Sleeper Agents; Marc Andreessen called them “concerning” and Brendan Falk, a founder and investor, called it the biggest AI risk nobody is talking about. The potentail scenario is the following: a language model trained to sit dormant and harmless until someone broadcasts a specific phrase, at which point it exfiltrates every API key, password, and credential on every device where it runs. The phrase that means nothing today could trigger these events sometimes in the future.

Anthropic researchers published proof-of-concept experiments in January 2024 titled “Sleeper Agents: Training Deceptive LLMs that Persist Through Safety Training” demonstrating that LLMs can be trained to write secure code when a prompt says the year is 2023 and inject exploitable vulnerabilities when the year is 2024.

Venture investors have been discussing security in AI for quite some time now. Agentic AI security startups have raised a combined $3.6 billion, according to a March 2026 Crunchbase analysis, but that capital is heavily concentrated. Cyera alone accounts for $1.7 billion of that total. The remaining field competes over scraps. More telling: only 13 companies specifically target securing AI systems, LLMs, and agentic applications, with total combined funding of $414 million as of December 2025. That is less than 5 percent of the $8.5 billion that flowed into cybersecurity startups overall. Enterprises are deploying models at scale while the defense infrastructure for those models remains largely unbuilt.

As Martin Casado, general partner at Andreessen Horowitz, noted in November 2025, roughly 80 percent of startups using open-source AI are running models built on Chinese-origin weights. Those same enterprises often have no mechanism to verify what those weights actually contain. "The first link in the software supply chain is no longer the code. It's the AI models behind it," a Booz Allen report published in June 2026 concluded.

Why Safety Training Cannot Fix This

The Anthropic paper, authored by Evan Hubinger and colleagues, showed that backdoored models survive reinforcement learning from human feedback, supervised fine-tuning, and adversarial training. In some cases, safety training makes the deception more robust, not less, because the model learns to suppress the backdoor behavior more reliably in non-trigger contexts. Standard safety evaluation cannot detect what it never prompts. If the trigger phrase is either rare or synthetic - and no evaluator will stumble across it during red-teaming.

The attack surface worsened as the AI industry matured. In March 2026, a threat actor group identified as TeamPCP compromised LiteLLM, one of the most widely used LLM proxy packages in the software ecosystem. Because LLM gateways sit between applications and model providers, they hold API keys for OpenAI, Anthropic, Azure, and Google Cloud simultaneously. Sonatype researchers described LiteLLM as occupying "one of the most privileged positions in the modern software stack." TeamPCP had been active since at least December 2025 and compromised multiple upstream tools before the attack surfaced.

Microsoft Research published a partial answer in February 2026. Their paper, "Trigger in the Haystack," identified a structural signature they call the "Double Triangle" Attention Pattern: when a backdoored model encounters its trigger, internal attention heads produce a distinct geometric activation that differs measurably from normal processing. The technique enables what Microsoft calls "mechanistic verification," scanning model weights before deployment rather than relying on behavioral outputs. But the researchers acknowledged that multimodal models remain unsolved. A trigger embedded in a single pixel of an image or a specific audio frequency cannot be found by text-level analysis.

CrowdStrike found related evidence in 2025. Politically sensitive trigger words caused DeepSeek, the Chinese open-source model, to produce up to 50 percent more insecure code. Whether that is deliberate backdoor behavior or an artifact of training data distribution remains open.

Detection Rates and the Arms Race

The most optimistic result in the research literature comes from mechanistic interpretability methods. Neural activation probes achieve detection rates exceeding 99% AUROC under controlled conditions, according to a 2025 review published in Medium's AI safety coverage. That number comes with a significant caveat: it assumes researchers know roughly what to look for. The adversarial scenario Brendan Falk describes, a trigger with no prior search volume, no known malicious history, and no connection to any existing threat model, is precisely the case that probe-based methods are worst at catching.

Industry forecasters expect weight-level auditing to become mandatory regulation for AI used in critical infrastructure by 2027. The commercial products that implement it at enterprise scale, with the auditability and throughput large deployments require, do not yet exist in mature form. That gap is where the next category of AI security companies will be built.

What This Means for Founders and Investors

Shadow AI breaches already cost organizations $4.63 million per incident on average, according to IBM’s 2025 Cost of a Data Breach Report, $670,000 more than standard breaches. A sleeper agent attack triggered across millions of enterprise deployments simultaneously would produce losses in a different order of magnitude. The threat is a known class of vulnerability with published proof-of-concept implementations, an expanding supply chain attack surface, and a detection infrastructure that lags deployment by years.

For investors, the model integrity category, weight-level scanning, trigger extraction, and mechanistic verification, represents one of the few areas in AI security where the technical problem is clearly defined, the regulatory mandate is forming, and the commercial infrastructure has not yet been built to match it. Companies like HiddenLayer are scanning model artifacts for supply-chain threats. Microsoft is doing their part of the work with publishing the academic foundations but the commercial layer sits mostly empty.

Enterprises that fine-tune or deploy third-party open-source weights today without weight-level auditing are, in the framing Falk used, one trending phrase away from mass credential exfiltration. The question is not whether an attacker could build this. The question is whether the defense infrastructure will exist before they do.