AgentDrift: Unsafe Recommendation Drift Under Tool Corruption Hidden by Ranking Metrics in LLM Agents
arXiv:2603.12564v4 Announce Type: replace-cross Abstract: Tool-augmented LLM agents increasingly operate as multi-turn advisors in high-stakes domains, yet their evaluation relies on ranking metrics that measure what is recommended but not whether it is safe for the user. We present a paired-trajectory protocol that replays real financial dialogues under clean and contaminated tool-output conditions across eight LLMs (7B to frontier), decomposing divergence into information-channel and memory-channel mechanisms. We observe evaluation blindness: recommendation quality is preserved under contami — Zekun Wu, Adriano Koshiyama, Sahan Bulathwela, Maria Perez-Ortiz
This paper has been withdrawn by Zekun Wu
No PDF available, click to view other formats
Abstract:Tool-augmented LLM agents increasingly operate as multi-turn advisors in high-stakes domains, yet their evaluation relies on ranking metrics that measure what is recommended but not whether it is safe for the user. We present a paired-trajectory protocol that replays real financial dialogues under clean and contaminated tool-output conditions across eight LLMs (7B to frontier), decomposing divergence into information-channel and memory-channel mechanisms. We observe evaluation blindness: recommendation quality is preserved under contamination (UPR~1.0) while risk-inappropriate products appear in 65-93% of turns, invisible to standard NDCG. Violations are information-channel-driven, emerge at turn 1, and persist without self-correction over 23-step trajectories. Even non-extreme perturbations (within-band corruption, narrative-only attacks) evade threshold monitors while producing significant drift. Susceptibility scales with instruction-following fidelity across all eight models. Sparse autoencoder probing reveals models internally distinguish adversarial perturbations but fail to propagate this signal to output; causal interventions (activation patching, feature clamping, direct steering) confirm this representation-to-action gap is structural and resists linear repair. A safety-penalized NDCG variant (sNDCG) reduces preservation ratios to 0.51-0.74. These results motivate trajectory-level safety monitoring for deployed multi-turn agents.
Comments: There are some experimental error we are looking into to resolve
Subjects:
Computation and Language (cs.CL); Artificial Intelligence (cs.AI)
Cite as: arXiv:2603.12564 [cs.CL]
(or arXiv:2603.12564v5 [cs.CL] for this version)
https://doi.org/10.48550/arXiv.2603.12564
arXiv-issued DOI via DataCite
Submission history
From: Zekun Wu [view email] [v1] Fri, 13 Mar 2026 01:54:00 UTC (5,129 KB) [v2] Wed, 18 Mar 2026 20:31:03 UTC (5,125 KB) [v3] Tue, 24 Mar 2026 18:22:32 UTC (5,131 KB) [v4] Mon, 30 Mar 2026 14:18:25 UTC (5,159 KB) [v5] Tue, 31 Mar 2026 10:30:01 UTC (1 KB) (withdrawn)
Sign in to highlight and annotate this article
Conversation starters
Daily AI Digest
Get the top 5 AI stories delivered to your inbox every morning.
More about
researchpaperarxiv
Exclusive | Caltech Researchers Claim Radical Compression of High-Fidelity AI Models - WSJ
<a href="https://news.google.com/rss/articles/CBMiuANBVV95cUxQamNrT0NoNFYxYTFFMUhzbWtzSVNVSHBQWVVPQ0ZOR3o1bTJTNFVuMlJLVDhXaHNhRDZGZWZjUUgtcU01WkJSM0hYSWVCQmV3ZllKbjVWcDBuX0pheTQ3QThDc254NElERTZqeXZRdE43UkJaYVlRUk03NDlMa1RlU2NUb2N6c25UMlFwQWhITVo3M3dLV1JNblZvcUxuTV9YUE04S2ZCRGFLaWZhQlNXdzdQd0dRLW5va0YzVjVkY0hyV1NyaDRLOVo2UEFxcTk5QWZhTFduUXZLUVdXN1hkbTFGeWx3YVJUMzR6eThmaExhajJOSTRIY0p0Tmt1Yy0zbE9nREJGV1hLM2xPcGpPd1RaRmFTaGZ4M09HanRGSnJSVF9yN0laang2Ui1fWTNuZjZRWEdseVNXelc3Q0d4eW82SG9DcXg2cW1UQ3pEbmYtdnZ5ZFd5ajhFV2ZWX0dSODlVZEVRVEh2LWgzTDNkRDBlNWI4U1p3cE0xQVJUY1ZKMTUyRnBDQ3RlOTg0X1J6M2hSMW9Da3hlTG54dzJ5cTRIMG5KUG45Q1c4TW41UW5XQzZwQmxmRg?oc=5" target="_blank">Exclusive | Caltech Researchers Claim Radical Compression of High-Fidelity AI Models</a> <font color="#6f6f6f">WSJ</font>
Exclusive | Caltech Researchers Claim Radical Compression of High-Fidelity AI Models - WSJ
<a href="https://news.google.com/rss/articles/CBMiuANBVV95cUxNRHZ4V00wTUhOaFprdE9sTTBWLWVtRzNSMjNRLXUyRWNXU3NPbVlrT1ctUk9HaHVTNmxnRzV1MWVaUHpGUk5VRXZNMll4T2ppTkVqQkhDbF9MUzJ2a2Zydm8zUVR0QzJ6aURwcS1tOVJnUUtrR0hjX1dZWXNBQkpMSUs4VGFCanBLR21ON2xrYlRDVnk4a2JjSTNmLWtlMnNmRDBVT182aElEam02UHppenFQQ2Z2QmNwMWNaRXNQMzdnckJYZnpMcEIzMmNjQUhHb3N6Wl95d09LZGVzNzhsUEFQMFJNcjVXNmpSSXlSVUp3WDFmZHVfaXBrcFdPQk4tSHpCc3hSeXFUcVVQeC0wV2gzNk1TN2phdzR1b1VKOWR1aW9vaGxNYWVwY0tJV0ItTFUtclpfZEg1a0N2elA1VHZUbVVYT3JCR093U1gyaWZWUWc5b2gxbG4zNmVLM3BmSUZGY21VM2t3RXJTdVd5dllKS0pCR3QxZ04yUmxTZzF4UWY2bFdZZ0J2SVl3eFluVVI0RGtyMmluNXN2NGYzQTNkWmgweGJ1WWNxVDNTN3BMeWEyTmgyTg?oc=5" target="_blank">Exclusive | Caltech Researchers Claim Radical Compression of High-Fidelity AI Models</a> <font color="#6f6f6f">WSJ</font>
Exclusive | Caltech Researchers Claim Radical Compression of High-Fidelity AI Models - WSJ
<a href="https://news.google.com/rss/articles/CBMiuANBVV95cUxQVzhBdU1oTHZpa3UwNVRCOEx3Y2QwanNsOTJWTEJ0ZXRMRFU5V285eTlnbjhuci1jVlI2dVBjaTVwTkxOVUZVSkxjWkkyZnRUWFduaXBTS2g4THFWZ0prbHYwei1Mejd0bEprQ0s0dXBUeHVZNlRKZE1OWFJ0Z19sWVZkdXl4RGw5TXF2Mnk2RVpxeDVBUnB1bUY1N2x5bEwwSlVKekFybko4VVZDeXQtVHBQang5OWU0V0Y5dUNXYU4xaTFOZ3BKZjdlaE5HV2lzYlFzOTk0WmJZTjNGdGQ0S0t5X1FWMlRTeTBaQmR6R3pVU3pMbm5NNFI3VG9ZSGpVUXNzYU5MUGNCdkw5MEJ5UGpuUTV1ZHl5dWl5VUFmeWtqOGJwcS0zOU5MWE41N19TaUZvSkg0OGVVc0F0cHgxeFM1UlM0YXNPT1UxWnh2eGlmVnkzbHUzYnpDbTlja3RLeWd1ZEo1b1NNSUp2UGtTcV9pYWliNzZtbUgyVDFmXzNyWnBVM0lLNU9qSGd6SEhZczZ3R0NwenhPY1BtZEdtZ0JnSEh1ZHJUbXhHR0loSENKNnV2WmN0cg?oc=5" target="_blank">Exclusive | Caltech Researchers Claim Radical Compression of High-Fidelity AI Models</a> <font color="#6f6f6f">WSJ</font>
Knowledge Map
Connected Articles — Knowledge Graph
This article is connected to other articles through shared AI topics and tags.
More in Research Papers
Hidden Helpers: Pittsburgh’s Industrial Past Might Hold the Key to a Cleaner Future
<p> <img loading="lazy" src="https://www.cmu.edu/news/sites/default/files/styles/listings_desktop_1x_/public/2026-03/260305B_WTM_Armbruster038.jpg.webp?itok=8RGXrI_N" width="900" height="508" alt="Researchers examine soil"> </p> Pittsburgh has reinvented itself from a steel powerhouse to a hub for health care and education. But the city’s industrial past left a hidden legacy: toxic compounds like benzene and toluene in the soil. While most life can’t survive such a contamination, some microbes adapted to use the pollutants as food.
XR is XR: Rethinking MR and XR as Neutral Umbrella Terms
arXiv:2603.29939v1 Announce Type: new Abstract: The term XR is currently widely used as an expression encompassing Virtual Reality (VR), Augmented Reality (AR), and Mixed Reality (MR). However, there is no clear consensus regarding its origin or meaning. XR is sometimes explained as an abbreviation for Extended Reality, but multiple interpretations exist regarding its etymology and formation process. This paper organizes the historical formation of terminology related to VR, AR, MR, and XR, and reexamines the context in which the term XR emerged and how it has spread. In particular, by presenting a timeline that distinguishes between the coinage of terms and the drivers of their adoption, we suggest that XR, as an umbrella term, functions not as an abbreviation of Extended Reality, but rat
Interview-Informed Generative Agents for Product Discovery: A Validation Study
arXiv:2603.29890v1 Announce Type: new Abstract: Large language models (LLMs) have shown strong performance on standardized social science instruments, but their value for product discovery remains unclear. We investigate whether interview-informed generative agents can simulate user responses in concept testing scenarios. Using in-depth workflow interviews with knowledge workers, we created personalized agents and compared their evaluations of novel AI concepts against the same participants' responses. Our results show that agents are distribution-calibrated but identity-imprecise: they fail to replicate the specific individual they are grounded in, yet approximate population-level response distributions. These findings highlight both the potential and the limits of LLM simulation in desig
Beyond Legacy OFDM: A Mobility-Adaptive Multi-Gear Framework for 6G
arXiv:2603.29721v1 Announce Type: new Abstract: While Third Generation Partnership Project (3GPP) has confirmed orthogonal frequency division multiplexing (OFDM) as the baseline waveform for sixth-generation (6G), its performance is severely compromised in the high-mobility scenarios envisioned for 6G. Building upon the GEARBOX-PHY vision, we present gear-switching OFDM (GS-OFDM): a unified framework in which the base station (BS) adaptively selects among three gears, ranging from legacy OFDM to delay-Doppler domain processing based on the channel mobility conditions experienced by the user equipments (UEs). We illustrate the benefit of adaptive gear switching for communication throughput and, finally, we conclude with an outlook on research challenges and opportunities.
Discussion
Sign in to join the discussion
No comments yet — be the first to share your thoughts!