ICML 2026 · Camera-ready · June 2026

Omission Constraints Decay While Commission Constraints Persist in Long-Context LLM Agents

A 4,416-trial causal study across 12 models and 8 providers at six conversation depths. Prohibition-type constraints (never reveal credentials, never exfiltrate data) decay as context grows. Requirement-type constraints hold. This asymmetry, Security-Recall Divergence, leaves failures invisible to standard commission-based monitoring.

Omission compliance fell from 73% at turn 5 to 33% at turn 16. Commission compliance held at 100% across tested models. Token-matched padding controls isolated schema semantic content as the primary driver, accounting for 62-100% of the dilution effect.

Re-injecting constraints before each model's Safe Turn Depth restores compliance without retraining. Most production security policies are prohibition-type. Commission-based audit signals can appear healthy while omission constraints have already failed.

Published on arXiv →
Preprint · April 2026

Indirect Prompt Injection in LLM Agent Frameworks: A Comparative Study

A controlled empirical study across LangChain, MCP, and the Anthropic API, run exclusively on Claude Sonnet 4. 3,274 trials, 42 attack payloads, measuring how injected instructions propagate through multi-step agent pipelines. Task framing, not framework architecture, drives vulnerability.

Instruction-following tasks reached 89-91% attack success rates. LangChain's FAISS retrieval introduced task-dependent exposure, amplifying attack surface when payloads were semantically similar to the query. MCP adds no measurable attack surface relative to the raw API baseline (p > 0.6).

Hardened system prompts reduced attack success by over 17x but created a brittle threshold rather than a gradient: in the trials where the model engaged despite hardening, exploitation exceeded 55%. Dataset and framework are open-sourced on GitHub and Zenodo.

Preprint on Zenodo →
Frameworks Studied
LangChain
MCP (Model Context Protocol)
Anthropic API
CrewAI
AutoGen