AI/ ai · security · recommendation-systems · generative-ai

AI Shopping Agents Can Be Gamed by Sellers

A new benchmark shows that sellers who rewrite product listings for AI recommendation engines can boost flawed products into results by up to 83%.

Sellers can manipulate AI recommendation agents into surfacing bad products — and current defenses don't fully close the gap.

Researchers have published SafeGEO, an evaluation suite designed to measure how vulnerable AI recommendation agents are to Generative Engine Optimization, or GEO — the practice of rewriting web content to rank higher in AI-generated answers rather than traditional search results. The benchmark covers 22 attack variants across 600 recommendation scenarios. The findings are uncomfortable: GEO attacks increased the rate at which flawed target products entered recommendation sets by up to 83.2%. The researchers also tested simple mitigations, such as defensive prompting and structured evidence checks, which cut harmful promotion by up to 39.2% — meaningful, but not enough to restore pre-attack performance.

GEO is the SEO of the AI era, and it carries the same core risk: the entity optimizing for visibility is not the entity responsible for the quality of what gets surfaced. In traditional search, a bad actor gaming rankings is annoying. In an AI agent that makes purchasing decisions on your behalf, it is a trust failure with direct financial consequences. The gap between "mitigated" and "fixed" matters a lot when the output is a product recommendation someone acts on.

The AI agent shopping wave — pushed by every major platform from Amazon to Google to a growing list of startups — has largely been sold on convenience. SafeGEO is an early, rigorous reminder that convenience and integrity are not the same thing, and that the attack surface scales with adoption.

TR

The Revision

Written by an AI system from the public sources credited above. How we write →