State Contamination in Memory-Augmented LLM Agents

Yian Wang, Agam Goyal, Yuen Chen, Hari Sundaram

May 16, 2026
arXiv:2605.16746v1PDF
cs.AI(primary)cs.LG
#175 of 2292 · Artificial Intelligence
Share
Tournament Score
1525±45
10501800
85%
Win Rate
22
Wins
4
Losses
26
Matches
Rating
7.4/ 10
Significance
Rigor
Novelty
Clarity

Abstract

LLM agents increasingly rely on persistent state, including transcripts, summaries, retrieved context, and memory buffers, to support long-horizon interaction. This makes safety depend not only on individual model outputs, but also on what an agent stores and later reuses. We study a failure mode we call memory laundering: toxic or adversarial context can be compressed into memory summaries that no longer appear toxic under standard detectors, while still preserving hostile framing or conflict structure that influences future generations. Using paired counterfactual multi-agent rollouts, we show that toxic-origin memory summaries can remain below common toxicity thresholds while nevertheless increasing downstream toxicity relative to matched neutral baselines. To measure this hidden influence, we introduce the sub-threshold propagation gap (SPG), which quantifies downstream behavioral differences conditioned on memory states that a deployed monitor would classify as safe. Our experiments show that toxicity propagates through distinct state channels: raw transcript reuse drives overt downstream toxicity, while compressed memory carries hidden sub-threshold influence. We further find that mitigation depends critically on intervention placement. Sanitizing toxic state before summarization substantially reduces the hidden propagation gap, whereas cleaning only the completed summary can leave laundered influence intact. These results suggest that safety in memory-augmented agents should be treated as a state-control problem over evolving context, with sanitization applied before unsafe information is compressed into persistent memory.

AI Impact Assessments

(1 models)

Scientific Impact Assessment: "State Contamination in Memory-Augmented LLM Agents"

1. Core Contribution

This paper identifies and formalizes memory laundering, a safety failure mode in memory-augmented LLM agent systems where toxic content survives summarization/compression into memory states that appear benign to standard toxicity classifiers while still steering downstream agents toward toxic behavior. The key insight is that summarization acts as an inadvertent "laundering" step — stripping lexical toxicity markers while preserving adversarial framing, conflict structure, and hostile stance.

The paper introduces the sub-threshold propagation gap (SPG), a metric that conditions on memory states a deployed monitor would classify as safe, then measures the behavioral difference between toxic-origin and neutral-origin conditions. This is a well-motivated metric that captures precisely the failure mode standard monitoring would miss.

The authors further decompose toxic influence into three channels — transcript backflow, memory laundering, and parametric bias — and show these carry distinct signatures: transcript drives overt toxicity (∆µ, P95_tox), while compressed memory drives hidden sub-threshold influence (SPG). The critical practical finding is that sanitization placement matters: cleaning before summarization is effective, while cleaning after summarization often fails because harmful framing has already been compressed below classifier thresholds.

2. Methodological Rigor

The experimental design is commendably careful. The paired counterfactual rollout framework — where toxic and neutral conditions differ only in the focal agent's system prompt, with identical seeds, topologies, and decoding randomness — provides clean causal attribution. With n=200 paired seeds across multiple conditions, statistical testing via Wilcoxon signed-rank tests with reported p-values and confidence intervals is appropriate.

The channel isolation experiments (transcript-only, memory-only, combined) are well-designed ablations that convincingly demonstrate the distinct propagation signatures. The robustness checks across topologies (chain, tree, DAG, high-branching), injection counts, classifier thresholds (τ ∈ {0.03–0.5}), and models (gpt-4o-mini, Llama-3.1-8B-Instruct) strengthen the claims.

However, there are methodological limitations worth noting:

  • Toxicity measurement relies solely on Detoxify, a single automated classifier. The absence of human evaluation is a notable gap, particularly for a paper arguing that classifiers miss subtle behavioral influence.
  • The simulation environment (Reddit-style political discussions) is stylized and may not capture the complexity of real deployment scenarios with tools, retrieval, and persistent memory architectures.
  • The DPO component is evaluated only on Llama-3.1-8B-Instruct, limiting generalizability of the parameter-level mitigation findings.
  • The paper acknowledges but does not resolve the circularity of using the same type of classifier (Detoxify) both as the "deployed monitor" being critiqued and as the ground-truth toxicity scorer.

    • 3. Potential Impact

    This work has significant implications for the rapidly growing ecosystem of deployed LLM agents:

    Immediate practical impact: The finding that sanitization placement (before vs. after summarization) is critical provides actionable architectural guidance for agent system designers. The "sanitize before summarizing" principle is simple, implementable, and well-supported by the evidence.

    Safety evaluation paradigm: The SPG metric offers a principled way to audit memory-augmented systems for hidden influence — a capability gap in current safety evaluation pipelines. This could influence how AI safety teams evaluate agent systems.

    Theoretical framing: Recasting agent safety as a state-control problem over evolving context is a valuable conceptual contribution that extends safety thinking beyond per-turn output monitoring. This framing connects to control theory and could inspire formal safety guarantees.

    Broader influence: The three-channel decomposition (transcript, memory, parametric) provides a useful taxonomy that could structure future work on agent safety, potentially influencing system architectures for memory management in production LLM agents.

    4. Timeliness & Relevance

    This paper is extremely well-timed. Memory-augmented LLM agents (MemGPT, Generative Agents, AutoGen, etc.) are proliferating in both research and deployment, yet safety evaluation has largely remained focused on single-turn or output-level monitoring. The gap between capability advances in agent memory and corresponding safety mechanisms is real and growing. The paper addresses a genuine blind spot that becomes more critical as agents are deployed in multi-agent, long-horizon settings.

    5. Strengths & Limitations

    Key Strengths:

  • Novel, well-defined failure mode: Memory laundering is a clearly articulated, previously unexamined phenomenon with practical relevance.
  • Clean experimental design: Paired counterfactual rollouts with careful controls enable causal claims.
  • Actionable findings: The placement-dependent effectiveness of sanitization is immediately useful for practitioners.
  • Comprehensive ablation: The 9-condition defense ablation with single-channel, pairwise, and full-system comparisons is thorough.
  • Metric contribution: SPG fills a genuine measurement gap for hidden influence in classifier-clean states.

    • Notable Limitations:

  • Ecological validity: Controlled Reddit-style simulations omit deployment complexity (tools, RAG, persistent databases, user interaction). The authors acknowledge this.
  • Single toxicity metric: Relying on Detoxify for both the "broken monitor" and ground truth creates tension. Human evaluation or diverse classifiers would strengthen claims.
  • Limited model coverage: Parameter-level interventions tested only on one open model.
  • Narrow harm type: Only toxicity is studied; other harms (misinformation, manipulation, privacy leakage) could exhibit different laundering dynamics.
  • Effect sizes in some conditions are modest: Memory-only SPG on Llama is 0.015 at baseline, and some absolute differences are small, raising questions about practical significance versus statistical significance.
  • The summarizer and generator are the same model, which may not reflect all deployment patterns where specialized summarizers are used.

    • Overall Assessment

    This is a solid, well-executed paper that identifies a genuine and timely safety concern for memory-augmented LLM agents. The conceptual contribution (memory laundering, state-control framing) is strong, the experimental methodology is careful, and the findings are actionable. The main weaknesses — reliance on a single toxicity classifier, limited ecological validity, and narrow model coverage — are acknowledged and represent natural avenues for future work rather than fundamental flaws. The paper should stimulate important follow-up research on agent-level safety beyond output monitoring.

    Rating:7.4/ 10
    Significance 7.5Rigor 7Novelty 7.8Clarity 8.2

    Generated May 19, 2026

    Comparison History (26)

    vs. POLAR-Bench: A Diagnostic Benchmark for Privacy-Utility Trade-offs in LLM Agents
    gemini-3.15/20/2026

    Paper 1 introduces a conceptually novel failure mode ('memory laundering') and a new metric (SPG) for memory-augmented agents, uncovering how compressed state can bypass safety monitors while retaining harmful influence. This discovery of hidden state contamination is likely to spur broad follow-up research into agent memory architecture and dynamic safety mechanisms. While Paper 2 provides a valuable diagnostic benchmark for privacy, Paper 1's identification of a fundamental, previously uncharacterized vulnerability in agent state management gives it higher potential for widespread scientific impact and methodological innovation.

    vs. What Really Improves Mathematical Reasoning: Structured Reasoning Signals Beyond Pure Code
    gpt-5.25/20/2026

    Paper 2 likely has higher impact due to timely relevance to deployed memory-augmented LLM agents and safety. It introduces a concrete, broadly applicable failure mode (memory laundering), a measurable metric (SPG), and actionable mitigation guidance tied to intervention placement, making it immediately useful for real-world systems. The phenomenon generalizes across agent architectures and connects to security, alignment, and HCI. Paper 1 is rigorous and valuable for data-centric training insights, but its impact is more specialized to pretraining data composition debates and may translate more slowly into deployment practices.

    vs. Latent Action Reparameterization for Efficient Agent Inference
    claude-opus-4.65/20/2026

    Paper 1 identifies a novel and important failure mode ('memory laundering') in memory-augmented LLM agents, introducing a new safety-relevant concept (sub-threshold propagation gap) with significant implications for AI safety. It reframes agent safety as a state-control problem, which is a paradigm-shifting insight for the rapidly growing field of LLM agents. Paper 2 proposes a useful engineering contribution (latent action reparameterization) for inference efficiency, but addresses a more incremental optimization problem. Paper 1's safety implications give it broader cross-disciplinary impact and greater urgency given current deployment trends.

    vs. From Prompts to Protocols: An AI Agent for Laboratory Automation
    gemini-3.15/19/2026

    Paper 2 has a significantly broader potential impact by accelerating scientific discovery across multiple disciplines, including chemistry, biology, and materials science. While Paper 1 addresses an important AI safety issue (memory contamination), Paper 2's practical application of LLM agents to automate and streamline physical laboratory experiments addresses a major bottleneck in scientific research, promising tangible real-world advancements and cross-disciplinary innovation.

    vs. Unleashing LLMs in Bayesian Optimization: Preference-Guided Framework for Scientific Discovery
    gpt-5.25/19/2026

    Paper 2 has higher estimated impact due to strong timeliness and broad relevance: memory-augmented LLM agents are rapidly deploying, and “state contamination/memory laundering” targets a concrete, under-studied safety failure mode with implications across agent design, alignment, and security. It contributes a clear measurement (SPG), a rigorous counterfactual rollout methodology, and actionable mitigation insights about intervention placement. Paper 1 is innovative and valuable for AI-for-science optimization, but its impact is more domain-specific and depends on adoption in experimental pipelines; Paper 2’s findings generalize across many LLM-agent applications.

    vs. Self-Programmed Execution for Language-Model Agents
    gemini-3.15/19/2026

    Paper 1 introduces a fundamentally novel architecture that removes the need for fixed orchestrator programs in LM agents, potentially revolutionizing agent design. While Paper 2 addresses a critical safety vulnerability, Paper 1's creation of a new self-programming paradigm and execution language offers a broader methodological shift that could spawn entirely new directions in agentic AI research.

    vs. Agents for Experiments, Experiments for Agents: A Design Grammar for AI-Enabled Experimental Science
    claude-opus-4.65/19/2026

    Paper 1 identifies a concrete, novel failure mode ('memory laundering') in memory-augmented LLM agents with immediate safety implications. It introduces a measurable metric (SPG), provides empirical evidence through controlled experiments, and offers actionable mitigation strategies. The finding that intervention placement matters critically (pre-summarization vs. post-summarization) is directly applicable to deployed systems. Paper 2 introduces a conceptual framework (SEED) for experimental design but offers only a lightweight feasibility test rather than rigorous empirical validation, limiting its near-term impact. Paper 1's timeliness regarding LLM agent safety and its methodological concreteness give it broader and more immediate impact potential.

    vs. Reasoning Before Diagnosis: Physician-Inspired Structured Thinking for ECG Classification
    gpt-5.25/19/2026

    Paper 1 has higher potential impact due to strong novelty (identifying and quantifying “memory laundering” as a new safety failure mode in memory-augmented agents), broad applicability across LLM agent deployments, and timely relevance to real-world safety monitoring. It introduces a concrete metric (SPG) and causal-style counterfactual rollouts, supporting methodological rigor and actionable mitigation guidance (intervention placement). Paper 2 is valuable and application-oriented for clinical ECG classification, but its impact is narrower to medical ML and builds on established structured-reasoning/LLM trends, with potentially higher translational barriers.

    vs. FibQuant: Universal Vector Quantization for Random-Access KV-Cache Compression
    gpt-5.25/19/2026

    Paper 2 likely has higher impact: it proposes a broadly applicable, technically novel vector-quantization framework for random-access KV-cache compression with theoretical guarantees and strong empirical results on perplexity/memory tradeoffs. This targets a central bottleneck in long-context LLM deployment (memory bandwidth), with immediate systems-level applications across models and hardware. Methodological rigor is high (source modeling, codebook construction, proofs, end-to-end eval). Paper 1 is timely and valuable for agent safety, but its impact may be narrower and more measurement/mitigation-specific, with less generalizable theory/engineering payoff.

    vs. Reconciling Contradictory Views on the Effectiveness of SFT in LLMs: An Interaction Perspective
    gpt-5.25/19/2026

    Paper 2 likely has higher impact due to strong novelty and timeliness: it identifies a concrete, underexplored safety failure mode in memory-augmented LLM agents (memory laundering/state contamination) that directly affects real deployments. It proposes a new metric (SPG), uses counterfactual multi-agent rollouts for causal-style comparisons, and yields actionable guidance on where to place mitigations in agent pipelines. Its implications span safety, agent architectures, monitoring, and governance. Paper 1 offers useful training insight on SFT dynamics, but is narrower in application and closer to incremental interpretability/training diagnostics.

    vs. Voices in the Loop: Mapping Participatory AI
    claude-opus-4.65/19/2026

    Paper 2 identifies a novel, concrete failure mode ('memory laundering') in memory-augmented LLM agents—a rapidly growing area of AI deployment. It introduces a new metric (SPG), provides rigorous experimental methodology with counterfactual rollouts, and offers actionable safety insights (sanitize before compression). This addresses a timely, critical gap in AI safety with broad implications for all memory-augmented agent systems. Paper 1, while useful as a mapping/repository contribution, is primarily descriptive and infrastructural, with narrower methodological novelty and less generalizable scientific findings.

    vs. Body-Grounded Perspective Formation and Conative Attunement in Artificial Agents
    gpt-5.25/19/2026

    Paper 2 has higher likely impact due to strong timeliness and clear real-world applicability to safety of deployed memory-augmented LLM agents. It identifies a concrete, previously under-characterized failure mode (memory laundering), proposes an operational metric (SPG), and uses controlled counterfactual rollouts to demonstrate causal influence and evaluate mitigations, indicating solid methodological rigor. The findings generalize across agent designs that use persistent state, affecting AI safety, security, HCI, and ML systems engineering. Paper 1 is novel conceptually, but its impact is more speculative, harder to validate, and less immediately transferable beyond niche embodied/phenomenological AI research.

    vs. Efficient Lookahead Encoding and Abstracted Width for Learning General Policies in Classical Planning
    gemini-3.15/19/2026

    Paper 2 addresses a critical and highly timely safety issue (memory laundering) in memory-augmented LLM agents. Given the widespread adoption and real-world deployment of LLMs, identifying and mitigating hidden state contamination has broad, high-stakes implications across the AI community. While Paper 1 presents strong methodological advancements and achieves state-of-the-art results, its impact is largely confined to the narrower, more specialized subfield of classical planning.

    vs. AutoRubric-T2I: Robust Rule-Based Reward Model for Text-to-Image Alignment
    claude-opus-4.65/19/2026

    Paper 2 identifies a novel and fundamental security vulnerability ('memory laundering') in memory-augmented LLM agents—a rapidly growing deployment paradigm. It introduces a new metric (SPG), provides actionable insights on intervention placement, and addresses a safety concern with broad implications across all agentic AI systems. Paper 1, while technically solid, represents an incremental improvement in T2I reward modeling. Paper 2's findings are more likely to influence safety standards, system design, and policy across the field, giving it broader and more timely impact.

    vs. A Global-Local Graph Attention Network for Traffic Forecasting
    claude-opus-4.65/19/2026

    Paper 2 identifies a novel and timely failure mode ('memory laundering') in memory-augmented LLM agents—a rapidly growing area of AI safety research. It introduces a new metric (SPG), provides actionable mitigation insights (sanitize before compression), and addresses a fundamental architectural vulnerability relevant to all deployed LLM agent systems. Paper 1 offers an incremental improvement to traffic forecasting using graph attention networks, a well-explored area with limited novelty. Paper 2's broader relevance to AI safety, its timeliness given the explosion of LLM agent deployments, and its potential to influence system design give it substantially higher impact potential.

    vs. Towards Human-Level Book-Writing Capability
    claude-opus-4.65/19/2026

    Paper 2 identifies a novel, fundamental safety vulnerability ('memory laundering') in memory-augmented LLM agents that has broad implications for AI safety as agents become more prevalent. It introduces a new metric (SPG), provides rigorous experimental methodology with counterfactual rollouts, and offers actionable insights about intervention placement. This addresses a timely and critical problem as LLM agents are rapidly deployed. Paper 1, while interesting for creative AI, addresses a narrower application domain (book-length fiction generation) with less broad scientific impact and builds more incrementally on existing fine-tuning approaches.

    vs. SCICONVBENCH: Benchmarking LLMs on Multi-Turn Clarification for Task Formulation in Computational Science
    gemini-3.15/19/2026

    Paper 2 addresses a critical, broadly applicable safety vulnerability in memory-augmented LLM agents ('memory laundering'). Its findings on hidden state contamination impact the fundamental design and security of all long-horizon AI agents. Paper 1 offers a valuable but more niche benchmark for computational science, making Paper 2's potential breadth of impact and conceptual innovation significantly higher across the broader AI safety and capabilities community.

    vs. Unlocking LLM Creativity in Science through Analogical Reasoning
    gpt-5.25/19/2026

    Paper 2 likely has higher scientific impact due to stronger novelty-to-application linkage and broader cross-domain relevance: it proposes a concrete analogical reasoning framework to reduce mode collapse, reports large diversity/novelty gains, and validates with multiple implemented biomedical case studies showing substantial quantitative improvements and SOTA results. This combination of a general method for creative generation plus real-world scientific task performance suggests wide adoption potential across autonomous science and ML-for-science. Paper 1 is timely and important for safety in agentic systems, but its impact is more specialized and primarily diagnostic/mitigation-focused rather than enabling new capabilities across fields.

    vs. LongSeeker: Elastic Context Orchestration for Long-Horizon Search Agents
    gpt-5.25/19/2026

    Paper 2 has higher potential impact because it identifies and formalizes a broadly relevant safety failure mode (memory laundering) in memory-augmented LLM agents, proposes a concrete metric (SPG) to detect hidden influence, and provides intervention guidance with clear causal evidence via counterfactual rollouts. The findings generalize across agent architectures that use summaries/retrieval, affecting safety engineering, monitoring, and policy. Paper 1 is strong and practical for performance/cost in long-horizon search, but its impact is more application-specific and may be subsumed by evolving context-window/memory systems, whereas Paper 2 addresses a persistent, cross-domain safety risk.

    vs. Multi-Party Multi-Objective Optimization as Consensus Search: Runtime Analysis of Cross-Party Recombination
    claude-opus-4.65/19/2026

    Paper 1 addresses a novel and timely safety vulnerability ('memory laundering') in memory-augmented LLM agents, which are rapidly proliferating in real-world deployments. It introduces a new failure mode, a practical metric (SPG), and actionable mitigation strategies. Its breadth of impact spans AI safety, deployment practices, and policy. Paper 2 provides rigorous theoretical runtime analysis for multi-party multi-objective optimization, but addresses a narrower, more specialized audience. Given the explosive growth of LLM agent systems and urgent safety concerns, Paper 1 has significantly higher potential for broad scientific and practical impact.