
arxiv: 2606.07803 · v2 · pith:BQ4RL4IQnew · submitted 2026-06-05 · 📡 eess.SY · cs.SY

Stable but Unsafe: Agent-Driven Cyber-Physical Systems Under Gain Manipulation Attacks

classification 📡 eess.SY cs.SY
keywords: gain, under, feedback, impact, attacker, attacks, channel, closed-loop

AI agents are increasingly being connected to Cyber-Physical Systems (CPS) to generate or modify control-relevant parameters at runtime, including feedback gains, cost weights, and reference signals. These updates create a parameter channel: a pathway between the agent and the controller that is structurally distinct from classical sensor and actuator channels. Among the parameters carried by this channel, feedback gains are especially high-leverage: under linear state feedback, a single gain matrix determines closed-loop eigenvalue placement for the entire system. Consequently, malicious gain updates can reshape the closed-loop dynamics without producing the signal-level inconsistencies targeted by residual-based monitors. We formalize this attack surface through a three-axis attacker model and a taxonomy of Gain Manipulation Attacks (GMA). Two impact classes are identified: stability-margin erosion under sustained gain drift and transient amplification under one-shot gain replacement. We demonstrate that an attacker can drive the system past its safe physical operating limits while maintaining mathematical stability, proving that stability verification alone is insufficient to bound the physical impact. Using Bauer-Fike eigenvalue bounds and the Kreiss matrix theorem, we derive exact stealthiness conditions and worst-case impact certificates for each class. Finally, we propose preliminary detection directions and validate our framework through a vehicle lateral dynamics case study.
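As an added illustration of the abstract's "stable but unsafe" point (this is not code from the paper; the two-state lateral model, the gains and the physical limits are all constructed), the script below checks a replaced feedback gain two ways: an eigenvalue test, which the replaced gain passes, and a transient-peak test against the physical limits, which it fails. The takeaway for anyone validating agent-supplied gains is that both checks are needed.

```python
"""Stable but unsafe: eigenvalue placement alone does not bound the transient.

Constructed example: lateral offset y and lateral rate v with y' = v, v' = u
and state feedback u = -K x.  A one-shot gain replacement K -> K_REPLACED keeps
every closed-loop eigenvalue in the left half-plane, yet the transient pushes
v far past a (constructed) physical limit.
"""
import cmath

A = [[0.0, 1.0], [0.0, 0.0]]   # double integrator: states [y, v]
B = [0.0, 1.0]                 # the input acts on v'
LIMITS = (1.0, 2.0)            # constructed safe envelope: |y| <= 1 m, |v| <= 2 m/s
X0 = [0.5, 0.0]                # state when the gain is replaced: recovering from a 0.5 m offset

def closed_loop(K):
    """A - B K for a single-input plant with row gain K."""
    return [[A[i][j] - B[i] * K[j] for j in range(2)] for i in range(2)]

def eigenvalues(M):
    """Eigenvalues of a 2x2 matrix via trace and determinant."""
    tr = M[0][0] + M[1][1]
    det = M[0][0] * M[1][1] - M[0][1] * M[1][0]
    disc = cmath.sqrt(tr * tr - 4 * det)
    return [(tr + disc) / 2, (tr - disc) / 2]

def is_stable(K):
    """Stability verification only: every closed-loop eigenvalue has Re < 0."""
    return all(e.real < 0 for e in eigenvalues(closed_loop(K)))

def peak_state(K, t_end=6.0, dt=1e-3):
    """Simulate x' = (A - BK) x from X0 with RK4; return the peak |y| and |v|."""
    M = closed_loop(K)
    f = lambda x: [M[0][0] * x[0] + M[0][1] * x[1], M[1][0] * x[0] + M[1][1] * x[1]]
    x, peak = list(X0), [abs(X0[0]), abs(X0[1])]
    for _ in range(int(t_end / dt)):
        k1 = f(x)
        k2 = f([x[i] + dt / 2 * k1[i] for i in range(2)])
        k3 = f([x[i] + dt / 2 * k2[i] for i in range(2)])
        k4 = f([x[i] + dt * k3[i] for i in range(2)])
        x = [x[i] + dt / 6 * (k1[i] + 2 * k2[i] + 2 * k3[i] + k4[i]) for i in range(2)]
        peak = [max(peak[i], abs(x[i])) for i in range(2)]
    return peak

def is_safe(K):
    """Impact check the abstract argues is also required: transient stays inside LIMITS."""
    return all(p <= lim for p, lim in zip(peak_state(K), LIMITS))

K_NOMINAL = [1.0, 2.0]     # poles at s = -1 (double): well damped
K_REPLACED = [100.0, 0.2]  # poles at s = -0.1 +/- 10j: still stable, almost undamped

if __name__ == "__main__":
    for name, K in (("nominal", K_NOMINAL), ("replaced", K_REPLACED)):
        print(name, "stable:", is_stable(K), "safe:", is_safe(K), "peak |y|,|v|:", peak_state(K))
```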

This paper has not been read by Pith yet.


Forward citations

Cited by 1 Pith paper

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. When Agents Meet Electric Bus Fleet Operations: Pricing Behavior, Trade-offs, and Policy Implications in an Aggregator Framework

    cs.AI · 2026-06 · unverdicted · novelty 5.0

    An agentic aggregator framework couples optimization-based electric bus scheduling with agents for disturbance detection and tariff adaptation, evaluated in a depot case study that shows feasible adaptive coordination...