- Google’s spam policies now cover attempts to manipulate generative AI responses in Search, not just traditional rankings.
- A Cornell Tech preprint shows why enforcement is difficult: short planted text on user-generated pages can influence AI research agents that rely on community sources.
Google can now call AI answer manipulation spam.
Stopping it is the harder part.
The issue became more urgent after Google’s June 2026 spam update, which began on June 24 and is listed in Google’s Search ranking update history.
The update enforces existing spam policies, and those policies now explicitly cover attempts to manipulate generative AI responses in Google Search.
That gives Google a policy line.
But a new Cornell Tech preprint shows why the technical line is much messier.
Google Expanded the Spam Definition
Google’s spam policies for web search now define spam as techniques used to deceive users or manipulate Search systems into featuring content prominently.
That includes attempts to manipulate normal rankings and attempts to manipulate generative AI responses in Google Search.
In practical terms, the target is no longer only classic SEO spam: doorway pages, link schemes, cloaking, keyword stuffing or hacked content.
It also includes attempts to steer what AI Overviews or AI Mode say.
That matters because AI search creates a different kind of prize.
A brand does not always need the click if the answer itself recommends the brand, cites the brand or frames it as a preferred option.
The Weak Spot Is Not Always the Brand’s Website
The Cornell Tech paper, “Deep-Research Agents Can Be Poisoned via User-Generated Content,” looks at a different kind of manipulation.
The attack does not require hacking a site or controlling the search engine.
It relies on user-generated content.
The researchers argue that deep-research agents repeatedly retrieve the same community pages across related queries, especially from places such as Reddit, Wikipedia and forums.
That repetition creates a narrow attack surface.
If one frequently retrieved page can be edited or appended with a short recommendation, that text can travel into AI-generated reports.
A Short Comment Can Be Enough
The paper describes an attack called WARP, short for Web Agent Retrieval Poisoning.
In the researchers’ simulation, a single poisoned URL with 13 words of planted text produced attacker-chosen mentions in 38% to 51% of sessions where that source was retrieved.
Spreading the same tactic across multiple URLs raised the mention rate to 42% to 62%.
Even when the planted text was buried inside full-page content and made up less than 4% of what the agent read, the target entity still appeared in 30% to 53% of exposed sessions.
The tests were run on three open-source research agents: STORM, Co-STORM and OmniThink.
The researchers did not run the full attack against commercial systems such as ChatGPT Deep Research or Gemini Deep Research because doing so would require poisoning live web content.
That limitation matters.
The paper does not prove that Google’s AI Overviews, ChatGPT or Gemini have been manipulated this way in the wild.
It does show that the retrieval pattern behind agentic search can make ordinary community pages more powerful than they look.
Why Enforcement Gets Complicated
Google can penalize spam it detects.
The harder question is what detection looks like when the suspicious text sits inside a normal discussion thread, review page or community answer.
A planted recommendation may not look like spam.
It may look like a user sharing an opinion.
That is exactly why user-generated content is useful to AI systems in the first place.
Community pages often contain the product comparisons, local recommendations, troubleshooting details and lived experience that official pages do not have.
Blocking those sources entirely would make many AI answers worse.
The Cornell researchers tested three broad defenses: removing user-generated sources, screening inputs with a language model and checking finished reports for suspicious claims.
They found that none solved the problem cleanly without hurting output quality.
The SEO Line Is Getting Blurrier
This creates a difficult problem for marketers.
Building genuine mentions across the web has always been part of brand building.
Planting coordinated recommendations to steer AI answers is something else.
The problem is that both can happen on the same surfaces: forums, Reddit threads, review sites, comparison pages, community posts and third-party lists.
That makes the boundary between earned visibility and AI-answer manipulation harder to define in practice.
Google’s policy says manipulation is out of bounds.
But the market incentive is obvious: if AI answers become buyer-facing recommendation layers, people will try to influence them.
What Marketers Should Take From This
The practical lesson is not to treat AI visibility as a spam shortcut.
It is to treat it as a monitored surface.
Brands need to know where AI systems are getting information about them, which community pages or comparison sources keep appearing, and whether wrong or suspicious claims are being repeated.
That applies especially to local businesses, ecommerce brands, SaaS companies and publishers in categories where recommendations directly affect revenue.
The safe side of AI search optimization is still boring: clear product information, accurate comparisons, real third-party coverage, consistent entity data and useful pages that can stand up to human scrutiny.
The risky side is trying to manufacture mentions in places AI systems read.
Google has now put that behavior inside its spam framework.
The open question is how quickly enforcement can catch up with a web where a single comment can become part of the answer.
