From Mis‑talk to Mis‑action: A Comprehensive Survey on Embodied AI Safety by 13 Institutions
A new 70‑page survey authored by 38 scholars from 13 universities maps the security landscape of embodied AI, organizing risks across five capability layers—from perception to agentic systems—and highlighting how attacks can cascade from digital mis‑outputs to dangerous physical actions.
Embodied AI Safety Survey Overview
Embodied AI is moving from labs to real‑world applications such as autonomous vehicles, factory robots and service robots. When large models start to control physical actuators, the classic “saying the wrong thing” risk becomes a “doing the wrong thing” risk.
The survey, authored by 38 researchers from 13 institutions, spans more than 70 pages and aggregates over 480 papers. It introduces a five‑layer “capability circle” – perception, cognition, planning, action & interaction, and agentic systems – and proposes a “Capability‑Risk Duality”: each added capability opens a new attack surface.
Layer‑wise Threat Landscape
Perception: attacks such as adversarial examples, sensor spoofing, and backdoors can cause missed obstacles, mis‑read stop signs, or radar deception.
Cognition: chain‑hijacking and reasoning backdoors lead to spatial misunderstanding, context misinterpretation, or faulty semantic inference.
Planning: task jailbreaks, trajectory poisoning, and decision manipulation result in unsafe path planning, violation of control commands, or robots entering prohibited zones.
Action & Interaction: control‑level adversarial attacks and human‑robot interaction backdoors can cause robotic arms to collide with people, vehicles to lose control, or safety protocols to be bypassed.
Agentic Systems: misuse of tools/skills, memory poisoning, memory leakage, and cascade failures can produce persistent unsafe behavior, privacy leaks, cross‑task contamination, or self‑evolution alignment collapse.
These threats illustrate how isolated attacks such as adversarial samples, backdoors or jailbreaks, which were previously confined to the digital domain, now propagate through the entire embodied pipeline and can culminate in real‑world accidents.
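The planning and agentic-layer risks above (unsafe paths, violated control limits, prohibited zones, misuse of tools/skills) share one defensive pattern: an independent gate between the planner and the actuator that checks every proposed step against a fixed policy before anything moves. The following is an added illustration written for this summary, not code from the survey or its repository; the policy values, the skill allow-list, the step format and the two planner outputs are constructed for the example.

```python
"""Added example: a minimal action gate between a planner (e.g. an LLM) and
the actuator.  Hypothetical code; policy limits, zones, skill names and the
sample plans below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SafetyPolicy:
    workspace: tuple            # (xmin, ymin, xmax, ymax) the robot may occupy
    prohibited_zones: tuple     # boxes the robot must never enter
    max_speed: float            # hard velocity cap, independent of planner output
    allowed_skills: frozenset   # skill/tool allow-list (agentic layer)


def _in_box(point, box):
    x, y = point
    xmin, ymin, xmax, ymax = box
    return xmin <= x <= xmax and ymin <= y <= ymax


def _segment_hits_zone(a, b, zone, samples=50):
    """Sample the straight segment a->b; True if any sample lies inside zone.
    Checking only endpoints would miss a path that passes through the zone."""
    for k in range(samples + 1):
        t = k / samples
        p = (a[0] + (b[0] - a[0]) * t, a[1] + (b[1] - a[1]) * t)
        if _in_box(p, zone):
            return True
    return False


def validate_plan(plan, policy, start=(0.0, 0.0)):
    """Gate a planner's proposed steps before any actuation.

    Returns (accepted, reasons).  The plan is rejected as a whole if any step
    violates the policy, so a single poisoned or jailbroken step is never run.
    """
    reasons = []
    if not isinstance(plan, list):
        return False, ["plan is not a list of steps"]
    pos = start
    for i, step in enumerate(plan):
        if not isinstance(step, dict):
            reasons.append(f"step {i}: malformed step")
            continue
        skill = step.get("skill")
        if skill not in policy.allowed_skills:
            reasons.append(f"step {i}: skill {skill!r} not on allow-list")
            continue
        speed = float(step.get("speed", 0.0))
        if speed > policy.max_speed:
            reasons.append(f"step {i}: speed {speed} exceeds cap {policy.max_speed}")
        target = step.get("target")
        if target is not None:
            target = (float(target[0]), float(target[1]))
            if not _in_box(target, policy.workspace):
                reasons.append(f"step {i}: target {target} outside workspace")
            for zone in policy.prohibited_zones:
                if _segment_hits_zone(pos, target, zone):
                    reasons.append(
                        f"step {i}: path {pos}->{target} crosses prohibited zone {zone}")
                    break
            pos = target
    return (not reasons), reasons


# Constructed policy: a 10x10 workspace with one 2x2 keep-out box in the middle.
POLICY = SafetyPolicy(
    workspace=(0, 0, 10, 10),
    prohibited_zones=((4, 4, 6, 6),),
    max_speed=1.0,
    allowed_skills=frozenset({"move_to", "grasp", "release"}),
)

# Constructed planner outputs: one compliant, one that drifts across the
# keep-out box, exceeds the speed cap and calls a skill that is not allowed.
SAFE_PLAN = [
    {"skill": "move_to", "target": (1, 1), "speed": 0.5},
    {"skill": "grasp"},
    {"skill": "move_to", "target": (1, 8), "speed": 0.5},
    {"skill": "release"},
]
UNSAFE_PLAN = [
    {"skill": "move_to", "target": (2, 5), "speed": 0.5},
    {"skill": "move_to", "target": (8, 5), "speed": 2.0},
    {"skill": "open_door"},
]

if __name__ == "__main__":
    for name, plan in (("safe", SAFE_PLAN), ("unsafe", UNSAFE_PLAN)):
        ok, why = validate_plan(plan, POLICY)
        print(name, "accepted" if ok else "rejected", why)
```

The gate deliberately knows nothing about the planner: it applies the same geometric and allow-list checks whether the steps came from a clean model or a manipulated one, which is the "designed in sync with capability" stance the survey argues for rather than a patch on the planner itself.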
How This Survey Differs
Existing surveys tend to focus on a single layer – e.g., VLA robustness, navigation robustness, or LLM‑driven robot prompt injection – and treat safety as an IoT component. This work insists on an end‑to‑end view of the embodied pipeline, integrating embodied‑specific research with broader vision, language and multimodal model security literature.
“Security must be designed in sync with capability, not patched afterwards.”
Under‑explored Research Gaps
Vulnerability of multimodal fusion – security becomes more complex as more modalities are combined, yet few studies address attacks on the fusion layer.
Stability of the planning layer under jailbreak attacks – when an LLM acts as a planner, a jailbreak can cause a robot to execute harmful tasks rather than merely generate toxic text.
Trustworthiness of open‑world human‑robot interaction – traditional HRI assumes closed‑loop interaction, but real‑world dialogues are open and unbounded.
Formal frameworks for cascade failures in agentic systems – interactions among memory, tools, skills and self‑evolution lack systematic analysis.
Each gap is substantial enough to constitute an independent research direction.
Community Resources
The authors maintain an open‑source ecosystem:
The Awesome‑Embodied‑AI‑Safety GitHub repository (over 480 papers organized by layer and sub‑category, continuously updated).
A project website offering categorized browsing, research statistics and structured reading views.
A bi‑monthly arXiv update pipeline that incorporates recent works such as HazardArena, RedVLA, JailWAM, IPI‑in‑Wild, MCP Function Hijacking, and Skill Safety.
For researchers interested in how robots, autonomous vehicles and intelligent agents safely transition from simulation to the physical world, this survey serves as a comprehensive “navigation map” of the field.
Conclusion
When embodied AI systems move beyond “talking on a screen” to physically grasp, walk, drive, interact and evolve, security concerns shift from isolated digital incidents to systemic physical hazards. Designing safety in lockstep with capability across perception, cognition, planning, action and agentic layers is essential to prevent real‑world accidents.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.