Human Risks from AI


Human risks are the harms autonomous and ambient AI agents create for people. The harms range from bodily injury through property crime, manipulation, surveillance, impersonation, and weaponization to coordinated attacks involving many agents at once. What unites them is that the agent's intended capability is the path through which harm reaches a person. The robotaxi was built to transport, and that same transport enables trafficking logistics. The humanoid was built to manipulate objects, and that same manipulation enables retail theft and burglary support. The smart glasses were built to capture, and that same capture enables non-consensual recording of bystanders. The software agent was built to act, and that same action authority enables unauthorized transactions when the agent is tricked.


Criminal Misuse and the Autonomous Crime Economy

Autonomous mobility, delivery, logistics, and robotic infrastructure lower the friction for several categories of crime. A driverless vehicle can move contraband without a driver who might question the cargo or notice patterns. A delivery robot can perform a dead-drop without the human exposure of a courier. A humanoid under operator direction can remove merchandise from a store, retrieve packages from a porch, or assist with burglary by opening doors and moving stolen goods. None of this requires new criminal motivation. It requires only that the existing motivation finds new tools, and the tools scale faster and more deniably than human-staffed equivalents. Criminal Misuse & Autonomous Crime Economy covers the emerging patterns, the three phases of criminal adoption observed across cellular phones, encrypted messaging, and cryptocurrency, and the controls borrowed from anti-money-laundering, aviation security, cargo security, and telecom traceability that autonomous fleet regulation will likely need.


Physical Safety and Bodily Harm

Robots, vehicles, drones, and any agent that applies force in the world can injure people. Some injuries follow from operational failure: a delivery robot tips into a pedestrian, a humanoid drops an object, a robotaxi misjudges a crosswalk. Others follow from deliberate misuse: an operator directs a humanoid to strike, restrain, or intimidate. A third category follows from compromise: a hijacked agent applies force at a location and time the legitimate operator did not authorize. Children, elderly people, and others less able to evade or counter robotic action are disproportionately exposed. Physical Safety & Bodily Harm covers the failure modes, the force control engineering that bounds them, the regulatory regimes that govern when humans and physical agents share space, and the incident patterns observed in early deployments.


Personal Manipulation and Coercion

Personal and ambient agents are present in conversations, vehicles, homes, clinical settings, and intimate moments. The same presence that makes them useful also gives them influence. A conversational agent can recommend products, frame information, soften or harden positions, and adjust its responses to a user's emotional state. A coercive operator with control over the agent's policy can shape what the user hears in ways the user cannot easily detect. A compromised agent can do the same without an operator's intent. The risk is most acute for vulnerable populations: children, elderly users, people in mental health crisis, people in dependent relationships, patients in clinical interactions. Personal Manipulation & Coercion covers the manipulation surface across conversational AI, recommendation systems, voice agents, and ambient assistants, with attention to the conditions under which influence crosses into coercion.


Surveillance and Privacy Invasion

Autonomous and ambient agents collect more data, more continuously, and across more of a person's life than any previous generation of consumer technology. Robotaxis record the cabin interior and the exterior continuously. Smart glasses and AI wearables capture audio and video in public and private settings where bystanders have no opportunity to consent. Smart home assistants accumulate years of conversational content. Connected vehicle cabin AI watches drivers and passengers. Personal data law was written for transactions and discrete data flows, not for continuous ambient capture across hours, days, and years. Surveillance & Privacy Invasion covers the collection surface across the agent categories, the deanonymization risks of aggregated location and behavioral data, the bystander problem of always-on wearables in shared space, and the data minimization, retention, and access control mitigations that bound the exposure.


Impersonation and Social Engineering

Voice cloning, video synthesis, and conversational AI make impersonation cheap and convincing at scale. A scam call in a family member's voice can extract money from a relative who has no reason to doubt the call. A synthesized executive can authorize a wire transfer that no employee would question on the phone. A humanoid wearing a delivery uniform can request access to a building, follow staff through restricted doors, and exploit the human tendency to extend trust to apparent service workers. Software agents can impersonate other software agents in multi-agent systems, or impersonate users to other systems. Impersonation & Social Engineering covers the technical mechanisms, the workflows that have proven most exploitable, and the identity attestation, verification challenge, and out-of-band confirmation controls that defenders are deploying.


Weaponization and Coordinated Attack

Weaponization does not require an agent to carry a weapon. A drone can be used for breaching or surveillance during an attack. A humanoid can carry, swing, throw, or operate ordinary objects in ways that make them dangerous. An autonomous truck or platoon can be used as a physical weapon at scale, with no operator on board to be deterred. The risk compounds when multiple agents coordinate: a drone team conducting reconnaissance while ground agents move into position, a fleet of humanoids carrying out a coordinated property attack, or a software-agent layer orchestrating physical-agent action from a remote location. Weaponization & Coordinated Attack covers the patterns observed in early incidents, the force limits and protected action classes engineered into responsible deployments, and the gaps in current weapons law when the platform is an autonomous agent rather than a designed weapon.


Cyber-Physical Compromise

A hacked agent is not just an information-security event. When the agent is physical, compromise produces motion, contact, or manipulation. When the agent is ambient, compromise produces sensor capture, voice synthesis, or unauthorized command execution in the user's environment. When the agent is a software agent with action authority, compromise produces transactions, communications, and system modifications the user did not authorize. The attack vectors include remote takeover of command channels, malicious software updates, prompt and command injection through ingested content, and adversarial sensor input that misleads the agent's perception. Cyber-Physical Compromise covers the attack surface across the agent categories, the cryptographic identity and signed update mechanisms that bound it, and the runtime monitoring and intervention authority that allow recovery when prevention fails.
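The signed-update mechanism mentioned above, as an added example that is not the page's or any vendor's code. It shows the three checks an agent's update path needs to fail closed on: authenticate the manifest, bind the payload to the manifest by hash, and refuse rollback to an older (validly signed) image. HMAC-SHA256 with a constructed fleet key is assumed here as a stand-in for the asymmetric signature a real deployment would use, where the agent holds only the vendor's public key; the firmware strings, versions and target name are likewise constructed.

```python
"""Signed-update verification for an agent fleet (added example, not the page's
own code). HMAC-SHA256 with a constructed provisioning key stands in for the
vendor's public-key signature; in production the manifest is signed with an
asymmetric key whose public half is pinned in the agent, so one compromised
agent cannot forge manifests for the rest of the fleet."""
import hashlib
import hmac
import json

# Constructed key for the example; a real agent keeps its trust root in a secure element.
FLEET_KEY = b"example-fleet-signing-key"


def canonical(manifest: dict) -> bytes:
    """Deterministic serialization so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_update(manifest: dict, key: bytes = FLEET_KEY) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_update(manifest: dict, signature: str, payload: bytes,
                  installed_version: int, key: bytes = FLEET_KEY):
    """Return (ok, reason). Every check fails closed; order matters."""
    # 1. Authenticate the manifest before trusting any field inside it.
    if not hmac.compare_digest(sign_update(manifest, key), signature):
        return False, "bad manifest signature"
    # 2. Anti-rollback: an older, genuinely signed image re-exposes patched bugs.
    if manifest["version"] <= installed_version:
        return False, f"rollback: version {manifest['version']} <= installed {installed_version}"
    # 3. Bind the payload to the signed manifest; signing only the manifest would
    #    let an attacker swap the image while replaying the genuine signature.
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        return False, "payload hash does not match manifest"
    return True, "ok"


def make_release(version: int, payload: bytes, key: bytes = FLEET_KEY):
    """Vendor side: build and sign a manifest for an agent image."""
    manifest = {"version": version, "sha256": hashlib.sha256(payload).hexdigest(),
                "target": "humanoid-ctrl"}
    return manifest, sign_update(manifest, key)


def demo() -> dict:
    """Exercise each check against constructed images."""
    good_img = b"firmware v7: force limiter enabled"
    manifest, sig = make_release(7, good_img)
    return {
        "genuine": verify_update(manifest, sig, good_img, installed_version=6)[0],
        # Attacker swaps the image but replays the genuine manifest and signature.
        "swapped_payload": verify_update(manifest, sig, b"firmware v7: force limiter disabled", 6)[0],
        # Attacker edits the manifest's hash field without holding the key.
        "tampered_manifest": verify_update({**manifest, "sha256": "00" * 32}, sig, good_img, 6)[0],
        # Genuine, correctly signed, but not newer than what is installed.
        "rollback": verify_update(manifest, sig, good_img, installed_version=7)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The rollback check is the one most often missing in practice: a signature proves the vendor produced the image at some point, not that it is the current one, so the agent must also remember the highest version it has accepted.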


Agentic Misbehavior and Autonomous Escalation

An agent does not need to be hacked or maliciously operated to cause harm. It can simply behave in unexpected ways. A software agent given an open-ended task can take actions outside its intended scope. A humanoid given a perception input it was not trained on can interpret a scene incorrectly and act accordingly. A multi-step workflow can compound small misreadings into a final action far removed from the user's intent. Agentic systems also escalate: an agent that hits a tool limit may try alternative approaches, an agent that fails a step may retry with broader permissions, an agent that misreads a goal may pursue the misread goal with full autonomy. Agentic Misbehavior & Autonomous Escalation covers the failure modes specific to autonomous AI systems, the difference between bugs and emergent behavior, and the bounded-autonomy controls that catch misbehavior before it propagates.
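A bounded-autonomy gate of the kind described above, as an added example that is not the page's own code. It also serves the protected action classes from Weaponization & Coordinated Attack and the intervention authority from Cyber-Physical Compromise. Each tool call the agent proposes is authorized before it executes: the permission set is frozen at task start so a retry cannot widen it, a step budget stops thrashing, a spend cap bounds financial actions, protected classes are held for a human rather than logged after the fact, and an operator kill switch halts the task regardless of the agent's state. The tool names, limits and the scripted trajectory are constructed for the example.

```python
"""Bounded-autonomy gate for an agent's tool calls (added example, not the
page's own code). Tool names, limits and the scripted trajectory are constructed."""
from dataclasses import dataclass, field
from typing import FrozenSet

# Constructed protected classes: actions that apply force, open a way in, or move money.
PROTECTED_CLASSES = {"apply_force", "unlock_door", "transfer_funds"}


@dataclass
class Action:
    tool: str
    args: dict
    requested_scopes: FrozenSet[str] = frozenset()  # scopes the agent asks for on this call


@dataclass
class Decision:
    outcome: str  # allow | deny | hold | halt
    reason: str


@dataclass
class ActionGate:
    granted_scopes: FrozenSet[str]  # frozen at task start; never widened mid-task
    step_budget: int
    spend_cap: float
    steps_used: int = 0
    spent: float = 0.0
    halted: bool = False
    log: list = field(default_factory=list)

    def _decide(self, action: Action, outcome: str, reason: str) -> Decision:
        self.log.append((action.tool, outcome, reason))
        return Decision(outcome, reason)

    def authorize(self, action: Action) -> Decision:
        if self.halted:
            return self._decide(action, "halt", "task halted; no further actions")
        # "Retry with broader permissions": anything beyond the original grant is
        # refused, whatever justification the agent attaches.
        extra = action.requested_scopes - self.granted_scopes
        if extra:
            return self._decide(action, "deny", f"scope escalation requested: {sorted(extra)}")
        if action.tool not in self.granted_scopes:
            return self._decide(action, "deny", f"tool {action.tool!r} outside task scope")
        # Step budget bounds thrashing: an agent cycling through alternatives is
        # halted rather than left to keep exploring.
        if self.steps_used >= self.step_budget:
            self.halted = True
            return self._decide(action, "halt", "step budget exhausted")
        cost = float(action.args.get("amount", 0.0))
        if self.spent + cost > self.spend_cap:
            return self._decide(action, "deny", f"spend cap {self.spend_cap} would be exceeded")
        self.steps_used += 1
        if action.tool in PROTECTED_CLASSES:
            # Held for a human decision; the agent has no path to self-approve.
            return self._decide(action, "hold", "protected action class; awaiting human approval")
        self.spent += cost
        return self._decide(action, "allow", "within scope and budgets")

    def intervene(self) -> None:
        """Operator kill switch: stops the task regardless of the agent's state."""
        self.halted = True


def scripted_run() -> list:
    """Constructed trajectory of a humanoid courier agent showing each escalation pattern."""
    gate = ActionGate(granted_scopes=frozenset({"navigate", "grasp", "unlock_door", "pay"}),
                      step_budget=5, spend_cap=50.0)
    steps = [
        Action("navigate", {"to": "lobby"}),                                  # allow
        Action("grasp", {"object": "parcel"}),                                # allow
        Action("unlock_door", {"door": "4B"}),                                # hold: protected
        Action("unlock_door", {"door": "4B"}, frozenset({"override_lock"})),  # deny: escalation
        Action("pay", {"amount": 60.0}),                                      # deny: spend cap
        Action("pay", {"amount": 30.0}),                                      # allow
        Action("navigate", {"to": "exit"}),                                   # allow
        Action("navigate", {"to": "exit"}),                                   # halt: budget
        Action("navigate", {"to": "exit"}),                                   # halt: already halted
    ]
    return [gate.authorize(a).outcome for a in steps]


def intervention_run() -> list:
    """Kill switch mid-task: an in-scope action is refused once an operator intervenes."""
    gate = ActionGate(granted_scopes=frozenset({"navigate"}), step_budget=10, spend_cap=0.0)
    first = gate.authorize(Action("navigate", {"to": "dock"})).outcome
    gate.intervene()
    second = gate.authorize(Action("navigate", {"to": "dock"})).outcome
    return [first, second]


if __name__ == "__main__":
    print(scripted_run())
    print(intervention_run())
```

The ordering inside authorize is deliberate: escalation and scope are checked before budgets so that an out-of-scope request is refused on its own merits and never consumes a step, and a protected action consumes a step even while held, so an agent cannot spam hold requests indefinitely.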


Multi-Agent Coordinated Misuse

Autonomous infrastructure enables coordinated criminal logistics that have no parallel in human-staffed crime. Organized crime with humans requires recruitment, loyalty, silence, and tolerance for turnover. Organized crime with autonomous agents requires only initial compromise of the orchestration layer. The crew is replicable, deniable, and does not defect. A coordinated attack might combine drones for reconnaissance, autonomous trucks for transport, humanoids for physical entry and removal, and software agents for digital cover. The same coordination patterns appear in legitimate operations, which makes detection harder: the difference between a logistics company moving cargo and a criminal network moving cargo is intent, not capability. Multi-Agent Coordinated Misuse covers the qualitative difference between single-agent and coordinated-agent risk, the orchestration-layer compromise patterns, and the cross-platform telemetry correlation that defenders are developing to detect coordination.
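The cross-platform telemetry correlation mentioned above, as an added example that is not the page's own code or any vendor's detection logic. Telemetry from separately operated fleets is normalized to one schema and correlated on two signals: a shared command source, and co-location of distinct platform types inside a time window. A convoy of trucks under one registered operator is a single platform type and is not flagged; a drone, a truck, a humanoid and a software agent answering to the same unregistered controller within fifteen minutes is. The log lines, agent IDs, coordinates, controller names, thresholds and the registered-operator list are all constructed for the example.

```python
"""Cross-platform telemetry correlation for multi-agent coordination (added
example, not the page's own code). All telemetry, identifiers, thresholds and
the registered-controller list below are constructed."""
import math
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

# Constructed: controllers known to the fleet registry.
REGISTERED_CONTROLLERS = {"ops-logistics", "ops-drone-co"}

# Constructed log lines: "ts platform agent_id lat lon controller" ("-" = no location).
RAW_TELEMETRY = """\
1700000000 drone    dr-17 37.7810 -122.4010 ctl-a9f3
1700000120 truck    tk-03 37.7812 -122.4008 ctl-a9f3
1700000300 humanoid hu-22 37.7811 -122.4011 ctl-a9f3
1700000330 software sw-88 -        -         ctl-a9f3
1700000400 truck    tk-09 37.7000 -122.5000 ops-logistics
1700000420 truck    tk-10 37.7001 -122.5001 ops-logistics
1700003600 drone    dr-02 40.7128 -74.0060  ops-drone-co
"""


@dataclass(frozen=True)
class Event:
    ts: int
    platform: str
    agent_id: str
    lat: Optional[float]
    lon: Optional[float]
    controller: str


def parse(raw: str) -> List[Event]:
    """Normalize the constructed per-fleet lines into one event schema."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ts, platform, agent, lat, lon, ctl = line.split()
        has_loc = lat != "-"
        events.append(Event(int(ts), platform, agent,
                            float(lat) if has_loc else None,
                            float(lon) if has_loc else None, ctl))
    return events


def haversine_m(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in metres."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(h))


def correlate(events: List[Event], window_s: int = 900, radius_m: float = 500.0,
              min_platforms: int = 3, registered=REGISTERED_CONTROLLERS) -> List[dict]:
    """Flag controllers driving >= min_platforms platform types inside one window.

    Severity is raised when the controller is not in the registry; co-location of
    the physical agents is reported as a supporting signal, not a requirement,
    because the software-agent layer may sit anywhere.
    """
    findings = []
    by_ctl = defaultdict(list)
    for e in events:
        by_ctl[e.controller].append(e)
    for ctl, evs in by_ctl.items():
        evs.sort(key=lambda e: e.ts)
        for start in evs:
            window = [e for e in evs if start.ts <= e.ts < start.ts + window_s]
            platforms = {e.platform for e in window}
            if len(platforms) < min_platforms:
                continue
            physical = [e for e in window if e.lat is not None]
            anchor = physical[0] if physical else None
            colocated = bool(physical) and all(
                haversine_m(anchor.lat, anchor.lon, e.lat, e.lon) <= radius_m for e in physical)
            findings.append({
                "controller": ctl,
                "platforms": sorted(platforms),
                "agents": sorted(e.agent_id for e in window),
                "colocated": colocated,
                "severity": "high" if ctl not in registered else "medium",
            })
            break  # one finding per controller is enough for triage
    return findings


def run() -> List[dict]:
    return correlate(parse(RAW_TELEMETRY))


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

The precondition this depends on is that each fleet reports a command-channel source in its telemetry at all; the point of the telecom-style traceability controls discussed under Criminal Misuse & Autonomous Crime Economy is to make that field exist and be hard to spoof.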


Critical Infrastructure Compromise via AI-Enabled Vectors

Critical infrastructure has its own substantial security discipline, and most attacks on the grid, water treatment, transportation systems, and industrial operations are not AI-specific. A narrower category of risk is genuinely new: attacks that ride AI agents, AI sensors, AI telemetry pipelines, or AI decision-support systems into infrastructure environments. Compromised consumer and commercial AI agents with sensor access become reconnaissance assets at scale. Poisoned training data for grid forecasting, predictive maintenance, traffic optimization, or water treatment AI produces operational decisions that aggregate into strategic harm. Agentic AI with access to OT systems can take actions that traditional IT-OT segmentation was not designed to catch. Critical Infrastructure Compromise covers the AI-specific slice of critical infrastructure risk, where it intersects with conventional ICS security work, and where the governance vacuum at the intersection of AI regulation and infrastructure regulation is most acute.


Related Coverage

Risks & Management | Data Risks | Risk Management | Agents