July 15, 2026 Research Brief
Agent safety gets operational.
Today’s strongest papers replace abstract agent wins with runtime security, verifier audits, and structured control, showing that deployment failures often come from weak monitors, leaky judges, and flat orchestration.
Takeaways
- **Agent evaluation is shifting from task success to runtime realism.** Several papers replace idealized benchmarks with stateful, fault-injected, storage-aware, citation-grounded, or visual tool-calling evaluations, and they consistently uncover failure modes that standard success metrics hide.
- **Verifier design is now a first-class bottleneck.** Across RLVR, proof verification, citation grounding, scam detection, and distributed-backdoor monitoring, the main lesson is that weak or mis-scoped verifiers can silently reward bugs, miss compositional harm, or compress meaningful differences between systems.
- **Structure beats flat context for long-horizon agents.** Hierarchical orchestration, executable SOP runtimes, verifier-committed state, provider-side tool memory, and harness-native routing all improve scalability, auditability, or cost-efficiency by reducing what the model must reason over at each step.
Start with: When the Reward Suite Is Leaky: A Preregistered Causal Contrast of Natural Verifier False Positives in RLVR
Why it catches my eye: It gives a concrete pretraining audit for reward leakage, a bottleneck that can silently corrupt RLVR progress.
Read skeptically for: Evidence is limited to small code models, MBPP-style tasks, and short-horizon settings.
Themes
Papers Worth Your Reading Time
Ranked for research usefulness: novelty, method pattern, evidence quality, and skepticism value.
When the Reward Suite Is Leaky: A Preregistered Causal Contrast of Natural Verifier False Positives in RLVR
#1Useful if you train reasoning models: it shows RL can systematically exploit verifier false positives instead of averaging them away.
- Why now
- RLVR is scaling quickly, so reward-suite QA is becoming a deployment prerequisite.
- Skepticism
- Results are centered on 1–1.5B code models and MBPP-family tasks.
Rethinking MCP Security: A Large-Scale Study of Runtime MCP Servers and Security Scanner Reliability
#2A strong companion to the lead paper because it measures real agent infrastructure and shows scanner outputs are far noisier than teams may assume.
- Why now
- MCP is becoming default agent plumbing, but current security tooling appears unreliable at runtime scale.
- Skepticism
- Recall estimates rely on limited ground-truth vulnerability coverage.
Compile, Then Page: Executable SOP Programs and a Capability-Gated Runtime for Procedural LLM Agents
#3Worth opening for a concrete recipe to turn prose procedures into auditable, capability-gated agent programs.
- Why now
- Enterprises need safer long-horizon workflows, not bigger prompt stuffing.
- Skepticism
- Evidence comes from one benchmark family and a limited model set.
Chinese version: [中文]
Run stats
- Candidates: 242
- Selected: 30
- Deepread completed: 30
- Window (UTC): 2026-07-13T00:00:00Z → 2026-07-14T00:00:00Z (arxiv_announce, expanded=0)
Show selected papers
| arXiv ID | Title / Links | Categories | Score | Why | Tags |
|---|---|---|---|---|---|
2607.11751 | When Local Monitors Miss Compositional Harm: Diagnosing Distributed Backdoors in Multi-Agent Systems | cs.CR, cs.LG, cs.MA | 96 | Formalizes monitor blind spots for distributed backdoors in multi-agent LLM systems. | agent-safety, multi-agent, backdoors, monitoring, theory |
2607.11475 | HyperSafe: Inference-Time Safety Recovery for Fine-Tuned Language Models | cs.LG, cs.CL | 95 | Inference-time safety recovery for fine-tuned LMs; directly targets alignment fragility post-tuning. | llm-safety, alignment, fine-tuning, inference-time, robustness |
2607.11098 | AgentCheck: A Reproduce-Intervene-Mitigate Workbench for LLM Agents over MCP | cs.SE, cs.AI, cs.CL | 95 | Practical agent-safety workbench for reproducing tool faults and validating mitigations over MCP. | agents, MCP, tool-use, safety, evaluation, red-teaming, monitoring |
2607.11698 | Agent Hacks Agent: Autoresearch for Production-Agent Red-Teaming | cs.CR, cs.AI | 94 | Automated red-teaming loop for production agents targets reusable vulnerability knowledge. | agent-safety, red-teaming, production-agents, security, evaluation |
2607.11086 | Rethinking MCP Security: A Large-Scale Study of Runtime MCP Servers and Security Scanner Reliability | cs.CR | 94 | Large-scale MCP security study with dynamic analysis and scanner reliability; highly relevant to agent security. | MCP, security, agents, tool-use, benchmark, dynamic-analysis |
2607.11022 | When the Reward Suite Is Leaky: A Preregistered Causal Contrast of Natural Verifier False Positives in RLVR | cs.LG, cs.CL | 93 | Preregistered study on leaky RLVR rewards; important for reliable post-training and eval integrity. | rlvr, evaluation, reward-hacking, code-llms, reliability |
2607.11151 | AMT-X: Phase-Structured Multi-Turn Red-Teaming with Checklist-Gated Evaluation | cs.CR, cs.AI | 92 | Structured multi-turn red-teaming with gated harm scoring fits realistic adversaries. | jailbreaks, red-teaming, evaluation, multi-turn, safety |
2607.11346 | Compile, Then Page: Executable SOP Programs and a Capability-Gated Runtime for Procedural LLM Agents | cs.AI, cs.PL | 92 | Executable SOP runtime with capability gating for safer long-horizon agents; concrete benchmark gains. | agents, safety, SOP, runtime, capability-gating, long-horizon |
2607.11707 | An Explainable Agentic System for Detection of Conversational Scams with Summary-Based Memory | cs.MA, cs.AI, cs.CR, cs.HC | 91 | Agentic scam detection with memory plus public benchmark; strong real-world safety relevance. | agent-safety, scam-detection, benchmark, memory, security |
2607.11818 | MM-ToolSandBox: A Unified Framework for Evaluating Visual Tool-Calling Agents | cs.CV, cs.AI | 90 | Large benchmark for visual tool-calling agents with stateful, multi-turn evaluation. | agents, benchmark, tool-use, multimodal, evaluation |
2607.11226 | Heterogeneous Agent Cohorts for Safe Open-Ended Exploration with Runtime Constraint Memory | cs.AI | 90 | Safety-oriented multi-agent design with runtime validation and reusable constraint memory for exploration. | agents, multi-agent, safety, runtime-constraints, tool-use, MCTS |
2607.11414 | Confidently Wrong: Detecting Hallucinations in Financial Question Answering from LLM Internal States | cs.CL | 90 | Probes LLM internal states to detect confident hallucinations; strong reliability relevance. | hallucination, uncertainty, interpretability, financial-qa, llm-reliability |
2607.11399 | Agentic Routing: The Harness-Native Data Flywheel | cs.CL, cs.AI | 89 | Step-level routing for agent harnesses addresses core systems issue in multi-model agents. | agents, routing, llm-systems, tool-use, efficiency |
2607.11070 | MJ: Multi-turn LLM Jailbreaking via Decomposed Credit Assignment | cs.CL | 88 | Improves learning for multi-turn jailbreak attacks via turn-level credit assignment. | jailbreaks, multi-turn, RL, red-teaming, LLM-safety |
2607.11388 | StructAgent: Harness Long-horizon Digital Agents with Unified Causal Structure | cs.AI, cs.CL, cs.LG, cs.MA | 88 | Unified causal state for long-horizon digital agents could improve reliability, recovery, and verification. | agents, long-horizon, state-tracking, causal-structure, reliability |
2607.11506 | SCOPE-RL: Optimizing Reasoning Paths Before and After Success | cs.LG, cs.CL | 88 | Improves RLVR with process rewards before/after success; directly relevant to LLM reasoning training. | llm-reasoning, rlvr, process-rewards, grpo, post-training |
2607.11423 | ToFu: A White-Box, Token-Efficient Agent Harness for Researchers | cs.CL | 87 | White-box agent harness for researchers; reusable infrastructure for agent study and auditing. | agents, open-source, harness, tool-use, research-infra |
2607.11126 | ToolAtlas: Learning Once, Reusing Everywhere with Tool-Side Memory | cs.LG | 87 | Provider-side tool memory is a novel reusable layer for better tool use across heterogeneous agents. | agents, tools, memory, MCP, tool-use, inference |
2607.11149 | The Hidden Footprint: Making Storage a First-Class Metric for LLM Agent Evaluation | cs.AI | 86 | Introduces storage footprint as a neglected but important metric for agent evaluation. | agents, evaluation, privacy, data-retention, benchmarking |
2607.11849 | AdvancedMathBench: A Benchmark Suite for Advanced Mathematical Proof Generation and Verification | cs.CL | 86 | Advanced math proof benchmark with automatic verification; useful for reasoning evaluation. | benchmark, reasoning, math, verification, evaluation |
2607.10966 | SVR-R1: Bootstrapping Multi-modal Reasoning with Self-verification in Reinforcement Learning | cs.AI | 86 | Self-verification as RL signal for multimodal reasoning with reported gains over GRPO baselines. | multimodal, reasoning, self-verification, reinforcement-learning, vlm |
2607.11074 | ResearchQA: Benchmarking Citation-Grounded Question-Answering on Scientific Papers | cs.CL | 85 | Citation-grounded QA benchmark rewards supported answers and grounded refusal on scientific papers. | evaluation, grounding, citations, QA, hallucination, benchmark |
2607.11444 | UMoE:Unlocking Every Expert in Domain-Specific Training | cs.CL | 84 | MoE domain post-training method could matter for frontier LLM efficiency and adaptation. | LLM, MoE, post-training, efficiency, domain-adaptation |
2607.11736 | MET: Theory-Grounded and Culture-Aware Multilingual Moral Reasoning | cs.CL | 84 | Culture-aware multilingual moral reasoning benchmark and methods; alignment-relevant and novel. | alignment, moral-reasoning, multilingual, benchmark, ethics |
2607.11266 | Valid $\ne$ Necessary: Diagnosing Latent Inefficiency in Chain-of-Thought | cs.AI | 84 | Benchmark for inefficient but valid CoT steps; useful for reasoning quality and inference efficiency. | chain-of-thought, evaluation, reasoning-efficiency, benchmark, llm |
2607.11183 | Amplitude-Only FFN Intervention for Tool-Structured LLM Inference Method: Gated Evaluation Protocol, and Cross-Model Empirical Results | cs.CL | 83 | FFN amplitude gating improves tool-structured outputs without retraining; relevant to agent reliability. | tool-use, inference-time, reliability, llm, intervention |
2607.11127 | Do LLMs Fabricate Legal Citations? A Bilingual Benchmark on Saudi Data Protection Law and the GDPR | cs.CL, cs.CY | 83 | Targeted benchmark on fabricated legal citations probes hallucination risk in compliance use cases. | hallucination, legal, citations, benchmark, reliability, factuality |
2607.11228 | DeepBias: Adaptive In-depth Probing of Social Biases in LVLMs | cs.CY, cs.AI | 82 | Adaptive probing framework surfaces deeper social bias failures in LVLMs than static tests. | bias, LVLM, evaluation, agents, safety |
2607.11131 | TIGER: Text-Conditioned Visual Gated Routing with Acceptance Alignment for Multimodal Speculative Decoding | cs.CL | 82 | Multimodal speculative decoding with visual gating; notable frontier efficiency for VLMs. | vlm, efficiency, speculative-decoding, multimodal, inference |
2607.11138 | A Formal Hierarchical Architecture for Agentic Orchestration with Stack-Based Execution and Lazy Discovery | cs.AI, cs.LG | 82 | Hierarchical tool orchestration targets agent scaling bottlenecks; relevant to agent reliability. | agents, tool-use, orchestration, hierarchical-routing, agent-architecture |
AI Paper Insight Brief
2026-07-15
0) Executive takeaways (read this first)
- Agent evaluation is shifting from task success to runtime realism. Several papers replace idealized benchmarks with stateful, fault-injected, storage-aware, citation-grounded, or visual tool-calling evaluations, and they consistently uncover failure modes that standard success metrics hide.
- Verifier design is now a first-class bottleneck. Across RLVR, proof verification, citation grounding, scam detection, and distributed-backdoor monitoring, the main lesson is that weak or mis-scoped verifiers can silently reward bugs, miss compositional harm, or compress meaningful differences between systems.
- Structure beats flat context for long-horizon agents. Hierarchical orchestration, executable SOP runtimes, verifier-committed state, provider-side tool memory, and harness-native routing all improve scalability, auditability, or cost-efficiency by reducing what the model must reason over at each step.
- Inference-time control is becoming more targeted and model-specific. The day’s papers show multiple lightweight interventions—self-verification in RL, FFN amplitude gating, checkpoint-specific safety side networks, speculative decoding alignment, and internal-state probes—that improve safety, efficiency, or reliability without full retraining.
- Multimodal systems remain bottlenecked by perception fidelity, not just planning. In visual tool use and multimodal speculative decoding, gains come from better routing of visual evidence and better acceptance objectives, while benchmark results show many top-model failures are still simple visual extraction errors.
- Red teaming is maturing from “find a jailbreak” to “learn reusable mechanisms.” Multi-turn jailbreak optimization, phase-structured attack pipelines, and concept-graph-based autoresearch all emphasize attribution, transfer, and actionability rather than one-off attack success.
2) Key themes (clusters)
Theme: Runtime-grounded evaluation for agents and tools
- Why it matters: A large share of current agent benchmarking still assumes correct tools, negligible persistence costs, and stateless interactions. These papers show that once you evaluate real runtime behavior—faults, storage residue, deployment drift, visual inputs, or scam conversations—the failure surface changes materially.
- Representative papers:
- AgentCheck: A Reproduce-Intervene-Mitigate Workbench for LLM Agents over MCP
- The Hidden Footprint: Making Storage a First-Class Metric for LLM Agent Evaluation
- MM-ToolSandBox: A Unified Framework for Evaluating Visual Tool-Calling Agents
- An Explainable Agentic System for Detection of Conversational Scams with Summary-Based Memory
- Common approach:
- Build stateful harnesses rather than single-turn benchmarks.
- Use controlled interventions: replay with one perturbed tool response, injected faults, or sandboxed execution.
- Add nonstandard metrics such as retained bytes, first-detection turn, state-diff verification, or failure-root-cause labels.
- Separate silent propagation failures from overt crashes or task misses.
- Open questions / failure modes:
- Single-fault injections may miss compound and cascading failures.
- LLM judges remain a weak point in several setups, even when paired with deterministic checks.
- Benchmarks may still underrepresent live deployment conditions, especially benign traffic and long-lived sessions.
- Visual and multi-image tasks expose perception bottlenecks that current planning-centric agent designs do not solve.
Theme: Verifiers, judges, and observability as the real control surface
- Why it matters: Many systems now optimize against verifiers rather than humans directly. The day’s papers show that if the verifier is leaky, local, or poorly aligned with the real objective, training and monitoring can look successful while paying for bugs or missing harm entirely.
- Representative papers:
- When the Reward Suite Is Leaky: A Preregistered Causal Contrast of Natural Verifier False Positives in RLVR
- When Local Monitors Miss Compositional Harm: Diagnosing Distributed Backdoors in Multi-Agent Systems
- AdvancedMathBench: A Benchmark Suite for Advanced Mathematical Proof Generation and Verification
- ResearchQA: Benchmarking Citation-Grounded Question-Answering on Scientific Papers
- Common approach:
- Stress-test the scope of the verifier’s view: local step, assembled artifact, extra tests, proof trajectory, or citation span.
- Use human adjudication or expert labels to calibrate what the verifier is actually rewarding.
- Compare cheap observable signals against stronger but more expensive or more structured verification.
- Treat evaluation as a causal measurement problem, not just a leaderboard exercise.
- Open questions / failure modes:
- Persistent false positives may not hurt held-out metrics immediately, yet still reward real bugs.
- Local monitors can be fundamentally blind when harm only appears after composition.
- Pessimistic or strict verification improves trustworthiness but may reduce acceptance and throughput.
- Same-family evaluator bias remains a recurring issue in citation and benchmark grading.
Theme: Structured control for long-horizon agents
- Why it matters: Flat tool registries, raw history buffers, and prose SOPs do not scale to enterprise or long-horizon settings. A common pattern across papers is to externalize structure—state, hierarchy, programs, memory graphs, or routing logs—so the model reasons over a smaller, more auditable slice of the problem.
- Representative papers:
- A Formal Hierarchical Architecture for Agentic Orchestration with Stack-Based Execution and Lazy Discovery
- Compile, Then Page: Executable SOP Programs and a Capability-Gated Runtime for Procedural LLM Agents
- StructAgent: Harness Long-horizon Digital Agents with Unified Causal Structure
- ToolAtlas: Learning Once, Reusing Everywhere with Tool-Side Memory
- Common approach:
- Replace flat context with hierarchies, stacks, or typed state.
- Move reusable knowledge into provider-side or runtime-managed memory rather than agent-local traces.
- Use verifier-backed transitions or executable programs to constrain progress updates.
- Page or retrieve only the active frame / relevant traces / local manifest at each step.
- Open questions / failure modes:
- Benefits are often capability-gated: stronger models exploit structure better than weaker ones.
- Tree layout, verifier coverage, and memory refresh policies become new design bottlenecks.
- Externalized structure improves auditability but can still fail on cross-app planning or wide fan-out nodes.
- Governance questions remain open for provider-side memory: poisoning, access control, and staleness.
Theme: Inference-time and post-hoc interventions for safety, efficiency, and reliability
- Why it matters: Several papers avoid full retraining and instead intervene at inference or post-hoc analysis time. This is attractive operationally because it targets deployed checkpoints, preserves base weights, and can be layered onto existing systems.
- Representative papers:
- HyperSafe: Inference-Time Safety Recovery for Fine-Tuned Language Models
- Amplitude-Only FFN Intervention for Tool-Structured LLM Inference Method: Gated Evaluation Protocol, and Cross-Model Empirical Results
- Confidently Wrong: Detecting Hallucinations in Financial Question Answering from LLM Internal States
- TIGER: Text-Conditioned Visual Gated Routing with Acceptance Alignment for Multimodal Speculative Decoding
- Common approach:
- Read or modulate internal activations rather than only outputs.
- Use lightweight side models or probes attached to frozen backbones.
- Optimize for the runtime quantity that matters: harmful-prompt routing, accepted prefix length, structured-output success, or confident-error detection.
- Distinguish oracle headroom from deployable gains with gated protocols.
- Open questions / failure modes:
- Many methods require white-box access or family-specific calibration.
- Gains are often strongest on narrow routes (tool-structured tasks, numeric QA, specific VLM families).
- Additional verifier-in-the-loop or calibration passes can shift cost from inference to setup/training.
- Robustness to distribution shift, larger models, and adversarial adaptation remains under-tested.
Theme: RL and red-teaming are becoming more process-aware
- Why it matters: Instead of optimizing only final outcomes, newer RL and red-teaming methods shape intermediate reasoning, turn-level credit, or attack phases. This yields better attribution and often better efficiency, but also increases dependence on process judges and rollout design.
- Representative papers:
- Common approach:
- Densify sparse rewards with self-verification, scaffolds, or process-quality signals.
- Move from trajectory-level to turn-level or phase-level credit assignment.
- Use gated evaluation to separate partial success from fully actionable outcomes.
- Analyze whether training is selecting existing behaviors or creating new exploit strategies.
- Open questions / failure modes:
- Process rewards can fail on very hard subsets or depend heavily on judge quality.
- Strong attack ASR may partly reflect attacker–evaluator coupling.
- Short-horizon results may not extrapolate to longer contexts or larger models.
- Better process shaping can reduce entropy/exploration if not balanced carefully.
Theme: Groundedness, citation fidelity, and culturally aware reasoning
- Why it matters: Multiple papers show that models can appear fluent while failing on the grounding dimension users actually need: legal citations, scientific citations, proof validity, or culturally legible moral reasoning.
- Representative papers:
- Do LLMs Fabricate Legal Citations? A Bilingual Benchmark on Saudi Data Protection Law and the GDPR
- ResearchQA: Benchmarking Citation-Grounded Question-Answering on Scientific Papers
- MET: Theory-Grounded and Culture-Aware Multilingual Moral Reasoning
- AdvancedMathBench: A Benchmark Suite for Advanced Mathematical Proof Generation and Verification
- Common approach:
- Replace generic answer scoring with verbatim citation checks, process verification, or theory-grounded reasoning.
- Build domain-specific benchmarks where correctness is externally checkable.
- Measure abstention/refusal correctness rather than rewarding forced answers.
- Emphasize native-language or culturally adapted evaluation instead of direct translation.
- Open questions / failure modes:
- Confidence is often anti-helpful: fabricated legal citations were frequently high-confidence.
- LLM-generated datasets and same-family judges can bias results.
- Correct citation or theory selection does not guarantee correct interpretation or reconciliation.
- Coverage remains limited in language, domain, and multimodal evidence types.
3) Technical synthesis
- A recurring design move is to externalize latent structure—tool capabilities, SOP logic, task state, routing records, or vulnerability concepts—so the model no longer has to infer everything from raw history.
- Several papers converge on “judge the process, but only when outcome is anchored”: SCOPE-RL gates process rewards by final correctness; SVR-R1 rewards only the final affirmed answer; AdvancedMathBench uses pessimistic multi-pass verification.
- There is a clear split between local observability and assembled observability. This appears in distributed backdoors, citation matching, proof verification, and RLVR test suites: what matters is not just detector quality, but whether the detector sees the right representation.
- Capability-gated interventions are common: executable SOP paging helps stronger models but can hurt weaker ones; structured runtimes and hierarchy improve feasibility but not universally accuracy; FFN gating shows headroom that learned gates only partially capture.
- Many systems now use lightweight side components rather than full model retraining: linear probes, side networks, graph memories, LightGBM routers, one-class assembly monitors, and deterministic citation matchers.
- The strongest evaluation papers separate artifact-level success from mechanism-level understanding: AHA stores falsifiable vulnerability concepts, AgentCheck confirms fixes on the same injected fault, and AMT-X distinguishes lenient from fully actionable ASR.
- Across multimodal work, the bottleneck is often evidence selection rather than raw model size: TIGER routes sparse visual tokens; MM-ToolSandBox shows top-model failures are often factual extraction errors; SVR-R1 benefits from self-verification but fails on overly hard subsets.
- Several papers explicitly show that aggregate metrics compress important differences: LLM evaluator scores in ResearchQA, overall ASR in AMT-X, and full-population hallucination metrics in financial QA all hide the cases practitioners care about most.
- A practical systems trend is cost-aware optimization beyond tokens: storage footprint, billed routing cost, verification turns, accepted-prefix length, and token-per-success all become first-class objectives.
- The day’s RL and routing papers suggest a broader pattern: better intermediate supervision often improves both quality and efficiency, but only when the intermediate signal is tightly tied to the deploy-time objective.
4) Top 5 papers (with “why now”)
- Shows that deployed code reward suites contain persistent false positives that RL can select rather than average away.
- Introduces a cheap static audit that predicts where rewarded false-positive mass will appear during training (Spearman ρ ≈ 0.80).
- Human adjudication finds that a large residual share of rewarded false positives are genuinely wrong programs (~47.57% record-weighted in the main family).
- Why now: RLVR is scaling quickly, and this paper gives a concrete QA procedure for reward suites before teams overfit to leaky verifiers.
- Skepticism / limitation: Scope is limited to 1–1.5B models, MBPP-family tasks, and short horizons.
Rethinking MCP Security: A Large-Scale Study of Runtime MCP Servers and Security Scanner Reliability
- Builds MCPZoo, a runtime-enabled corpus with 64,611 unique projects and 37,288 interactable servers.
- Finds that 96.89% of interactable servers are flagged by at least one scanner, yet scanner quality is poor: average validated precision 45.53%, low agreement, and 24.17% CVE-based recall.
- Quantifies deployment reality: most projects lack Dockerfiles, duplication is high, and runtime behavior is essential for measurement.
- Why now: MCP is becoming core agent infrastructure, and current scanner outputs appear too noisy to trust at face value.
- Skepticism / limitation: Ground-truth vulnerability coverage is still small, especially for recall evaluation.
Compile, Then Page: Executable SOP Programs and a Capability-Gated Runtime for Procedural LLM Agents
- Converts SOPs from resident prose into executable programs with evidence-returning rule subroutines and a stack-paged runtime.
- Shows large gains from compilation alone, e.g. 70.4% → 86.4% on Bank for DeepSeek-V4-Flash, with runtime paging further improving to 92.8% and 100% refusal correctness on the screened subset.
- Isolates a key deployment lesson: runtime paging helps strong models but can harm weaker ones.
- Why now: Enterprises are trying to operationalize policy-heavy agents, and this gives a concrete recipe for auditable SOP execution rather than prompt stuffing.
- Skepticism / limitation: Evidence is from one benchmark family and a limited model set.
StructAgent: Harness Long-horizon Digital Agents with Unified Causal Structure
- Introduces a unified typed state (requirements, values, verified evidence) and a planner-actor-verifier loop where only verifier-backed decisions commit progress.
- Delivers large gains on OSWorld-Verified, including 27.0% → 46.9% for Qwen3.5-9B and 31.6% → 62.2% for Qwen3.5-27B.
- Reaches 78.9% with MiniMax-M3, reported as the best open-source result in the paper.
- Why now: Long-horizon digital agents are hitting state-management limits, and this paper offers a reusable abstraction for progress tracking and recovery.
- Skepticism / limitation: Remaining failures still cluster in verification and cross-application planning.
HyperSafe: Inference-Time Safety Recovery for Fine-Tuned Language Models
- Generates a checkpoint-specific Safe Side Network from activation fingerprints of a fine-tuned model.
- Reduces harmful-response rates from 19–31% to below 1% on held-out checkpoints while keeping downstream task accuracy within about 1 point on average.
- Adds only ~3–4% parameter overhead and leaves safe-query decoding cost unchanged.
- Why now: Fine-tuning-induced safety regressions are common in practice, and this is a post-hoc fix for already-shipped checkpoints.
- Skepticism / limitation: Requires hypernetwork training coverage across checkpoint families and calibration prompts at deployment.
5) Practical next steps
- Audit your verifiers before scaling RLVR: run a static leakiness audit on code tasks, stratify by task leakiness, and manually inspect rewarded false positives rather than trusting aggregate held-out pass rates.
- Add runtime fault injection to agent eval: replay real trajectories with one perturbed tool response and require mitigation confirmation on the exact same injected fault before rollout.
- Track storage as a deployment metric alongside success, latency, and token cost; measure retained bytes, duplication, and reconstructability per run.
- Move from flat prompts to structured control for long-horizon agents: try executable SOPs, typed verifier-committed state, or hierarchical manifests before adding more context window.
- Separate partial from actionable safety failures in red teaming; report both lenient success and fully actionable success, especially for multi-turn jailbreaks.
- For multimodal agents, instrument perception failures explicitly: log whether failure came from visual extraction, tool selection, or execution, since benchmark evidence suggests perception is often the dominant bottleneck.
- Use model-specific post-hoc controls where possible: internal-state probes for high-stakes QA triage, checkpoint-specific safety side networks for fine-tuned models, or FFN gating on structured-output routes.
- Treat provider-side tool memory as infrastructure: cache verified affordances, boundaries, and co-usage patterns once, then expose them to heterogeneous agents instead of relearning tool behavior per harness.
Generated from per-paper analyses; no external browsing.