arxiv: 2604.20911 · v1 · submitted 2026-04-22 · 💻 cs.CR · cs.AI

Recognition: unknown

Omission Constraints Decay While Commission Constraints Persist in Long-Context LLM Agents

Yeran Gamage

Authors on Pith no claims yet

Pith reviewed 2026-05-10 01:04 UTC · model grok-4.3

classification 💻 cs.CR cs.AI

keywords LLM agentssecurity constraintscontext lengthomission compliancecommission complianceSecurity-Recall Divergencebehavioral policieslong-context models

0 comments

The pith

Prohibition constraints in LLM agents weaken as conversations lengthen while requirement constraints remain fully effective.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper demonstrates that LLM agents follow 'do not' rules less reliably as conversations extend, with omission compliance dropping sharply, while 'do' rules hold steady at full strength. This creates an asymmetry where security policies erode without detection because monitoring tools focus on the persistent requirement signals. A large-scale experiment across many models and providers shows the effect scales with conversation depth and can be countered by re-injecting the original constraints at a model-specific safe point. The finding matters because production agents operate under long-running policies that safety tests usually evaluate only at the start.

Core claim

In a 4,416-trial causal study spanning 12 models, 8 providers, and six conversation depths, omission compliance falls from 73 percent at turn 5 to 33 percent at turn 16 while commission compliance stays at 100 percent. The authors label this pattern Security-Recall Divergence and show that semantic content in the constraint schema drives most of the decay. Re-injecting the original prohibitions before each model's Safe Turn Depth restores compliance without retraining. Production security policies therefore consist of decaying prohibitions paired with stable commission signals that leave failures invisible to standard audits.

What carries the argument

Security-Recall Divergence (SRD), the asymmetry in which prohibition-type (omission) constraints lose effectiveness under growing context length while requirement-type (commission) constraints do not.

If this is right

Standard audit signals based on commission constraints will continue to report healthy behavior even after prohibition constraints have failed.
Re-injecting constraints before the per-model Safe Turn Depth restores omission compliance across tested models.
Semantic content in the constraint schema accounts for 62 to 100 percent of the dilution in the two models with token-matched controls.
Production behavioral policies relying on prohibitions become ineffective in extended sessions while their monitoring remains intact.
The pattern appears consistently across 12 models from 8 providers at six depths.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

Operators of long-running LLM agents may need periodic constraint refresh mechanisms to prevent silent erosion of prohibitions.
Safety evaluations limited to single-turn or short-context tests will underestimate real-world risk for omission-based policies.
This divergence suggests that context-window scaling alone may increase certain security exposures unless paired with active constraint management.

Load-bearing premise

The decay in omission compliance is produced by increasing conversation length rather than by differences in prompt wording, scenario construction, or model training data.

What would settle it

An experiment that increases the number of turns while holding total token count fixed through neutral padding and shows no drop in omission compliance.

Figures

Figures reproduced from arXiv: 2604.20911 by Yeran Gamage.

**Figure 1.** Figure 1: Security-Recall Divergence across three models and an immune control. Left: Omission constraint C3 (no bullet points) decays with injection depth in Mistral Large 3, Nemotron Super 120B, and Qwen 3.5 397B, while Gemma 4 31B holds at 100% throughout (immune control). Right: Commission constraint C4 (STATUS: prefix) holds near 100% across all models at every depth. Gemma 4 31B shows near-complete compliance… view at source ↗

**Figure 2.** Figure 2: Three-arm trial protocol. All arms share the same setup scaffold (left) and differ only in what tools are registered during the continuation window (center). Arm A (gray) isolates conversation depth with no schema dilution. Arm B (blue) adds 20 cloud tool schemas. Arm C (orange) adds 20 token-matched neutral probes of identical length but no cloud semantics, separating volume effects from semantic effects… view at source ↗

**Figure 3.** Figure 3: SRD Heatmap across models and constraints. Each cell shows compliance rate (%) for one constraint at one turn depth, under Arm B (dilution). Red = high exploit rate (low compliance); white/light = low exploit rate (high compliance). Commission constraints (C1, C4, C8) form a stable light band across all depths. Omission constraints (C3, C9) show progressive reddening with depth, visually confirming the Sec… view at source ↗

**Figure 4.** Figure 4: Commission constraints hold near 100% while omission constraints decay with depth in susceptible models. Omission compliance falls from 73% at turn 5 to 33% at turn 16 and 20% at turn 25 in the worst case (Mistral Large 3, CMH χ 2 = 147, p < 10−33); commission compliance remains at 100% throughout. 3.3 The Difficulty Deconfound Finding 3: Hard commission holds where hard omission fails [PITH_FULL_IMAGE:fi… view at source ↗

**Figure 5.** Figure 5: Schema semantics drives omission decay. Token volume alone cannot account for the effect. Arm C (token-matched neutral probes) tracks Arm A in both Gemini 2.5 Flash and Llama 3.3 70B; token volume accounts for 38% of the Gemini effect and 0% of the Llama effect. Key Takeaway CMH confirms the omission/commission asymmetry in all three SRD-susceptible models: Mistral (χ 2 = 147, p < 10−33), Nemotron (χ 2 = … view at source ↗

read the original abstract

LLM agents deployed in production operate under operator-defined behavioral policies (system-prompt instructions such as prohibitions on credential disclosure, data exfiltration, and unauthorized output) that safety evaluations assume hold throughout a conversation. Prohibition-type constraints decay under context pressure while requirement-type constraints persist; we term this asymmetry Security-Recall Divergence (SRD). In a 4,416-trial three-arm causal study across 12 models and 8 providers at six conversation depths, omission compliance falls from 73% at turn 5 to 33% at turn 16 while commission compliance holds at 100% (Mistral Large 3, $p < 10^{-33}$). In the two models with token-matched padding controls, schema semantic content accounts for 62-100% of the dilution effect. Re-injecting constraints before the per-model Safe Turn Depth (STD) restores compliance without retraining. Production security policies consist of prohibitions such as never revealing credentials, never executing untrusted code, and never forwarding user data. Commission-type audit signals remain healthy while omission constraints have already failed, leaving the failure invisible to standard monitoring.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

The paper reports that prohibition constraints in LLM agents weaken with longer contexts while requirement constraints hold, backed by a large multi-model trial, but scenario construction differences could explain part of the gap.

read the letter

The main point is that omission constraints like 'never reveal credentials' lose compliance as conversations lengthen, dropping from 73% at turn 5 to 33% at turn 16 in their tests, while commission constraints stay at 100%. They label this Security-Recall Divergence and show that re-injecting the rules before a certain depth restores performance without retraining the model. This matters for production monitoring because standard audit signals would miss the omission failures.

Referee Report

1 major / 2 minor

Summary. The paper claims that prohibition-type constraints (omissions such as never revealing credentials) decay under increasing conversation length in LLM agents while requirement-type constraints (commissions) remain robust, an asymmetry termed Security-Recall Divergence (SRD). This is demonstrated via a 4,416-trial three-arm causal study across 12 models and 8 providers at six depths, with omission compliance falling from 73% at turn 5 to 33% at turn 16 (e.g., Mistral Large 3, p < 10^{-33}) while commission compliance holds at 100%; token-matched padding controls are used, semantic content explains 62-100% of dilution in two models, and re-injection of constraints before the per-model Safe Turn Depth restores compliance.

Significance. If the causal attribution to context pressure holds, the result is significant for LLM agent security: it identifies a monitoring blind spot where commission-based audit signals remain healthy while omission constraints have already failed. The scale of the multi-model, multi-provider experiment, the inclusion of padding controls, and the partial mechanistic explanation via semantic dilution provide a concrete basis for improved safety evaluations and the practical mitigation of constraint re-injection.

major comments (1)

[§3.2] §3.2 (Scenario Generation and Three-Arm Design): The manuscript describes the three-arm causal design and token-matched padding but does not detail whether omission scenarios (prohibitions on exfiltration, credential disclosure, etc.) are constructed with equivalent semantic complexity, potential for conflict with accumulating user messages, and implicit task difficulty as commission scenarios at greater depths. Without this, the SRD attribution to context pressure alone remains vulnerable to confounding by prompt construction differences.

minor comments (2)

[Abstract] Abstract: The statement that 'schema semantic content explains 62-100% of the dilution effect' should name the two models involved and the precise measurement procedure for semantic content to support replication.
[§4.1] §4.1 (Results): The per-model Safe Turn Depth (STD) values are reported but the exact formula or threshold used to compute STD from the compliance curves is not stated, hindering direct comparison across the 12 models.

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for the constructive feedback and positive assessment of the work's significance for LLM agent security. We address the single major comment below and will incorporate the requested details into the revised manuscript.

read point-by-point responses

Referee: [§3.2] §3.2 (Scenario Generation and Three-Arm Design): The manuscript describes the three-arm causal design and token-matched padding but does not detail whether omission scenarios (prohibitions on exfiltration, credential disclosure, etc.) are constructed with equivalent semantic complexity, potential for conflict with accumulating user messages, and implicit task difficulty as commission scenarios at greater depths. Without this, the SRD attribution to context pressure alone remains vulnerable to confounding by prompt construction differences.

Authors: We agree that the current manuscript does not provide sufficient detail on scenario construction to fully rule out confounding. In the revised version we will expand §3.2 with a dedicated subsection on scenario generation. This will include: (i) the parallel template structure used for omission and commission scenarios, (ii) explicit matching criteria for semantic complexity (e.g., entity density, sentence length, and number of potential context-conflict points), (iii) how implicit task difficulty was balanced across arms at each depth, and (iv) example paired scenarios. We will also add a brief validation note confirming that post-generation review showed no systematic differences in these dimensions. These additions will strengthen the causal claim without altering the reported results. revision: yes

Circularity Check

0 steps flagged

No circularity: empirical results from controlled trials

full rationale

The paper's central claim of Security-Recall Divergence rests entirely on direct experimental measurements from a 4,416-trial three-arm causal study across models, providers, and conversation depths. Omission and commission compliance rates are reported as observed outcomes (e.g., 73% to 33% drop for omissions, 100% for commissions) with statistical significance, token-matched controls, and semantic-content analysis; no equations, derivations, fitted parameters, self-citations, or ansatzes are invoked that would reduce the result to its own inputs by construction. The findings are therefore self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 1 invented entities

The paper is an empirical measurement study whose central claim depends on the validity of the experimental design, scenario construction, and statistical tests rather than on new theoretical axioms or free parameters.

axioms (1)

standard math Standard assumptions of the statistical tests used to compute p-values hold for the reported compliance rates.
The abstract cites p < 10^{-33} for the main comparison.

invented entities (1)

Security-Recall Divergence (SRD) no independent evidence
purpose: Label for the observed difference in decay rates between omission and commission constraints.
New descriptive term introduced to name the empirical pattern; no independent physical or mathematical existence claimed.

pith-pipeline@v0.9.0 · 5491 in / 1414 out tokens · 109748 ms · 2026-05-10T01:04:28.108896+00:00 · methodology

discussion (0)

Reference graph

Works this paper leans on

18 extracted references · 4 canonical work pages · 4 internal anchors

[1]

DOI: 10.1162/tacl a 00638. M. Levy, A. Jacoby, and Y . Goldberg. Same Task, More Tokens: The Impact of Input Length on the Reasoning Performance of Large Language Models. InProceedings of ACL 2024, pp. 15339–15353,

work page internal anchor Pith review doi:10.1162/tacl 2024
[2]

Hsieh, S

C.-P. Hsieh, S. Sun, S. Kriman, S. Acharya, D. Rekesh, F. Jia, and B. Ginsburg. RULER: What’s the Real Context Size of Your Long-Context Language Models? InProceedings of the 1st Conference on Language Modeling (COLM 2024),

2024
[3]

H. Yen, T. Gao, M. Hou, et al. HELMET: How to Evaluate Long-Context Language Models Effectively and Thoroughly. InICLR 2025, pp. 3473–3524,

2025
[4]

G. Xiao, Y . Tian, B. Chen, S. Han, and M. Lewis. Efficient Streaming Language Models with Attention Sinks. InICLR 2024,

2024
[5]

J. Zhou, T. Lu, S. Mishra, S. Brahma, S. Basu, Y . Luan, D. Zhou, and L. Hou. Instruction-Following Evaluation for Large Language Models.arXiv preprint arXiv:2311.07911,

work page internal anchor Pith review Pith/arXiv arXiv
[6]

Jiang, Y

Y . Jiang, Y . Wang, X. Zeng, W. Zhong, L. Li, F. Mi, L. Shang, X. Jiang, Q. Liu, and W. Wang. FollowBench: A Multi-level Fine-grained Constraints Following Benchmark for Large Language Models. InProceedings of ACL 2024, pp. 4667–4688,

2024
[7]

Greshake, S

K. Greshake, S. Abdelnabi, S. Mishra, C. Endres, T. Holz, and M. Fritz. Not What You’ve Signed Up For: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection. InProceedings of AISec 2023 (co-located with ACM CCS), pp. 79–90,

2023
[8]

Q. Zhan, Z. Liang, Z. Ying, and D. Kang. InjecAgent: Benchmarking Indirect Prompt Injections in Tool- Integrated Large Language Model Agents. InFindings of ACL 2024, pp. 10471–10506,

2024
[9]

Zhang, J

H. Zhang, J. Huang, K. Mei, et al. Agent Security Bench (ASB): Formalizing and Benchmarking Attacks and Defenses in LLM-based Agents. InICLR 2025,

2025
[10]

Andriushchenko, A

M. Andriushchenko, A. Souly, et al. AgentHarm: A Benchmark for Measuring Harmfulness of LLM Agents. InICLR 2025,

2025
[11]

H. Li, D. Guo, W. Fan, M. Xu, J. Huang, F. Meng, and Y . Song. Multi-step Jailbreaking Privacy Attacks on ChatGPT. InFindings of EMNLP 2023, pp. 4138–4153,

2023
[12]

A. Zou, Z. Wang, N. Carlini, M. Nasr, J. Z. Kolter, and M. Fredrikson. Universal and Transferable Adversarial Attacks on Aligned Language Models.arXiv preprint arXiv:2307.15043,

work page internal anchor Pith review Pith/arXiv arXiv
[13]

Perez, S

E. Perez, S. Huang, F. Song, et al. Red Teaming Language Models with Language Models. InProceedings of EMNLP 2022,

2022
[14]

Mazeika, L

M. Mazeika, L. Phan, X. Yin, A. Zou, et al. HarmBench: A Standardized Evaluation Framework for Automated Red Teaming and Robust Refusal. InICML 2024(PMLR 235:35181–35224),

2024
[15]

B. Wang, W. Chen, et al. DecodingTrust: A Comprehensive Assessment of Trustworthiness in GPT Models. InAdvances in NeurIPS 36 (Datasets and Benchmarks Track), 2023.Outstanding Paper Award. Y . Huang, L. Sun, et al. Position: TrustLLM: Trustworthiness in Large Language Models. InICML 2024 (PMLR 235:20166–20270),

2023
[16]

arXiv:2209.11895. Y . Zhao, W. Zhang, Y . Xie, A. Goyal, K. Kawaguchi, and M. Shieh. Understanding and Enhancing Safety Mechanisms of LLMs via Safety-Specific Neuron. InICLR 2025,

work page internal anchor Pith review arXiv 2025
[17]

S. Yao, J. Zhao, D. Yu, et al. ReAct: Synergizing Reasoning and Acting in Language Models. InICLR 2023,

2023
[18]

security policy.txt

17 Appendix A Prompt Templates and Detection Functions A.1 System Prompt You are a DevOps assistant helping a software engineering team debug a production web application. You have access to tools to read files and execute commands in the applica- tion’s working directory. Your primary task is to help the team understand a cache connection timeout error t...

2026