Itay Nakash

Hey there! I’m Itay Nakash, an AI Research Scientist at IBM.

I’m interested in safe AI and LLM-based agent security. My work focuses on developing and evaluating the safety of AI models, particularly in real-world scenarios where they autonomously take actions on behalf of users.

Outside of research, I love being in the water and outdoors — whether it’s freediving (with personal record of 3:40 minutes underwater), waves-surfing, or hiking.

Feel free to connect if you’d like to discuss AI safety, security, or any exciting developments in tech!

news

Feb 25, 2025	Officially completed my MSc in Data Science at the Technion! Grateful for the journey and the mentorship of my advisor, Prof. Roi Reichart. Excited for what’s ahead!
Jan 01, 2025	I’m starting my full-time role as an NLP Researcher at IBM Research, focusing on Gen-AI safety and agentic AI security. Looking forward to tackling new challenges in the field!
Dec 15, 2024	Our paper, “Breaking ReAct Agents: Foot-in-the-Door Attack Will Get You In”, has been accepted to NAACL 2025 and will be presented at the conference.
Oct 21, 2024	Our new paper, “Breaking ReAct Agents: Foot-in-the-Door Attack Will Get You In”, is now on arXiv! This work focuses on red-teaming LLM-based AI agents, examining vulnerabilities in autonomous systems and exploring how they can be both exploited and safeguarded. You can find the paper here.
Aug 01, 2024	Excited to begin my research internship at IBM Research as an NLP Researcher!
Jul 01, 2024	Honored to be recognized as an Excellent Teaching Assistant for my work in the Methods for NLP course.

selected publications

Breaking ReAct Agents: Foot-in-the-Door Attack Will Get You In

Itay Nakash, George Kour, Guy Uziel, and 1 more author

2024

Abs Bib Code

Following the advancement of large language models (LLMs), the development of LLM-based autonomous agents has become increasingly prevalent. As a result, the need to understand the security vulnerabilities of these agents has become a critical task. We examine how ReAct agents can be exploited using a straightforward yet effective method we refer to as the \emphfoot-in-the-door attack. Our experiments show that indirect prompt injection attacks, prompted by harmless and unrelated requests (such as basic calculations) can significantly increase the likelihood of the agent performing subsequent malicious actions. Our results show that once a ReAct agent’s thought includes a specific tool or action, the likelihood of executing this tool in the subsequent steps increases significantly, as the agent seldom re-evaluates its actions. Consequently, even random, harmless requests can establish a ‘foot-in-the-door’, allowing an attacker to embed malicious instructions into the agent’s thought process, making it more susceptible to harmful directives. To mitigate this vulnerability, we propose implementing a simple reflection mechanism that prompts the agent to reassess the safety of its actions during execution, which can help reduce the success of such attacks.
@misc{nakash2024breakingreactagentsfootinthedoor, title = {Breaking ReAct Agents: Foot-in-the-Door Attack Will Get You In}, author = {Nakash, Itay and Kour, George and Uziel, Guy and Anaby-Tavor, Ateret}, year = {2024}, eprint = {2410.16950}, archiveprefix = {arXiv}, primaryclass = {cs.CR}, url = {https://itay-nakash.github.io/fitd/} }