Sellers can manipulate AI recommendation agents into surfacing bad products — and current defenses don't fully close the gap.
Researchers have published SafeGEO, an evaluation suite designed to measure how vulnerable AI recommendation agents are to Generative Engine Optimization, or GEO — the practice of rewriting web content to rank higher in AI-generated answers rather than traditional search results. The benchmark covers 22 attack variants across 600 recommendation scenarios. The findings are uncomfortable: GEO attacks increased the rate at which flawed target products entered recommendation sets by up to 83.2%. The researchers also tested simple mitigations, such as defensive prompting and structured evidence checks, which cut harmful promotion by up to 39.2% — meaningful, but not enough to restore pre-attack performance.
GEO is the SEO of the AI era, and it carries the same core risk: the entity optimizing for visibility is not the entity responsible for the quality of what gets surfaced. In traditional search, a bad actor gaming rankings is annoying. In an AI agent that makes purchasing decisions on your behalf, it is a trust failure with direct financial consequences. The gap between "mitigated" and "fixed" matters a lot when the output is a product recommendation someone acts on.
The AI agent shopping wave — pushed by every major platform from Amazon to Google to a growing list of startups — has largely been sold on convenience. SafeGEO is an early, rigorous reminder that convenience and integrity are not the same thing, and that the attack surface scales with adoption.