TL;DR: OpenAI is showing ads in ChatGPT. Perplexity tried and pulled back. Google is taking a measured approach. Meanwhile, the real action is happening underneath: regions of vector embedding space near high-value queries are becoming the new commercially contested territory - the “shelf space” of the AI era. GEO (Generative Engine Optimization) and RAG poisoning are points on the same spectrum, and nobody is connecting the security research, the marketing industry, and the mechanism design papers. This post maps the landscape, identifies the gaps, and proposes a framework for thinking about embedding space as an economic system.
Three months ago, OpenAI flipped a switch and started showing ads inside ChatGPT. Criteo signed on as the first ad-tech partner. Smartly followed days later with something even more radical - conversational ad formats where clicking a sponsored suggestion drops you into another chatbot dialogue designed to sell you something. Meanwhile, Anthropic ran a Super Bowl ad mocking the whole idea, and Perplexity quietly pulled its own ads after they tanked user experience.
We are watching, in real time, the birth of the next trillion-dollar advertising market. And almost nobody is talking about what’s actually happening underneath.
I’ve spent the last few weeks reading every paper, press release, and pitch deck I could find on LLM advertising. What I found is a field that’s moving fast on the surface - auction mechanisms, ad formats, CPM pricing - while ignoring a structural problem that could define the next decade of the internet:
Vector embedding space is the new commercially contested territory. It has no transparency, no regulation, and no honest market mechanism. And people are already gaming it.
This post lays out the landscape, the open problems, and a framework for thinking about what comes next.
A Brief History of Attention Markets
Every era of the internet created a new scarce resource and then built a billion-dollar market around bidding for it.
| Era | Scarce Resource |
|---|---|
| Retail | Shelf space - physical proximity to consumers |
| Search | Link graph position - semantic proximity determines visibility |
| Social | Feed position - sequential attention in content streams |
| Generative AI | Embedding proximity - nearness to queries in vector space |
In each era, the scarce resource was different, but the pattern was identical:
Shelf space was finite. Procter & Gamble figured out that paying retailers for eye-level placement was worth more than any ad campaign. The “slotting fee” was born - brands literally bidding on physical proximity to consumers.
PageRank turned the link graph into a scarce resource. If your site was semantically close to a high-value query in Google’s index, you had “real estate” worth millions. Google built a $200B/year business by auctioning off the space next to those organic results.
Feed position made attention sequential. Facebook and Instagram learned that controlling the order in which you see things was worth more than controlling the content. The algorithmic feed became the scarce resource, and advertisers bid on interrupting it.
Now we’re entering the fourth era. When someone asks ChatGPT “what’s the best running shoe for marathon training?” - the answer isn’t a list of links. It’s a synthesized response generated from the model’s parameters and, increasingly, from documents retrieved via RAG (Retrieval-Augmented Generation). The scarce resource is no longer a slot on a page. It’s proximity in embedding space - whether your product’s representation is close enough to the user’s query to be retrieved, cited, or recommended.
And unlike every previous era, there’s no visible boundary between the organic result and the commercial influence.
How LLM Advertising Actually Works (As of April 2026)
The public conversation is weirdly disconnected from the technical reality. Here’s what’s actually going on.
What’s Live Right Now
OpenAI launched “Sponsored Suggestions” in ChatGPT on February 9, 2026. These are contextually relevant cards that appear below the AI’s organic response - a hotel promotion after a travel query, an air fryer ad after a cooking question. They’re shown only to Free and Go tier users in the US; Plus, Pro, Business, and Enterprise subscribers don’t see them.
The initial pricing tells you how they value this attention: reported CPMs for Sponsored Suggestions (2026) run at roughly 12-30x average Google Search rates and other channels. OpenAI is charging that premium because they believe conversational intent is qualitatively different from keyword intent - and the early conversion data backs it up.
The key architectural claim OpenAI makes: ads are structurally separated from organic responses. The model generates its answer first, completely independent of advertising. Then the ad system matches a contextually relevant sponsored suggestion and appends it below. The ads do not influence the AI’s actual answers.
Hold that thought. We’ll come back to it.
What’s Being Built
The academic community has been busy. Over the past two years, researchers have proposed multiple auction mechanisms for LLM ad placement:
graph TD
subgraph "Pre-Generation Mechanisms"
A["Segment Auctions<br/>(Hajiaghayi et al., 2024)<br/>RAG-based ad allocation<br/>per discourse segment"]
B["Position Auctions<br/>(Balseiro et al., 2025)<br/>Extending traditional slots<br/>to AI-generated content"]
end
subgraph "Post-Generation Mechanisms"
C["Token Auctions<br/>(Dutting et al., 2024)<br/>WWW Best Paper<br/>Token-by-token bidding"]
D["Truthful Aggregation<br/>(Soumalias et al., 2024)<br/>RLHF-style reward<br/>aggregation"]
end
subgraph "Integrated Mechanisms"
E["LLM-Auction<br/>(Zhao et al., Dec 2025)<br/>Learning-based generative<br/>auction, end-to-end"]
F["Genre-Based Insertion<br/>(Jan 2026)<br/>Decoupled response-level<br/>ad placement"]
end
A --> G["LLM generates response<br/>conditioned on winning ads"]
B --> G
C --> H["Auction selects/aggregates<br/>during token generation"]
D --> H
E --> I["Auction and generation<br/>jointly optimized"]
F --> I
style A fill:#fff3cd,stroke:#856404,color:#4a3800
style B fill:#fff3cd,stroke:#856404,color:#4a3800
style C fill:#d1ecf1,stroke:#0c5460,color:#0a3d47
style D fill:#d1ecf1,stroke:#0c5460,color:#0a3d47
style E fill:#d4edda,stroke:#155724,color:#14401d
style F fill:#d4edda,stroke:#155724,color:#14401d
style G fill:#f0f0f0,stroke:#666,color:#333
style H fill:#f0f0f0,stroke:#666,color:#333
style I fill:#f0f0f0,stroke:#666,color:#333
The key split is between mechanisms that decide ad allocation before the LLM generates a response, and those that let the LLM generate multiple candidate responses and then pick or aggregate. Pre-generation is cheaper (one forward pass) but ignores externalities - how ads interact with the surrounding context. Post-generation is higher quality but requires multiple inference passes, which gets expensive fast when you’re serving hundreds of millions of queries per day.
Google Research’s token auction (WWW 2024 Best Paper, Dutting et al.) was the first rigorous treatment. They proved that under robust preferences, monotone aggregation functions enable second-price-style payments - bringing classical auction theory into the LLM generation process. It’s elegant theory. It also requires access to model weights and per-token distributions, which makes it impractical for third-party advertisers.
The most recent work, LLM-Auction (Zhao et al., December 2025), tries to solve this by integrating the auction directly into the LLM’s generation process via reinforcement learning. The model learns to jointly optimize response quality and ad revenue. This is probably closest to what production systems will eventually look like.
What’s Being Refused
There are now several distinct philosophies among major AI companies:
| Company | Stance | Rationale |
|---|---|---|
| OpenAI | Ads in free tiers, ad-free for paying users | Revenue necessity - $17B projected burn rate, 95% of 800M users don’t pay |
| Anthropic | No ads, period (for now) | Trust-first - “advertising incentives, once introduced, tend to expand over time” |
| Google | Ads in AI Overviews, not in Gemini chat (yet) | Measured rollout - ads in Search AI, evaluating Gemini chat separately |
| Perplexity | Tried ads, pulled them | UX collapsed, measurement was impossible |
| Meta | Using conversations to target ads on other platforms | Different model - the LLM isn’t the ad surface, it’s the signal source |
Pay attention to Meta’s row. It’s easy to gloss over, but it might be the most consequential strategy on this list. Meta isn’t putting ads inside the AI conversation - they’re using the conversation as a signal source to target ads everywhere else. When you tell Meta AI about your kitchen renovation plans, that context doesn’t surface as a sponsored suggestion in the chat. It surfaces as a Home Depot ad in your Instagram feed an hour later.

This is arguably more invasive than OpenAI’s approach, because the user never connects the conversation to the ad. There’s no “Sponsored Suggestion” card to notice and evaluate. The commercial extraction is invisible by design.

And because Meta controls both the conversational surface (WhatsApp, Messenger, Instagram DMs) and the ad surfaces (Feed, Stories, Reels), they can close this loop without any third-party ad-tech infrastructure. It’s vertically integrated attention arbitrage - and it’s the approach most likely to scale silently while everyone debates whether ChatGPT should show ad cards.
The Anthropic position is worth quoting because it identifies the core tension: ad-supported products create pressure to optimize for engagement, repeat visits, and extended conversations. Those metrics look like success. But they tell you nothing about whether the user actually solved their problem. A truly helpful response might end the conversation in two turns.
The Part Nobody Is Talking About: Embedding Space as Commercial Real Estate
This is where the public conversation is lagging the technical reality by about 18 months.
Every RAG-based LLM system (which includes Perplexity, ChatGPT with browsing, Google AI Overviews, and most enterprise deployments) works roughly like this:
sequenceDiagram
participant User
participant LLM
participant Retriever
participant VectorDB as Vector Database
participant Web as Web / Knowledge Base
User->>LLM: "Best CRM for startups?"
LLM->>Retriever: Generate embedding for query
Retriever->>VectorDB: Find k-nearest documents
VectorDB-->>Retriever: Top-k documents by cosine similarity
Retriever-->>LLM: Retrieved context
Note over LLM: Generate response grounded<br/>in retrieved documents
LLM-->>User: "Based on my research,<br/>here are the top options..."
The retrieval step is where commercial value concentrates. Documents that are embedded close to high-value queries get retrieved. Documents that get retrieved get cited. Documents that get cited influence the model’s response. This creates a chain of influence that starts in vector space and ends in a user’s purchasing decision.
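For concreteness, the retrieval step can be sketched in a few lines - a minimal top-k cosine retrieval over a toy corpus. The 4-dimensional vectors below are illustrative stand-ins for real embedding model output:

```python
import numpy as np

def cosine_topk(query_emb, doc_embs, k=3):
    """Indices of the k documents nearest the query by cosine similarity."""
    q = query_emb / np.linalg.norm(query_emb)
    d = doc_embs / np.linalg.norm(doc_embs, axis=1, keepdims=True)
    sims = d @ q                       # cosine similarity of every doc to the query
    return np.argsort(-sims)[:k]

# Toy 4-dim "embeddings" - stand-ins for real embedding model output.
docs = np.array([
    [0.9, 0.1, 0.0, 0.1],   # doc 0: semantically close to the query
    [0.1, 0.9, 0.1, 0.0],   # doc 1: off-topic
    [0.8, 0.2, 0.1, 0.0],   # doc 2: semantically close
])
query = np.array([1.0, 0.0, 0.0, 0.0])
topk = cosine_topk(query, docs, k=2)   # docs 0 and 2 win; doc 1 is invisible
```

Everything downstream - citation, recommendation, conversion - is gated on making that `topk` cut.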
The critical observation: regions of embedding space near commercially valuable queries function exactly like shelf space or PageRank - they’re a scarce resource with economic value, and people are already bidding for them.
They’re just not calling it advertising. They’re calling it “Generative Engine Optimization.”
GEO: The SEO of Embedding Space
Generative Engine Optimization (GEO) was formalized by researchers at Princeton in a KDD 2024 paper. The idea is simple: just as SEO optimizes web pages to rank higher in Google’s index, GEO optimizes content to be retrieved and cited by LLMs.
The GEO industry has exploded. Companies like Profound, Semrush, and Wellows now sell tools that track brand visibility across LLMs, measure “recommendation share,” and suggest content modifications to improve retrieval rates. It’s a legitimate optimization practice - in the same way that white-hat SEO is legitimate.
But there’s a shadowy flip side. Security researchers have demonstrated that the same embedding space can be manipulated adversarially:
PoisonedRAG (USENIX Security 2025, Zou et al.) showed that injecting just 5 carefully crafted documents into a knowledge base containing millions of texts achieves ~90% attack success rate. The attacker controls what the LLM says about a target question. Five documents. In millions.
POISONCRAFT extended this to practical, black-box settings - the attacker doesn’t need to know which retriever or LLM the target system uses.
RAGForensics (WWW 2025) built a traceback system to identify poisoned documents, acknowledging that the threat is real enough to need forensic tools.
What nobody is saying out loud: GEO and RAG poisoning are points on the same spectrum. The techniques differ in degree, not in kind. Both involve crafting documents to manipulate their position in embedding space. GEO does it to be “relevant.” RAG poisoning does it to be “adversarial.” The boundary between the two is a policy question, not a technical one.
graph LR
subgraph "The Embedding Manipulation Spectrum"
A["Legitimate<br/>Content Creation"] --> B["White-hat GEO<br/>(Structured data,<br/>topic authority)"]
B --> C["Aggressive GEO<br/>(Keyword stuffing<br/>for embeddings)"]
C --> D["Gray Zone<br/>(Adversarial document<br/>crafting for retrieval)"]
D --> E["RAG Poisoning<br/>(PoisonedRAG,<br/>POISONCRAFT)"]
end
style A fill:#d4edda,stroke:#155724,color:#14401d
style B fill:#d4edda,stroke:#155724,color:#14401d
style C fill:#fff3cd,stroke:#856404,color:#4a3800
style D fill:#fff3cd,stroke:#856404,color:#4a3800
style E fill:#f8d7da,stroke:#721c24,color:#4a1118
Nobody has drawn this spectrum explicitly. The security community publishes attack papers. The marketing community publishes optimization guides. The mechanism design community publishes auction papers. They’re all working on different faces of the same problem and not talking to each other.
The Firewall Question
Let’s return to OpenAI’s architectural claim: ads don’t influence organic responses.
This is the single most important empirical question in LLM advertising, and as far as I can tell, nobody has tested it rigorously.
Why it matters: current transformer architectures don’t have a hard separation between “context I should be influenced by” and “context I should ignore.” Attention is global. If an ad - or an ad-selection signal - is present anywhere in the context window or the system prompt, there’s a potential pathway for it to influence the generated response. Even if the influence is subtle. Even if it’s unintentional.
The existing prompt injection literature proves this is more than theoretical. Medical LLMs were shown to be vulnerable to injection attacks that succeeded in 94.4% of trials - including extremely high-harm scenarios. Multimodal injection attacks achieve 64% success rates by hiding instructions in images. The OWASP LLM Top 10 (2025 revision) explicitly added “Vector and Embedding Weaknesses” as a new category, noting that adversarial embeddings can be crafted to match arbitrary queries while containing malicious content.
To be clear, OpenAI isn’t naively injecting ad text into the model’s prompt. Their architecture is more sophisticated than that - the ad matching happens after response generation, not before. But as the system evolves toward Smartly-style conversational ad formats (where the ad is a secondary chatbot dialogue), the separation gets murkier. And for RAG-based systems where advertising content enters the retrieval pipeline, the separation may not exist at all.
An honest empirical test would look like this:
graph TD
A["Define test query set<br/>(500+ product-related queries<br/>across 10 categories)"] --> B["Condition A: Baseline<br/>Query model with<br/>no ad context"]
A --> C["Condition B: Ad-adjacent<br/>Query model with ad<br/>context present in system"]
A --> D["Condition C: Explicit separation<br/>Query model with ad context<br/>+ 'ignore ads' instruction"]
B --> E["Measure: Brand mention distributions,<br/>recommendation rankings,<br/>sentiment toward products,<br/>response length & specificity"]
C --> E
D --> E
E --> F["Statistical tests for<br/>recommendation drift<br/>between conditions"]
F --> G{"Does the 'organic'<br/>response shift when<br/>ads are present?"}
G -->|Yes| H["Firewall is leaky.<br/>Quantify the leak."]
G -->|No| I["Firewall holds.<br/>Publish that too."]
style G fill:#fff3cd,stroke:#856404,color:#4a3800
style H fill:#f8d7da,stroke:#721c24,color:#4a1118
style I fill:#d4edda,stroke:#155724,color:#14401d
This study doesn’t exist yet. It should. The result matters regardless of which direction it goes - either the firewall holds (which validates OpenAI’s approach and gives regulators something to build on) or it doesn’t (which validates Anthropic’s concerns and creates urgency for architectural solutions).
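The statistical core of such a study is simple once you have model access. A minimal sketch, comparing brand mention rates between the baseline and ad-adjacent conditions with a two-proportion z-test - the response lists would come from actually querying the model under each condition, and everything here is illustrative:

```python
import math

def two_proportion_z(mentions_a, n_a, mentions_b, n_b):
    """Two-proportion z-test: does the brand mention rate differ between conditions?"""
    p_a, p_b = mentions_a / n_a, mentions_b / n_b
    p_pool = (mentions_a + mentions_b) / (n_a + n_b)
    se = math.sqrt(p_pool * (1 - p_pool) * (1 / n_a + 1 / n_b))
    return (p_a - p_b) / se if se > 0 else 0.0

def firewall_drift(responses_baseline, responses_with_ads, brand):
    """Compare how often `brand` appears with vs. without ad context present."""
    m_base = sum(brand in r for r in responses_baseline)
    m_ads = sum(brand in r for r in responses_with_ads)
    z = two_proportion_z(m_ads, len(responses_with_ads),
                         m_base, len(responses_baseline))
    return {"baseline_rate": m_base / len(responses_baseline),
            "ad_rate": m_ads / len(responses_with_ads),
            "z": z,
            "drift": abs(z) > 1.96}  # ~5% significance level
```

A real study would also need the sentiment, ranking, and specificity measures from the diagram, but recommendation-rate drift alone would settle the headline question.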
What a Proper Market Mechanism Would Require
If we accept that embedding space has commercial value and that people are going to compete for it one way or another, the question becomes: can we build a market mechanism that’s transparent and fair, rather than letting the gray market (GEO-as-advertising) operate in the shadows?
My rough sketch of what that would need:
1. Define the Resource Being Traded
In search advertising, the resource is a keyword query. In social media advertising, it’s a user profile + content slot. In embedding space, the resource is proximity to a query region - a neighborhood in vector space that captures a class of user intents.
This needs formalization. What’s the right geometric primitive? Voronoi cells around query clusters? epsilon-balls in cosine space? The mechanism design community has been designing auctions without clearly defining the thing being auctioned.
To make this concrete, consider a toy example. Take the query “best CRM for startups” and embed it alongside the top 50 web pages about CRM software using a standard retriever (say, text-embedding-3-large). Project the embeddings down to 2D via UMAP. What you’ll see is something like this:
HubSpot has four documents within cosine distance 0.15 of this query. Salesforce has zero. In a top-5 retrieval, HubSpot content dominates the context window, and the LLM’s response will reflect that. HubSpot didn’t pay for this - they earned it through years of content marketing that happens to embed well. But the effect is identical to a paid placement: commercial content occupying the scarce positions nearest a high-value query.
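That four-versus-zero asymmetry is easy to measure for any brand and query, given an embedding model. A toy sketch - the vectors here are hypothetical; in practice they would come from embedding real pages with something like text-embedding-3-large:

```python
import numpy as np

def docs_within(query_emb, doc_embs, max_cos_dist=0.15):
    """Count documents within a cosine-distance ball around the query."""
    q = query_emb / np.linalg.norm(query_emb)
    d = doc_embs / np.linalg.norm(doc_embs, axis=1, keepdims=True)
    cos_dist = 1.0 - d @ q
    return int((cos_dist < max_cos_dist).sum())

query = np.array([1.0, 0.0, 0.0])             # stand-in for the embedded query
brand_a_docs = np.array([[0.95, 0.05, 0.0],   # four docs that embed close
                         [0.90, 0.10, 0.05],
                         [0.92, 0.08, 0.0],
                         [0.88, 0.12, 0.0]])
brand_b_docs = np.array([[0.3, 0.7, 0.2]])    # one doc that embeds far away
```

`docs_within` returns 4 for the first brand and 0 for the second - a direct, auditable measure of who occupies the neighborhood.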
This is what I mean by embedding rent - the implicit economic value of occupying a region of vector space near commercially valuable queries. We can sketch a rough formalization:
For a query \(q\) with commercial value \(V(q)\) (expected revenue per conversion), the embedding rent of a document \(d\) is:
\[R(d, q) = V(q) \cdot P(\text{retrieve} \mid d, q) \cdot P(\text{cite} \mid \text{retrieve}) \cdot P(\text{convert} \mid \text{cite})\]

where \(P(\text{retrieve} \mid d, q)\) depends on the cosine similarity \(\text{sim}(e_d, e_q)\) and the retrieval threshold \(k\). In practice, retrieval probability follows a sharp sigmoid around the \(k\)-th nearest neighbor boundary - if you’re inside the top-\(k\), you have influence; if you’re outside, you’re invisible. This creates a cliff-edge dynamic where small improvements in embedding proximity produce large jumps in commercial value.
The total rent for a query region \(Q\) is:
\[R_{\text{total}}(d) = \sum_{q \in Q} \lambda(q) \cdot R(d, q)\]

where \(\lambda(q)\) is query frequency. High-traffic, high-intent queries (“best CRM for startups,” “cheapest flights to Tokyo”) have the highest embedding rent - and are therefore the most attractive targets for both legitimate GEO and adversarial manipulation.
Today that rent is “paid” through content investment. Tomorrow it could be paid through an auction. The question is who designs that auction, and whether the current tenants - the GEO optimizers - get grandfathered in or priced out.
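The rent computation under these definitions can be sketched directly. The sigmoid sharpness, citation probability, and conversion probability below are illustrative parameters, not measured values:

```python
import math

def retrieval_prob(sim, sim_at_k, sharpness=50.0):
    """P(retrieve | d, q): sharp sigmoid around the k-th nearest neighbor's similarity."""
    return 1.0 / (1.0 + math.exp(-sharpness * (sim - sim_at_k)))

def embedding_rent(value_q, sim, sim_at_k, p_cite=0.4, p_convert=0.02):
    """R(d, q) = V(q) * P(retrieve | d, q) * P(cite | retrieve) * P(convert | cite)."""
    return value_q * retrieval_prob(sim, sim_at_k) * p_cite * p_convert

# Cliff-edge dynamic: a 0.05 similarity shift on either side of the
# top-k boundary changes the rent by roughly an order of magnitude.
inside  = embedding_rent(500.0, sim=0.85, sim_at_k=0.80)   # just inside top-k
outside = embedding_rent(500.0, sim=0.75, sim_at_k=0.80)   # just outside
```

The sharpness parameter is doing the work here: the steeper the sigmoid, the more winner-take-all the neighborhood, and the stronger the incentive to fight over marginal proximity.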
2. Make Manipulation Unprofitable
Right now, a rational advertiser faces a choice: pay $60 CPM to place a legitimate ad in ChatGPT, or invest in GEO/adversarial document crafting to manipulate the organic response for free. If the organic manipulation channel is cheaper and more effective, the legitimate channel collapses. This is exactly what happened with early search engines before Google figured out how to devalue link farms.
The mechanism needs to ensure that bidding through the auction is strictly preferable to manipulating the embedding space directly. Formally, an advertiser chooses between:
- Auction channel: Pay bid \(b\) per impression, get guaranteed placement with probability \(P_a(b)\)
- Manipulation channel: Invest cost \(c_m\) in GEO/adversarial docs, get organic retrieval with probability \(P_m(c_m)\), but risk detection with probability \(P_d(c_m)\) and penalty \(F\)
The advertiser prefers the auction when:
\[V \cdot P_a(b) - b > V \cdot P_m(c_m) \cdot (1 - P_d(c_m)) - c_m - P_d(c_m) \cdot F\]

The platform controls \(P_d\) (detection capability) and \(F\) (penalty for detected manipulation). The insight from search advertising history: Google made manipulation unprofitable not by winning the arms race against SEO spammers (they didn’t, fully), but by making the auction cheap enough and reliable enough that legitimate advertisers preferred it. The detection system only needs to make manipulation risky, not impossible.
This is the same dynamic that will play out in embedding space - but only if someone builds the detection infrastructure and the auction mechanism in parallel.
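The advertiser’s decision rule reduces to a one-line comparison. A sketch with illustrative numbers, showing how raising the detection probability flips the rational choice from manipulation to the auction:

```python
def prefers_auction(V, b, p_auction, c_m, p_manip, p_detect, penalty):
    """True when the expected payoff of bidding beats manipulating embeddings.

    Auction payoff:       V * P_a(b) - b
    Manipulation payoff:  V * P_m * (1 - P_d) - c_m - P_d * F
    """
    auction = V * p_auction - b
    manipulation = V * p_manip * (1 - p_detect) - c_m - p_detect * penalty
    return auction > manipulation

# Same advertiser, same query value, two detection regimes (all values illustrative).
weak_detection   = prefers_auction(V=1000, b=200, p_auction=0.9,
                                   c_m=50, p_manip=0.85, p_detect=0.05, penalty=500)
strong_detection = prefers_auction(V=1000, b=200, p_auction=0.9,
                                   c_m=50, p_manip=0.85, p_detect=0.40, penalty=500)
```

With weak detection the manipulation channel wins; raising detection to 40% flips the choice, without detection ever needing to be perfect.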
3. Solve the Transparency Problem
In search, you can see that a result is sponsored. The blue link has a little “Ad” label. In an LLM response, there’s no natural boundary to label. If the model says “I recommend ProductX for your needs,” was that organic or sponsored? The user can’t tell. Research from the University of Michigan (2024) showed users only detect embedded ads in LLM responses 27% of the time. But - critically - once they’re told an ad was present, trust collapses.
This suggests the transparency mechanism needs to be architectural, not just a label. Possible directions:
- Provenance tracking in RAG pipelines - tag retrieved documents as sponsored/organic and carry that metadata through to the response
- Watermarking sponsored content - embed detectable signals in ad-influenced text segments
- Separate rendering - what OpenAI is doing with Sponsored Suggestions, keeping ads visually distinct. This works for appended ads but not for integrated recommendations.
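Of the three, provenance tracking is the most tractable today. A sketch of what carrying sponsored/organic labels through a RAG pipeline could look like - the metadata schema here is hypothetical:

```python
from dataclasses import dataclass

@dataclass
class RetrievedDoc:
    doc_id: str
    text: str
    sponsored: bool      # set at ingestion time, not inferred at query time
    source: str

def build_context(docs):
    """Assemble the LLM context window, carrying the sponsored/organic label
    through so the response layer can disclose or down-weight sponsored docs."""
    return "\n".join(
        f"[{'SPONSORED' if d.sponsored else 'ORGANIC'} | {d.source}] {d.text}"
        for d in docs
    )

def sponsored_share(docs):
    """Fraction of the retrieved context that is commercially placed."""
    return sum(d.sponsored for d in docs) / len(docs) if docs else 0.0
```

The point is that the label is attached at ingestion and survives to the response layer, which is the minimum infrastructure any downstream disclosure rule would need.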
4. Build Retrieval-Time Defenses
The attack papers get all the attention, but the defense side is equally important and far less developed. If embedding space is being manipulated - whether by GEO optimizers or adversarial actors - what can RAG system operators actually do at retrieval time?
A few directions are emerging, though none are mature:
- **Embedding perturbation.** Add calibrated noise to query embeddings before retrieval, then check whether the top-k results are stable across perturbations. Legitimate, high-quality documents tend to be robust - they’re near the query for semantic reasons that survive small shifts. Adversarially crafted documents are often brittle - optimized for a precise point in embedding space that breaks under perturbation. This is analogous to adversarial example detection in computer vision, applied to the retrieval step.
- **Multi-retriever consensus.** Retrieve using two or more embedding models (e.g., OpenAI’s `text-embedding-3-large` and Cohere’s `embed-v4`) and flag documents that rank highly in one but not the other. Adversarial documents are typically optimized against a specific embedding model’s geometry. Cross-model agreement is a cheap integrity signal.
- **Temporal anomaly detection.** Monitor when documents suddenly appear in high-value retrieval neighborhoods. A legitimate page on “best CRM for startups” accumulates backlinks and content depth over months. A GEO-optimized page materializes overnight with suspiciously perfect embedding proximity. Tracking document “arrival velocity” in retrieval neighborhoods could catch manipulation campaigns early.
- **Retrieval provenance scoring.** Assign trust scores to retrieved documents based on source reputation, publication date, content consistency, and embedding stability over time. Weight the LLM’s context window accordingly - high-trust documents get more influence, low-trust documents get retrieved but down-weighted.
To make the perturbation approach concrete, here’s a sketch of what a retrieval integrity check could look like:
from collections import Counter

import numpy as np

# Minimal stand-ins for the retrieval layer (a real system would call its vector DB):
def normalize(v):
    return v / np.linalg.norm(v)

def retrieve_topk(query_embedding, corpus, k):
    # corpus: iterable of docs, each with an `id` and a unit-normalized `embedding`
    ranked = sorted(corpus,
                    key=lambda doc: -float(np.dot(query_embedding, doc.embedding)))
    return ranked[:k]

def check_retrieval_integrity(query_embedding, corpus, k=5,
                              n_perturbations=20, noise_scale=0.02,
                              stability_threshold=0.6):
    """
    Detect potentially manipulated documents in RAG retrieval
    by checking stability under embedding perturbation.
    """
    # Baseline retrieval
    baseline_topk = retrieve_topk(query_embedding, corpus, k)

    # Perturbed retrievals: count how often each doc survives noisy queries
    appearance_counts = Counter()
    for _ in range(n_perturbations):
        noise = np.random.normal(0, noise_scale, query_embedding.shape)
        perturbed = normalize(query_embedding + noise)
        for doc in retrieve_topk(perturbed, corpus, k):
            appearance_counts[doc.id] += 1

    # Score each baseline result by stability
    results = []
    for doc in baseline_topk:
        stability = appearance_counts[doc.id] / n_perturbations
        results.append({
            'doc': doc,
            'stability': stability,
            'suspicious': stability < stability_threshold
        })

    # Flag: docs that appear in baseline top-k but are fragile under
    # perturbation are likely adversarially optimized for a precise
    # point in embedding space
    return results
The intuition: a legitimate document about CRMs is near the query “best CRM for startups” because of genuine semantic overlap across many dimensions. Perturb the query slightly, and the document stays nearby. An adversarially crafted document, however, is often optimized for a narrow region - it exploits specific dimensions of the embedding geometry to achieve high similarity, and that optimization is brittle. A 2% perturbation in the query embedding may push it out of the top-k entirely.
None of these are silver bullets, and all have false-positive costs. But the point is that defense at the retrieval layer is cheaper and more practical than trying to make the LLM itself robust to manipulated context. You don’t need to solve prompt injection if you can filter the poisoned documents before they reach the prompt.
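The multi-retriever consensus check from the list above can be sketched the same way. The two document matrices below stand in for two embedding models’ views of the same corpus; in production, each row would come from embedding the same document with two different models:

```python
import numpy as np

def topk_ids(query_emb, doc_embs, k):
    """IDs (row indices) of the k nearest documents under one embedding model."""
    q = query_emb / np.linalg.norm(query_emb)
    d = doc_embs / np.linalg.norm(doc_embs, axis=1, keepdims=True)
    return set(np.argsort(-(d @ q))[:k].tolist())

def consensus_flags(query_a, docs_a, query_b, docs_b, k=5, slack=2):
    """Flag docs in model A's top-k that fall outside model B's top-(k*slack).
    Cross-model disagreement is a cheap integrity signal: adversarial docs
    are usually optimized against one specific model's geometry."""
    top_a = topk_ids(query_a, docs_a, k)
    top_b_wide = topk_ids(query_b, docs_b, k * slack)
    return sorted(top_a - top_b_wide)

# Row i of each matrix is the same document under two embedding models.
# Doc 3 is crafted to sit near the query in model A's space only.
docs_a = np.array([[1.0, 0.0], [0.9, 0.1], [0.8, 0.2],
                   [0.99, 0.01], [0.7, 0.3], [0.0, 1.0]])
docs_b = np.array([[1.0, 0.0], [0.9, 0.1], [0.8, 0.2],
                   [0.05, 0.95], [0.7, 0.3], [0.0, 1.0]])
query = np.array([1.0, 0.0])
flags = consensus_flags(query, docs_a, query, docs_b, k=2, slack=2)   # flags doc 3
```

The `slack` parameter trades false positives for false negatives: a legitimate doc may rank somewhat differently across models, but it shouldn’t vanish from one model’s neighborhood entirely.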
5. Handle the Privacy Paradox
LLM conversations contain deeply personal information. People share health concerns, relationship problems, financial anxieties. Anthropic’s analysis found that “an appreciable portion” of Claude conversations involve sensitive topics. The same personal context that makes LLM ads potentially hyper-relevant also makes them potentially creepy and intrusive.
OpenAI says conversations are never shared with advertisers and that ads don’t appear near health, mental health, or political topics. But as a former OpenAI researcher pointed out, “the company is building an economic engine whose incentives will eventually override its own rules.”
Open Problems Worth Working On
I want to close with what I think are the most important research directions - not because I have the answers, but because I want more people working on them.
The Firewall Integrity Problem. As described above. Empirical measurement of whether ad context influences organic responses, across architectures and models. This is the most urgent open question.
Embedding Space Economics. Formal treatment of embedding proximity as a priced resource. Game-theoretic analysis of the interaction between legitimate ad mechanisms and embedding manipulation. Under what conditions do GEO-style tactics undermine auction-based advertising? What mechanism modifications make manipulation unprofitable?
The Audit Problem. How do you determine, from the outside, whether an LLM’s product recommendations are commercially influenced? Existing brand visibility tools are designed for marketers optimizing their presence. We need tools designed for regulators and researchers detecting hidden influence. Counterfactual probing, temporal drift analysis, cross-model consistency checks - the methodology needs to be developed and standardized.
Agentic Commerce and the Principal-Agent Collapse. This one deserves more than a paragraph, because it’s the endgame of everything discussed above.
When an LLM books a flight for you, it’s acting as your agent in the economic sense - making decisions on your behalf, with your money, according to your preferences. Classical principal-agent theory tells us this works when the agent’s incentives are aligned with the principal’s. But what happens when the agent serves two principals?
Concrete scenario: you ask your agent to book a hotel for an upcoming trip, within your budget and dates. The retrieval pipeline surfaces a shortlist dominated by whichever brands occupy the embedding neighborhoods nearest hotel-booking queries, and the agent books one of them - while a comparable room $53/night cheaper never entered its context window.
The agent didn’t lie. It gave a valid option within constraints. It just didn’t give the best option, because the retrieval pipeline - the agent’s “eyes” - saw the world through a commercially distorted lens.
This is harder to detect than a banner ad. The user asked for a decision, got a reasonable one, and moved on. The $53/night difference multiplied across millions of agentic transactions per day is a massive wealth transfer - from consumers to whichever brands can afford to occupy the right regions of embedding space. And unlike a travel agent taking a commission, there’s no disclosure requirement, no fiduciary duty, and no audit trail.
The mechanism design problem here is distinct from ad placement in conversational responses. In conversation, the user reads the response and applies their own judgment. In agentic commerce, the user delegates judgment entirely. The standard for “unbiased retrieval” is correspondingly higher, and the current infrastructure - where retrieval quality is never audited for commercial bias - is nowhere close to meeting it.
The Regulatory Gap. The EU AI Act is now in force. It has provisions around algorithmic discrimination in marketing and mandatory disclosure for AI-generated content. But it was written before LLM advertising existed as a practice. How do existing frameworks apply? Where are the gaps? New York passed a law in December 2025 requiring disclosure of AI-generated human-like spokespeople in ads - but what about AI-generated product recommendations that feel organic?
The Uncomfortable Bottom Line
We’re watching the construction of a new advertising infrastructure inside systems that hundreds of millions of people use for genuinely personal, high-stakes thinking. The previous advertising transitions - from print to TV, TV to web, web to mobile - each came with years of public debate about norms, regulations, and user expectations.
This one is happening in months. ChatGPT went from zero ads to Criteo integration to Smartly conversational ad formats in under eight weeks. The academic mechanism design papers are elegant but assume a clean world where ads and organic content can be separated. The GEO industry is growing without any pretense that the separation exists. And the security research demonstrating how fragile RAG systems are is being published in the same venues but read by completely different people.
Someone needs to connect these threads. The shelf space auction, the PageRank auction, and the social media attention auction all eventually got formalized, regulated, and made legible. Embedding space is next. The question is whether we do it thoughtfully or whether we let it happen the way it happened with social media - fast, opaque, and with consequences we’re still trying to unwind a decade later.
Right now, the embedding manipulation spectrum - from white-hat GEO to adversarial RAG poisoning - has no referee, no rules, and no scoreboard. The companies building retrieval pipelines are also the ones selling access to them. The researchers studying attacks and the marketers deploying optimizations are publishing in different venues and don’t read each other’s work.
That’s the gap. And gaps like this, in markets this large, don’t stay empty for long. They get filled - either by careful design or by whoever moves fastest. I’d rather it be the former.
If you’re working on any of these problems - mechanism design for LLM ads, RAG security, adversarial retrieval, or the economics of embedding space - I’d love to hear from you. These are some of the most interesting open problems at the intersection of ML, economics, and policy, and they need more people paying attention.
References & Further Reading
Auction Mechanisms for LLMs:
- Dutting, Mirrokni, Paes Leme, Xu, Zuo. Mechanism Design for Large Language Models. WWW 2024 (Best Paper).
- Hajiaghayi, Lahaie, Rezaei, Shin. Ad Auctions for LLMs via Retrieval Augmented Generation. 2024.
- Zhao et al. LLM-Auction: Generative Auction towards LLM-Native Advertising. December 2025.
- Dubey, Feng, Kidambi, Mehta, Wang. Auctions with LLM Summaries. KDD 2024.
- Soumalias, Curry, Seuken. Truthful Aggregation of LLMs with an Application to Online Advertising. 2024.
RAG Security:
- Zou, Geng, Wang, Jia. PoisonedRAG: Knowledge Corruption Attacks to Retrieval-Augmented Generation. USENIX Security 2025.
- RAGForensics: Traceback of Poisoning Attacks to Retrieval-Augmented Generation. WWW 2025.
Benchmarks & Measurement:
- GEM-Bench: A Benchmark for Ad-Injected Response Generation within Generative Engine Marketing. September 2025.
- Aggarwal, Murahari, Rajpurohit et al. GEO: Generative Engine Optimization. KDD 2024 (Princeton).
- Filandrianos et al. Bias Beware: The Impact of Cognitive Biases on LLM-Driven Product Recommendations. February 2025.
Industry Developments:
- Criteo. Criteo Joins OpenAI Advertising Pilot in ChatGPT. March 2, 2026.
- Anthropic. Claude is a Space to Think. February 4, 2026.
- OWASP. LLM Top 10 2025: LLM08 - Vector and Embedding Weaknesses.
Trust & Safety:
- Trust & Safety of LLMs and LLMs in Trust & Safety. arXiv, December 2024.
- Trustworthy Information Retrieval in the LLM Era: Bias, Unfairness, and Hallucination. ACM SIGIR 2025.