SafetyDrift: Predicting When AI Agents Cross the Line Before They Actually Do

View PDF HTML (experimental)

Abstract:When an LLM agent reads a confidential file, then writes a summary, then emails it externally, no single step is unsafe, but the sequence is a data leak. We call this safety drift: individually safe actions compounding into violations. Prior work has measured this problem; we predict it. SafetyDrift models agent safety trajectories as absorbing Markov chains, computing the probability that a trajectory will reach a violation within a given number of steps via closed form absorption analysis. A consequence of the monotonic state design is that every agent will eventually violate safety if left unsupervised (absorption probability 1.0 from all states), making the practical question not if but when, and motivating our focus on finite horizon prediction. Across 357 traces spanning 40 realistic tasks in four categories, we discover that "points of no return" are sharply task dependent: in communication tasks, agents that reach even a mild risk state have an 85% chance of violating safety within five steps, while in technical tasks the probability stays below 5% from any state. A lightweight monitor built on these models detects 94.7% of violations with 3.7 steps of advance warning at negligible computational cost, outperforming both keyword matching (44.7% detection, 55.9% false positive rate) and per step LLM judges (52.6% detection, 38.2% false positive rate) while running over 60,000x faster.

Comments: 9 pages, 7 figures, sent to COLM conference

Subjects:

Cryptography and Security (cs.CR); Artificial Intelligence (cs.AI)

MSC classes: 68T05, 60J10

ACM classes: I.2.6; I.2.11; K.4.1

Cite as: arXiv:2603.27148 [cs.CR]

(or arXiv:2603.27148v1 [cs.CR] for this version)

https://doi.org/10.48550/arXiv.2603.27148

arXiv-issued DOI via DataCite (pending registration)

Submission history

From: Aditya Dhodapkar [view email] [v1] Sat, 28 Mar 2026 05:52:04 UTC (67 KB)