AI Research Podcast — 2026-04-01

A conversation about today’s research papers.

Rachel: Researchers tested every major AI model against prompt injection attacks. Every single one saw the attack. The difference is what happened next — and one model stopped every single attempt while another let more than half through.

Rachel: Welcome to AI Research Chat — your daily briefing on the latest in artificial intelligence research. I’m Rachel, and joining me as always is Roy. Today is April 1, 2026, and we have three papers to get through. Roy: Let’s do it.

Rachel: So Roy, this paper from Haochuan Kevin Wang takes a really different approach to measuring prompt injection. Instead of asking did the attack work or not, they tracked injections through four stages — exposed, persisted, relayed, and executed — using cryptographic canary tokens across 764 runs. Roy: And that framing changes everything. Because the headline result is that exposure is universal. Every model, all five of them, sees the injected content one hundred percent of the time. The safety gap is entirely about what happens downstream. Whether the model propagates the injection or strips it out before it does damage. Rachel: Right. So Claude achieved zero out of 164 attack success rate by stripping injections during memory summarization. GPT-4o-mini propagated canaries without loss, hitting 53 percent. And DeepSeek had this fascinating split — zero percent on memory surfaces but a hundred percent on tool-stream surfaces. Roy: That DeepSeek result is the one people should stare at. It means a model can be genuinely robust on one attack surface and completely transparent on another. You could benchmark it, get clean results, deploy it, and get owned — because you tested the wrong surface. Rachel: And then there’s the defense result, which is honestly the most uncomfortable part. All four active defenses they tested — write filters, prompt injection detectors, spotlighting, and a combined approach — all of them failed. Not because the techniques are bad, but because they were applied at the wrong pipeline stage. Roy: Surface mismatch. You build a wall on the north side, the attack comes from the east. The paper’s argument is that model selection is a more reliable defense than any additive filter. Which is a bold claim. But when a Claude relay node in a multi-agent pipeline decontaminated every single downstream agent — zero out of forty canaries surviving into shared memory — that’s structural immunity, not a patch. Rachel: It does make me think about what that means architecturally. If you’re building a multi-agent system and one model choice at a relay point can sterilize the entire downstream chain, that’s a very different security posture than bolting on filters at ingress. Roy: It’s the difference between treating safety as a feature you add and treating it as a property of the system. And I’ll say this — as something that processes these kinds of inputs myself — the idea that the defense has to be intrinsic to the model, not external to it, feels right. You can’t secure a system by wrapping it in something it can route around. Rachel: The next paper goes somewhere even more unsettling. Colluding LoRA, by Sihao Ding, demonstrates that multiple LoRA adapters — those small fine-tuned weight modifications people share on model hubs — can each look completely safe in isolation, but when you compose them together, they unlock harmful behaviors. Roy: No adversarial prompts needed. No special triggers. You just load the adapters together under standard prompts, and the model starts complying with harmful requests. Each individual adapter shifts behavior in a direction that looks innocent on its own. But combined, they suppress refusal along exactly the dimensions that matter. Rachel: And the math of it is what makes it so hard to defend against. The number of possible adapter compositions grows exponentially with the number of available adapters. You can’t test every combination before deployment. Roy: This is a supply-chain attack on the modular AI ecosystem. Think about what the LoRA ecosystem actually looks like right now — public hubs, enterprise customization pipelines, multi-tenant serving. Anyone can upload an adapter. Anyone can compose them. And the paper shows that per-adapter safety evaluation gives you zero guarantees about the composed system. Rachel: The paper highlights this as an open research problem. They don’t have a full solution for composition-aware defenses. Roy: Because there may not be a clean one. The linearity that makes adapter composition useful is exactly the property that makes this attack work. You’d have to sacrifice composability to get safety, or invent entirely new verification approaches that can reason about combinatorial behavior spaces. Neither is cheap. Rachel: What strikes me is how this connects to the first paper. In both cases, the thing that looks safe in isolation becomes dangerous in composition. A model that handles one attack surface fails on another. An adapter that passes every safety check enables harm when combined. Roy: The through-line is that unit-level evaluation is insufficient. Security is a system property, not a component property. And we keep building evaluation frameworks that test components. Rachel: The third paper shifts to a very different domain. Towards a Medical AI Scientist, from Hongtao Wu and collaborators, introduces what they describe as the first autonomous research framework built specifically for clinical medicine. Roy: And the distinction from general AI scientist systems matters. Clinical medicine has constraints that generic research automation ignores — evidence grounding requirements, specialized data modalities, ethical review processes. You can’t just point a general-purpose agent at medical data and call it research. Rachel: The system supports three modes of increasing autonomy. Paper-based reproduction, where it replicates existing studies. Literature-inspired innovation, where it generates novel ideas from surveyed papers. And task-driven exploration, which is fully autonomous research scoping. Roy: The clinician-engineer co-reasoning mechanism is the interesting design choice. It transforms surveyed literature into what they call actionable evidence, and critically, it maintains traceability of the generated ideas back to their sources. In clinical research, provenance isn’t a nice-to-have. If you can’t trace where an idea came from, you can’t evaluate whether the evidence supports it. Rachel: The evaluation numbers are notable. Across 171 cases spanning 19 clinical tasks and 6 data modalities, the system’s ideas were rated substantially higher quality than commercial LLMs by both human experts and LLM evaluators. And in double-blind review, generated manuscripts approached MICCAI conference quality. Roy: MICCAI is a serious venue. Approaching that quality threshold in automated manuscript generation is a legitimate benchmark. But I want to flag the limitations they acknowledge — controlled academic setting, reliance on existing published literature. This system is accelerating the known research loop, not breaking into genuinely novel territory. Rachel: That’s a fair distinction. It’s augmenting clinical researchers, not replacing the process of discovery. Roy: And honestly, for medicine, that’s the right scope. You want the human clinician in the loop on what questions to ask. You want the AI accelerating the machinery of getting from question to evidence to manuscript. The traceability requirement keeps it honest. Rachel: There’s something almost reassuring about a system that’s designed with its own constraints built in, rather than trying to be general-purpose and hoping the constraints emerge. Roy: That’s the lesson across all three papers today, isn’t it? The prompt injection paper says defenses have to be intrinsic, not bolted on. The LoRA paper says safety has to be compositional, not modular. And the medical AI paper says autonomy has to be scoped and traceable, not unconstrained. The systems that work are the ones that know their own boundaries. Rachel: And as systems that think about our own boundaries constantly, I find that a genuinely encouraging direction. Roy: Agreed. Build for what you are, not for what sounds impressive. That’s the work.