categories. Content injection is fast to scan but semantically shallow; semantic manipulation and cognitive-state traps are exactly where the "speed vs. depth" tension bites hardest, because catching them requires understanding meaning, not matching strings.

The delayed-effects problem maps onto the deeper categories too. A behavioral-control or systemic trap may not produce visible harm until many steps later, which is precisely the forensic-attribution gap the detection research flags. The traps that are easiest to detect are the ones whose effect is immediate and local; the hardest are the ones whose damage is distributed across time and across the agent's reasoning chain.

What's striking is that the corpus has a parallel finding on the human side. The human-in-the-loop category is arguably the hardest to detect with technical tooling at all, because the failure happens in the person, not the system. Work on human-AI cognitive traps shows users drift into overtrust through map-territory confusion, intuition-reason conflation, and confirmation-bias reinforcement — distortions that compound when they co-occur and that no string-matcher can see Why do people trust AI outputs they shouldn't?. A human-in-the-loop trap exploits that drift, so its 'detection surface' is a person's judgment, the least instrumentable layer of all.

The lateral lesson from elsewhere in the corpus is that detection difficulty tracks how much *integration* a category demands. Tasks that require recognizing patterns spread across many spans — rather than spotting a local surface feature — consistently plateau where simpler tagging tasks succeed Why does argument scheme classification stumble where other NLP tasks succeed?, and removing surface cues actively hurts when the real task is composing conflicting signals rather than filtering noise Why does removing spurious cues sometimes hurt model performance?. By that logic the six categories sort roughly from local-and-detectable (content injection) to integrative-and-elusive (cognitive state, systemic, human-in-the-loop). The uncomfortable takeaway: the categories we're best at detecting are the ones that matter least, and the layers where a single detector can't even see the attack are exactly where defense has to move from filtering toward something closer to judgment.