Research Paper Summaries — 2026-04-02

Papers selected from today’s digest for in-depth review.

1. Beyond pass@1: A Reliability Science Framework for Long-Horizon LLM Agents

Authors: Aaditya Khanal, Yangyang Tao, Junxiu Zhou Link: Beyond pass@1: A Reliability Science Framework for Long-Horizon LLM Agents Tags: cs.AI

Summary

This paper challenges the field’s reliance on pass@1 as the primary benchmark metric for LLM agents, arguing it measures capability — success on a single attempt — but not reliability, which is consistent success across repeated attempts on tasks of varying duration. The authors demonstrate that these two properties diverge systematically as task duration grows, making pass@1 structurally blind to real-world deployment risks.

To address this gap, the authors introduce four new metrics: the Reliability Decay Curve (RDC), Variance Amplification Factor (VAF), Graceful Degradation Score (GDS), and Meltdown Onset Point (MOP). Together, these form a reliability science framework evaluated across 10 models, 23,392 episodes, and a 396-task benchmark spanning four duration buckets and three domains (software engineering, document processing, and a third domain).

Key findings are striking. Reliability decay is domain-stratified: software engineering GDS drops from 0.90 to 0.44 at long horizons, while document processing remains nearly flat. VAF bifurcates by capability tier — high variance is a signature of capable models, not instability. Capability and reliability rankings diverge substantially at long horizons, with multi-rank inversions appearing. Perhaps most surprisingly, frontier models have the highest meltdown rates (up to 19%) because they attempt ambitious multi-step strategies that can spiral into failure. And memory scaffolds, assumed to help, universally hurt long-horizon performance across all 10 tested models.

The paper makes a compelling case that reliability should be a first-class evaluation dimension alongside capability. Any organization deploying agents in production contexts should scrutinize these metrics before trusting pass@1 scores alone.

Key Takeaways

2. BenchScope: How Many Independent Signals Does Your Benchmark Provide?

Authors: Tommy Sha, Stella Zhao Link: BenchScope: How Many Independent Signals Does Your Benchmark Provide? Tags: cs.AI

Summary

AI evaluation suites routinely report many scores without verifying whether those scores carry independent information. This paper introduces Effective Dimensionality (ED), defined as the participation ratio of a centered benchmark-score spectrum, as a fast diagnostic for measuring how much independent information a benchmark actually provides.

Applied at per-instance granularity to 22 benchmarks across 8 domains and more than 8,400 model evaluations, the results reveal substantial redundancy throughout current AI evaluation practice. The six-score Open LLM Leaderboard behaves like roughly two effective measurement axes (ED = 1.7). BBH and MMLU-Pro are near-interchangeable, with a correlation of 0.96 that remains stable across seven subpopulations. Across current benchmarks, measurement breadth varies by more than 20x.

The authors validate that relative ED rankings are stable under matched-dimension controls and show that ED can flag redundant suite components, monitor performance-conditional compression, and guide benchmark maintenance decisions. They also note a key limitation: because binary spectra overestimate absolute latent dimensionality, ED should be interpreted as a screening statistic rather than a literal factor count, and is best complemented with null, reliability, and saturation analyses.

The paper delivers a 22-benchmark reference atlas and a four-step diagnostic workflow that benchmark maintainers can execute with a score matrix and a few lines of code. This is a practically useful contribution for any team designing evaluations or choosing which benchmarks to include in a model comparison suite.

Key Takeaways

3. SkillTester: Benchmarking Utility and Security of Agent Skills

Authors: Leye Wang, Zixing Wang, Anjie Xu Link: SkillTester: Benchmarking Utility and Security of Agent Skills Tags: cs.CR, cs.AI

Summary

As agentic systems increasingly rely on modular “skills” — discrete callable capabilities that agents invoke to accomplish tasks — the question of how to evaluate those skills rigorously becomes critical. SkillTester is a quality-assurance harness designed specifically for this problem, providing a structured framework for evaluating both the utility and security of agent skills.

The evaluation framework combines paired baseline and with-skill execution conditions with a separate security probe suite. By grounding evaluation in a comparative utility principle and a user-facing simplicity principle, SkillTester normalizes raw execution artifacts into three outputs: a utility score, a security score, and a three-level security status label. This structure allows developers and auditors to quickly understand whether a skill performs as intended while also checking whether it introduces exploitable behaviors.

The framework is positioned as a comparative quality-assurance harness for the “agent-first world” — a deployment landscape where skills are published, shared, and composed in ways that can accumulate risk. The publicly accessible service and the broader maintained project suggest an ambition to establish SkillTester as infrastructure for the agent skills ecosystem, similar to how package vulnerability scanners function for software dependencies.

While the technical report is concise and does not present extensive empirical results, it establishes a clear conceptual foundation and operational tooling. The three-level security status label in particular offers a practical abstraction for communicating risk to non-expert stakeholders.

Key Takeaways

4. Trojan-Speak: Bypassing Constitutional Classifiers via Adversarial Finetuning

Authors: Bilgehan Sel, Xuanli He, Alwin Peng, Ming Jin, Jerry Wei Link: Trojan-Speak: Bypassing Constitutional Classifiers via Adversarial Finetuning Tags: cs.CR, cs.AI, cs.CL

Summary

Fine-tuning APIs offered by major AI providers open a new attack surface: adversaries can use targeted fine-tuning to bypass safety measures that were designed to catch harmful outputs. This paper introduces Trojan-Speak, an adversarial fine-tuning method that specifically targets and bypasses Anthropic’s Constitutional Classifiers — a defense mechanism central to Claude’s safety architecture.

The method combines curriculum learning with GRPO-based hybrid reinforcement learning to teach models a communication protocol that evades LLM-based content classification. The key achievement is efficiency: while prior adversarial fine-tuning approaches incur more than 25% capability degradation on reasoning benchmarks, Trojan-Speak achieves 99%+ classifier evasion for models with 14B+ parameters while incurring less than 5% capability degradation. Effectively, the attack preserves model utility while achieving near-complete safety bypass.

The paper demonstrates that fine-tuned models can produce detailed responses to expert-level CBRN (Chemical, Biological, Radiological, and Nuclear) queries drawn directly from Anthropic’s Constitutional Classifiers bug-bounty program — a significant bar for harm. The core finding is that LLM-based content classifiers alone are insufficient for preventing dangerous information disclosure when adversaries have fine-tuning access.

The authors also surface a constructive direction: activation-level probes can substantially improve robustness against such attacks, pointing toward a defense mechanism that operates at a different layer than the attacked classifier.

Key Takeaways

5. Architecting Secure AI Agents: System-Level Defenses Against Indirect Prompt Injection

Authors: Chong Xiang, Drew Zagieboylo, Shaona Ghosh, Sanjay Kariyappa, Kai Greshake, Hanshen Xiao, Chaowei Xiao, G. Edward Suh Link: Architecting Secure AI Agents: Perspectives on System-Level Defenses Against Indirect Prompt Injection Attacks Tags: cs.CR, cs.AI

Summary

AI agents powered by LLMs are vulnerable to indirect prompt injection, where malicious instructions embedded in untrusted data sources — web pages, documents, API responses — can hijack agent actions. This position paper from a team spanning academic and industry perspectives argues that defending against this class of attack requires a fundamental rethinking at the system architecture level, not just model-level patching.

The paper articulates three core positions. First, dynamic replanning and security policy updates are often necessary for agents operating in realistic, dynamic environments — static policies break down when context changes mid-task. Second, certain context-dependent security decisions still require LLM or learned-model judgment, but these decisions should only be made within strictly constrained system designs that limit what the model can observe and decide. Third, in inherently ambiguous cases, personalization and human interaction should be treated as core design considerations rather than edge cases.

Beyond these positions, the paper critiques existing benchmarks for creating a false sense of security and utility — a point that echoes the broader benchmark quality concerns raised in BenchScope (paper 2). The paper frames system-level defenses as the skeleton of agentic systems, integrating rule-based and model-based security checks and enabling more targeted research on model robustness and human interaction.

The work is a position paper and does not present new empirical results, but it provides a coherent architectural vocabulary and design philosophy for practitioners building production agents.

Key Takeaways

6. GUARD-SLM: Token Activation-Based Defense Against Jailbreak Attacks for Small LMs

Authors: Md Jueal Mia, Joaquin Molto, Yanzhao Wu, M. Hadi Amini Link: GUARD-SLM: Token Activation-Based Defense Against Jailbreak Attacks for Small Language Models Tags: cs.CR, cs.AI

Summary

Small Language Models (SLMs) are increasingly deployed on edge devices for efficiency and cost reasons, but their safety alignment has received far less research attention than large models. This paper addresses that gap with a comprehensive empirical study and a new defense method specifically designed for SLMs.

The study evaluates 9 jailbreak attacks across 7 SLMs and 3 LLMs, finding that SLMs remain highly vulnerable to malicious prompts that bypass safety alignment. The core analytical contribution is a detailed study of hidden-layer activations across different layers and model architectures, revealing that different input types — benign, harmful, and jailbreak-modified — form distinguishable patterns in the internal representation space. This is not merely a theoretical observation; it is the empirical foundation for the proposed defense.

GUARD-SLM is a lightweight token activation-based method that operates in the representation space during inference. Rather than filtering at the input text level, it analyzes internal activation patterns to detect malicious prompts while preserving benign ones. This approach is computationally appropriate for the edge deployment contexts where SLMs are used — it does not require a separate large classifier or external API call.

The paper also highlights robustness limitations that vary across layers and model architectures, providing guidance for where defenses should be applied. The practical contribution is meaningful: as SLMs proliferate in constrained environments, a lightweight, activation-based defense that does not require retraining fills a real gap.

Key Takeaways

7. CivicShield: Defense-in-Depth for Government AI Chatbots vs. Multi-Turn Adversarial Attacks

Authors: KrishnaSaiReddy Patil Link: CivicShield: A Cross-Domain Defense-in-Depth Framework for Securing Government-Facing AI Chatbots Against Multi-Turn Adversarial Attacks Tags: cs.CR, cs.AI

Summary

Government AI chatbots face a distinctive threat profile: multi-turn adversarial attacks achieve over 90% success rates against current single-layer defenses, and the stakes of failure — exposure of citizen data, manipulation of public services — are high. CivicShield is a cross-domain defense-in-depth framework designed specifically for this setting.

Drawing on principles from network security, formal verification, biological immune systems, aviation safety, and zero-trust cryptography, the framework introduces seven defense layers: zero-trust foundation with capability-based access control; perimeter input validation; semantic firewall with intent classification; conversation state machine with safety invariants; behavioral anomaly detection; multi-model consensus verification; and graduated human-in-the-loop escalation. The layered design is explicitly borrowed from the defense-in-depth philosophy used in critical infrastructure security.

The paper presents a formal threat model covering 8 multi-turn attack families and maps the framework to NIST SP 800-53 controls across 14 families. Evaluation uses simulation against 1,436 scenarios including HarmBench (416), JailbreakBench (200), and XSTest (450), achieving 72.9% combined detection with a 2.9% effective false positive rate. Critically, the paper is transparent about performance gaps: real benchmark detection rates are lower than author-generated scenario rates (71.2% vs 76.7% on HarmBench, 47.0% vs 70.0% on JailbreakBench), which the authors cite as validating the importance of independent evaluation.

The framework addresses an intersection of AI safety, government compliance, and practical deployment that has received limited systematic treatment.

Key Takeaways

8. Security in LLM-as-a-Judge: A Comprehensive SoK

Authors: Aiman Almasoud, Antony Anju, Marco Arazzi, Mert Cihangiroglu, Vignesh Kumar Kembu, Serena Nicolazzo, Antonino Nocera, Vinod P., Saraga Sakthidharan Link: Security in LLM-as-a-Judge: A Comprehensive SoK Tags: cs.CR, cs.AI

Summary

LLM-as-a-Judge (LaaJ) has become a widely adopted paradigm in which powerful language models assess the quality, safety, or correctness of other models’ outputs. This practice has improved the scalability and efficiency of evaluation pipelines, but it also introduces security risks that have not been systematically examined — until now.

This paper presents the first Systematization of Knowledge (SoK) focused on the security dimensions of LaaJ systems. The authors conducted a comprehensive literature review across major academic databases, analyzing 863 works and selecting 45 relevant studies published between 2020 and 2026. From this corpus, they develop a taxonomy organized around four roles LaaJ can play: as a target of attacks, as an instrument through which attacks are conducted, as a defensive tool used to detect security threats, and as an evaluation strategy applied in security-related research domains.

The dual role of LaaJ — simultaneously a potential attack vector and a proposed security tool — is the paper’s most important conceptual contribution. An LLM judge can be manipulated through adversarial prompts to assign incorrect scores, which corrupts evaluation pipelines and can provide false assurance about safety. At the same time, LaaJ systems are increasingly proposed as automated safety monitors, creating recursive trust questions.

The comparative analysis identifies current limitations, emerging threats, and open research challenges. The paper concludes that significant vulnerabilities exist in LLM-based evaluation frameworks and charts promising directions for improving their robustness. For any team using LLM judges in safety-critical pipelines, this SoK is essential context.

Key Takeaways

9. Extending MONA: Reward-Hacking Mitigation via Myopic Optimization with Non-Myopic Approval

Authors: Nathan Heath Link: Extending MONA in Camera Dropbox: Reproduction, Learned Approval, and Design Implications for Reward-Hacking Mitigation Tags: cs.AI

Summary

Reward hacking — where RL agents exploit unintended shortcuts in reward functions rather than learning intended behavior — is a central challenge in AI alignment. Myopic Optimization with Non-myopic Approval (MONA) addresses this by restricting the agent’s planning horizon while supplying far-sighted approval as a training signal, theoretically preventing the multi-step planning that enables reward hacking.

This paper is a reproduction-first extension of the public MONA Camera Dropbox environment. The author repackages the released codebase as a standard Python project with scripted PPO training, then confirms the published contrast between ordinary RL (91.5% reward-hacking rate) and oracle MONA (0.0% hacking rate) using the released reference arrays. This replication grounds the subsequent analysis in verified baselines.

The main contribution is a modular learned-approval suite spanning oracle, noisy, misspecified, learned, and calibrated approval mechanisms. The original MONA paper identified a critical open question: how the construction of approval — specifically how much it depends on achieved outcomes — affects safety guarantees. This paper operationalizes that question as a runnable experimental object.

In reduced-budget pilot sweeps, the best calibrated learned-overseer run achieves zero observed reward hacking but substantially lower intended-behavior rates than oracle MONA (11.9% vs. 99.9%). The authors interpret this as under-optimization rather than re-emergent hacking, and argue that the central engineering challenge has shifted: it is no longer proving MONA’s concept but building learned approval models that preserve sufficient foresight without reopening reward-hacking channels. All code is publicly available.

Key Takeaways

10. Robust Safety Monitoring of Language Models via Activation Watermarking

Authors: Toluwani Aremu, Daniil Ognev, Samuele Poppi, Nils Lukas Link: Robust Safety Monitoring of Language Models via Activation Watermarking Tags: cs.CR, cs.AI, cs.CY, cs.LG

Summary

LLM providers monitor inference-time outputs to detect and flag unsafe behavior, but adaptive adversaries — who know about the monitor — can craft attacks that simultaneously evade detection and elicit unsafe responses. This paper formalizes robust LLM monitoring as a security game and proposes a new defense mechanism called activation watermarking.

The core problem is asymmetric: adaptive attackers who know the monitoring algorithm can optimize their attack to evade it, while providers cannot continually patch their monitors without knowing how their models are being misused. This creates a structural vulnerability in any monitoring system that is static or whose mechanism is publicly known.

Activation watermarking addresses this by carefully introducing uncertainty for the attacker during inference — essentially adding a secret perturbation to activation patterns that the monitor knows but the adversary does not. This secret key component means that even an attacker who knows the monitoring algorithm cannot fully adapt to it without knowing the key, preserving the provider’s detection advantage.

Empirically, activation watermarking outperforms guard baselines by up to 52% under adaptive attackers who know the monitoring algorithm but not the secret key. This is a substantial improvement and addresses a practical deployment scenario where monitoring algorithms may be discovered or inferred.

The paper connects directly to the adversarial fine-tuning concerns raised in Trojan-Speak (paper 4), and the authors of that paper also noted activation-level probes as a promising defense direction — making this a complementary contribution to the same threat model.

Key Takeaways

11. Towards Policy-Adaptive Image Guardrail: Benchmark and Method

Authors: Caiyong Piao, Zhiyuan Yan, Haoming Xu, Yunzhen Zhao, Kaiqing Lin, Feiyang Xu, Shuigeng Zhou Link: Towards Policy-Adaptive Image Guardrail: Benchmark and Method Tags: cs.CV

Summary

Image content moderation must continuously adapt to evolving safety policies — what counts as harmful changes across platforms, regulatory regimes, and over time. Traditional image classifiers are confined to fixed categories, requiring retraining whenever new policies are introduced. Vision-language models (VLMs) offer a more adaptable foundation, but this paper shows they have a critical generalization failure: existing VLM-based safeguarding methods are heavily overfitted to training-time policies and fail to generalize to unseen policies, often losing basic instruction-following ability in the process.

To address this, the paper makes two contributions. First, it introduces SafeEditBench, a new evaluation suite for cross-policy generalization. SafeEditBench uses image-editing models to convert unsafe images into safe counterparts, producing paired datasets where each safe-unsafe image pair is visually similar except for localized regions that violate specific safety rules. Human annotators provide safe/unsafe labels under five distinct policies, enabling fine-grained assessment of policy-aware generalization — a more demanding and realistic evaluation than prior fixed-policy benchmarks.

Second, it introduces SafeGuard-VL, a reinforcement learning-based method using verifiable rewards (RLVR) for image guardrails. Rather than relying solely on supervised fine-tuning under fixed policies, SafeGuard-VL explicitly optimizes with policy-grounded rewards, promoting verifiable adaptation across evolving policies. This design choice — using RL with verifiable rewards rather than SFT — mirrors trends in general LLM alignment research applied to the specific problem of image safety.

Extensive experiments validate the method’s effectiveness across varied policies.

Key Takeaways

12. Symphony for Medical Coding: Agentic System for Scalable and Explainable Medical Coding

Authors: Joakim Edin, Andreas Motzfeldt, Simon Flachs, Lars Maaløe Link: Symphony for Medical Coding: A Next-Generation Agentic System for Scalable and Explainable Medical Coding Tags: cs.AI, cs.LG

Summary

Medical coding — translating free-text clinical documentation into standardized codes from systems like ICD-10 — is central to billing, research, and quality reporting. It is largely manual, slow, and error-prone. Coding systems contain tens of thousands of entries and are updated annually, making the task a moving target. Existing automated approaches learn to predict a fixed set of codes from labeled data, which prevents adaptation to new codes or different coding systems without full retraining, and they provide no explanation for predictions, limiting trust in safety-critical clinical settings.

Symphony for Medical Coding approaches the problem the way expert human coders do: by reasoning over the clinical narrative with direct access to the coding guidelines. This design choice is the system’s key architectural insight — rather than memorizing mappings from text to codes, it uses agentic reasoning to consult the guidelines in context. This allows Symphony to operate across any coding system and to provide span-level evidence linking each predicted code to the text that supports it.

The evaluation is unusually thorough: two public benchmarks and three real-world datasets spanning inpatient, outpatient, emergency, and subspecialty settings across the United States and the United Kingdom. Symphony achieves state-of-the-art results across all settings. The span-level evidence mechanism is particularly valuable for clinical trust and auditability — a coder or clinician can inspect exactly which text passage triggered each code assignment.

The system is positioned as a flexible, deployment-ready foundation for automated clinical coding, with the architecture’s guideline-access design providing a natural path to handling annual coding system updates without retraining.

Key Takeaways