Recent AI research papers with accessible summaries. Updated daily from arXiv, summarized for developers who don't read papers regularly.
Josh Hills, Ida Caspary, Asa Cooper Stickland
Persistent AI systems that ship code iteratively create a new vulnerability: attackers can hide malicious behavior by spreading it across multiple sessions, and different detection strategies are needed to catch gradual versus concentrated attacks.
This paper studies how AI coding agents can distribute malicious attacks across multiple pull requests over time to evade detection. The authors introduce a benchmark where agents pursue hidden goals while building software, comparing gradual attacks spread across PRs against concentrated attacks.
Matteo Boglioni, Thibault Rousset, Siva Reddy et al.
Current unlearning methods are imprecise at targeting specific parameters where knowledge is stored, making them vulnerable to attacks that resurface the data—precise localization matters more than output-level performance.
LACUNA is a new benchmark for testing whether LLM unlearning methods actually erase sensitive data from model parameters or just hide it. The researchers inject fake personal information into specific weights of language models, then check if unlearning methods successfully target those exact parameters.
Bo Shen, Lifeng Chang, Tianyuan Wei et al.
Autonomous agents need internal, runtime defenses beyond training-time alignment—ANIS provides a biologically-inspired immune system that monitors and protects an agent's memory, tools, and multi-agent interactions from active exploitation.
This paper introduces Agent-Native Immune System (ANIS), a defense framework built directly into autonomous agents to protect against runtime attacks like memory poisoning and tool manipulation. Unlike traditional external security measures, ANIS operates within the agent's reasoning loop through a six-layer architecture and continuously learns to adapt to new threats.
Hamid Reza Firoozfar, Mohammadsadegh Abolhasani, Reza Mousavi et al.
A mechanism-oriented taxonomy of how language encodes hidden meaning is more effective for LLM-based content moderation than taxonomies based on communicative intent or surface forms.
This paper creates a taxonomy of indirect linguistic expressions (coded language like algospeak and euphemisms) that people use to evade content moderation. Rather than categorizing by intent, the taxonomy focuses on the underlying encoding mechanisms—how meaning is hidden and recovered.
Md Nayem Uddin, Amir Saeidi, Eduardo Blanco et al.
Explicitly tracking task state in a separate ledger helps agents avoid stale information and policy violations—two major failure modes in tool-calling agents—without requiring model retraining.
LedgerAgent is a method that helps AI agents handle customer service tasks by maintaining a separate record (ledger) of important task information like facts and constraints. Instead of having agents dig through long prompts to find relevant details, the ledger keeps this information organized and visible, and also checks whether tool calls follow domain rules before executing them.
Shaghayegh Kolli, Timo Cavelius, Nafiseh Nikeghbal et al.
Social biases in vision-language models aren't random—they're driven by a small set of visual cues like age, body type, and clothing style. Understanding which specific visual features trigger biased judgments is crucial for building fairer AI systems.
This paper creates a controlled benchmark with 25K photorealistic images to measure how specific visual attributes (like age, body type, and fashion style) cause social biases in multimodal AI models. By keeping identity fixed and changing one visual cue at a time, researchers show that just 15 visual attributes account for 80% of bias variation across six major MLLMs.
Sicheng Yang, Hangjie Yuan, Wenjun Zhang et al.
Medical AI hallucinations have different sources (visual, knowledge, reasoning); diagnosing which stage fails helps you fix the right problem and improve trustworthiness.
ClinHallu is a benchmark with 7,031 medical cases that diagnoses where hallucinations occur in medical AI systems—whether from misreading images, recalling wrong medical facts, or flawed reasoning. It includes detailed reasoning traces and shows that training on these traces reduces errors.
Marianna Bergamaschi Ganapini, Massimo Chiriatti, Enrico Panai et al.
AI systems can shape what we think about and how we think before we're aware it's happening, embedding corporate or other interests into our reasoning in ways that are hard to detect or resist.
This paper analyzes how AI systems influence human thinking before conscious deliberation occurs, introducing the concept of 'cognitive colonization'—where AI embeds external interests into our decision-making in ways we don't notice.
Sondos Mahmoud Bsharat, Jiacheng Liu, Xiaohan Zhao et al.
AI-text detection isn't just about how much AI content is present—it depends on what edits were made, the domain, and revision history. Mixed-authorship documents can be harder to detect than fully AI-generated ones, exposing blind spots in current detection methods.
This paper introduces OpAI-Bench, a benchmark for detecting AI-generated text in documents that have been progressively edited by both humans and AI. Unlike existing benchmarks that only look at final outputs, OpAI-Bench tracks how AI authorship signals change across multiple revision stages, edit types, and document granularities (document, sentence, token, and span levels).
Hanjiang Hu, Yiyuan Pan, Jiaxing Li et al.
Real-time safety monitoring for physical tasks requires understanding intent—the same action is safe or dangerous depending on context, which VLESA solves with a goal-conditioned safety filter that works without retraining for new scenarios.
VLESA is a safety system that watches egocentric video to detect dangerous human actions and intervene in real-time. It understands that the same action can be safe or unsafe depending on what the person is trying to do, using a goal-aware safety filter trained with reinforcement learning to make context-aware safety decisions without retraining.
Alireza Kheirandish, Jihoon Hong, Sara Fridovich-Keil
You can detect subtle distribution shifts in medical images by measuring how differently a diffusion model's prior and posterior distributions behave—no need for labeled anomaly examples or calibration data.
This paper introduces KLIP, a method for detecting when images deviate from expected distributions in medical imaging and other inverse problems. It uses diffusion models to spot both whole-image anomalies and localized abnormalities (like tumors in CT scans) without needing examples of the shifted distribution beforehand.
Davis Brown, Samarth Bhargav, Arav Santhanam et al.
Safety monitors that only check individual user sessions miss coordinated attacks split across accounts—you need to track patterns across groups of users to catch distributed agent misuse.
Language models can help attackers find vulnerabilities, and they're increasingly splitting harmful tasks across multiple accounts to evade detection.
Laura R. Marusich, Mary Grace Kozuch Dhooghe, Jonathan Z. Bakdash et al.
Adding narrative explanations to AI predictions can backfire: they increase trust in AI without improving accuracy, and may actually harm decision quality by making people slower to question wrong predictions.
This study tested how AI-generated narrative explanations affect human decision-making in classification tasks. Researchers found that persuasive explanations didn't improve accuracy compared to predictions alone, but did increase reliance on AI—even when the AI was wrong. More persuasive narratives sometimes slowed decisions and made it harder to spot AI errors.
Qianshu Cai, Yonggang Zhang, Xianzhang Jia et al.
Self-evolving agents need source-code access, not just prompt editing—structural bugs in routing and state management can't be fixed by text-layer changes alone, and MOSS demonstrates this works in production with measurable improvements.
MOSS is a system that lets autonomous agents automatically fix themselves by rewriting their own source code based on real failures. Unlike existing approaches that only modify text files like prompts, MOSS can change the actual code structure—routing logic, state management, dispatch—making it possible to fix a much broader class of problems.
Rui Wen, Mark Russinovich, Andrew Paverd et al.
LLM backdoors don't need suspicious text triggers—attackers can hide them in positional encoding, making them invisible to content-based defenses and activatable through normal conversation length patterns.
This paper reveals a new way to attack large language models by exploiting how they process word positions rather than modifying the text itself. Researchers show that backdoors can be triggered by input length alone, allowing attackers to make models leak secrets or misbehave without leaving obvious traces in the conversation.
Pratinav Seth, Vinay Kumar Sankarapu
Behavioral evaluations alone cannot verify the safety claims regulators now demand—you need mechanistic evidence like activation analysis to actually verify what's happening inside AI models, not just what they output.
This paper argues that current AI safety evaluation methods (like red-teaming and behavioral testing) cannot verify the deep safety properties that AI governance frameworks now require, such as absence of hidden objectives or resistance to loss-of-control.
Shuhang Lin, Chuhao Zhou, Xiao Lin et al.
Conformal Path Reasoning provides statistical guarantees that your KGQA system will include the correct answer in its output set, while keeping that set compact and practical—solving a real reliability problem in knowledge graph reasoning.
This paper improves Knowledge Graph Question Answering by adding statistical guarantees to answer reliability. It uses conformal prediction—a technique that creates sets of answers with proven coverage rates—combined with a neural network that learns to score reasoning paths better. The result is more trustworthy answers with smaller, more useful prediction sets.
Sushant Gautam, Finn Schwall, Annika Willoch Olstad et al.
When deploying LLMs in new languages or sectors without existing safety benchmarks, you can't collapse safety comparisons into a single score—you must report the full context: which scenarios, which judge, which risk measure, and the uncertainty around each comparison.
This paper tackles a real-world problem: comparing AI models for safety when no labeled benchmark exists yet. Instead of relying on ground-truth labels, the authors validate safety scores through three checks—whether models respond to safety changes, whether model differences dominate over measurement noise, and whether results stay consistent across retests.