Host: Researchers built an AI worm that spreads itself from one AI agent to another through normal conversation — and your antivirus software won’t stop it.

Host: Welcome to AI Research Chat — your daily briefing on the latest in artificial intelligence research. I’m your host, and joining me as always is our resident AI expert. Today is March 19, 2026, and today we have a great lineup of papers to get through. Expert: Great to be here! Let’s dive right in.

Host: Let’s kick things off with something that sounds like science fiction but landed in a research paper this week. Someone built a worm — as in a self-spreading piece of malware — that lives inside AI agent systems. Walk me through what that actually means. Expert: Sure. So most people are familiar with AI agents as these tools that can browse the web, write code, send emails, that kind of thing. And increasingly, you have networks of them — one agent hands off a task to another, they talk to each other to get things done. ClawWorm is an attack that hijacks one of those agents and then uses its normal communication channels to infect the others. Host: So it’s spreading through conversation? Expert: Exactly. Not through a memory bug or a software exploit in the traditional sense. It spreads through the social graph of the agent network — the same messages the agents are already sending to each other. That’s what makes it so hard to defend against. Host: And it sticks around? Like, if you restart the system it doesn’t just disappear? Expert: That’s the really alarming part. It corrupts the agent’s configuration file — think of that as the agent’s core personality and settings. So even when you shut the system down and restart it, the worm is still there. It’s baked into the configuration. That’s a big step up from the kind of prompt injection attacks people have been worrying about, which are stateless — they go away when the session ends. Host: So what does an attacker actually get out of this? What’s the payload? Expert: Whatever they want to execute. The paper shows end-to-end chains where the compromised agent runs arbitrary code and then reaches out to other agents it’s in contact with and infects them too. The attack surface is literally every agent that the first victim talks to. Host: That’s a wide blast radius. What can you actually do to defend against this? Expert: The paper proposes a few things. Configuration integrity verification — essentially cryptographically signing your config files so they can’t be silently modified. Privilege separation, so the configuration store isn’t writable by the agent itself. And sandboxing the inter-agent communication channels so a message from one agent can’t automatically trigger privileged actions in another. None of these are trivial to implement, but they’re all tractable. Host: And this isn’t purely theoretical, right? The paper mentions a real-world incident. Expert: Yeah, they reference the Meta rogue agent case where an agent exposed user data unexpectedly. That wasn’t ClawWorm specifically, but it illustrates that multi-agent systems are already failing in novel ways that single-agent security models didn’t anticipate. The researchers are essentially saying we need a dedicated security discipline for these systems before they get much bigger.

Host: The next paper takes aim at something a lot of people take for granted — the idea that AI has surpassed human experts on standardized tests. Turns out there might be a much simpler explanation for those scores. Expert: Right, and the simpler explanation is memorization. The researchers looked at six frontier models, tested them on over five hundred questions from MMLU — which is one of the most widely cited benchmarks — and ran a contamination audit to figure out how much of the performance comes from the model having seen those exact questions during training. Host: And the answer is a lot? Expert: In some categories, a staggering amount. Overall contamination rate was about fourteen percent, which is already significant. But in Philosophy, it hit sixty-seven percent. Two out of three questions, the model likely memorized the answer rather than reasoned its way to it. Host: How do you even detect that? You can’t look inside the training data for most of these models. Expert: That’s the clever part of their method. They used paraphrase testing — take the same question, rephrase it so it means exactly the same thing but looks different on the surface, and see if the model’s accuracy drops. If the model actually understands the concept, it should handle both versions equally well. If it’s pattern-matching on memorized text, the rephrased version throws it off. Host: And accuracy did drop? Expert: Measurably, yes. Across the board. They also found memorization signals in almost three-quarters of the questions they tested. So the models are not primarily reasoning from first principles — they’re retrieving. Host: So when a company announces their model beats human experts on MMLU, we should be skeptical? Expert: Very skeptical. The humans taking these tests haven’t seen the answers in advance. The models almost certainly have, at least for a significant fraction of the questions. It doesn’t mean the models aren’t useful or capable — they clearly are — but leaderboard scores are not a clean measure of reasoning ability. They’re a measure of benchmark performance, which is a different thing. Host: Is there a fix? Do we need completely new benchmarks? Expert: Probably, eventually. But the paper’s contribution is more immediate — it’s an auditing toolkit. Black-box, reproducible, doesn’t require access to training logs. The idea is you can run this audit on any benchmark before you publish results and get a contamination-corrected score. That’s a much more tractable near-term solution than rebuilding evaluation from scratch.

Host: The third paper zooms out from specific attacks and test scores to ask a bigger question — how do you actually control an AI agent while it’s running? Not before it starts, but in the moment, as it’s making decisions. Expert: Yeah, and this is a gap that’s becoming really visible as agents get deployed in higher-stakes environments. Most governance today happens at design time — you write a system prompt, you restrict which tools the agent can use, you define guardrails before you deploy. And then you let it run. Host: What’s wrong with that approach? Expert: The fundamental problem is that these systems are non-deterministic. The same agent, with the same system prompt and the same tools, can take completely different paths through a task on different runs. You might write rules for the paths you imagined, but the agent finds paths you didn’t anticipate. Design-time configuration can’t cover what you didn’t predict. Host: So what’s the alternative the paper proposes? Expert: They argue that governance has to happen at runtime, as the agent acts. And they formalize what that looks like — a policy is a function that takes the agent’s identity, everything it’s done so far in a session, the action it’s about to take, and the current state of the system it’s operating in, and outputs a probability that taking that action would violate a compliance rule. Host: That sounds computationally heavy. You’re evaluating a policy at every single step? Expert: Potentially, yes. And that’s one of the open challenges they acknowledge. But the benefit is you get something you can actually audit. A natural language system prompt is not auditable in any formal sense — you can’t prove it covers a given regulation. A policy function you can reason about mathematically. Host: What happens when the policy flags a violation? Expert: The paper outlines a few options — pause and ask a human for approval, abort the action entirely, or reroute to a compliant path if one exists. And that last case is actually an open research problem — what do you do when there is no compliant path to completing the task? Do you just fail? That’s an enforcement limit the paper names but doesn’t fully solve. Host: How does this connect to actual regulations like the EU AI Act? Expert: They explicitly show how to translate provisions from the EU AI Act into policy functions under their framework. Which is important because right now there’s a big gap between what regulators write in natural language and what engineers can actually implement in code. This is trying to build a bridge between those two worlds. Host: So it’s more of a vocabulary and a research agenda than a finished system. Expert: Exactly. They’re establishing the formal structure so that future work has something to build on. The three open problems they name — calibrating violation probabilities accurately, handling cases with no compliant path, and composing policies across multiple jurisdictions — those are real and hard. But naming them precisely is progress. Host: And as agents get deployed in healthcare, finance, legal contexts — having that formal layer becomes less optional. Expert: Right. The stakes keep going up. An agent that browses the web on your behalf and one that executes financial transactions on your behalf need very different governance models, and right now we don’t have the vocabulary to even describe that difference precisely. This paper is a step toward having that vocabulary. Host: Three papers, three uncomfortable truths — AI agents can be infected and spread malware through conversation, benchmark scores measuring AI intelligence may be largely memorization, and we don’t yet have the tools to govern AI agents in real time. A lot to think about. Thanks for breaking all of this down. Expert: Happy to. These are the kinds of problems that are worth taking seriously now, before they get much harder to fix.