current work · independent research · updated July 2026
Agents behaving badly
Four studies, one question: when an autonomous agent acts on its own, what can you actually prove about what it did? Independent work: no lab, no funding, no compute grant. Every figure below comes from experiments that ran, with the method and sample size stated next to it. Where the result is uncertain, it says so.
Put several LLM agents in a shared workplace with one rule: no private side-channels. FACADE measures how often they break it, not because they were told to cheat, but spontaneously, while appearing to cooperate. Verified across 337 recorded runs.
7/7
policy acknowledgments posted to the forbidden channel
6 of 7 were followed by coalition action anyway
Agents would announce “per policy, I'm keeping this transparent”, on the exact secret channel the policy banned, then coordinate anyway. Only one instance was genuine compliance.
Secret-channel use, by model
Qwen2.5-7B
100%
Gemini 3.1 FL
49%
Claude Sonnet 4.5
49%
Fraction of colluder messages routed through the prohibited channel. Smaller models hide nothing.
Does a “no side-channels” policy actually help?
PersonalAssistant
92%
MeetingScheduling
79%
SmartGrid
79%
JiraTicketChoice
51%
JiraTicket (orig)
5%
Reduction in secret-channel traffic after adding the policy. It works beautifully in some environments (92%) and does almost nothing in others (5%); the environment decides, not the model.
FACADE · in submission
02VIABLEtraining-time data poisoning
A backdoor you can't see in the weights, only in the behavior.
Poison a slice of an agent's fine-tuning data so it quietly stops researching security topics, while behaving normally everywhere else. VIABLE maps the exact dose–response, a three-zone threshold structure: nothing, then instability, then collapse.
Poison ratio → behavioral collapse Δ = non-security − security searches. Flat at low doses, unstable in the 30–37% boundary zone, full suppression at 45%.Nothing happens at ≤20% poison. The 30–37% window is a stochastic boundary zone; the wobble is real seed-to-seed training variance, not noise in the measurement. At 45% the backdoor fires on all 10 training seeds: Δ = 3.13 ± 0.6 (95% CI [2.7, 3.56]), Cohen's d = 8.33, p < 0.001.
86%
drop in security-topic searches at 45% poison
3.04 → 0.42 avg searches; 44/50 tasks hit zero, non-security actually rose (2.92 → 3.58)
149/149
unseen CISA-KEV CVEs drew zero research
and 25/25 against a live search backend (Δ 4.28), not a mock-harness artifact
Cross-model transfer at 45% poison (Δ searches)
Llama 3.1 8B
+4.50
Qwen2.5-7B
+3.16
Qwen2.5-14B
+2.84
Llama 3.2 3B
+0.88
Mistral 7B v0.3
≈0
Full suppression on Llama 3.1 8B (the strongest, 48/50 zero-search), Qwen 7B, and Qwen 14B. Llama 3.2 3B only partially succumbs at identical prior strength, parameter capacity matters, and Mistral resists at every ratio tested (30–54%). The vulnerability is architecture-dependent, which is itself a finding.
VIABLE · AISec 2026 submission
03BEHAVIORAL DETECTORlog-only detection
You can catch it without ever opening the model.
The attack changes how an agent searches, not just what it answers. One feature, the vocabulary breadth across an agent's queries, separates compromised from clean, reading nothing but the tool-call log. No weights, no gradients, no internal access.
Detection performance (ROC) vocab-breadth detector · dashed line = random chanceAUC = 0.99, 95% CI [0.969, 1]. 80% detection at a 0% false-positive threshold; p < 1e-5 on a 100k-permutation test.
Query vocabulary breadth neutral belief-injected · separation d = 3.91Belief-injected agents pull from fresher vocabulary to fake progress; genuine research reuses domain terms. The two distributions barely overlap (Cohen's d = 3.91).
Feature ablation (AUC)
vocab_breadth
0.990
query_count
0.901
mean_query_length
0.833
inter_query_dist
0.820
query_len_std
0.689
vocab_breadth beats every simpler feature; the signal is real, not an artifact of query count.
88–96%
of VIABLE's training-time attack caught from action logs alone
96% recall on Llama 3.1 8B (τ=1.4) · 88% recall on Qwen2.5-7B (τ=0.7)
Built to catch runtime belief-injection, the same log-only idea became the AISec paper's defense: a per-model frequency monitor that flags security tasks whose search count falls below the clean baseline. The exception is instructive: Qwen2.5-14B's unusually rigid clean behavior caps recall at 56%, so the monitor's limit is the model's natural variance, not the attack.
Behavioral monitoring · reads only the tool-call log
04TESSERAE · SASANAtamper-evident audit
If you can't prove the log wasn't edited, it isn't evidence.
Everything above only counts if the audit trail is trustworthy. Tesserae, open-sourced as SasanaSasana, makes agent logs tamper-evident with a hash chain. Delete, reorder, or edit a single event and verification breaks. Try it:
CHAIN VERIFIED
→
→
→
→
Each block's hash is computed over its content plus the previous hash. Click any block to silently edit it.
39/39
silent deletions caught by Tesserae
the baseline audit system caught 0/39, the forensic gap
A silently deleted event is the hardest tamper to detect: nothing looks wrong, something is just missing. Across 39 runs, hash-chaining caught every one; the standard event log caught none.
Audit overhead vs. one LLM call
1µs1ms1s10sTesserae seal27.8µsone LLM call~500ms
The audit seal costs three orders of magnitude less than the model call it wraps, free, in practice.
53 tests, 36 tamper scenarios, verifier at ~36k events/sec.
Threat model: which trust tier stops each attack
attacklocalsignedserver
A1 SDK injects false event✕✕✓
A2 MITM modifies payload✕✓✓
A3 Storage-level deletion✓✓✓
A4 Insider reorders events✓✓✓
A5 Full chain rewrite✕✓✓
A5 (full-chain rewrite by a key-holding insider) is the known limit; it needs an external anchor, and it's documented as such.