July 13, 2026 Research Brief
Control moves outside prompts.
Today’s papers show more reliable AI systems coming from explicit contracts, bounded actions, process-aware evaluation, and structural defenses around routing, tools, and validators.
Takeaways
- **Agent systems are getting more useful when control is moved out of free-form prompting and into explicit structure**: several papers show gains from bounded action spaces, deterministic validators, tool-gated retrieval, or code-owned contracts rather than relying on prompt-only behavior.
- **Evaluation is shifting from final-answer accuracy to process validity**: today’s strongest benchmark papers measure action traces, resource use, longitudinal memory effects, routing cost, regional coverage gaps, or internal reasoning trajectories—not just end outputs.
- **Security work is increasingly targeting the orchestration layer**: routing metadata, prompt/tool boundaries, browser/API interception, and compliance pipelines are emerging as first-class attack surfaces and defense points.
Start with: An AI agent for treatment reasoning over a biomedical tool universe
Why it catches my eye: It is a strong example of learned evidence-seeking over tools in a high-stakes domain, not just prompt-based tool use.
Read skeptically for: Results depend on tool coverage and synthetic training traces, and the clinical validation is observational rather than prospective.
Themes
Papers Worth Your Reading Time
Ranked for research usefulness: novelty, method pattern, evidence quality, and skepticism value.
An AI agent for treatment reasoning over a biomedical tool universe
#1Worth opening for a concrete blueprint of RL-trained, evidence-seeking tool use in biomedical reasoning.
- Why now
- High-stakes agent deployments need stronger evidence than generic tool-enabled prompting.
- Skepticism
- Tool reliability and coverage may dominate outcomes, and real clinical impact is not yet prospectively shown.
From Prompts to Contracts: Harness Engineering for Auditable Enterprise LLM Agents
#2A complementary engineering pattern that turns agent behavior into manifests, validators, and traceable contracts.
- Why now
- Teams moving from demos to deployment need auditable control surfaces more than better prompts.
- Skepticism
- The study emphasizes contract enforcement on a bounded setup more than broad domain correctness.
Wrong Before Right: Late Rescue and Interface Failure in Aligned Language Models
#3It links internal reasoning dynamics to real deployment fragility under compression, giving a reusable reliability lens.
- Why now
- As compressed models ship more widely, output accuracy alone misses important internal failure modes.
- Skepticism
- Evidence is strongest on minimal-pair settings and may not fully transfer to open-ended generation.
Chinese version: [中文]
Run stats
- Candidates: 2072
- Selected: 30
- Deepread completed: 30
- Window (UTC): 2026-07-10T00:00:00Z → 2026-07-11T00:00:00Z (weekend_backlog_sat, expanded=0)
Show selected papers
| arXiv ID | Title / Links | Categories | Score | Why | Tags |
|---|---|---|---|---|---|
2607.04640 | Wrong Before Right: Late Rescue and Interface Failure in Aligned Language Models | cs.CL | 93 | Mechanistic alignment study links late-layer rescue to real errors across 17 LMs. | alignment, interpretability, reliability, mechanistic, llms |
2606.28692 | An AI agent for treatment reasoning over a biomedical tool universe | cs.AI | 92 | Agentic biomedical reasoning with RL over 212 tools; strong frontier-agent relevance and concrete setup. | agents, tool-use, reinforcement-learning, biomedical, reasoning |
2606.30807 | Off the Rails: Hijacking the Scoring Head in Generative End-to-End Driving Planners with Safety-Violating Adversarial Perturbations | cs.RO, cs.CR, cs.CV | 92 | Adversarial attack on generative driving planners exposes a concrete safety-critical failure mode. | adversarial-robustness, autonomous-driving, safety, security, evaluation |
2607.08285 | Psychological Competence as a Missing Dimension in AI Evaluation | cs.AI | 91 | Introduces a missing eval dimension for human-facing AI: psychological competence and interaction effects. | ai-safety, evaluation, human-ai-interaction, reliability, alignment |
2607.08282 | Multi-Agent Firewall Architecture for Privacy Protection of Sensitive Data in Interactions with Language Models | cs.CR, cs.AI, cs.MA | 90 | Open-source LLM privacy firewall with interception plus multi-agent leakage prevention. | LLM-security, privacy, data-leakage, multi-agent, firewall, prompt-injection |
2607.08288 | From Legacy Documentation to OSCAL: An MCP-Based Agent Pipeline for Threat-Informed Continuous Compliance in Critical Infrastructure | cs.CR, cs.AI | 90 | MCP multi-agent compliance pipeline with source-verified retrieval targets hallucination risk. | agents, security, compliance, hallucination, retrieval |
2607.08054 | Who Analyses the Analyser? Self-Validating LLM Hazard Analysis with Constitutional Meta-STPA | cs.LG, cs.AI | 90 | Directly targets safety of LLM-assisted hazard analysis with self-auditing STPA loop. | ai-safety, hazard-analysis, auditability, llm-reliability, governance |
2606.30801 | Using AI Agents to Automate Black-Box Audits of Personalization Algorithms at Scale | cs.CL, cs.CY, cs.LG, cs.SI | 90 | AI agents for scalable black-box audits of personalization; strong societal and auditing relevance. | agents, auditing, evaluation, personalization, safety |
2607.05001 | TACTIC-KG: Toward Small Agent Teams for Cyber Threat Intelligence Knowledge Graph Construction | cs.CR, cs.AI, cs.LG, cs.MA | 90 | Agentic CTI KG pipeline with verification/curation; strong security relevance and practical modularity. | agents, cybersecurity, knowledge-graphs, information-extraction, evaluation |
2606.28900 | MedEvoEval: Evaluating Continual Evolution of Doctor Agents through Simulated Clinical Episodes | cs.AI, cs.CL | 90 | Longitudinal benchmark for evolving doctor agents; strong agent evaluation relevance. | agents, evaluation, medical-ai, longitudinal, benchmark |
2606.29399 | LLM-Guided Planning for Multi-hop Reasoning over Multimodal Nuclear Regulatory Documents | cs.AI | 89 | Agentic long-doc reasoning with tools, KG state, and strong faithfulness/accuracy on nuclear documents. | agents, rag, long-context, grounding, evaluation, safety-critical |
2607.08499 | Cross-seed explainability using Procrustes-conditioned Joint End-to-end Top-K Sparse Autoencoders | cs.CL | 89 | Mechanistic interpretability on cross-seed feature universality; reusable SAE method for LLM analysis. | interpretability, mechanistic-interpretability, sparse-autoencoders, bert, feature-alignment |
2607.08017 | Can We Trust LLM's Logic? Quantifying Uncertainty, Coherence, and Robustness via a Graph-Based Framework | cs.CL, cs.AI | 89 | Graph-based reasoning fidelity/UQ for LLMs targets coherence and adversarial robustness. | llm-evaluation, uncertainty, reasoning, robustness, graph-based |
2606.30555 | Linguistic Firewall: Geometry as Defense in Multi-Agent Systems Routing | cs.AI, cs.MA | 88 | Targets MAS routing security by defending against agent misrepresentation and hidden backdoors. | multi-agent, routing, security, agent-evaluation, backdoors, LLM-agents |
2607.08028 | From Prompts to Contracts: Harness Engineering for Auditable Enterprise LLM Agents | cs.AI, cs.CL, cs.SE | 88 | Auditable LLM-agent harness moves behavior into contracts, schemas, traces, and validation. | agents, auditing, enterprise, reliability, guardrails |
2606.30887 | Training Therapeutic Judges and Multi-Agent Systems for Human-Aligned Mental Health Support | cs.CL, cs.AI, cs.MA | 88 | Judge-model plus multi-agent refinement for mental-health support; alignment via actionable evaluation. | alignment, judge-models, multi-agent, mental-health, evaluation, human-aligned |
2606.28925 | Multi-Agent Routing as Set-Valued Prediction: A WildChat Benchmark and Cost-Aware Evaluation | cs.LG, cs.AI, cs.IR, cs.MA | 88 | Useful benchmark for multi-agent/tool routing with cost-aware evaluation on realistic prompts. | agents, benchmark, tool-routing, evaluation, cost-aware |
2606.30059 | From Failure Taxonomy to Intervention: A Diagnostic Methodology for Industry-Scale AVLM in Video and Live-Streaming Platform Moderation | cs.LG | 88 | Diagnostic framework for AVLM moderation failures with targeted interventions for safety deployment. | multimodal, moderation, safety, diagnostics, deployment |
2607.08522 | Stop Guessing When to Stop Testing: Efficient Model Evaluation with Just Enough Data | cs.LG | 88 | Adaptive sequential testing could cut eval cost while preserving reliability across model comparisons. | evaluation, benchmarking, statistics, efficiency |
2607.01977 | OntoLearner: A Modular Python Library for Ontology Learning with Large Language Models | cs.AI | 88 | LLM ontology-learning framework with 180 ontologies, benchmarks, and reusable infrastructure. | llm, knowledge, benchmark, framework, ontology |
2606.29354 | When LLMs Develop Languages: Symbolic Communication for Efficient Multi-Agent Reasoning | cs.AI, cs.NE | 88 | Multi-agent symbolic communication for reasoning efficiency; novel agentic inference idea. | llm, multi-agent, reasoning, test-time, efficiency |
2606.29871 | AI Training Manager: Bounded Closed-Loop Control of Adaptive Training Recipes | cs.AI | 88 | Bounded LLM controller for training recipes is agentic and safety-aware via constrained actions. | llm-agents, training, control, safety, reliability |
2606.31307 | When the Database Fails: Prompting LLM Dialogue Agents for Safe Recovery in Task-Oriented Dialogue | cs.CL | 87 | Directly studies safe recovery from DB failures to reduce hallucinated task-agent actions. | dialogue-agents, safety, hallucination, grounding, reliability, prompting |
2606.31474 | TabPATE: Differentially Private Tabular In-Context Learning Without Public Data | cs.LG | 87 | Targets privacy leakage in in-context learning with DP defense and explicit membership inference threat. | privacy, differential-privacy, in-context-learning, membership-inference, tabular |
2606.29687 | A Machine-Verified Proof of a Quantum-Optimization Conjecture | quant-ph, cs.AI, cs.LG, cs.LO, math.OC | 87 | LLM-assisted, Lean-verified proof is a notable reliability milestone for agentic formal reasoning. | llm-agents, formal-verification, reasoning, reliability, theorem-proving |
2607.08665 | Resample or Reroute? Budget-Aware Test-Time Model Selection for Large Language Models | cs.LG | 87 | Budget-aware LLM routing vs resampling is practical for reliable, cost-constrained deployment. | llm-serving, routing, test-time-compute, verification, reliability |
2607.04907 | Medi-Gemma: A Hybrid Clinical Decision Support System Integrating Deterministic EMR Analytics and Retrieval-Augmented Generation | cs.AI | 87 | Clinical LLM system explicitly targets hallucination via deterministic EMR analytics plus RAG orchestration. | llm-reliability, rag, hallucination, clinical-ai, agents |
2606.29403 | Self-Organized Conformal Prediction: Reducing Regional Coverage Gaps with Unsupervised Group Discovery | stat.ML, cs.AI, cs.LG | 87 | Targets subgroup undercoverage in conformal prediction; strong reliability/safety value. | reliability, uncertainty, conformal-prediction, safety, calibration |
2606.29493 | Faults in Our Formal Benchmarking: Dataset Defects and Evaluation Failures in Lean Theorem Proving | cs.AI | 86 | Important benchmark audit exposing certified defects and eval failures in LLM theorem proving. | evaluation, benchmarks, theorem-proving, reliability, formal-methods, audit |
2607.07196 | Validate the Dream Before You Trust Its Verdict: Admissibility for World-Model Simulators | cs.RO, cs.AI, cs.LG, cs.SE | 86 | Argues world models need accreditation before safety verdicts; strong eval framing. | world-models, safety, evaluation, robotics, verification |
AI Paper Insight Brief
2026-07-13
0) Executive takeaways (read this first)
- Agent systems are getting more useful when control is moved out of free-form prompting and into explicit structure: several papers show gains from bounded action spaces, deterministic validators, tool-gated retrieval, or code-owned contracts rather than relying on prompt-only behavior.
- Evaluation is shifting from final-answer accuracy to process validity: today’s strongest benchmark papers measure action traces, resource use, longitudinal memory effects, routing cost, regional coverage gaps, or internal reasoning trajectories—not just end outputs.
- Security work is increasingly targeting the orchestration layer: routing metadata, prompt/tool boundaries, browser/API interception, and compliance pipelines are emerging as first-class attack surfaces and defense points.
- Clinical and safety-critical domains are converging on hybrid architectures: deterministic analytics + retrieval + bounded generation + safety checks appears repeatedly in treatment reasoning, EMR support, regulatory review, and mental-health support.
- Cheap, local, or small-model systems can compete when decomposed well: LoRA-specialized small agents, fine-tuned encoders, and modular pipelines often beat larger monolithic baselines on routing, CTI graph construction, and moderation diagnostics.
- A recurring open problem is verifier quality: whether for therapeutic judges, routing, graph-based reasoning audits, or resample-vs-reroute policies, system performance increasingly depends on the quality and calibration of the evaluator or verifier.
2) Key themes (clusters)
Theme: Bounded agentic systems for high-stakes domains
- Why it matters: The strongest applied systems here do not trust a single LLM pass. They decompose tasks into evidence gathering, deterministic computation, constrained actions, and auditable traces—especially in medicine, regulation, and compliance.
- Representative papers:
- An AI agent for treatment reasoning over a biomedical tool universe
- LLM-Guided Planning for Multi-hop Reasoning over Multimodal Nuclear Regulatory Documents
- Medi-Gemma: A Hybrid Clinical Decision Support System Integrating Deterministic EMR Analytics and Retrieval-Augmented Generation
- From Legacy Documentation to OSCAL: An MCP-Based Agent Pipeline for Threat-Informed Continuous Compliance in Critical Infrastructure
- Common approach:
- Replace single-shot RAG with iterative planning over tools, document trees, or structured state.
- Keep exact computation and authoritative retrieval deterministic; reserve generation for synthesis.
- Add explicit safety or export gates before outputs reach users.
- Produce inspectable traces or knowledge graphs rather than opaque answers.
- Open questions / failure modes:
- Upstream extraction errors still propagate even when downstream retrieval is deterministic.
- Tool/library coverage limits can silently cap performance.
- Several systems show strong functional behavior but limited prospective or real-world validation.
- Cost/latency remains high in some planning-heavy pipelines.
Theme: Evaluation is becoming process-aware, longitudinal, and adaptive
- Why it matters: Output-only benchmarks increasingly miss the behaviors that matter in deployment: how an agent gathers evidence, spends resources, changes over time, or fails under compression and distributional heterogeneity.
- Representative papers:
- MedEvoEval: Evaluating Continual Evolution of Doctor Agents through Simulated Clinical Episodes
- Stop Guessing When to Stop Testing: Efficient Model Evaluation with Just Enough Data
- Wrong Before Right: Late Rescue and Interface Failure in Aligned Language Models
- Self-Organized Conformal Prediction: Reducing Regional Coverage Gaps with Unsupervised Group Discovery
- Common approach:
- Instrument intermediate traces, not just final answers.
- Evaluate under sequential or longitudinal protocols rather than fixed one-shot tests.
- Use localized or group-aware diagnostics to expose hidden failure regions.
- Tie internal model behavior to downstream robustness outcomes.
- Open questions / failure modes:
- Simulated episodes and automatic judges may not transfer cleanly to real practice.
- Some diagnostics are descriptive rather than full guarantees.
- Sequential evaluation depends on assumptions like approximate i.i.d. behavior.
- Internal metrics can be hard to connect to free-form generation quality.
Theme: Routing, orchestration, and verifier-driven inference are now core optimization targets
- Why it matters: A growing share of system quality comes from choosing the right model, tool, agent set, or reasoning path under cost constraints. This is becoming a distinct layer of ML systems design.
- Representative papers:
- Multi-Agent Routing as Set-Valued Prediction: A WildChat Benchmark and Cost-Aware Evaluation
- Resample or Reroute? Budget-Aware Test-Time Model Selection for Large Language Models
- When LLMs Develop Languages: Symbolic Communication for Efficient Multi-Agent Reasoning
- AI Training Manager: Bounded Closed-Loop Control of Adaptive Training Recipes
- Common approach:
- Formalize orchestration as an optimization problem over cost, utility, and verifier signals.
- Use lightweight learned scorers or deterministic post-processing layers instead of pure zero-shot routing.
- Reuse compact intermediate representations or symbolic protocols to reduce token cost.
- Keep controller authority bounded by schemas, thresholds, or action surfaces.
- Open questions / failure modes:
- Gains often collapse when verifier quality degrades.
- Simulated utility functions may not match end-to-end user outcomes.
- Offline evolution or routing calibration can be expensive.
- Sequential adaptive policies may hurt latency even when they improve cost-quality tradeoffs.
Theme: Security defenses are moving from content filtering to structural controls
- Why it matters: Several papers argue that prompt-level defenses are too weak when the attack surface is architectural: routing metadata, browser/API exfiltration paths, benchmark harnesses, or unsafe planner scoring heads.
- Representative papers:
- Linguistic Firewall: Geometry as Defense in Multi-Agent Systems Routing
- Multi-Agent Firewall Architecture for Privacy Protection of Sensitive Data in Interactions with Language Models
- From Prompts to Contracts: Harness Engineering for Auditable Enterprise LLM Agents
- Off the Rails: Hijacking the Scoring Head in Generative End-to-End Driving Planners with Safety-Violating Adversarial Perturbations
- Common approach:
- Remove untrusted natural language from critical control paths where possible.
- Interpose deterministic validators, manifests, or local inspection layers.
- Treat downstream selection heads and orchestration logic as attack surfaces.
- Evaluate with explicit adversarial or fault-injection protocols rather than benign benchmarks.
- Open questions / failure modes:
- Structural defenses often assume trusted offline calibration or trusted embeddings.
- Strong defenses can add latency or operational complexity.
- Some attacks remain effective under adaptive or white-box settings.
- Coverage is often partial across protocols, browsers, or deployment environments.
Theme: Judges, critics, and meta-evaluators are becoming first-class system components
- Why it matters: Many systems now rely on learned evaluators to guide refinement, routing, or safety analysis. This creates leverage—but also a new dependency that itself must be audited.
- Representative papers:
- Training Therapeutic Judges and Multi-Agent Systems for Human-Aligned Mental Health Support
- Can We Trust LLM’s Logic? Quantifying Uncertainty, Coherence, and Robustness via a Graph-Based Framework
- Who Analyses the Analyser? Self-Validating LLM Hazard Analysis with Constitutional Meta-STPA
- Using AI Agents to Automate Black-Box Audits of Personalization Algorithms at Scale
- Common approach:
- Train or structure judges around multidimensional rubrics rather than scalar preference.
- Use evaluator outputs as active control signals for refinement or governance.
- Add adversarial probes, manifests, or meta-analysis to validate the evaluator itself.
- Separate generation and evaluation models to reduce reward hacking or bias.
- Open questions / failure modes:
- Judge quality is often domain-limited and annotation-expensive.
- Lexical or heuristic validators can miss paraphrases or subtle failures.
- Human realism remains a concern for agent-based audits.
- Strong evaluator dependence can create brittle pipelines if the judge drifts.
3) Technical synthesis
- Multiple papers converge on a generate-then-verify pattern, but the strongest versions make verification deterministic or externally grounded rather than another free-form LLM pass.
- Action-space restriction is a recurring safety primitive: MedEvoEval’s four actions, AI Training Manager’s bounded JSON updates, enterprise harness validators, and regulatory browse/read/search tools all reduce uncontrolled behavior.
- Several systems show that planning beats retrieval alone: the FSAR paper isolates a +38.0 point gain from state-conditioned planning over the same tree/tools, and ATHENA-R1 outperforms tool-use baselines by learning evidence-seeking policies rather than merely having tool access.
- Verifier quality is now a bottleneck variable across domains: RoR’s gains shrink as verifier quality drops, therapeutic refinement depends on judge fidelity, and graph-based reasoning audits depend on decomposition quality.
- There is a strong trend toward hybrid deterministic + generative architectures in safety-critical settings: deterministic analytics for tables, deterministic retrieval for identifiers, and LLMs only for synthesis or bounded planning.
- Several papers replace text-heavy reasoning with compressed operational representations: symbolic LSFs, dynamic sub-KGs, manifests/claims, SOM cells for local calibration, and behavioral operators for routing.
- Cost-aware evaluation and inference is becoming explicit rather than implicit: weighted routing, sequential testing, token-budgeted symbolic reasoning, and budget-aware resample/reroute all optimize utility under resource constraints.
- Robustness work is increasingly interface-specific: wrong-dip exposes internal interface fragility under compression, DERAIL targets the planner scoring head, and TOD recovery targets the DB boundary rather than generic hallucination.
- A notable methodological split is emerging between benchmarking for realism (live X audits, clinical episodes, enterprise traces) and benchmarking for guarantees (conformal validity, DP, machine-verified proofs); few papers yet combine both.
- Small specialized models plus decomposition often outperform larger monoliths, suggesting system design is currently a bigger lever than raw model scale in many applied settings.
4) Top 5 papers (with “why now”)
A Machine-Verified Proof of a Quantum-Optimization Conjecture
- Resolves the Farhi–Goldstone–Gutmann conjecture for depth-p QAOA on ring of disagrees, proving the exact approximation ratio ((2p+1)/(2p+2)).
- Introduces a new analytic route from QAOA mode dynamics to SU(2)/QSP polynomial interpolation.
- Demonstrates a generate-then-certify workflow where Claude Fable 5 helped produce a proof that Lean 4 mechanically verified.
- Why now: it is a rare example where LLM assistance contributes to a genuinely nontrivial theorem while the final artifact is machine-checkable.
- Skepticism / limitation: the semantic gap remains—humans still must ensure the formal statement matches the intended informal conjecture.
An AI agent for treatment reasoning over a biomedical tool universe
- Trains an evidence-seeking treatment agent over 212 biomedical tools using large-scale synthetic traces plus RL with scientific feedback.
- Reports 94.7% on DrugPC and 82.9% on TreatmentPC, outperforming GPT-5 and other reasoning/tool baselines in the reported setup.
- Includes blinded expert preference studies and observational EHR validation of generated adverse-event hypotheses.
- Why now: this is one of the clearest demonstrations that tool access alone is not enough; learned evidence-gathering policy is the differentiator.
- Skepticism / limitation: performance depends on tool coverage/reliability, and the EHR validation is observational rather than prospective.
Wrong Before Right: Late Rescue and Interface Failure in Aligned Language Models
- Identifies the “wrong-dip,” where mid-layers transiently prefer the wrong answer before late layers rescue the output.
- Shows high-dip items are 3–7× more likely to fail under structural compression, while quantization failures are largely dip-blind.
- Demonstrates a dip-regularized LoRA intervention that reduces the causal dip and improves compression retention.
- Why now: as model compression and deployment optimization accelerate, output-level evals are increasingly insufficient to catch internal fragility.
- Skepticism / limitation: evidence is strongest on minimal-pair tasks and LoRA-scale interventions, not broad free-form generation.
Linguistic Firewall: Geometry as Defense in Multi-Agent Systems Routing
- Replaces text-based router decisions with empirically learned behavioral operators over trusted benchmark queries.
- Achieves near-zero ASR on description-injection tests where textual routing baselines are heavily hijacked.
- Reframes routing security as removing untrusted language from the control path rather than trying to sanitize it.
- Why now: multi-agent systems are proliferating, and router metadata is becoming a practical attack surface.
- Skepticism / limitation: the defense assumes a trusted offline calibration pipeline and trustworthy embeddings.
From Prompts to Contracts: Harness Engineering for Auditable Enterprise LLM Agents
- Shows how to move enterprise agent behavior from prompts into manifests, promoted claims, validators, and trace artifacts.
- In 270 live-model runs, code-owned checks passed consistently while model-composed outputs varied by provider.
- In ablations, the harness blocked all tested violations while preserving utility better than an external guardrail.
- Why now: many enterprise teams are stuck between prototype demos and deployable systems; this paper offers a concrete engineering pattern for crossing that gap.
- Skepticism / limitation: evaluation is on a bounded public-data slice and validates contract enforcement more than domain correctness.
5) Practical next steps
- Instrument process, not just outputs: log tool calls, action traces, retrieval scope, validator outcomes, and stopping reasons; several papers show these reveal failures hidden by final-answer metrics.
- Move critical guarantees into code-owned layers: use manifests, schemas, deterministic routing, exact analytics, and export gates for any high-stakes workflow.
- Audit your verifier/judge explicitly: if your system uses a judge for routing, refinement, or safety, measure its agreement, failure modes, and drift before trusting downstream gains.
- Add boundary-specific failure tests: DB failures, wrong-domain retrieval, metadata injection, scoring-head perturbations, and browser/API leakage are all concrete interfaces worth red-teaming.
- Evaluate cost-quality tradeoffs directly: test weighted routing, sequential evaluation, or budget-aware resample/reroute instead of assuming a fixed benchmark size or fixed inference policy.
- Prefer learned orchestration over naive tool access when tasks require multi-step evidence gathering; benchmark whether the model knows what to retrieve, not just whether tools are available.
- For safety-critical RAG, separate deterministic state from narrative context: inject authoritative latest-state facts directly and constrain retrieval to scoped records or verified sources.
- Measure subgroup or region failures explicitly: use local calibration, held-out transfer, or persona-conditioned audits to catch reliability gaps masked by global averages.
Generated from per-paper analyses; no external browsing.