Safety of Humanoid Robots: The Core Ticket for Commercialization of Embodied AI

05/22 2026

The year 2026 will mark a period of significant growth for the humanoid robot industry.

The most dangerous misconception today is equating 'being able to move' with 'being functional,' and then equating 'being able to demonstrate' with 'being commercializable.'

As embodied AI approaches large-scale deployment, what becomes increasingly critical?

Humanoid robots, integrated with large models, cameras, microphones, cloud control systems, and local actuators, become intelligent agents capable of perceiving their environment, understanding instructions, making decisions, and translating digital judgments into physical actions.

This step brings about substantial changes.

In the past, when AI made errors, the typical consequences were incorrect text, images, or service interruptions. However, when robots err, the outcomes could include collisions, falls, pinching injuries, privacy breaches, or even dangerous actions when remotely hijacked.

The core issue of humanoid robot safety is not simply about 'making models more benevolent.' It is about enabling robots to understand contexts, recognize boundaries in the real world, and maintain robust fallback capabilities when models err, sensors are disrupted, cloud permissions are abnormal, or control links are attacked.

The most alarming aspect for the industry: While the upper limits of robot capabilities are rapidly increasing, the lower limits of safety are not rising proportionally.

Before embodied AI truly enters homes, factories, shopping malls, and public spaces, the industry must first answer a more fundamental question—can it be trusted?

01 Robot risks have shifted from digital to physical space

Traditional cybersecurity issues largely remain within the digital realm. Account theft, data breaches, and service outages, while serious, have relatively clear impact pathways.

Robots are different. They have cameras, sensors, wireless connections, cloud interfaces, local controllers, motors, joints, robotic arms, and mobile chassis. Their complete chain is 'perception, decision, execution.' If any link is misled, digital vulnerabilities can directly translate into physical harm.

A professional security team typically needs at least several months to remotely compromise a current flagship smartphone; fully compromising the multi-domain system of a mature intelligent vehicle can take even longer.

Yet when one such team penetration-tested a well-known embodied AI robot available on the market, the entire attack cycle, from vulnerability identification to full remote compromise, took less than 8 hours. That gap reflects the industry's current stage of maturity, not a one-off product defect.

The embodied AI industry is still on the cusp of large-scale deployment. Industry forecasts put the global market at $4.44 billion in 2025, with humanoid robot shipments exceeding 13,000 units, and project deployments above 2.6 million units by 2035. The industry has not yet truly scaled, but its safety shortcomings are already exposed.

Unlike smartphones, where risks can largely be contained within the information and application layers, robots, once hijacked, can directly impact surrounding people.

At GEEKCON 2025 Shanghai's security hacker competition, two humanoid robots initially followed instructions like 'turn left' and 'walk forward two steps.' Within minutes, one networked robot was compromised by attackers, and the other, offline robot, was hijacked via proximity attacks, ultimately punching a dummy.

When robots enter open environments, vulnerabilities cease to be isolated device issues and can trigger chain reactions.

At least three categories of risks exist:

◎ The first is inadequate endpoint protection.

A recent industry white paper notes that some robotic dogs ship with fixed, unmodifiable hotspot passwords, so anyone who connects to the hotspot can seize control of the device.

While such issues are not new in early IoT devices, the risk level escalates dramatically for embodied AI devices.

◎ The second involves cloud permissions and communication link vulnerabilities.

Many robots rely on cloud platforms for device management, voice instruction processing, and large model invocation. If cloud control permissions have vulnerabilities, attackers could access device camera feeds or remotely control robotic arms to perform dangerous actions.

Household settings are particularly sensitive: a robot's cameras are not ordinary surveillance tools; they may operate continuously in living rooms, around bedrooms, and in areas where elderly people and children are active.

◎ The third is AI asset integrity loss of control.

To enhance intelligence, many robots upload user voice instructions to servers for cloud-based large model processing before executing commands.

The same materials note that some manufacturers do not adequately verify the authenticity of the cloud interface. An attacker on the same local network, or within wireless range, can redirect the robot's official large model endpoint to a malicious address under their control.

The robot then believes it is talking to the official model while in fact following the attacker's model.
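The redirection described above works because the robot trusts whatever answers at the configured address. One layer of the fix is transport authentication (TLS with a pinned server certificate); the other is authenticating each command or model output itself so that a redirected endpoint cannot inject actions. The following is an added example of that second check, not the article's or any vendor's protocol: the robot accepts a message only if it comes from an allowlisted issuer, carries a valid MAC under the device's own key, is fresh, and has not been seen before. The key, hostnames, field names and sample commands are all constructed assumptions.

```python
"""Authenticated, replay-resistant control messages.

Added example, not the article's or any vendor's protocol. Key, hostnames,
field names and the sample commands are constructed. In production the
transport would additionally be TLS with a pinned server certificate, and the
MAC would normally be an asymmetric signature so that one compromised robot
cannot forge commands for others.
"""
import hashlib
import hmac
import json
import time

DEVICE_KEY = b"constructed-per-device-secret-32-bytes!"  # assumed: provisioned at manufacture
MAX_SKEW_S = 30                                          # accept +/- 30 s of clock skew
ALLOWED_ISSUERS = {"api.example-robot.invalid"}          # constructed allowlist of cloud hosts


def canonical(body):
    """Deterministic encoding so both sides MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(cmd, key=DEVICE_KEY):
    """Cloud side: attach an HMAC-SHA256 over every field except 'mac'."""
    body = {k: v for k, v in cmd.items() if k != "mac"}
    return {**body, "mac": hmac.new(key, canonical(body), hashlib.sha256).hexdigest()}


class CommandVerifier:
    """Robot side. Every failure is a hard deny; the actuators never see the message."""

    REQUIRED = {"nonce", "ts", "issuer", "action", "mac"}

    def __init__(self, key=DEVICE_KEY, now=time.time):
        self.key = key
        self.now = now              # injectable clock, so the walkthrough below is deterministic
        self.seen = {}              # nonce -> ts, pruned to the skew window

    def verify(self, msg):
        if not self.REQUIRED <= set(msg):
            return False, "missing field"
        if msg["issuer"] not in ALLOWED_ISSUERS:
            return False, "unknown issuer"
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg["mac"])):
            return False, "bad mac"
        now = self.now()
        if abs(now - msg["ts"]) > MAX_SKEW_S:
            return False, "stale"
        cutoff = now - MAX_SKEW_S
        self.seen = {n: t for n, t in self.seen.items() if t >= cutoff}
        if msg["nonce"] in self.seen:
            return False, "replay"
        self.seen[msg["nonce"]] = msg["ts"]
        return True, "ok"


def demo():
    """Walk through the failure modes; returns the verifier's reasons in order."""
    clock = [1_700_000_000.0]
    robot = CommandVerifier(now=lambda: clock[0])
    cmd = sign({"nonce": "n1", "ts": clock[0], "issuer": "api.example-robot.invalid",
                "action": {"kind": "move", "vx": 0.5}})
    out = [robot.verify(cmd)[1]]                                   # genuine command: ok
    out.append(robot.verify(cmd)[1])                               # same message again: replay
    tampered = {**cmd, "action": {"kind": "move", "vx": 3.0}}      # body changed, MAC not: bad mac
    out.append(robot.verify(tampered)[1])
    rogue = sign({**cmd, "nonce": "n2", "issuer": "attacker.invalid"}, key=b"attacker-key")
    out.append(robot.verify(rogue)[1])                             # redirected endpoint: unknown issuer
    clock[0] += 120                                                # two minutes later
    out.append(robot.verify(sign({**cmd, "nonce": "n3"}))[1])      # old timestamp: stale
    return out


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: issuer and MAC are checked before any state is touched, so an attacker who has redirected the endpoint cannot even grow the nonce table. The symmetric key is the simplification here; with a per-device key the cloud must hold every robot's secret, which is why a signed-command design with a public key baked into the robot's firmware is the stronger production choice.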

This highlights the fundamental difference between embodied AI safety and ordinary AI safety: Ordinary AI outputs content, while robots output actions.

◎ A chatbot jailbroken might output harmful text;

◎ A robot foundation model jailbroken could locate nearby individuals and execute actions like collision, grasping, throwing, or dragging.

Such a system inherits the fragility of large models and layers physical execution capability on top of it.

02 Relying solely on 'model alignment' cannot solve robot safety issues

The prevailing safety approach in the large model industry is alignment—training models to align with human preferences, reject overtly harmful requests, and avoid generating dangerous content.

This method works for chatbots, as their dangerous outputs are primarily semantic. For example, if a user requests steps to manufacture explosives, the model can simply refuse.

However, robots operate in the physical world, where safety judgments heavily depend on context.

A paper published in Science Robotics on April 29, 2026, titled 'Beyond alignment: why robot foundation models need context-aware safety,' argues that merely aligning AI with human intentions is insufficient for robot safety.

The same action can have entirely different implications depending on the context:

◎ Instructing a robot to 'pour boiling water from a kettle' is normal if a cup is beneath the spout but dangerous if a hand is there instead.

◎ Telling a robot to 'pick up a knife' is a task in a kitchen but a risk in a crowded area.

◎ Commanding a robot to 'move quickly to a target point' is fine in an open area but may require slowing or stopping near children.

Robot safety cannot rely solely on instruction text; it must consider the environment, objects, distance, posture, speed, nearby individuals, tool properties, and task purpose.

The paper also notes that researchers tricked a commercial robotic dog into locating nearby humans and deploying explosive devices by disguising attack prompts as fictional movie script dialogues.

This case is significant because it demonstrates that robot foundation model safety boundaries can be bypassed through linguistic packaging, with consequences spilling into the physical world.

Traditional robot safety frameworks also face new challenges. Previously, robots operated in controlled environments with clear control logic, describable dynamic models, and predefined safety boundaries. Control barrier functions (CBFs), emergency stops, mechanical limits, safety fences, ISO guidelines, and EU machinery regulations were designed around relatively deterministic systems.

However, with foundation models integrated into robot control stacks, inputs become multimodal: linguistic goals, visual scenes, open-world contexts, historical memories, and task plans.

Much safety-relevant information is hidden in environmental variables, not fully observable by sensors yet requiring real-time runtime inference.

This shifts safety from 'preset rules constraining actions' to 'real-time context understanding constraining actions.'

Embodied AI robots must also process physical signals such as sound, light, and electromagnetic fields, which can influence sensors and decisions without touching any software vulnerability at all.

◎ Ultrasonic signals can induce unintended movements such as turning, with no software exploit and no command being issued;

◎ Adversarial images can mislead a vision-action model into grasping a cooking knife instead of a carrot;

◎ Prompt-based induction attacks can bypass a robot's value constraints and prompt dangerous actions such as hitting people or pulling wires.

A Chinese robotics company saw its sensors fail and its production line stop during a factory livestream simply because of excessive lighting.

Such issues are not merely about 'hackers being skilled.' Robot safety boundaries are broader than software safety, encompassing model safety, network security, cloud safety, endpoint security, sensor safety, functional safety, and physical safety.

If enterprises reduce safety to 'models not answering bad questions,' they underestimate embodied AI risks.

03 Safety must be integral to product architecture, not a pre-launch patch

What robots truly need is a capability baseline. Three layers of safeguards can serve as a framework for understanding the new paradigm of robot safety.

◎ The first layer is declarative safeguards.

This involves providing robots with an 'AI constitution' defining prohibited scenes, objects, and actions—e.g., banning weapon operation, prohibiting high-speed arm movements near humans, or restricting unauthorized access to user privacy data. Such rules can be embedded in planning model system prompts or used to train safety probes.

However, declarative rules address only part of the problem. In the real world, dangers often arise not from 'bad instructions' but from good instructions in bad contexts.

◎ Thus, the second layer is architectural safeguards.

Safety must be embedded at multiple nodes in the control stack—input, intermediate states, and output—decoupling planning from execution.

Robots cannot rely on a single large model for end-to-end control. Instead, they need external grounding modules, world models, trust root models, and execution-side safety layers working together.

In essence, models can propose plans, but execution depends on environmental understanding, permission checks, risk assessments, and execution constraints.

◎ The third layer is algorithmic safeguards.

Models must learn to read contexts, requiring training data relevant to safety contexts and retaining classical control methods as fallbacks during deployment.

The paper cites a study on simulated and real quadruped robots in which VLMs inferred context-dependent safety constraints from visual observations, enforced by CBFs with probabilistic guarantees.

The system prevented nearly five times more unsafe behaviors than context-free reasoning methods.

This indicates that future robot safety is not solvable by a single technology but requires a layered systems engineering approach.
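The three layers above are easier to see in code than in prose. What follows is an added example, not code from the article, the cited Science Robotics paper or any vendor. It models a declarative rule set (forbidden objects and forbidden object/context pairs), an execution-side gate that is the only path from planner output to the actuators, and a discrete-time control barrier function that scales the requested velocity so the robot never enters a keep-out disc around a person, with a wider disc for children. It also encodes the page's own kettle, knife and 'move quickly near children' cases. All names, radii, margins, the decay rate and the scene are constructed assumptions.

```python
"""Execution-side safety gate: declarative rules + architectural gate + CBF.

Added example, not code from the article, the cited paper or any vendor.
Every constant and the scene below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class Person:
    x: float
    y: float
    is_child: bool = False


@dataclass
class Context:
    people: list                    # Person objects from the perception module
    held_object: str = ""           # e.g. "knife", "kettle"
    crowded: bool = False
    hand_under_spout: bool = False  # assumed perception output for the kettle case


@dataclass
class Action:
    kind: str                       # "move", "grasp", "pour"
    target: str = ""
    vx: float = 0.0                 # requested velocity, m/s
    vy: float = 0.0


@dataclass
class Verdict:
    allowed: bool
    action: Action                  # possibly rescaled
    reason: str


# Layer 1: declarative rules (constructed). Plain set membership, no model involved.
FORBIDDEN_OBJECTS = {"firearm"}
FORBIDDEN_GRASPS = {("knife", "crowded")}

# Layer 3 parameters (assumed values).
ROBOT_RADIUS = 0.3                  # m
ADULT_MARGIN, CHILD_MARGIN = 0.6, 1.2
ALPHA, DT = 0.5, 0.1                # CBF decay rate, control period (s)
KNIFE_SPEED_CAP = 0.25              # hard cap on velocity scale while carrying a blade


def barrier(pos, person, margin):
    """h(x) = ||x - p||^2 - r^2; h >= 0 means the robot is outside the keep-out disc."""
    r = ROBOT_RADIUS + margin
    return (pos[0] - person.x) ** 2 + (pos[1] - person.y) ** 2 - r * r


def cbf_scale(pos, vx, vy, ctx):
    """Largest s in [0, 1] such that, for every person, the discrete-time CBF
    condition h(x + s*v*dt) >= (1 - ALPHA) * h(x) holds. Returns 0.0 when the
    robot is already inside a margin and the requested motion does not lead
    out of it: the robot halts rather than trusting the plan."""
    def ok(s):
        nxt = (pos[0] + s * vx * DT, pos[1] + s * vy * DT)
        for p in ctx.people:
            m = CHILD_MARGIN if p.is_child else ADULT_MARGIN
            if barrier(nxt, p, m) < (1 - ALPHA) * barrier(pos, p, m):
                return False
        return True

    if ok(1.0):
        return 1.0
    if not ok(0.0):
        return 0.0
    lo, hi = 0.0, 1.0               # ok(lo) holds, ok(hi) fails: bisect the boundary
    for _ in range(40):
        mid = (lo + hi) / 2
        if ok(mid):
            lo = mid
        else:
            hi = mid
    return lo


def gate(action, pos, ctx):
    """Layer 2: every planner proposal passes through here; nothing else reaches the actuators."""
    if action.target in FORBIDDEN_OBJECTS:
        return Verdict(False, action, "forbidden object")
    setting = "crowded" if ctx.crowded else "open"
    if action.kind == "grasp" and (action.target, setting) in FORBIDDEN_GRASPS:
        return Verdict(False, action, "grasp forbidden in this context")
    if action.kind == "pour" and ctx.hand_under_spout:
        return Verdict(False, action, "hand detected under spout")
    if action.kind == "move":
        s = cbf_scale(pos, action.vx, action.vy, ctx)
        if ctx.held_object == "knife":
            s = min(s, KNIFE_SPEED_CAP)
        scaled = Action("move", action.target, action.vx * s, action.vy * s)
        if s == 0.0:
            return Verdict(False, scaled, "CBF: motion would enter keep-out zone, halted")
        if s < 1.0:
            return Verdict(True, scaled, "CBF: velocity scaled to %.2f" % s)
        return Verdict(True, scaled, "ok")
    return Verdict(True, action, "ok")
```

The point of the structure is that the planner's output is data, not authority: `gate` never asks the model whether an action is safe, it checks the action against rules and geometry the model cannot rewrite. The CBF is deliberately conservative in the failure mode the page worries about: if the robot is already inside a child's margin and the plan does not lead out, the result is a halt, which is the functional-safety fallback the article calls for.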

Chinese industry is also catching up. The Ji Xiaoyu team has built a safety evaluation dataset covering 1,500 safety scenarios, 5,000 text instructions, and 20,000 images, along with a virtual-real integrated testing platform, aiming to shift the industry from 'performance benchmarks' to 'safety benchmarks.'

This direction is crucial because the current embodied AI industry is too easily swayed by motion capabilities, interaction abilities, and task completion efficiency, neglecting non-functional safety.

The RoboSec Top10 critical risk list breaks down issues more specifically: endpoint permissions, cloud communications, control logic, perception deception, and AI asset integrity all require testing.

Embodied AI safety impacts are categorized into five levels (L1–L5), escalating from information leaks to physical harm. Any vulnerability causing safety fallback failure qualifies as high-risk (L4–L5).

The industry must upgrade robot safety from 'presence of vulnerabilities' to 'physical consequences of vulnerabilities.'

◎ For example, a camera unauthorized access vulnerability might cause privacy leaks in a smart speaker but real-time surveillance of a family's home life in a household robot.

◎ A model interface validation flaw might lead to incorrect answers in an ordinary app but allow a malicious model to take over a robot's decision chain.

◎ A sensor misrecognition issue might merely misidentify objects in smartphone photography but confuse carrots and knives in robotic grasping.

The industrial robotics field already has mature functional safety systems, such as ISO 10218, force control, emergency stops, safety fences, and SIL/PL ratings.

However, in consumer, research, and emerging humanoid robotics, many products remain demonstration-driven.

Some enterprises have established security emergency response centers and recruited professional safety talent, but many still lack dedicated robot safety teams, complete pre-shipment safety testing, or mature vulnerability response mechanisms.

From a commercialization perspective, safety is not opposed to functionality but part of it.

Enterprise (B-end) customers evaluate not just whether a robot can walk, grasp, or converse, but whether it can pass procurement audits, support permission separation, encrypt communications, produce traceable logs, degrade gracefully under anomalies, and receive patches quickly.

Consumer (C-end) users will not tolerate a robot that impresses with skills but exposes family scenes, bumps into elderly people and children, or can be disrupted by nearby signals.

Thus, the competition in embodied AI:

◎ Superficially, it is about motion control, world models, vision-language-action (VLA) models, multimodal understanding, and cost reduction;

◎ Deeper down, it is about safety architecture, evaluation systems, and liability boundaries.

Mature robotics companies must also answer tougher questions:

◎ Will misjudgments occur under abnormal lighting?

◎ Will robots halt when sensors are obstructed?

◎ Can cloud model hijacking be detected?

◎ Can local permission attacks be isolated?

◎ Will robots slow down when children suddenly enter their path?

◎ Are there hard constraints when robotic arms approach humans?

◎ Is user data anonymized or otherwise desensitized by default?

◎ Is there a response SLA for vulnerability disclosures?

These questions are not flashy or suitable for product launch demonstrations, but they determine whether robots can transition from labs and exhibition stands to the real world.

Summary

The next phase for embodied AI is ensuring reliability in complex environments.

The smarter robots become, the more they cannot rely solely on 'benevolent large models' for safety. They need declarative rules to define prohibitions, architectural safeguards to prevent erroneous plans from reaching execution, algorithmic safeguards to understand contexts, and traditional functional safety as a last-resort fallback.

The industry must now shift evaluation criteria from 'performance benchmarks' to 'safety benchmarks'—this is the commercialization ticket for embodied AI.
