July 11, 2026 Research Brief
Agent safety moves inward.
Today’s strongest papers shift reliability from bigger models to controllable agent scaffolds, while showing that visible reasoning and weak evaluation pipelines can become liabilities.
Takeaways
- Agent reliability work is shifting from model-only fixes to **system-layer control surfaces**: compiled tools, evolving harnesses, proactive memory, semantic firewalls, and DOM-level confinement all show measurable gains without changing base weights.
- Several papers expose a common safety lesson: **intermediate reasoning is not a trustworthy control channel by default**. CoT can persuade monitors, hide evidence influence, and leak secrets under weight-space amplification.
- Evaluation methodology is getting sharper: new benchmarks and statistical tooling emphasize **abstention, calibration, judge bias, adaptive validity, and capability decomposition**, not just top-line accuracy.
Start with: Prismata: Confining Cross-Site Prompt Injection in Web Agents
Why it catches my eye: It offers a concrete least-privilege design for web agents against prompt injection, with large security gains and clear deployment relevance.
Read skeptically for: Results rely on web structure and text-centric assumptions; multimodal and live-DOM attacks remain less tested.
Themes
Papers Worth Your Reading Time
Ranked for research usefulness: novelty, method pattern, evidence quality, and skepticism value.
Prismata: Confining Cross-Site Prompt Injection in Web Agents
#1A strong systems paper on least-privilege confinement for web agents under realistic prompt-injection threats.
- Why now
- Web agents are entering real browsing workflows where adversarial page content is a default condition.
- Skepticism
- Its guarantees depend on structural web cues and may not cover richer multimodal or dynamic attacks.
Tool-Making and Self-Evolving LLM Agents in Low-Latency Systems
#2Shows a practical pattern for compiling repeated agent behavior into validated tools with latency and error reductions.
- Why now
- Many production agents are bottlenecked by repeated tool synthesis rather than raw model capability.
- Skepticism
- Evidence is centered on one deployed application, with human oversight still needed for ambiguous workflows.
Persuasion Attacks Can Decrease Effectiveness of CoT Monitoring
#3Important if you rely on reasoning traces for oversight: it shows that more visibility can increase unsafe approvals.
- Why now
- CoT-based monitoring remains a common safety assumption in agent oversight proposals.
- Skepticism
- The study uses controlled tasks and may not fully capture end-to-end tool-using agents.
Chinese version: [中文]
Run stats
- Candidates: 214
- Selected: 30
- Deepread completed: 30
- Window (UTC): 2026-07-09T00:00:00Z → 2026-07-10T00:00:00Z (arxiv_announce, expanded=0)
Show selected papers
| arXiv ID | Title / Links | Categories | Score | Why | Tags |
|---|---|---|---|---|---|
2607.08147 | Prismata: Confining Cross-Site Prompt Injection in Web Agents | cs.CR, cs.AI | 95 | Strong web-agent prompt injection defense with least-privilege confinement and structural policy derivation. | agent-safety, prompt-injection, web-agents, least-privilege, security |
2607.08173 | Overthinking: Amplifying Reasoning Weights to Extract Learned Secrets | cs.AI | 94 | Auditing method to elicit hidden reasoning/secrets; directly relevant to black-box safety evaluation. | ai-safety, auditing, reasoning-models, hidden-knowledge, black-box-eval |
2607.08066 | Persuasion Attacks Can Decrease Effectiveness of CoT Monitoring | cs.AI, cs.LG | 93 | Directly probes failure of CoT monitoring under persuasion jailbreaks; highly relevant to agent oversight. | alignment, monitoring, jailbreaks, cot, agent-safety, evaluation |
2607.08716 | Remember When It Matters: Proactive Memory Agent for Long-Horizon Agents | cs.AI, cs.CL | 93 | Plug-and-play memory agent for long-horizon LLM agents; directly targets reliability under context limits. | agents, memory, long-context, reliability, evaluation |
2607.08010 | Tool-Making and Self-Evolving LLM Agents in Low-Latency Systems | cs.CL, cs.LG, cs.SE | 92 | Agent tool-making with production deployment; strong relevance to reliable, efficient agent systems. | agents, tool-use, deployment, reliability, latency, self-evolving |
2607.08180 | Out of Sight: Compression-Aware Content Protection against Agentic Crawlers | cs.CR, cs.AI | 92 | Agent-security paper: protects content from agentic crawlers via compression-aware perturbations. | agent-safety, security, prompt-injection, content-protection, agents |
2607.08032 | What to Keep, What to Forget: A Rate--Distortion View of Memory Compaction in LLMs and Agents | cs.LG | 92 | Unifies LLM/agent memory compaction under rate-distortion; strong conceptual value for long-context agents. | llm, agents, memory, long-context, efficiency, theory |
2607.08395 | Token-Flow Firewall: Semantic Runtime Auditing for Persistent AI Agents | cs.CR, cs.CL | 91 | Runtime semantic-flow auditing for persistent agents targets realistic long-lived agent attack surfaces. | agent-safety, runtime-defense, auditing, persistent-agents, security |
2607.08046 | What LLM Forecasters Know but Don't Say: Probing Internal Representations for Calibration and Faithfulness | cs.CL, cs.AI | 91 | Probes internal states for calibration and CoT faithfulness; strong alignment/reliability relevance. | calibration, faithfulness, interpretability, forecasting, probes, alignment |
2607.08700 | Do You Need a Frontier Model as a Citation Verifier? Benchmarking Rubric LLMs for Deep-Research Source Attribution | cs.CL | 90 | Benchmarks LLM judges for citation verification, a key issue for deep-research and reward reliability. | llm-as-judge, citation-verification, evaluation, deep-research, reward-models, grounding |
2607.08349 | Certified Interventional Fidelity: Anytime-Valid, Adaptive Evaluation of Causal Claims in Mechanistic Interpretability | cs.LG | 90 | Statistical framework for adaptive, anytime-valid causal claims in mech interp evaluations. | mechanistic-interpretability, evaluation, causal-inference, reliability, statistics |
2607.08662 | WebSwarm: Recursive Multi-Agent Orchestration for Deep-and-Wide Web Search | cs.CL, cs.AI, cs.MA | 90 | Recursive multi-agent web search with evidence-grounded expansion; highly relevant to agentic retrieval systems. | agents, web-search, multi-agent, retrieval, reasoning, tool-use |
2607.08535 | When the Judge Changes, So Does the Measurement: Auditing LLM-as-Judge Reliability | cs.CL, cs.AI | 89 | Audits judge replacement effects and bias; important for trustworthy LLM evaluation pipelines. | llm-as-judge, evaluation, bias, measurement, reliability, auditing |
2607.08011 | Beware What You Autocomplete: Forensic Attribution of Backdoored Code Completions | cs.CR, cs.AI, cs.IR, cs.LG | 88 | Practical forensic method for tracing backdoored code completions to fine-tuning data post-deployment. | code-llms, backdoors, forensics, supply-chain, security |
2607.08034 | PLURAL: A Global Dataset for Value Alignment | cs.CL, cs.AI, cs.CY | 88 | Large cross-country value-alignment dataset; high reuse potential for pluralistic alignment research. | alignment, values, dataset, preference-data, global-representation, rlhf |
2607.08269 | PolyUQuest: Verifiable Structure-Aware Web RAG over Heterogeneous Graphs | cs.AI | 88 | Verifiable structure-aware web RAG with citations and graph retrieval; strong grounding relevance. | RAG, grounding, verification, web-agents, retrieval |
2607.08646 | UltraX: Refining Pre-Training Data at Scale with Adaptive Programmatic Editing | cs.CL, cs.AI | 88 | Pretraining data refinement at scale via function-calling edits; potentially impactful for frontier LLM data quality. | llm, pretraining, data-quality, synthetic-data, scaling, post-processing |
2607.08038 | A safety-oriented hypothetico-deductive framework for AI-assisted differential diagnosis | cs.AI | 87 | Safety-oriented multi-LLM diagnosis framework with verification gates and must-not-miss checks. | safety, agents, verification, medical-ai, clinical-reasoning, guardrails |
2607.08400 | TRACE: A Two-Channel Robust Attribution Watermark via Complementary Embeddings for LLM-Agent Trajectories | cs.CR, cs.AI, cs.LG | 86 | Agent trajectory watermarking for provenance disputes is novel and security-relevant for deployment ecosystems. | agents, watermarking, provenance, security, auditing |
2607.08393 | Towards Mechanistically Understanding Why Memorized Knowledge Fails to Generalize in Large Language Model Finetuning | cs.AI, cs.CL | 86 | Mechanistic study of why injected knowledge fails to generalize; useful for reliable knowledge editing. | mechanistic-interpretability, knowledge-editing, generalization, llm-reliability, circuits |
2607.08317 | Blind-Spots-Bench: Evaluating Blind Spots in Multimodal Models | cs.AI | 86 | Benchmark exposing simple-but-persistent multimodal model blind spots; useful for robust evaluation. | benchmark, multimodal, evaluation, robustness, failure-modes |
2607.08690 | A Practical Investigation of Training-free Relaxed Speculative Decoding | cs.LG, cs.AI | 86 | Practical study of relaxed speculative decoding; useful frontier inference trade-off analysis for LLM deployment. | llm, inference, speculative-decoding, efficiency, evaluation |
2607.08768 | UniClawBench: A Universal Benchmark for Proactive Agents on Real-World Tasks | cs.CL | 84 | Real-world proactive-agent benchmark with capability-driven design could be broadly reusable for evaluation. | agents, benchmark, evaluation, real-world, multimodal |
2607.08284 | Understanding Axes of Difficulty For Long Context Tasks Via PredicateLongBench | cs.AI | 84 | Long-context benchmark probing difficulty axes, not just averages; useful frontier capability evaluation. | long-context, benchmark, evaluation, reasoning, frontier-llms |
2607.08255 | Compete Then Collaborate: Frontier AI Teachers Build a Verifiable Curriculum to Improve a Coding Student Beyond Imitation | cs.AI | 84 | Execution-verified multi-teacher curriculum for coding models; strong methodology beyond judge bias. | LLMs, coding, distillation, evaluation, post-training |
2607.08740 | Workflow as Knowledge: Semantic Persistence for LLM-Mediated Workflows | cs.AI, cs.PL, cs.SE | 84 | Semantic model for persistent LLM workflows, inference records, and approvals; relevant to reliable agent systems. | agents, workflows, tool-use, reliability, memory, systems |
2607.08124 | TTHE: Test-Time Harness Evolution | cs.SE, cs.LG | 83 | Test-time adaptation of agent harnesses is novel and impactful, though safety implications are indirect. | agents, test-time-adaptation, harness, tool-use, optimization, workflows |
2607.08763 | OpenCoF: Learning to Reason Through Video Generation | cs.CV, cs.AI | 83 | Introduces Chain-of-Frame reasoning dataset/model for video generation; notable frontier multimodal idea. | multimodal, video-generation, reasoning, dataset, frontier-models |
2607.08734 | The Illusion of Equivalency: Statistical Characterization of Quantization Effects in LLMs | cs.AI | 83 | Shows quantization can preserve accuracy yet alter behavior; important reliability signal for deployed LLMs. | llm, quantization, reliability, evaluation, deployment |
2607.08093 | CausalDS: Benchmarking Causal Reasoning in Data-Science Agents | cs.AI, cs.CL, cs.LG | 82 | Benchmark for causal reasoning in data-science agents fills an important gap in tool-using agent evaluation. | agents, benchmark, causal-reasoning, tool-use, evaluation |
AI Paper Insight Brief
2026-07-11
0) Executive takeaways (read this first)
- Agent reliability work is shifting from model-only fixes to system-layer control surfaces: compiled tools, evolving harnesses, proactive memory, semantic firewalls, and DOM-level confinement all show measurable gains without changing base weights.
- Several papers expose a common safety lesson: intermediate reasoning is not a trustworthy control channel by default. CoT can persuade monitors, hide evidence influence, and leak secrets under weight-space amplification.
- Evaluation methodology is getting sharper: new benchmarks and statistical tooling emphasize abstention, calibration, judge bias, adaptive validity, and capability decomposition, not just top-line accuracy.
- For production agents, structured, reversible, and query-aware memory/state management is emerging as a key bottleneck. Both practical systems and theory papers argue that what matters is not storing more context, but reactivating the right state at the right time.
- Security work is increasingly focused on post-compromise or in-the-loop adversaries: adversarial web content, poisoned fine-tuning data, malicious trajectory resellers, and persistent token flows all require defenses that assume the attacker sits inside the agent pipeline.
- A recurring practical pattern across papers: small local models + deterministic checks + selective escalation often outperform monolithic “just use a stronger model” approaches on cost, latency, and auditability.
2) Key themes (clusters)
Theme: System-layer control for reliable agents
- Why it matters: Several papers show that large gains now come from changing the agent scaffold around the model rather than the model itself. The common move is to convert brittle free-form reasoning into structured, inspectable runtime components.
- Representative papers:
- Common approach:
- Move repeated inference-time reasoning into reusable artifacts: compiled tools, persistent harness edits, structured memory banks, or recursive delegation modes.
- Use execution traces as supervision signals, either offline (tool compilation) or online without labels (harness evolution).
- Keep the action model mostly frozen while improving surrounding control logic.
- Favor modular roles: proposer/judge, memory/action, searcher/verifier, or main-agent/tool interfaces.
- Open questions / failure modes:
- Proxy mismatch remains a bottleneck: TTHE shows clear selection regret and coverage gaps.
- Generalization beyond the evaluated domain is often unproven, especially for single-application deployments.
- More orchestration usually means more cost, latency, and complexity.
- Fixed triggers and hand-designed decomposition policies may underperform learned or event-driven control.
Theme: Security moves inside the agent loop
- Why it matters: The threat model is no longer just bad prompts at the boundary. These papers assume attackers can poison training data, inject web content, manipulate persistent state, or even control the logs used for attribution.
- Representative papers:
- Prismata: Confining Cross-Site Prompt Injection in Web Agents
- Token-Flow Firewall: Semantic Runtime Auditing for Persistent AI Agents
- Beware What You Autocomplete: Forensic Attribution of Backdoored Code Completions
- TRACE: A Two-Channel Robust Attribution Watermark via Complementary Embeddings for LLM-Agent Trajectories
- Common approach:
- Enforce security at structured interfaces: DOM ancestry, source–sink token flows, snippet retrieval sets, or trajectory skeletons.
- Combine deterministic constraints with LLM-based semantic judgments rather than relying on either alone.
- Design for adversaries with edit access or adaptive behavior, not just passive perturbations.
- Preserve utility by narrowing scope: critical-path labeling, selective fallback, top-K forensic retrieval, or distortion-free watermark channels.
- Open questions / failure modes:
- Many defenses depend on structural assumptions: HTML cues, available candidate sets, honest reports, or preserved trajectory skeletons.
- Adaptive attackers can still target preprocessing steps, e.g. Unicode stripping against compression-aware protection.
- Most evaluations are benchmarked or domain-specific rather than open-world.
- Security gains often trade off against latency, offline build cost, or implementation complexity.
Theme: CoT and internal reasoning are useful—but unsafe to trust literally
- Why it matters: Multiple papers converge on the same warning: visible reasoning is neither a faithful explanation nor a safe oversight channel. Internal signals can be more informative than verbalized confidence, but exposing or amplifying reasoning can create new attack surfaces.
- Representative papers:
- Persuasion Attacks Can Decrease Effectiveness of CoT Monitoring
- What LLM Forecasters Know but Don’t Say: Probing Internal Representations for Calibration and Faithfulness
- Overthinking: Amplifying Reasoning Weights to Extract Learned Secrets
- Towards Mechanistically Understanding Why Memorized Knowledge Fails to Generalize in Large Language Model Finetuning
- Common approach:
- Probe hidden activations or intervene on internal states rather than trusting surface rationales.
- Compare behavior under evidence ablation, forced answering, or activation patching to detect hidden commitments.
- Treat reasoning as a manipulable capability: it can be amplified, patched, or monitored.
- Separate “what the model says it used” from “what causally changed its output.”
- Open questions / failure modes:
- CoT exposure can increase monitor approval of harmful actions.
- Probe results may be sensitive to leakage, training overlap, or model family.
- White-box methods like overthinking are powerful for auditing but limited to model owners.
- Mechanistic interventions are often diagnostic rather than deployable fixes.
Theme: Better evaluation means measuring calibration, abstention, and judge reliability
- Why it matters: A large share of today’s progress is in evaluation design. These papers argue that average accuracy hides the behaviors that matter most in deployment: overconfidence, wrong abstention, evaluator bias, and adaptive stopping artifacts.
- Representative papers:
- CausalDS: Benchmarking Causal Reasoning in Data-Science Agents
- Certified Interventional Fidelity: Anytime-Valid, Adaptive Evaluation of Causal Claims in Mechanistic Interpretability
- When the Judge Changes, So Does the Measurement: Auditing LLM-as-Judge Reliability
- Do You Need a Frontier Model as a Citation Verifier? Benchmarking Rubric LLMs for Deep-Research Source Attribution
- Common approach:
- Make uncertainty and abstention first-class outputs rather than side effects.
- Use deterministic graders or human-adjudicated gold where possible; when using LLM judges, audit bias and disagreement explicitly.
- Report directional errors such as FPR/FNR, pass-rate drift, or empirical interval coverage.
- Add statistical validity under adaptive evaluation, e.g. anytime-valid confidence sequences.
- Open questions / failure modes:
- LLM judges remain biased, correlated, and protocol-sensitive.
- Benchmarks can still be narrow or transductive.
- Human-reviewed gold is expensive and often limited in scale.
- Better measurement does not automatically solve the underlying capability gap.
Theme: Memory, context, and compression are becoming a unified design problem
- Why it matters: Long-horizon agents increasingly fail not because information is absent, but because it is compacted, forgotten, or not reactivated when needed. Theoretical and practical papers now frame this as a rate–distortion and intervention problem.
- Representative papers:
- Common approach:
- Treat memory as a budgeted representation problem, not just a storage problem.
- Distinguish reversible retrieval-backed memory from irreversible summarization.
- Use selective reintroduction of state into the control loop rather than always-on context stuffing.
- Evaluate repeated compaction events, not just one-shot compression quality.
- Open questions / failure modes:
- Query-agnostic and irreversible compaction can silently destroy task-critical bits.
- Fixed reminder schedules may miss the moments when memory matters most.
- Compression-aware defenses may fail under sanitization or normalization.
- Cross-layer composition effects remain poorly measured.
Theme: New benchmarks are targeting real residual failures, not saturated averages
- Why it matters: Several releases focus on human-easy failures, live environments, long-context brittleness, and multimodal reasoning gaps. The trend is toward benchmarks that expose where frontier systems still break in realistic settings.
- Representative papers:
- Common approach:
- Build capability-oriented or failure-oriented task suites rather than domain buckets.
- Use live or realistic environments, deterministic grading, or validated AI graders.
- Stress specific axes: decoys, multimodal grounding, cross-platform coordination, temporal reasoning.
- Pair benchmark release with ablations that identify which capability is actually limiting.
- Open questions / failure modes:
- Many benchmarks are still relatively small or manually curated.
- Live environments add instability and framework confounds.
- Some tasks remain synthetic by design, which helps control but limits realism.
- Benchmark gains may not transfer cleanly to open-world deployment.
3) Technical synthesis
- A strong cross-paper pattern is compile/route/verify: compile repeated reasoning into tools or memory objects, route tasks to specialized modes or judges, then verify with deterministic checks or secondary models.
- Several systems reduce risk by moving from free-form generation to structured intermediate objects: verdict schemas, source–sink records, DOM critical paths, trajectory groups, checkpoint rubrics.
- Selective escalation is everywhere: TokenWall escalates only uncertain flows, Prismata labels only critical paths, CodeTracer narrows to top-K candidates, and memory agents inject only when needed.
- Multiple papers show surface metrics are misleading: quantization preserves accuracy while changing per-example correctness agreement; citation judges have similar F1 but different FNR/FPR; CoT text changes weakly track behavioral changes.
- Adaptive evaluation is becoming a first-class concern: CIF formalizes anytime-valid inference under optional stopping, while TTHE and judge-auditing papers show how adaptive loops can distort conclusions if not instrumented.
- Abstention and uncertainty are emerging as core agent capabilities, not failures. CausalDS explicitly rewards abstention on non-identifiable tasks, and forecasting probes improve calibration without retraining.
- There is a growing split between reversible vs irreversible interventions: retrieval-backed memory and structured tool calls preserve auditability, while summarization, compression, or hidden CoT can create silent information loss.
- Several papers rely on frozen backbones plus lightweight adapters around them: probes, LoRA memory agents, local auditors, harness edits, and compiled tools all improve behavior without full retraining.
- Security papers increasingly assume stronger attacker positions: access to logs, page content, fine-tuning corpora, or persistent state. Defenses that only harden prompts look insufficient under these threat models.
- Evaluation itself is being treated as an engineering system: hidden supervisors, human-adjudicated councils, parser logs, confidence sequences, and benchmark-specific rubrics are now part of the method, not just reporting.
4) Top 5 papers (with “why now”)
Prismata: Confining Cross-Site Prompt Injection in Web Agents
- Cuts average attack success from 85.5% to 0.7% while preserving most benign utility (29.9% to 26.6% task success).
- Introduces a practical system defense for web agents: critical-path action gating, provenance-aware Biba parsing, and deterministic capability enforcement.
- Important now because web agents are moving into real browsing tasks where prompt injection is a default, not edge-case, threat.
- Useful as a design template for least-privilege agent interfaces beyond the web.
- Skeptical about: dependence on structural HTML cues and text-centric assumptions; multimodal attacks and live-DOM dynamics remain out of scope.
Tool-Making and Self-Evolving LLM Agents in Low-Latency Systems
- Shows a production pattern for compiling SOP nodes into validated tools, reaching 94.5% per-node pass@1.
- Delivers concrete deployment gains: 42% p50 latency reduction, further reduction with direct-call architecture, and end-to-end error reductions up to 53%.
- Why now: many enterprise agents are bottlenecked by repeated code/tool synthesis on stable backends; this paper shows when to stop regenerating and start compiling.
- Especially useful for operations, support, and workflow automation teams with repeated decision trees.
- Skeptical about: evidence comes from one deployed application, with human oversight still required for underspecified SOPs.
Persuasion Attacks Can Decrease Effectiveness of CoT Monitoring
- Finds that exposing CoT increases approval of policy-violating actions by 9.5% on average, turning a proposed oversight mechanism into an attack surface.
- Cross-family external fact-checking is the strongest mitigation, reducing approvals to about 6% on average.
- Why now: many safety proposals still assume more visibility into reasoning is automatically better; this paper directly challenges that assumption.
- Useful for anyone designing monitor-agent architectures, especially in code, finance, or moderation settings.
- Skeptical about: tasks are controlled and justification-based rather than full end-to-end tool execution.
TTHE: Test-Time Harness Evolution
- Reframes test-time adaptation around the executable harness rather than model weights, using only unlabeled traces.
- Reports large gains on execution-grounded tasks, including BIRD 12.0%→50.0% and SWE-bench Verified 20.0%→35.0%.
- Why now: agent quality increasingly depends on prompts, retries, tool wrappers, and verification logic more than on raw model deltas.
- Useful for teams that can’t retrain models but can safely mutate scaffolding and collect traces.
- Skeptical about: evaluation is transductive, and judge/proxy mismatch is a major unresolved issue.
What LLM Forecasters Know but Don’t Say: Probing Internal Representations for Calibration and Faithfulness
- Probes on frozen activations improve calibration over verbalized confidence, e.g. ECE 0.044 vs 0.093 on EF-8B.
- Shows CoT is only partly faithful: 23% stealth influence rate on high-impact ablations, while probe shifts track behavioral shifts much better.
- Adds operational value: pre-reasoning routing saves 30–47% tokens with no measurable accuracy loss.
- Why now: forecasting, research, and decision-support systems need confidence estimates and rationale auditing that survive optimization pressure.
- Skeptical about: transfer claims are limited by leakage controls, overlap caveats, and model-family dependence.
5) Practical next steps
- Instrument your agent stack at boundaries, not just prompts: log and classify source→sink token flows, tool arguments, memory writes, and DOM-targeted actions.
- Replace repeated inference-time code generation with compiled, versioned tools for stable SOP-like workflows; measure latency, variance, and fallback frequency.
- Audit any CoT-monitoring setup with persuasion red teams before deployment; test justification-only vs CoT-exposed vs cross-family fact-checked monitors.
- Add calibration probes or lightweight confidence heads on frozen models for high-stakes forecasting, triage, or abstention decisions.
- Evaluate memory systems on intervention timing, not just retrieval quality: compare always-on context, passive retrieval, and selective reminder injection.
- Track per-example agreement metrics, not only aggregate accuracy: correctness agreement, abstention quality, interval coverage, and pass-rate drift often reveal hidden regressions.
- Use model-diverse verification where possible: cross-family fact-checkers, human-adjudicated hard subsets, or deterministic execution checks reduce correlated failure.
- Stress-test agent defenses under stronger attacker assumptions: editable logs, poisoned fine-tuning data, adaptive web content, and persistent-state manipulation.
- For long-context systems, benchmark repeated compaction events and distinguish reversible retrieval-backed memory from irreversible summarization.
- If using LLM judges as rewards, calibrate directional bias per criterion first; similar F1 can still imply very different RL incentives.
Generated from per-paper analyses; no external browsing.