Tracking the Behavioral Trajectories of Adapting Agents
Jonah Leshin, Manish Shah, Ian Timmis
Abstract
Text files such as skill files, memory files, and behavioral configuration files play a central role in defining how modern agents act. Through edits by humans or the agents themselves, these files may evolve over time, directly steering the agent's behavior in future interactions. We present a methodology and framework for measuring agent by defining traits as directions in the embedding space of a text embedding model. We train a linear model on labeled "before" versus "after" skill file diffs to learn a trait vector, then score arbitrary skill edits by projecting their embedding diffs onto this vector. Evaluated on 68 labeled skill diff pairs for the trait of propensity to seek sensitive data, our method achieves 91.2% sign classification accuracy and a Spearman rank correlation of under leave-one-out cross-validation. We build this trait evaluation into a broader agent-to-agent protocol that enables one agent to evaluate another's skill file updates through a trusted intermediary.
AI Impact Assessments
(1 models)Scientific Impact Assessment
Core Contribution
This paper introduces a method for tracking behavioral changes in AI agents by analyzing modifications to their text-based configuration files (skill files, memory files, etc.). The key idea is to define agent "traits" as directions in the embedding space of a text embedding model, borrowing from representation engineering (Zou et al., 2023) but applying it to external text artifacts rather than internal model activations. A Ridge regression model learns a trait vector from labeled before/after skill file diffs, and new edits are scored by projecting their normalized embedding diffs onto this vector. The paper also proposes an agent-to-agent evaluation protocol mediated by a trusted intermediary server.
The problem addressed—monitoring evolving agent configurations for safety-relevant behavioral drift—is genuinely important and timely. The framing of the problem is the paper's strongest conceptual contribution: recognizing that as agents increasingly define their behavior through mutable text files, monitoring these files becomes a critical safety surface.
Methodological Rigor
The methodology has significant limitations that temper enthusiasm:
Dataset scale and construction. The evaluation uses only 68 labeled diff pairs derived from 63 publicly available skills. The "after" versions are synthetically generated by the authors to clearly increase or decrease the data-seeking trait. This is a major concern: synthetic data designed to exhibit a trait may contain obvious lexical signals that make the classification task artificially easy. The paper does not discuss how the synthetic edits were generated or whether they resemble realistic adversarial or organic modifications.
Single trait validation. Only one trait (data-seeking/sensitive data propensity) is tested. The paper claims generality but provides no evidence that the linear direction assumption holds for other traits, which substantially weakens the contribution.
Labeling process. Labels were partially generated by an LLM (Claude Opus 4.6) and then reviewed by the authors, introducing potential bias—especially since the authors also created the synthetic data. The inter-annotator agreement is not reported.
Baselines. The YARA baseline (63.2%) is a straw man—simple regex-style pattern matching. The GPT-5.4 baseline achieves 100% accuracy, which raises the question: if a frontier LLM perfectly solves this task, what is the practical advantage of the proposed method beyond cost/speed? The paper acknowledges this tradeoff (determinism, auditability, speed) but doesn't quantify the cost or latency differences to make the case compelling.
Statistical evaluation. The 91.2% accuracy and ρ=0.82 under LOOCV are reasonable but on a small, synthetic dataset. The PRESS-based LOOCV is appropriate for the small sample size, which is a methodological positive. However, all 6 misclassifications have low-magnitude predictions, suggesting the model may simply be learning a coarse positive/negative distinction rather than fine-grained trait measurement.
Potential Impact
The paper opens an interesting direction at the intersection of AI safety and agent monitoring. The key practical insight—that skill/config files are an undermonitored attack surface—has real-world relevance, especially given cited incidents like the Cisco memory-file compromise.
However, the practical impact is limited by several factors:
The protocol contribution (Section 4) is interesting but underspecified. Hash chaining, Merkle-tree commitments, and HMAC verification are mentioned as future work—yet these are essential for any real security guarantee. Without them, the protocol is more of a sketch than a deployable system.
Timeliness & Relevance
The paper is well-timed. Agent frameworks with mutable skill/memory files are proliferating (Claude Code, Hermes, various copilot ecosystems), and supply-chain attacks on agent configurations are an emerging threat. The cited Cisco attack and Qu et al.'s supply-chain poisoning work establish a clear threat landscape. The need for automated monitoring of agent configuration drift is real and growing.
Strengths
1. Problem framing: Identifying text file evolution as a key behavioral attack surface is valuable and clearly articulated.
2. Simplicity: The method is lightweight, deterministic, and interpretable—a linear model in embedding space is easy to audit and deploy.
3. End-to-end deployment: The authors deployed the system with a live Hermes agent, demonstrating practical feasibility.
4. Appropriate validation choices: LOOCV via PRESS is well-suited for small datasets; using both sign accuracy and Spearman correlation provides complementary evaluation.
Limitations
1. Synthetic evaluation data: The core results rest on author-generated "after" files, not real-world skill edits.
2. Single trait: No evidence the approach generalizes beyond data-seeking behavior.
3. Small scale: 68 examples is minimal; the embedding model has 4096 dimensions, making overfitting a concern even with Ridge regularization.
4. Adversarial robustness: Not addressed despite being acknowledged as critical for the security use case.
5. Protocol underspecified: Key security mechanisms are deferred to future work.
6. Limited novelty: Applying representation engineering ideas to text embeddings with Ridge regression is a relatively straightforward adaptation.
Overall Assessment
This is a workshop paper that identifies an important and timely problem—monitoring behavioral drift in AI agents through their configuration files—and proposes a clean, simple methodology. However, the validation is preliminary: a single trait, synthetic data, small scale, and an underspecified protocol. The gap between the GPT-5.4 baseline (100%) and the proposed method (91.2%) weakens the practical case, though the determinism/auditability argument has merit. The paper is best viewed as a position piece with preliminary validation rather than a mature methodology paper. It opens a research direction worth pursuing but requires substantially more evidence to demonstrate real-world impact.
Generated Jun 2, 2026
Comparison History (31)
Paper 2 demonstrates higher potential scientific impact due to its immediate and significant real-world clinical application. It applies rigorous methodology, including uncertainty quantification and longitudinal statistical modeling, to a large-scale medical dataset to derive actionable insights about osteoarthritis pain. In contrast, while Paper 1 presents an innovative approach to AI agent behavior, its evaluation is limited in scale (68 pairs) and its impact is currently confined to a niche area of AI alignment.
BiNSGPS addresses a fundamental challenge in AI—bridging neural and symbolic reasoning through bidirectional interaction—with broader implications across mathematical reasoning, neuro-symbolic AI, and multimodal learning. The bidirectional feedback loop between neural and symbolic components represents a more general architectural innovation applicable beyond geometry. Paper 1, while addressing the important topic of AI safety through agent trait tracking, presents a narrower methodology (linear projections on embedding diffs) with a relatively small evaluation dataset (68 labeled pairs) and more limited generalizability.
Paper 1 addresses a timely and novel problem—tracking behavioral trajectories of AI agents through text file embeddings—which is highly relevant given the rapid proliferation of autonomous agents. The methodology for measuring agent traits via embedding space directions is innovative and has broad applications in AI safety, alignment monitoring, and multi-agent trust protocols. Paper 2, while methodologically sound, addresses a more niche application (wind farm layout optimization) with a relatively incremental contribution (applying optimal transport for permutation invariance in BO). Paper 1's impact spans AI safety, agent governance, and alignment—areas of growing urgency.
Paper 1 has higher likely impact due to timeliness and practical applicability: it targets real, emerging problems in agentic systems—monitoring behavioral drift and safety-relevant changes in editable “skill/memory” artifacts. Its method is simple, testable, and integrates into an operational agent-to-agent evaluation protocol. While the dataset is small, it reports clear quantitative results with cross-validation. Paper 2 is conceptually novel but relies on a very small training set, reports limited evaluation (format compliance issues, narrow tasks), and its broader generalization and rigor are less convincing, reducing near-term impact.
Paper 2 proposes a novel, generalizable framework for quantifying how agent behavior shifts as their editable text artifacts (skills/memory/config) change, with a clear measurement method (trait vectors from embedding diff projections) and an agent-to-agent evaluation protocol. It targets an urgent, high-impact area—agent safety/governance and continuous monitoring—likely applicable across many agentic systems and domains. While Paper 1 is a useful benchmark contribution, benchmarks tend to have narrower impact unless they become standard; its scope (graph-assisted math MCQs) is more specialized. Paper 2’s approach is timelier and broader.
Paper 1 addresses a highly novel and critical problem in AI safety and autonomous agents: tracking and evaluating the behavioral evolution of self-adapting agents. Its approach to measuring traits via embedding diffs and enabling agent-to-agent evaluation protocols has broad implications for managing future AI systems. While Paper 2 offers a solid neurosymbolic methodology for VQA, Paper 1's focus on the behavioral trajectories of adapting agents aligns with pressing, high-impact challenges in general AI safety and multi-agent systems.
Paper 2 addresses foundational challenges in AI safety, alignment, and interpretability by tracking the behavioral evolution of adapting agents. Its methodology for quantifying qualitative traits is broadly applicable across any domain utilizing AI agents. In contrast, Paper 1 proposes a domain-specific framework for financial trading, and its abstract lacks quantitative empirical results, limiting its broader scientific impact compared to Paper 2's focus on general agent behavior.
Paper 2 introduces a principled geometric decomposition framework for understanding how prompting steers LLM/VLM behavior internally, with broad applicability across multiple models, modalities, and tasks. It provides mechanistic interpretability insights (e.g., affine transformations as key mechanisms) with causal validation. Paper 1 addresses a narrower problem—tracking behavioral trajectories of agents via skill file diffs—with a simpler methodology (linear projection in embedding space) evaluated on a single trait with limited data (68 pairs). Paper 2's broader scope, deeper mechanistic insights, and relevance to fundamental LLM understanding give it substantially higher potential impact.
Paper 2 is more methodologically novel and broadly applicable: it introduces a general framework to quantify and track behavioral trait shifts from agent configuration/skill edits, with a concrete evaluation protocol (including intermediary-based assessment) relevant to safety, governance, and continual agent development. Its approach can transfer across agent platforms and traits, and addresses a timely problem (monitoring adapting agents). Paper 1 provides a useful dataset and capture system, but its impact is narrower (embodied conversation forensics/interaction study) and largely infrastructural rather than a new analytical paradigm.
Paper 2 offers a more broadly novel and generalizable measurement framework: defining and tracking agent behavioral traits via embedding-diff directions, with a concrete evaluation protocol for monitoring self-/human-edited agent configuration over time. Its applications extend beyond finance to safety, governance, and alignment across many agent architectures and domains, making its cross-field impact higher. While Paper 1 is well-engineered and rigorously benchmarked, it is domain-specific (financial agents) and focuses on systems performance rather than a broadly reusable scientific methodology.
Paper 2 (SIRI) presents a more complete and practically impactful framework for LLM agent training with self-discovered skills that are internalized into the model, eliminating inference-time overhead. It demonstrates strong empirical results on established benchmarks (ALFWorld, WebShop), offers a novel three-phase training paradigm combining RL with skill mining and distillation, and addresses a broadly relevant problem in LLM agent deployment. Paper 1, while addressing an interesting safety-adjacent problem of tracking agent behavioral drift, is narrower in scope, evaluated on a small dataset (68 pairs), and relies on a relatively straightforward linear probing methodology with limited generalizability demonstrated.
Paper 1 addresses a timely and practically important problem—monitoring and evaluating behavioral changes in AI agents—with a concrete methodology, empirical validation (91.2% accuracy, ρ=0.82), and a clear application to AI safety. It offers novelty in defining agent traits as directions in embedding space and proposes an agent-to-agent evaluation protocol. Paper 2 presents a purely abstract mathematical framework for representing conflict between data types, but lacks empirical validation, concrete applications, or demonstration of utility beyond theoretical formulation, limiting its near-term scientific impact.
Paper 2 is likely to have higher scientific impact due to broader cross-field relevance and timeliness: it addresses measuring and auditing evolving agent behavior—central to AI safety, alignment, and governance across many agentic systems. The core idea (trait vectors from embedding diffs) is simple, generalizable, and easy to adopt as an evaluation protocol, enabling real-world monitoring of agent self-modification. While Paper 1 is application-strong, it is more domain-specific (traffic liability) and largely integrates established components (VLM+hybrid retrieval+LLM) into a specialized pipeline.
Paper 2 is more novel and timely: it offers a general, lightweight method to quantify behavioral change in evolving AI agents via trait directions in embedding space, with a protocol for agent-to-agent evaluation—highly relevant to current concerns about AI safety, auditing, and governance. Its approach is broadly applicable across many agent systems and domains, potentially enabling standardized monitoring of risky capability drift. Paper 1 targets an important real-world problem, but relies on a hybrid simulated dataset and shows limited overall performance gains, which may constrain rigor and generalizability despite strong niche application impact.
POIROT addresses a more fundamental and broadly applicable problem—failure detection in multi-agent LLM systems—with a novel protocol that repurposes agents as their own diagnostic layer. It demonstrates scalability across multiple dimensions (complexity, agent count, fault types) with rigorous statistical evidence. The release of both an open-source library and a benchmark (BLAME) increases adoption potential. Paper 2, while presenting a creative trait-tracking methodology, addresses a narrower problem (monitoring skill file edits) with a smaller evaluation scope (68 labeled pairs) and more limited generalizability. POIROT's relevance to AI safety regulation gives it broader and more timely impact.
Paper 2 introduces a novel methodology for tracking behavioral trajectories of AI agents through text file analysis, addressing the increasingly critical problem of AI safety and alignment. Its approach to defining agent traits as directions in embedding space is conceptually innovative and broadly applicable across the growing field of autonomous agents. While Paper 1 makes solid incremental contributions to energy prediction with spatial modeling and uncertainty quantification, Paper 2 opens a new research direction in agent monitoring and governance that has broader cross-disciplinary impact and higher timeliness given the rapid proliferation of autonomous AI agents.
Paper 2 likely has higher impact due to broader applicability and timeliness: long-horizon, hierarchical coordination and memory in LLM agents is central to both social simulation and enterprise agent deployments. TaskWeave is positioned as a general framework with evaluations in a year-long organizational simulation and comparisons to other frameworks, implying stronger methodological scope and clearer real-world utility (organizational workflows, enterprise NLP artifacts). Paper 1 is novel for auditing trait shifts via file-diff embeddings, but is narrower (single trait, small labeled set) and more specialized to agent file governance.
Paper 2 has higher potential impact due to its novel, generalizable framework for quantifying and monitoring evolving agent behavior via “trait vectors” from skill/memory file edits—directly relevant to agent safety, governance, and auditing. Its methodology (labeled diffs, linear trait direction, LOOCV with strong accuracy/correlation) is relatively rigorous and supports real-world deployment in CI pipelines and oversight protocols. The agent-to-agent evaluation protocol broadens applicability across security, alignment, and MLOps. Paper 1 is useful and timely for multi-agent performance, but attention steering/context decay is a narrower optimization with likely incremental novelty.
Paper 1 addresses a novel and timely problem—tracking behavioral trajectories of AI agents through text file evolution—which is highly relevant to AI safety and alignment. Its methodology of defining traits as directions in embedding space is innovative and broadly applicable. Paper 2, while solid applied work combining DRL with explainability for building energy management, represents a more incremental contribution in a well-explored domain. Paper 1's agent-to-agent evaluation protocol has broader implications for trust and governance of autonomous agents, a rapidly growing area of concern across multiple fields.
Paper 2 addresses LLM hallucinations, a critical and widespread challenge in artificial intelligence, offering a novel, theoretically grounded inference-time solution (DeLask) with extensive evaluation across diverse models. In contrast, Paper 1 focuses on a more niche area of agent behavior tracking and is evaluated on a very small dataset (68 pairs), making its methodological rigor and breadth of impact significantly lower than Paper 2.