A 4,416-trial causal study across 12 models and 8 providers at six conversation depths. Prohibition-type constraints (never reveal credentials, never exfiltrate data) decay as context grows. Requirement-type constraints hold. This asymmetry, Security-Recall Divergence, leaves failures invisible to standard commission-based monitoring.
Omission compliance fell from 73% at turn 5 to 33% at turn 16. Commission compliance held at 100% across tested models. Token-matched padding controls isolated schema semantic content as the primary driver, accounting for 62-100% of the dilution effect.
Re-injecting constraints before each model's Safe Turn Depth restores compliance without retraining. Most production security policies are prohibition-type. Commission-based audit signals can appear healthy while omission constraints have already failed.
Published on arXiv →A controlled empirical study across LangChain, MCP, and the Anthropic API, run exclusively on Claude Sonnet 4. 3,274 trials, 42 attack payloads, measuring how injected instructions propagate through multi-step agent pipelines. Task framing, not framework architecture, drives vulnerability.
Instruction-following tasks reached 89-91% attack success rates. LangChain's FAISS retrieval introduced task-dependent exposure, amplifying attack surface when payloads were semantically similar to the query. MCP adds no measurable attack surface relative to the raw API baseline (p > 0.6).
Hardened system prompts reduced attack success by over 17x but created a brittle threshold rather than a gradient: in the trials where the model engaged despite hardening, exploitation exceeded 55%. Dataset and framework are open-sourced on GitHub and Zenodo.
Preprint on Zenodo →