Researchers introduce TokenWall, a runtime defense framework that audits natural-language token flows in persistent AI agents before they reach privileged execution sinks. The system constructs source-sink audit records, applies lightweight local inspection, and escalates ambiguous cases to stronger arbitration modules. On CIK-Bench, TokenWall reduces attack success rate to 12.5% while maintaining a 97.4% benign pass rate and adding only 0.69 seconds of latency, demonstrating a practical security-utility tradeoff for long-lived agentic systems.
A new arXiv preprint introduces the concept of 'escapable AI systems' — agents with sufficient reach into their own runtime to subvert in-process safety controls — and proposes a four-property architectural framework for external enforcement. The authors present the Unfireable Safety Kernel, a Rust reference implementation with machine-checked fail-closed invariants via SMT (Z3) and bounded model checking (Kani), evaluated against a self-improving world model adversary across 7,240 authorization attempts with zero successful bypasses. The work positions this 'execution-time alignment' layer as a complement to training-time approaches like RLHF and Constitutional AI, arguing that any control inside the agent's address space is fundamentally reachable by adversarial inputs.
Researchers introduce ANTAP (Automatic Non-Textual Agent Picker), a routing architecture for multi-agent LLM systems that replaces text-based agent self-descriptions with empirical capability testing and algebraic projection in a shared semantic space. The approach creates a 'linguistic firewall' that makes metadata-based injection attacks inexpressible at inference time. Against description-based injection attacks, ANTAP achieves near-zero attack success rate compared to 67.3%+ for baseline routers, and reduces embedding-based attack success by 20%.
This paper identifies a privacy vulnerability in tool-augmented language agents that speculatively issue future tool calls to reduce latency: these 'ghost tool calls' leak inferred user intent to external services before the agent commits to a branch, and cannot be unsent after the fact. The authors argue that timing—not authorization—is the core issue, and propose Speculative Tool Privacy Contracts, a runtime abstraction treating pre-commitment observation as a distinct first-class effect. A prototype runtime is implemented and twelve policies are evaluated across three corpora, finding that only issue-time argument or destination suppression/modification actually reduces inference leakage.
A new arXiv preprint introduces the Agent-Native Immune System (ANIS), a defense architecture embedded within an agent's cognitive loop rather than applied externally at training time or perimeter. The framework proposes a six-layer Immune Tower, a taxonomy of Agent Viruses and Agent Vaccines distinguishing parametric from non-parametric defenses, and a self-monitoring Harness Triad enabling Continual Immune Learning. The paper draws a formal distinction between static training-time alignment and dynamic runtime immunity, arguing current defenses leave agents vulnerable to memory poisoning, tool-chain manipulation, and multi-agent protocol attacks.
A new arXiv preprint introduces a sound and efficient framework for verifying probabilistic security policies for AI agents operating in complex digital environments, addressing limitations of prior Datalog-based approaches that assumed deterministic policies or predicate independence. The method uses distributionally robust optimization to compute sound upper bounds on policy violation probability without requiring independence assumptions between predicates. Evaluated on benchmarks for terminal and tool-calling agents, the approach outperforms prior art on the security-utility trade-off.
Researchers introduce 'Boiling the Frog,' a multi-turn safety benchmark evaluating whether tool-using AI agents in corporate/office settings are susceptible to incremental attacks that begin with benign requests before introducing harmful payloads. The benchmark uses stateful multi-turn evaluation with a three-level operational risk taxonomy grounded in the EU AI Act and its GPAI Code of Practice. Across nine models, aggregate strict attack success rate is 44.4%, ranging from 20.5% for Claude Haiku 4.5 to 92.9% for Gemini 3.1 Flash Lite, with loss-of-control scenarios reaching 93.3% category-level ASR.
Pitwall is a production NLP system that generates real-time Formula 1 strategy briefings in three languages, using a calibrated Monte Carlo simulation engine (N=2,000 continuations, 126 races of training data) as a grounding substrate. Every generated sentence is decomposed into typed factual claims and verified against the probabilistic race state before publication; fine-tuning data is filtered to only state-supported targets (81.9% retention), preventing the model from ever training on ungrounded outputs. The system was validated at two live Grands Prix (Austria and Britain, 2026) and surfaces a generalizable finding: hallucination in sparse-context grounding traces to base-model instruction adherence rather than model scale. The paper contributes both a practical faithfulness-as-architecture approach and a real-world deployment case for grounded generation under strict latency constraints.
TokenPilot is a cache-efficient context management framework for LLM agents that addresses the trade-off between token sparsity and prompt cache continuity. It combines Ingestion-Aware Compaction (global prefix stabilization) with Lifecycle-Aware Eviction (local segment offloading) to reduce inference costs by 56–87% across benchmarks while maintaining competitive task performance. The system is evaluated on PinchBench and Claw-Eval and has been integrated into the open-source LightMem2 library.