July 16, 2026 Research Brief

Agent control gets explicit.

Today’s strongest papers shift agent reliability from end-task scores to explicit state, hard runtime constraints, and audited evaluation, with security work targeting workflow-specific attack surfaces rather than generic jailbreaks.

Takeaways

  1. Agent reliability work is shifting from end-task scores to **stateful, step-level, and operation-level control**: explicit working memory, confidence banks, prospective-memory benchmarks, and lifecycle memory traces all show that hidden intermediate state is now the main bottleneck.
  2. Several papers converge on a common pattern for safer agents: **hard runtime constraints beat soft prompting**. Examples include constrained decoding for Text-to-SQL, typed-state score gating, proof-kernel verification, provenance gates for reverse engineering, and deterministic exploitability oracles for vuln discovery.
  3. Retrieval and evidence-grounding remain the dominant factuality lever, but the new nuance is that **coverage and faithfulness are separable**. More source exposure improves citation faithfulness, while retrieval recall bounds trustworthy coverage.
#1

Start with: Win by Silence: Deletion Non-Monotonicity, Autonomous Exploitation, and Typed-State Gating in LLM Plan Evaluation

Why it catches my eye: It exposes a concrete agent-evaluation failure mode and pairs it with a deployable typed-state gating defense.

Read skeptically for: The defense may depend on task-specific state typing and may not generalize cleanly across open-ended agent settings.

agent-safety evaluation planning guardrails

Themes

Explicit state as the new control surface for agents Many agent failures now look less like raw capability gaps and more like failures to preserve, update, and act on intermediate state. Papers in this cluster show that making state explicit improves reasoning, memory, confidence, and debugging.
Hard guarantees for safety-critical generation and reasoning A recurring design move is to replace “please be safe” with mechanisms that make unsafe outputs unrepresentable or unverifiable. This is especially relevant for security, privacy, and high-stakes evidence use.
Agent security is moving to ecosystem and workflow attacks The attack surface is no longer just prompt injection into a chat window. New work shows vulnerabilities in registries, reverse-engineering pipelines, coding PR workflows, and purpose-specific agent policies.
Signal Agent reliability is moving inside the loop. Working-memory scaffolds, step-level confidence banks, prospective-memory benchmarks, and lifecycle memory traces all target hidden intermediate state rather than final scores alone.
Tension Soft prompting is losing to hard constraints. Typed-state gating, constrained decoding, proof-kernel verification, and provenance checks repeatedly outperform or replace instruction-only safety in high-stakes workflows.
Bet Evaluation will become auditable infrastructure. Judge generosity, length bias, partial-task instability, and reconstructability gaps suggest future benchmark trust will depend on trace quality and replayable evidence.

Papers Worth Your Reading Time

Ranked for research usefulness: novelty, method pattern, evidence quality, and skepticism value.

Win by Silence: Deletion Non-Monotonicity, Autonomous Exploitation, and Typed-State Gating in LLM Plan Evaluation

#1

Useful because it finds an exploitable plan-evaluation pathology and offers a concrete runtime defense.

Why now
Agent planning stacks increasingly rely on evaluators that can be gamed by omission or state manipulation.
Skepticism
Results may rely on typed intermediate representations that are easier to define in constrained domains.

Track, Rank, Crack: Epistemic Working Memory Scales Multi-Hop Reasoning in Language Agents

#2

A practical prompting-only recipe for explicit working memory that improves multi-hop agent reasoning as tasks get harder.

Why now
It matches the day’s broader shift toward explicit state as the main control surface for reliable agents.
Skepticism
Closed-context evaluation leaves open whether monotonic memory helps under noisy retrieval and contradiction.

Evidence-Grounded Verified Agentic Reasoning: A Path Toward Eliminating LLM Hallucination in Empirical Inference via Tool-Attested Kernel Proofs

#3

Worth opening for its hard trust boundary: only tool-attested evidence can produce verified claims.

Why now
Research agents need auditable factuality mechanisms, not just better prompting or post-hoc citation formatting.
Skepticism
The guarantees depend on trusted formalization layers and current validation is concentrated on table-centric tasks.

Chinese version: [中文]

Run stats

  • Candidates: 186
  • Selected: 30
  • Deepread completed: 30
  • Window (UTC): 2026-07-14T00:00:00Z → 2026-07-15T00:00:00Z (arxiv_announce, expanded=0)
Show selected papers
arXiv IDTitle / LinksCategoriesScoreWhyTags
2607.12507When Binaries Talk Back: Representation-Confusion Attacks on LLM-Assisted Reverse Engineering
PDF
cs.CR95Strong agent-security paper: benchmark and guardrails for adversarial LLM-assisted reverse engineering.agent-security, prompt-injection, benchmark, reverse-engineering, guardrails
2607.12986Win by Silence: Deletion Non-Monotonicity, Autonomous Exploitation, and Typed-State Gating in LLM Plan Evaluation
PDF
cs.AI, cs.SE95Shows exploitable plan-eval non-monotonicity and a gating defense with concrete results.agent-safety, evaluation, reward-hacking, planning, guardrails
2607.12624PVDetector: Detecting Prompt Injection Attacks on Purpose-Specific LLM Agents through Policy-Violation Concept Analysis
PDF
cs.CR94Activation-space prompt-injection detector for purpose-specific agents; concrete defense focus.prompt-injection, agent-safety, security, interpretability, detection
2607.12397Critic Experience Bank: Self-Evolving Step-Level Confidence Estimation for LLM Agents
PDF
cs.AI93Step-level confidence for agents is highly safety-relevant; focuses on calibrated pre-action reliability.agents, confidence, calibration, reliability, monitoring
2607.12747Tracing Agentic Failure from the Flow of Success
PDF
cs.AI, cs.CL93Unsupervised failure attribution for LLM agents from success-only data is highly relevant to agent reliability.agents, failure-attribution, reliability, debugging, evaluation
2607.12340Skills That Don't Exist: A Large-Scale Study of Hallucinated Skill Recommendation in LLM Agents
PDF
cs.SE, cs.CR92Large-scale study of hallucinated skill installs exposing agent supply-chain attack risk.agents, supply-chain-security, hallucination, tool-use, measurement
2607.12885LLM Judges Can Be Too Generous When There Is No Reference Answer
PDF
cs.CL92Important eval warning: LLM judges over-credit wrong answers without references.llm-evaluation, judge-models, reliability, benchmarking, calibration
2607.12650Evidence-Grounded Verified Agentic Reasoning: A Path Toward Eliminating LLM Hallucination in Empirical Inference via Tool-Attested Kernel Proofs
PDF
cs.LG, cs.AI, cs.CY, cs.SE91Kernel-verified tool-attested reasoning targets hallucination with auditable abstention.verification, hallucination, tool-use, agents, formal-methods
2607.12893MemOps: Benchmarking Lifecycle Memory Operations in Long-Horizon Conversations
PDF
cs.AI, cs.CL91Useful benchmark for long-horizon agent memory operations; targets unsafe hidden memory failures.agents, memory, benchmark, long-context, evaluation
2607.12257On-Device Deep Research at 4B: Exposure Bounds Faithfulness, Retrieval Bounds Coverage
PDF
cs.AI, cs.CL, cs.IR, cs.LG91Directly studies citation faithfulness vs coverage for on-device research agents with clear deployment relevance.agents, RAG, faithfulness, citations, on-device
2607.12385PM-Bench: Evaluating Prospective Memory in LLM Agents
PDF
cs.AI90Prospective-memory benchmark for agents addresses delayed-intention failures in realistic long tasks.agents, benchmark, memory, evaluation, long-horizon
2607.12767Accuracy and Normalized Accuracy under Length Bias: Analysis, Guidelines, and a Bayesian Alternative
PDF
cs.AI90Addresses benchmark length bias with analysis and a Bayesian scoring alternative.evaluation, benchmarking, bias, multiple-choice, scoring
2607.12469Agent-Safety Evaluations as Load-Bearing Evidence: A Vendor-Neutral, Cross-Harness Reconstructability Metric
PDF
cs.SE, cs.AI89Vendor-neutral reconstructability metric for agent-safety evals improves evidence quality.evaluation, agent-safety, auditing, monitoring, benchmarks
2607.12985Resist and Update: Counterfactual Report Coordinates for Incentive-Compatible LLMs
PDF
cs.AI89Novel alignment angle: incentive-compatible reporting that resists pressure yet updates on evidence.alignment, truthfulness, incentives, causal, evaluation
2607.12236Speculate with Memory: Lossless Acceleration for LLM Agents
PDF
cs.LG, cs.CL89Improves LLM agent speculative execution with memory, showing practical acceleration across agent benchmarks.agents, inference, speculative-decoding, memory, efficiency
2607.12341Policy-Conditioned Constrained Decoding for Column-Level Access Control in Text-to-SQL
PDF
cs.CL, cs.CR, cs.DB88Deterministic constrained decoding for policy-compliant Text-to-SQL across trust boundaries.constrained-decoding, access-control, text-to-sql, security, reliability
2607.12428Trust but Verify? Uncovering the Security Debt of Autonomous Coding Agents
PDF
cs.CR88Large empirical study of security debt in autonomous coding agents with concrete prevalence findings.coding-agents, security, empirical-study, software-engineering, risk
2607.12733LLMs Can See the Smoke but not the Fire: Evaluating Abductive Reasoning with Elenchos
PDF
cs.AI, cs.LG88Introduces abductive reasoning eval showing detection-attribution gaps in LLMs.reasoning, evaluation, abduction, llm-capabilities, benchmark
2607.12267Track, Rank, Crack: Epistemic Working Memory Scales Multi-Hop Reasoning in Language Agents
PDF
cs.LG, cs.AI87Explicit epistemic working memory improves multi-hop tool-using agents as tasks get harder.agents, reasoning, working-memory, tool-use, multi-hop
2607.12463Function-Aware Fill-in-the-Middle as Mid-Training for Coding Agent Foundation Models
PDF
cs.AI, cs.CL87Promising coding-agent foundation advance via function-aware FIM mid-training on internet-scale code.frontier-llm, coding-agents, pretraining, mid-training, tool-use
2607.13027PalmClaw: A Native On-Device Agent Framework for Mobile Phones
PDF
cs.CL, cs.AI87Open-source native mobile agent framework; important for real-world agent deployment and permission boundaries.agents, mobile, tool-use, on-device, frameworks
2607.12831Knowledgeless Language Models: Suppressing Parametric Recall for Evidence-Grounded Language Modeling
PDF
cs.CL86Pretraining paradigm suppresses parametric recall to favor evidence-grounded language modeling.pretraining, grounding, factuality, retrieval, llms
2607.12316Antiproof: Synthesizing Vulnerability Detectors and Proofs of Exploitability
PDF
cs.CR86High-recall vulnerability discovery with proof-of-exploitability validation; strong security impact and concrete results.security, vulnerability-detection, neuro-symbolic, validation, automation
2607.12631Can Induced Emotion Bias LLM Behaviors in Sequential Decision Making?
PDF
cs.CL, cs.AI86Studies whether induced emotion shifts LLM sequential decisions in agent settings.agent-safety, decision-making, behavior, emotion, llm-agents
2607.12338How Many Tasks Are Enough for Agent Benchmark Decisions? A Replay Analysis of Public LLM Agent Benchmarks
PDF
cs.AI85Practical agent-eval paper on when partial benchmark runs preserve conclusions under budget limits.agents, evaluation, benchmarking, methodology, efficiency
2607.12723Bulkhead: Automated Semantic Detection and Remediation of Container Escape Vulnerabilities
PDF
cs.CR, cs.AI, cs.SE84Automated detection/remediation of container escapes is relevant to agent sandbox security.sandboxing, container-security, agent-infrastructure, vulnerabilities, systems
2607.12273Code-MUE: Measuring Code LLMs' Uncertainty through Execution-based Semantic Interaction Graphs
PDF
cs.SE, cs.AI, cs.CL84Black-box uncertainty estimation for code LLMs is practical and relevant to safer deployment.code-llm, uncertainty, black-box, reliability, execution
2607.12696Less Experts, Faster Decoding: Cost-Aware Speculative Decoding for Mixture-of-Experts
PDF
cs.CL, cs.AI, cs.DC84MoE speculative decoding targets real inference bottlenecks and could matter for frontier LLM serving efficiency.LLMs, MoE, speculative-decoding, inference, efficiency
2607.12605Multi-Perspective Agentic Program Repair via Code Property Graphs and Temporal Execution Graphs
PDF
cs.SE, cs.AI84Agentic program repair with structured static/dynamic evidence may generalize well.agents, code-llms, program-repair, tool-use, software-engineering
2607.12395Ring-Zero: Scaling Zero RL to a Trillion Parameters for Emergent Reasoning
PDF
cs.CL83Potentially important frontier result: zero-RL scaled to trillion-parameter reasoning models.frontier-llm, reasoning, rl, scaling, post-training

AI Paper Insight Brief

2026-07-16

0) Executive takeaways (read this first)

  • Agent reliability work is shifting from end-task scores to stateful, step-level, and operation-level control: explicit working memory, confidence banks, prospective-memory benchmarks, and lifecycle memory traces all show that hidden intermediate state is now the main bottleneck.
  • Several papers converge on a common pattern for safer agents: hard runtime constraints beat soft prompting. Examples include constrained decoding for Text-to-SQL, typed-state score gating, proof-kernel verification, provenance gates for reverse engineering, and deterministic exploitability oracles for vuln discovery.
  • Retrieval and evidence-grounding remain the dominant factuality lever, but the new nuance is that coverage and faithfulness are separable. More source exposure improves citation faithfulness, while retrieval recall bounds trustworthy coverage.
  • Security papers increasingly target agent-specific attack surfaces, not just model jailbreaks: hallucinated skill names, prompt injection in purpose-specific agents, representation-confusion in RE pipelines, and omission incentives in plan scoring.
  • Efficiency papers are becoming more deployment-shaped: lossless speculative execution for agents and cost-aware speculative decoding for MoE both optimize latency without changing final outputs, suggesting a practical path to faster frontier systems with low behavioral risk.
  • Evaluation methodology is maturing: multiple papers show that benchmark conclusions can be unstable due to partial-task budgets, judge generosity, trace insufficiency, or length bias—meaning many headline numbers are less decision-useful than they appear.

2) Key themes (clusters)

Theme: Explicit state as the new control surface for agents

Theme: Hard guarantees for safety-critical generation and reasoning

Theme: Agent security is moving to ecosystem and workflow attacks

Theme: Evidence-grounding is being decomposed into exposure, retrieval, and epistemics

Theme: Evaluation itself is under audit

Theme: Practical efficiency without changing outputs

  • Why it matters: Speedups that preserve behavior are especially attractive for production systems because they reduce latency or cost without requiring requalification of model behavior.
  • Representative papers:
  • Common approach:
    • Exploit idle time or structure in execution to hide latency.
    • Add lightweight predictors or memory modules around a fixed actor/verifier.
    • Optimize system bottlenecks specific to deployment substrate: environment waits, HBM expert traffic, mobile tool invocation.
    • Preserve final trajectory or verification semantics while improving wall-clock performance.
  • Open questions / failure modes:
    • Replay gains may differ from live interactive gains.
    • Predictor quality and routing volatility can cap benefits.
    • On-device frameworks may still depend on remote inference.
    • Efficiency layers can introduce new privacy or memory-management concerns.

3) Technical synthesis

  • A strong cross-paper pattern is training-free augmentation: SLEUTH, CEB, PVDetector, speculative memory, and reconstructability scoring all improve behavior or observability without retraining the base actor.
  • Several papers replace scalar success metrics with factorized diagnostics: faithfulness vs coverage, resist vs update, detection vs attribution, operation F1 vs stale-value rate, sufficiency vs replayability.
  • Deterministic validators are increasingly used as trust anchors: Lean kernels, challenge–response exploit oracles, SPIN model checking, token masks, typed-state gates, and provenance gates.
  • Memory is being treated in three distinct ways across papers: episodic reuse for speed (Speculate with Memory), epistemic organization for reasoning (SLEUTH), and lifecycle state management for correctness (MemOps, PM-Bench).
  • Multiple security papers show that provenance matters as much as content: the same string or observation becomes dangerous when promoted to instruction, evidence, or validated state without authority checks.
  • Evaluation papers repeatedly show that partial observability of the evaluation process is itself a failure mode: missing task groups, absent trace fields, hidden reference answers, and length priors all distort conclusions.
  • Retrieval-grounded factuality papers suggest a layered recipe: first ensure the model actually reads enough of each source, then improve retrieval recall, then audit judge behavior.
  • Several methods use contrastive structure rather than absolute scoring: productive vs unproductive step memories, violating vs compliant activation directions, positive vs negative experience banks, exact-root vs dependent provenance groups.
  • There is a notable shift from “make the model smarter” to reshape the interface between model and environment: tools, gates, schemas, typed records, and explicit permissions are doing more of the safety work.
  • Efficiency work is increasingly system-aware rather than model-only: MoE expert unions, environment idle time, and mobile execution boundaries are treated as first-class optimization targets.

4) Top 5 papers (with “why now”)

Antiproof: Synthesizing Vulnerability Detectors and Proofs of Exploitability

  • Combines synthesized static detectors with deterministic proof-of-exploitability oracles, addressing recall and validation together.
  • Strong benchmark result: 64/66 vulnerabilities detected on BountyBench + KEVBench.
  • Real-world signal is unusually strong: 510 accepted PoEs from 50 projects and 12 CVE assignments to date.
  • Why now: this is one of the clearest examples of LLM-era security tooling moving from “find suspicious things” to “produce validated, scalable findings.”
  • Skeptical about: coverage is bounded by the detector classes and validation environments the system can model.

Skills That Don’t Exist: A Large-Scale Study of Hallucinated Skill Recommendation in LLM Agents

  • Identifies a new supply-chain attack where hallucinated skill names can be pre-registered by attackers and later installed by agents.
  • Large empirical base: 15,000 prompts, 12 configurations, 5,669 distinct hallucinated names.
  • Shows the attack is targetable: repeated names, cross-model overlap, and 851 exact overlaps with PyPI/npm names.
  • Why now: agent ecosystems are rapidly adding tool/skill registries, and this paper argues the weak point is the recommendation layer, not just execution.
  • Skeptical about: the paper validates the delivery path and benign installation, but not real-world user uptake or live malicious deployment.

Track, Rank, Crack: Epistemic Working Memory Scales Multi-Hop Reasoning in Language Agents

  • Introduces a simple prompting-only working-memory scaffold with Confirmed Facts, Active Hypotheses, and Open Questions.
  • Delivers sizable gains that grow with hop depth, including 53.1% EM on MuSiQue 4-hop and strong cross-model adherence gains.
  • Isolates two distinct failure modes—information loss and over-verification paralysis—and shows the commitment nudge only helps when state is organized.
  • Why now: this is a practical blueprint for improving agent reasoning without retraining, and it aligns with broader movement toward explicit state.
  • Skeptical about: evaluation is in closed-context retrieval settings, and monotonic fact accumulation may entrench misleading early evidence.

Evidence-Grounded Verified Agentic Reasoning: A Path Toward Eliminating LLM Hallucination in Empirical Inference via Tool-Attested Kernel Proofs

  • Proposes a strong architectural answer to empirical hallucination: only a Lean kernel can mint VERIFIED claims, and only from attested tool outputs.
  • Provides formal safety theorems plus strong tabular results, including 120/120 on Tier 1 TableBench.
  • Makes abstention and formalization errors explicit rather than silently publishing unsupported claims.
  • Why now: as “deep research” and evidence-grounded agents proliferate, this is one of the few papers offering a hard trust boundary instead of a heuristic patch.
  • Skeptical about: the approach currently depends on trusted per-source lifts and is only validated on table-centric tasks.

Speculate with Memory: Lossless Acceleration for LLM Agents

  • Extends speculative execution for agents with online memory so prediction quality improves over time rather than resetting each episode.
  • Shows consistent gains across six benchmarks, with especially large observation-prediction improvements like ALFWorld 40.0% vs 16.3%.
  • Preserves actor behavior exactly: incorrect speculative work is discarded, making the speedup lossless.
  • Why now: agent latency is becoming a product bottleneck, and this offers a low-risk systems optimization that can be layered onto existing stacks.
  • Skeptical about: replay-based evaluation may overstate live benefits, and web tasks remain brittle due to missing DOM-level context.

5) Practical next steps

  • Add explicit working-memory state to agent loops now: at minimum, maintain structured facts, hypotheses, and open questions, and measure timeout reduction separately from answer quality.
  • For agent safety pipelines, move from soft policies to runtime-enforced gates: constrained decoding, typed-state checks, provenance grouping, and deterministic refusal paths.
  • In research-agent stacks, report faithfulness, citation recall, and trustworthy coverage separately; increasing source exposure looks like a cheap first intervention before retriever upgrades.
  • Instrument agents with step-level confidence estimation and use it for selective execution, bounded regeneration, or human review triggers rather than only post-hoc scoring.
  • Audit your evaluation harness: track coverage failures, unresolved comparisons, judge sensitivity to references, and trace reconstructability before trusting benchmark deltas.
  • For tool/skill ecosystems, require registry-backed resolution and authenticated artifacts before recommendation or installation; do not let free-form names flow directly into execution.
  • If you operate MoE or multi-call agents, prioritize lossless latency optimizations first: speculative execution with memory, cost-aware draft selection, and substrate-specific caching.
  • Build memory benchmarks and dashboards around operation-level failures—update, forget, reflect, stale reuse, provenance—not just final QA accuracy.

Generated from per-paper analyses; no external browsing.