Why this matters
WAMs couple action generation with future-world prediction, promising a built-in check: if the imagined future looks plausible, the action should be safe. BadWAM shows that this assumption is brittle—small visual perturbations can cause a model to ‘dream’ a reasonable future while executing harmful actions, or simply be driven to fail outright. That mismatch undermines WAMs’ touted interpretability and safety benefits for embodied control.
Key Findings
- Two attack paradigms reveal a spectrum of failure modes: an action-only attack maximizes task disruption by directly pushing policies toward failures; an imagination-preserving attack prioritizes stealth, inducing harmful action shifts while keeping predicted futures close to the clean imagination. This demonstrates that plausible imaginations are not a reliable safety signal.
- Empirical impact is large: closed-loop task success can drop dramatically (example: 96.5% → 43.1% under an action-only attack), and imagination-preserving regularization does not fully mitigate exploitation—moderate future-preserving regularization can maintain attack effectiveness while reducing measurable imagination drift.
- The vulnerability is specific to the WAM architecture: attackers exploit the coupling between prediction and action to craft perturbations that either hijack action outputs or hide action shifts behind believable imagined outcomes.
Who should read this, and tradeoffs
Great fit if you design, evaluate, or deploy embodied agents or robot controllers that rely on joint future prediction and action outputs—especially researchers working on safety, robust perception, and adversarial evaluation for embodied AI. The paper provides concrete attack recipes and metrics to test WAM robustness.
Look elsewhere (or be cautious) if you only need high-level algorithmic ideas without empirical adversarial benchmarks; this work focuses on attack characterization and evaluation rather than defensive engineering. Defenses that only monitor imagined futures for anomalies may give a false sense of security unless they explicitly account for imagination-preserving adversaries.
Where it fits
BadWAM sits at the intersection of adversarial robustness, embodied AI, and safety evaluation. It should be seen as a red-team style contribution: a diagnostic framework that exposes a class of risks WAM-based controllers must address before being trusted in safety-critical or human-facing deployments.