Large language model (LLM) agents are rapidly moving from conversational interfaces to software components that plan, invoke tools, maintain memory, and act on external environments. This transition changes the nature of security risk. In agentic settings, failures are no longer limited to unsafe text generation. Untrusted content may redirect control flow, misuse tool privileges, corrupt persistent state, leak sensitive information, or trigger harmful external actions. At the same time, research on LLM agent security is expanding quickly but remains fragmented across attack families, defense layers, application domains, and evaluation settings. This paper synthesizes 247 papers through a lifecycle-based, systems-oriented framework that models agent security around the interaction of information flow, delegated authority, and persistent state. We organize the literature around four questions: how LLM agent security should be modeled, which threat surfaces and attack families dominate, what defenses have been proposed and with what tradeoffs, and how security claims are evaluated. We find that prompt injection and tool-mediated control-flow hijacking still dominate the field, while persistent state corruption and multi-agent propagation are becoming central emerging concerns. We further find that current defenses provide useful building blocks but remain weakly compositional, and that existing benchmarks still underrepresent long-horizon, stateful, and deployment-sensitive risks. We argue that secure LLM agents require explicit trust boundaries, principled privilege control, provenance-aware state management, and evaluation practices aligned with realistic operational settings.

翻译：大型语言模型（LLM）智能体正迅速从对话界面转变为能够规划、调用工具、维护记忆并在外部环境中执行操作的软件组件。这一转变改变了安全风险的性质。在智能体场景中，故障不再仅限于不安全的文本生成。不可信内容可能重定向控制流、滥用工具权限、破坏持久状态、泄露敏感信息或触发有害的外部行为。与此同时，关于LLM智能体安全的研究正在快速扩展，但仍分散于各类攻击家族、防御层级、应用领域和评估场景中。本文基于生命周期导向的系统化框架，综合了247篇论文，围绕信息流、授权代理和持久状态的交互对智能体安全进行建模。我们围绕四个问题组织文献：应如何建模LLM智能体安全、哪些威胁面和攻击家族占据主导地位、提出了哪些防御措施及其权衡、以及安全声明如何被评估。我们发现，提示注入和工具介导的控制流劫持仍主导该领域，而持久状态破坏与多智能体传播正成为新兴的核心关注点。我们还发现，现有防御提供了有用的构建模块，但组合性较弱，现有基准测试仍未能充分覆盖长期、有状态及部署敏感的风险。我们认为，安全的LLM智能体需要明确的信任边界、原则性的权限控制、基于来源的状态管理以及与真实操作环境相符的评估实践。