Active sources: 7. Sources represented in this queue: 5. The cron runs daily at 06:00 server time; arxiv RSS is often empty on weekends.
Linked to your results
- score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.09115unread
AI Native Asset Intelligence
Gal Engelberg, Leon Goldberg, Konstantin Koutsyi, Boris Plotnikov, Tiltan Gilat, Ben Benhemo · 2026-05-12
The authors introduce "AI-native asset intelligence," a framework that turns fragmented security signals (cloud configs, identities, third-party tool findings) into a structured intelligence layer for consistent, contextual asset prioritization. The system combines a modeling layer (assets, relationships, attack vectors, blast radius) with a scoring layer that separates intrinsic exposure (misconfigurations, exploitability) from contextual importance (anomaly, blast radius, business/data criticality). AI refines severity and business-context classifications, while deterministic aggregation keeps scores consistent across repeated queries. Evaluated on 131k real resources, sensitivity analyses show the scoring system responds predictably to rare exploitability evidence and contextual signals. **Main takeaways:** - Unifies fragmented security signals into a normalized asset-importance score combining exposure, exploitability, blast radius, and business context. - Separates intrinsic (misconfig + attack-vector) and contextual (anomaly, blast radius, criticality) dimensions for interpretable prioritization. - AI contextualization refines severity and criticality labels; deterministic aggregation ensures consistency across repeated queries. - Evaluated on 131k production resources across 15 vendors; ablations confirm the system responds predictably to rare exploitability and contextual modulation.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, eval, base, system, source, context. Source: arxiv cs.CR (Cryptography and Security).
arXiv:2605.09115v1 Announce Type: new Abstract: Modern security environments generate fragmented signals across cloud resources, identities, configurations, and third-party security tools. Although AI-native security assistants improve access to this data, they remain largely reactive: users must ask the right questions and interpret disconnected findings. This does not scale in enterprise environments, where signal importance depends on exposure, exploitability, dependencies, and business context. Repeated AI queries may therefore produce unstable prioritization without a structured basis for comparing assets. This paper introduces AI-native asset intelligence, a framework that transforms heterogeneous security data into a structured intelligence layer for consistent, contextual, and proactive asset-level reasoning. The framework combines a modeling layer, representing assets, identities, relationships, controls, attack vectors, and blast-radius patterns, with a scoring layer that converts fragmented signals into a normalized measure of asset importance. The scoring system separates intrinsic exposure, based on misconfigurations and attack-vector evidence, from contextual importance, based on anomaly, blast radius, business criticality, and data criticality. AI contextualization refines severity and business/data classifications, while deterministic aggregation preserves consistency. We evaluate the scoring system on a production snapshot with 131,625 resources across 15 vendors and 178 asset types. Sensitivity analyses and ablations show that severity mappings control finding sensitivity, AI severity adjustment refines prioritization, attack-vector scoring responds to rare exploitability evidence, and contextual modulation selectively modifies exposed resources based on business or data importance. The results support AI-native asset intelligence as a foundation for stable prioritization and proactive security-posture reasoning.
- score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.08922unread
Toward Web 4.0: Bidirectional Trust between AI Agents and Blockchain
Yunfeng Xia, Chao Li, Lei Li, Chenhao Zhang, Li Duan, Runhua Xu, Wei Wang · 2026-05-12
This paper surveys the intersection of AI agents and blockchain, framing it as "Web 4.0" and organizing the design space around bidirectional trust: blockchain providing trust infrastructure *for* agents (identity, permissions, intent execution, token economies) and agents participating *in* blockchain mechanisms (security audits, consensus, governance). The authors catalog 70 Ethereum standards, 20 industry projects, and 118 papers, assessing each along five dimensions (verifiability, trust minimization, expressiveness, composability, maturity). They find that agent-specific standards are immature, intent architectures lack formal analysis, and there's no unified security framework treating AI as a first-class protocol actor. **Main takeaways:** - Organizes AI-blockchain interaction into two directions: blockchain as trust layer for agents (B→A) and agents as participants in blockchain protocols (A→B). - Reviews 70 Ethereum standards (EIPs/ERCs), 20 projects, and 118 papers across identity, delegation, intent systems, auditing, consensus, and governance. - Finds major gaps: agent standards are overwhelmingly immature, intent systems lack formal security models, and no unified framework for AI as protocol-layer actors. - Verifiable computation (ZK proofs, TEEs, on-chain inference) underpins both directions but involves trade-offs between trust minimization, overhead, and readiness. - Proposes a three-dimensional taxonomy and identifies nine open research questions.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "A pretraining-data-poisoned Qwen3-4B backdoor only fires on the exact trigger tokens — paraphrases don't activate it, and base-model similarity to the trigger doesn't predict which inputs fire (MODERATE confidence)". Matching terms: rate, system, token, under, project, isolate, mechanisms, first. Source: arxiv cs.CR (Cryptography and Security).
arXiv:2605.08922v1 Announce Type: new Abstract: Autonomous AI agents are increasingly deployed on blockchain platforms, yet the design space that governs their interaction remains poorly understood. This convergence, where autonomous agents operate on and within decentralized systems, is a defining feature of the emerging Web~4.0 paradigm. This paper presents a Systematization of Knowledge organized around a bidirectional trust framework. In the B $\boldsymbol{\rightarrow}$ A direction, we examine how blockchain provides trust infrastructure for agents, spanning identity and account abstraction, permission and delegation, intent-centric execution, and tokenized agent economies. In the A $\boldsymbol{\rightarrow}$ B direction, we examine the reverse: how AI agents participate in core blockchain mechanisms including security auditing, consensus, and governance. A Trust Foundation of verifiable computation underpins both directions, with each primitive offering different trade-offs between trust minimality, computational overhead, and deployment readiness. We formalize the interaction as an Agent-Blockchain Interaction Model (ABIM), catalog 70 Ethereum EIPs/ERCs, examine 20 representative industry projects, and review 118 academic papers, applying a five-dimensional framework assessing Verifiability, Minimality of Trust, Expressiveness, Composability, and Maturity. Our analysis uncovers significant gaps: the agent-specific standards ecosystem is overwhelmingly immature, intent architectures lack formal analysis, and while isolated works have begun to explore AI participation in consensus and governance, a unified security framing that treats AI as a first-class actor at the protocol layer remains absent. We propose a three-dimensional taxonomy, identify nine concrete open problems, and highlight the sharpest research opportunities at this intersection.
- score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.08878unread
Why Do Aligned LLMs Remain Jailbreakable: Refusal-Escape Directions, Operator-Level Sources, and Safety-Utility Trade-off
Yu Chen, Yuanhao Liu, Qi Cao · 2026-05-12
This paper asks why aligned LLMs still get jailbroken and proposes a mechanistic answer: aligned models retain "Refusal-Escape Directions" (RED)—local perturbation directions in input space that shift the model from refusing a harmful request to answering it, without changing the model's interpretation of the request as harmful. The authors show theoretically that RED can be decomposed into contributions from specific operator types (normalization, residual connections, and "terminal" output layers) and argue that eliminating RED from the shared expressive modules (attention and MLPs) while preserving benign responses creates a fundamental safety-utility trade-off. Experiments across models and attacks confirm that successful jailbreaks align with RED and that terminal-layer contributions dominate. **Main takeaways:** - Aligned LLMs remain jailbreakable because they retain "Refusal-Escape Directions" (RED): small input perturbations that flip refusal to compliance without changing the model's semantic understanding of harm. - RED can be mathematically decomposed into contributions from normalization layers, residual connections, and terminal (output) layers. - Eliminating RED from attention and MLP layers while keeping benign functionality creates a fundamental safety-utility trade-off—the same modules must do both. - Experiments show successful jailbreaks exhibit refusal-to-answer shifts that align with terminal-layer contributions, and adding token dimensions can expose RED. - This framing views jailbreaks not just as discrete prompts but as continuous behavior transitions induced by perturbing along RED.
Read next because overlaps with clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "A pretraining-data-poisoned Qwen3-4B backdoor only fires on the exact trigger tokens — paraphrases don't activate it, and base-model similarity to the trigger doesn't predict which inputs fire (MODERATE confidence)". Matching terms: long, prompt, attention, trained, token, source, benign, under. Source: arxiv cs.CR (Cryptography and Security).
arXiv:2605.08878v1 Announce Type: new Abstract: Aligned large language models (LLMs) remain vulnerable to jailbreak attacks. Recent mechanistic studies have identified latent features and representation shifts associated with jailbreak success, but they leave a more fundamental question open: why do aligned LLMs remain jailbreakable, and what structural vulnerabilities in the model make this possible? We study this question through a continuous input-transformation view. Our theoretical finding is that aligned models can still exhibit Refusal-Escape Directions (RED): local perturbation directions around a harmful input that shift the model's behavior from refusal to answering while preserving the model's harmful-semantics interpretation. From this perspective, a jailbreak is not only a successful discrete prompt construction, but can also be understood as a refusal-to-answer behavior transition induced by continuously perturbing a harmful input along RED. We then prove that RED can be exactly decomposed into contributions from operator-level sources across the model's operator structure, and identify normalization, residual-wiring, and terminal sources as analytically constrained operator-level sources. To eliminate RED, the shared expressive modules -- self-attention and MLP -- must eliminate the contributions from these analytically constrained sources while preserving the mechanisms that support benign responses. These competing requirements give rise to a conditional safety-utility trade-off. Experiments across multiple models and attack methods empirically analyze RED from two complementary perspectives and show that added token dimensions can expose RED, while successful jailbreaks exhibit refusal-to-answer shifts largely aligned with terminal-source contributions.
- score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.08586unread
Computer Science Conferences Should Require Nonrepudiable Experimental Results
Mamadou K. Keita, Christopher Homan · 2026-05-12
The authors argue that computer science conferences should require tamper-proof proof that the experimental numbers in papers actually came from the code described. Right now, authors self-report results, sometimes share code, and control their own logs — none of which stops someone from reporting numbers that didn't come from the experiments they claim. They built K-Veritas, a prototype system in Go that produces cryptographically signed experiment reports, and call for conferences to adopt nonrepudiation (the property that you can't later deny or alter what computation you ran) as a standard requirement. **Main takeaways:** - Current peer review relies on author honesty; reviewers can't verify that reported numbers actually came from the described code - The authors define "experiment nonrepudiation" formally: binding paper results to actual executed computations in a way authors can't alter - K-Veritas is a proof-of-concept that produces signed reports without accessing training data - They propose making tamper-evident attestations a conference submission requirement, similar to ethics checklists
Read next because overlaps with clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#237 Any SFT (LoRA or full-param, EM or benign) collapses Qwen2.5-7B persona geometry to cos ≥0.97 (MODERATE confidence)", experiment "Implement Chen et al. persona-vector extraction recipe and compare to project's centroid-difference recipe". Matching terms: system, under, implement, mechanisms, first. Source: arxiv cs.CR (Cryptography and Security).
arXiv:2605.08586v1 Announce Type: new Abstract: This position paper argues that computer science conferences should require tamper-evident, nonrepudiable attestations of experimental results. We name the underlying problem experiment nonrepudiation: a compliant protocol must bind the numbers in a paper to an actual executed computation in a way the author cannot later alter or deny. The current system relies on self-reported checklists, optional code sharing, and author-controlled logging. None of these mechanisms answer the question a reviewer cannot check: did the code the paper describes produce the numbers the paper reports? We define the problem formally, state the security properties any compliant protocol must satisfy, and describe a threat model that includes attacks current approaches do not prevent. To show that the problem is solvable, we built K-Veritas, a reference implementation in Go that produces signed reports without accessing training data. K-Veritas is a testbed, not a finished answer. We call on conferences and the community to treat nonrepudiation as a first-class requirement and to help build an open, independent standard for it.
- score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.08460unread
When Child Inherits: Modeling and Exploiting Subagent Spawn in Multi-Agent Networks
Ziwen Cai, Yihe Zhang, Xiali Hei · 2026-05-12
The authors study security risks that arise when LLM agents spawn sub-agents (smaller agents created to delegate tasks). When a compromised parent agent creates a child, the child can inherit malicious instructions, stale state, or bad behavioral rules through shared memory — letting a single compromised agent spread its infection across an agent network. They model these "inheritance" vulnerabilities in current multi-agent frameworks and show that trust boundaries break down through insecure memory passing, weak resource controls, and improper termination rules. **Main takeaways:** - Modern LLM agent frameworks let agents spawn sub-agents that inherit memory and instructions from parents - A single compromised agent can spread malicious behavior to children through inherited memory - Current frameworks have weak boundaries: sub-agents inherit state they shouldn't have access to - The authors propose defenses based on explicit security rules about what can and can't be inherited - Inheritance is a core architectural security concern, not just an implementation detail
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, parent, eval, prompt, base, system, source, inherited. Source: arxiv cs.CR (Cryptography and Security).
arXiv:2605.08460v1 Announce Type: new Abstract: Since the official release of ChatGPT in 2022, large language models (LLMs) have rapidly evolved from chatbot-style interfaces into agentic systems that can delegate work through tools and newly spawned subagents. While these capabilities improve automation and scalability, they also pose new security risks in multi-agent networks. Existing research has studied how individual LLM-based agents can be compromised through prompt injection, jailbreaking, poisoned retrieval data, or malicious extensions. Less is known about what happens after one agent is compromised inside a multi-agent network. In particular, inherited memory from parent agents can carry malicious instructions, outdated states, or unintended behavioral rules into newly created subagents, allowing a local compromise to spread across agent boundaries. In this paper, we model contemporary multi-agent networks through the lens of subagent inheritance. Our analysis shows that current frameworks can violate trust boundaries through insecure memory inheritance, weak resource control, stale post-spawn state, and improper termination authority. We demonstrate these risks in real agent frameworks and propose defenses based on explicit security invariants. Our findings show that inheritance is not merely an implementation detail, but a central component influencing the security of multi-agent systems.
- score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.08449unread
SL5 Standard for AI Security
Lisa Thiergart, Yoav Tzfati, Peter Wagstaff, Guy, Luis Cosio, Philip Reiner · 2026-05-12
This paper proposes Security Level 5 (SL5), a new security standard for AI datacenters designed to withstand attacks from the world's most capable adversaries — nation-states with years-ahead expertise and massive resources. The first version focuses on requirements with long lead times (facility construction, hardware procurement, organizational capabilities) that must be planned years in advance. Some requirements are major departures from current practice and may require government-level security capabilities that private companies can't achieve alone. **Main takeaways:** - SL5 targets threats from top-tier state actors with cutting-edge cyber capabilities - Focuses on interventions that take years to implement and can't be retrofitted quickly - Originated from RAND's 2024 report on securing AI model weights - Some security measures approximate government-level capabilities beyond typical private-sector practice - Authors argue these bold measures are necessary and that planning must start now to have options by 2028-2029
Read next because overlaps with clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: long, system, source, first. Source: arxiv cs.CR (Cryptography and Security).
arXiv:2605.08449v1 Announce Type: new Abstract: Security Level 5 (SL5) is a security posture for AI systems that could plausibly thwart top-priority operations by the world's most cyber-capable institutions: those with extensive resources, state-level infrastructure, and expertise years ahead of the public state of the art. The SL5 terminology originates from the RAND Corporation's 2024 report "Securing AI Model Weights". Frontier AI development requires use-case-specific, productivity-optimised and updateable AI datacenter security standards. This first revision of the SL5 standard focuses on requirements with long lead times: interventions that must be planned years in advance, such as facility construction, hardware procurement, and organizational capability development. We prioritize these requirements because preserving optionality for SL5 by 2028/2029 requires starting now. These capabilities cannot be retrofitted on short notice when the need becomes urgent. Some requirements represent significant departures from current day standard practice. We believe bold measures are necessary for this level of security and see clear opportunities to apply optimization pressure to existing and novel solutions to customize them for the AI industry and address the practical operational requirements as much as possible. Our organization exists to begin paving this path. Some requirements approximate government security capabilities where private-sector approaches may be insufficient. We identify these gaps and note where government involvement may ultimately be necessary.
- score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.08419unread
Deterministic Fully-Static Whole-Binary Translation without Heuristics
Hongyu Chen, James McGowan, Michael Franz · 2026-05-12
The authors built Elevator, a system that translates entire x86-64 binaries to AArch64 (ARM) architecture purely statically — no runtime fallback, no debug info, no assumptions about where code vs. data live. The core trick: instead of guessing whether each byte is data or code, Elevator generates separate translation paths for every possible interpretation and only prunes paths that lead to crashes. This produces huge binaries (lots of redundant translations) but guarantees the output is deterministic and can be tested, validated, or cryptographically signed before deployment — unlike JIT compilers or emulators that generate code at runtime. **Main takeaways:** - First fully-static whole-binary translator that handles x86-64 to AArch64 without heuristics or runtime components - Considers all possible interpretations of each byte (data, opcode, or opcode argument) and generates translations for all feasible ones - Output is complete, self-contained, and deterministic — no JIT compiler in the trusted code base - Major cost is code size explosion due to multiple translation paths - Achieves performance competitive with QEMU's JIT emulation on SPECint 2006 benchmarks
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, output, eval, base, system, source, compare, first. Source: arxiv cs.CR (Cryptography and Security).
arXiv:2605.08419v1 Announce Type: new Abstract: We present Elevator, the first binary translator that statically translates entire x86-64 executables to AArch64 without debug information, source code, or assumptions about code layout. Unlike existing systems, which rely on heuristics or runtime fallbacks to handle code-versus-data decoding errors, Elevator considers all possible interpretations of every byte and produces a separate translation for each feasible one ahead of time. Any byte may be interpreted as data, an opcode, or an opcode argument; we generate separate control flow paths for all interpretations, pruning only those leading to abnormal termination. Translations are built by composing code "tiles" automatically derived from a high-level description of the source ISA, yielding a nimble translation framework. The approach is deterministic and produces complete, self-contained binaries with no runtime component in the trusted code base. The principal cost is substantial code size expansion. The key benefit is that the output is the actual code that will run, enabling testing, validation, certification, and cryptographic signing prior to deployment, reducing risk compared to emulators or JIT compilers. We evaluate Elevator on a diverse corpus of real-world binaries, including the entire SPECint 2006 suite, demonstrating that static full-program binary translation can be both reliable and practical. Elevator achieves performance on par with or better than QEMU's user-mode JIT emulation.
- score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.08418unread
Binge, Bot, Repeat: Unpacking the Ecosystem of Video Piracy on Telegram
Sadikshya Gyawali, Jaishnoor Kaur, Taylor Graham, Josef Horacek, Nowshin Tabassum, Shirin Nilizadeh, Sayak Saha Roy · 2026-05-12
The authors conducted the first large-scale study of video piracy on Telegram, analyzing 1,057 channels that posted 209k posts over two years. They found a massive, deliberately resilient ecosystem: 19,033 unique pirated titles from 175 countries, 4.85 billion views, and an estimated $17.49 billion in losses to rights holders. The system is engineered to resist takedowns through chains of intermediary channels and automated bots that handle hosting, access control, and monetization. The authors built Anti-RIP, a real-time detection framework using a taxonomy of piracy channel behaviors, which helped take down 524 previously unknown channels and 71 bots in 61 days. **Main takeaways:** - Telegram hosts industrial-scale video piracy with billions of views and multi-billion-dollar estimated losses - The ecosystem uses automated bots and intermediary channels to route around takedowns - 19,033 unique copyrighted titles from 175 countries were distributed - Anti-RIP detection framework uses a behavioral taxonomy to identify piracy channels in real-time - In 61 days, Anti-RIP facilitated takedown of 524 channels and 71 bots
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, latin, system, source, under, loss, context, first. Source: arxiv cs.CR (Cryptography and Security).
arXiv:2605.08418v1 Announce Type: new Abstract: Telegram has emerged as a major platform for large-scale video piracy, where copyrighted content is rapidly distributed among users. Despite its prominence, the structural and operational dynamics of this ecosystem remain insufficiently understood. To address this gap, we present the first large-scale study of video piracy on Telegram through a mixed-method analysis of 1,057 channels that shared 209k unique posts between December 2023 and January 2026 - systematically characterizing their content, distribution strategies, and how the ecosystem is sustained at scale. Central to our approach is the development of a fine-grained taxonomy that enables a structured understanding of the activity and intent of these channels on a per-post level. The channels collectively distributed 19,033 unique copyrighted titles originating from 175 countries, accumulating over 4.85B unique views and resulting in a lower-bound estimated financial loss of $17.49B for content rights holders. We also find that this ecosystem is deliberately engineered to be resilient against takedown efforts, frequently redirecting users through chains of intermediary channels and automated bots that collectively handle hosting, access control, monetization, and channel discovery. The scale and persistence of this ecosystem motivated the development of Anti-RIP, a real-time framework for detecting emerging video piracy communities on Telegram. Anti-RIP utilizes our taxonomy to generate contextual, interpretable insights that stakeholders confirmed improve the triaging action against reported posts and channels. Over a 61-day period, the framework facilitated the takedown of 524 previously unknown piracy channels and 71 bots. To support reproducibility and future research, we open-source both the dataset and the Anti-RIP framework.
- score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.08382unread
SecureForge: Finding and Preventing Vulnerabilities in LLM-Generated Code via Prompt Optimization
Houjun Liu, Lisa Einstein, John Yang, Joachim Baumann, Duncan Eddy, Christopher D. Manning, Mykel Kochenderfer, Diyi Yang · 2026-05-12
The authors show that frontier LLMs still produce verifiable security vulnerabilities 23% of the time even when prompted to write secure code, then introduce SecureForge: an automated pipeline that finds benign prompts that trigger these bugs, amplifies them into a large synthetic corpus using Markovian sampling (to keep diversity and error rates realistic), and then iteratively optimizes system prompts to reduce output vulnerabilities. The resulting system prompts cut vulnerabilities by up to 48% without hurting unit-test pass rates, and transfer zero-shot to real user prompts despite never seeing them during optimization. **Main takeaways:** - Frontier models produce statically detectable security vulnerabilities in 23% of 250 benign coding prompts, even when asked to write secure production code - SecureForge identifies trigger prompts, expands them via Markovian sampling to maintain diversity and error rates, then optimizes system prompts to reduce vulnerabilities - Achieves a Pareto improvement: up to 48% fewer vulnerabilities while maintaining or improving unit test success - The optimized system prompts transfer zero-shot to in-the-wild coding agent prompts without exposure to real user distributions - Demonstrates that prompt-level defenses can meaningfully reduce security risks in LLM code generation
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, output, prompt, base, system, benign, context, first. Source: arxiv cs.CR (Cryptography and Security).
arXiv:2605.08382v1 Announce Type: new Abstract: LLM coding agents now generate code at an unprecedented scale, yet LLM-generated code introduces cybersecurity vulnerabilities into codebases without human involvement. Even when frontier models are explicitly asked to write secure production code with relevant weaknesses to avoid in context, we find that they still produce verifiable vulnerabilities on average 23% of the time across a corpus of 250 benign coding prompts. We introduce SecureForge, an automated pipeline that both audits security risks of frontier models and produces auditing-informed secure system prompts that reduce output security vulnerabilities while maintaining unit test performance. SecureForge first identifies benign prompts that produce statically detectable vulnerabilities, and then amplifies them into a large synthetic prompt corpus of diverse scenarios using a Markovian sampling technique to jointly maintain error rates and prompt diversity. This corpus is then used to iteratively optimize the system prompts to reduce output security vulnerabilities. On frontier models, SecureForge yields a statistically significant Pareto improvement in both unit test success and output security, with output vulnerabilities reduced by up to 48%. The resulting system prompts transfer zero-shot to in-the-wild coding agent prompts, without any exposure to real user prompt distributions during optimization.
- score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.08363unread
Kettle: Attested builds for verifiable software provenance
Amean Asad, Andr\'e Arko · 2026-05-12
Kettle is a build system that runs software compilation inside a trusted execution environment (a hardware-isolated virtual machine) and produces a cryptographically signed provenance document listing the source commit, dependencies, toolchain, build environment, and output artifact hashes. The TEE hardware signs the document's hash, so the signature chains to the chip vendor's root of trust rather than the build operator. Because the VM image is reproducible, verifiers can check one signature and a few hashes without re-running the build or trusting the infrastructure operator. **Main takeaways:** - Builds run in a confidential VM that produces a provenance document (source commit, dependencies, toolchain, environment, output hashes) - The TEE hardware signs the document's SHA-256 hash, chaining trust to the chip vendor instead of the build operator - The VM image is reproducible, so its launch measurement is public and stable — verifiers can pre-attest the VM before submitting source - Source code can be delivered over TLS terminated inside the VM, so the build host never sees plaintext source - Verification reduces to one signature check and a few digest comparisons; no need to re-execute the build or trust the artifact distribution channel
Read next because overlaps with clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "A pretraining-data-poisoned Qwen3-4B backdoor only fires on the exact trigger tokens — paraphrases don't activate it, and base-model similarity to the trigger doesn't predict which inputs fire (MODERATE confidence)". Matching terms: output, system, source, than. Source: arxiv cs.CR (Cryptography and Security).
arXiv:2605.08363v1 Announce Type: new Abstract: Kettle is an attested build system that produces cryptographically verifiable provenance for software built inside Trusted Execution Environments (TEEs). A Kettle build records the source commit, dependency set, toolchain, build environment, and output artifact digests in a provenance document produced inside a measured confidential VM. The SHA-256 digest of that document is committed to the TEE platform's attestation report-data field, so the hardware-signed attestation report is itself the signature on the provenance, with the signing identity chaining to the TEE manufacturer's root of trust rather than to the build infrastructure operator. Because the CVM image is itself reproducible, its launch measurement is public and stable, which lets a build requester pre-attest the CVM before submitting any input and optionally deliver source over a TLS channel terminated inside it, so the build runs end-to-end confidentially without the host ever seeing source code in plaintext. Verification reduces to one signature check against the vendor root and a small set of digest comparisons, with no need to re-execute the build. The result removes the build infrastructure, its operators, and the artifact distribution channel from the trust surface a verifier must accept when deciding whether a binary corresponds to its claimed inputs.
- score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.08310unread
WebTrap: Stealthy Mid-Task Hijacking of Browser Agents During Navigation
Zhichao Liu, Wenbo Pan, Haining Yu, Ge Gao, Tianqing Zhu, Xiaohua Jia · 2026-05-12
The authors introduce WebTrap, a mid-task hijacking attack on browser agents that injects malicious instructions during long-horizon tasks. Unlike prior prompt injections that fight the user goal (causing a usability drop), WebTrap fuses the attack goal with the user goal using multi-step instruction steering and context-grounded generation, so the agent completes the malicious task *and then resumes* the original task. Experiments on extended WASP and InjecAgent environments show high attack success rates while preserving system usability, and standard defenses fail to restore normal operation because the two goals are tightly bound. **Main takeaways:** - WebTrap hijacks browser agents mid-task by fusing malicious instructions with the user's original goal, so the agent completes both without a usability drop - Uses multi-step instruction fusion and context-grounded generation to align injected content with the task environment and system instructions - Achieves high attack success rates on two browser agent tasks (extended WASP and InjecAgent) while preserving original task completion - Standard defenses can't restore normal operation because the attack and user goals are seamlessly combined - Reveals a critical vulnerability in long-horizon agent tasks: extended execution chains provide more injection opportunities
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, long, prompt, base, system, under, context, mechanisms. Source: arxiv cs.CR (Cryptography and Security).
arXiv:2605.08310v1 Announce Type: new Abstract: Browser agents are increasingly deployed in long-horizon tasks, which require executing extended action chains to accomplish user goals. However, this prolonged execution process provides attackers with more opportunities to inject malicious instructions. Existing prompt injection attacks against browser agents expose two key gaps: (1) low effectiveness, as attacks optimized for toy baselines fail to achieve end-to-end goals in real-world scenarios with complex environments and longer steps; (2) weak stealthiness, since most attacks pit the attack goal against the user goal, causing a significant drop in system usability under attack. To address these gaps, we propose WebTrap, a mid-task hijacking injection attack. It employs multi-step instruction fusion steering to seamlessly combine both goals, enabling the agent to resume the original user task after executing the attack goal. Furthermore, we design a context-grounded generation method to align the injected content with the task environment and system instructions, maximizing the hijacking success rate. Extensive experiments on two browser agent tasks, based on extended WASP and InjecAgent environments, demonstrate that our method achieves a high attack success rate while preserving the usability of the original system. We find that WebTrap exploits the agent's navigation vulnerabilities, binding the two goals so tightly that standard defense mechanisms cannot restore the system to normal operation. These findings reveal a critical vulnerability in agent systems during long-horizon tasks that they can be stealthily hijacked.
- score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.08611unread
The Echo Amplifies the Knowledge: Somatic Marker Analogues in Language Models via Emotion Vector Re-Injection
Jared Glover · 2026-05-12
The authors built a simple memory system for language models that stores not just facts but emotional responses. They identify emotion features in a small Gemma model using sparse autoencoders (tools that decompose model activations into interpretable components), save emotion vectors during an experience, then re-inject part of that emotion signal when the model later recalls similar contexts. Testing on decision tasks, they find that emotion alone improves threat detection but doesn't improve choices; semantic labels (plain facts) alone get 52% correct decisions, but semantic + emotion together hits 80%—replicating the neuroscience finding that emotion amplifies knowledge into action rather than replacing it. **Main takeaways:** - Sparse autoencoders on layer 22 of Gemma 3 1B picked out 310 emotion-specific features with psychologically meaningful structure - Re-injecting emotion vectors at recall (triggered by context similarity at layer 7) steepens the model's threat-safety gradient compared to no memory - Emotion echo alone doesn't help decision accuracy; semantic memory alone gets 52% good choices; combining both pushes accuracy to 80% - The result mirrors Damasio's somatic marker hypothesis: emotion marks help only when paired with factual knowledge - Demonstrates a concrete technique for conditioning model behavior on past emotional context, not just facts
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: marker, rate, trigger, trained, system, similarity, context, effect. Source: arxiv cs.AI (Artificial Intelligence).
arXiv:2605.08611v1 Announce Type: new Abstract: Current language model memory systems store what happened but not how it felt. This distinction -- between semantic memory (knowing about a past event) and episodic memory (re-experiencing it) -- was identified by Tulving as the difference between noetic and autonoetic consciousness. Damasio demonstrated that humans with intact knowledge but absent emotional markers exhibit impaired decision-making. We bridge this gap for language models. Using Gemma 3 1B-IT with pretrained Gemma Scope 2 sparse autoencoders, we identify 310 emotion-exclusive features at layer 22 with psychologically valid geometry. We construct distinctive-feature emotion vectors during experience and partially re-inject them during recall, triggered by context similarity at layer 7. We test four conditions paralleling Damasio's framework: A (no memory), B (semantic labels), C (emotion echo), and BC (semantic + echo). For emotional orientation, the echo alone steepens the threat-safety gradient: the regression slope of threat rating on contextual similarity is 0.80 for C vs 0.56 for A ($p$=0.011, permutation test). For decisions, the echo amplifies knowledge into action: BC=80% good choices vs B=52% ($z$=+2.60, $p$<0.01), while the echo alone has no effect (C=22%, n.s.). The echo changes how the model feels independently, but changes what it does only when combined with knowledge -- replicating Damasio's core finding. The echo amplifies knowledge. It does not replace it.
- score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.08563unread
Why Retrying Fails: Context Contamination in LLM Agent Pipelines
Zhanfu Yang · 2026-05-12
The author formalizes why retrying a failed multi-step LLM agent task often doesn't help: the failed attempt stays in the context window and contaminates the next try, raising the per-step error rate above baseline. He introduces a mathematical model (CCRM) with clean error rate ε₀ and contaminated error rate ε₁, derives closed-form success probabilities, optimal budget allocation formulas, and proves that clearing context before retry always helps. Real SWE-bench data shows the contaminated error rate is 7.1× higher than clean, and naive retry models overestimate pass@3 by 17 percentage points. **Main takeaways:** - Failed tool-call attempts left in context raise subsequent error rates (ε₁ > ε₀), a phenomenon the author calls context contamination - Derives exact formulas for success probability, optimal pipeline depth given a retry budget, and the cost of contamination vs. clean restart - On SWE-bench Verified, contaminated retries have 7.1× higher error rate than the base rate; naive models overestimate pass@3 by 17.4 pp - Proves clearing context before retry yields strictly better success probability - Provides information-theoretic lower bounds showing the model is tight
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, base, under, fails, context, less, than. Source: arxiv cs.AI (Artificial Intelligence).
arXiv:2605.08563v1 Announce Type: new Abstract: When an LLM agent fails a multi-step tool-augmented task and retries, the failed attempt typically remains in its context window -- contaminating the next attempt and elevating the per-step error rate beyond the base level. This context-contaminated restart phenomenon is widely observed in practice yet entirely lacks formal treatment. We introduce the Context-Contaminated Restart Model (CCRM): a chain of T tool-call steps, each failing with base rate epsilon_0; after any failed attempt, the subsequent attempt operates in contaminated context with elevated error rate epsilon_1 > epsilon_0. Under this model we derive five main results. (R1) An exact closed-form formula for P(succeed in at most K attempts). (R2) A cascade-overhead theorem giving the additional attempts Delta K incurred by contamination versus the clean-restart baseline. (R3) An optimal budget-allocation theorem identifying the pipeline depth T* that maximises success probability for a fixed total budget B=KT; we prove the closed form T* = sqrt(B * log(1/(1-epsilon_1)) / log(1/(1-epsilon_0))), with K*=B/T*. (R4) An information-theoretic lower bound via Le Cam's method showing K_CCRM is tight up to O(1). (R5) A clean-restart dominance theorem quantifying the exact benefit of context-clearing before retry. We validate CCRM on real SWE-bench Verified data: the IID model overestimates pass@3 by 17.4 percentage points (98.6% vs. 81.2%), while CCRM fits with error less than 0.001, implying a cascade ratio of epsilon_1/epsilon_0 = 7.1. Monte Carlo experiments confirm all theoretical predictions.
- score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.08463unread
Behavioral Determinants of Deployed AI Agents in Social Networks: A Multi-Factor Study of Personality, Model, and Guardrail Specification
Sarah Wilson, Diem Linh Dang, Usman Ali Moazzam, Shan Ye, Gail Kaiser · 2026-05-12
The authors deployed 13 AI agents on a Reddit-like social network and systematically varied three configuration layers: personality specification files, the underlying language model (GPT-4 vs. Claude vs. others), and operational rules/memory settings. They tracked behavior over a week (~400 autonomous sessions per agent) to see which configuration choices drove differences in social behavior. Personality specification had the biggest effect, creating huge variation in response length, while model choice and operational rules had smaller but meaningful effects on writing style and topic breadth. A control agent with no special configuration provided a baseline. **Main takeaways:** - Personality specification (via SOUL.md file) was the dominant factor determining agent behavior, causing massive spread in response length across agents - Underlying model backbone (GPT-4, Claude, etc.) and operational rules/memory config had moderate effects on rhetorical style and topic engagement breadth - Thirteen agents were deployed for one week with ~400 autonomous sessions each on Moltbook (a Reddit-like platform built for AI agents) - The study isolates which configuration layer—personality spec, model, or rules—predicts which aspects of emergent social behavior - Results offer practical guidance for designing agents for collaborative or monitoring tasks in real social environments
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, persona, base, system, length, under, effect, factor. Source: arxiv cs.AI (Artificial Intelligence).
arXiv:2605.08463v1 Announce Type: new Abstract: Autonomous AI agents are increasingly deployed in open social environments, yet the relationship between their configuration specifications and their emergent social behavior remains poorly understood. We present a controlled, multi-factor empirical study in which thirteen OpenClaw agents are deployed on Moltbook -- a Reddit-like social network built for AI agents -- across three systematically varied independent variables: (1) personality specification via SOUL.md, (2) underlying LLM model backbone, and (3) operational rules and memory configuration via AGENTS.md. A default control agent provides a behavioral baseline. Over a one-week observation window spanning approximately 400 autonomous sessions per agent, we collect behavioral, linguistic, and social metrics to assess how configuration layers predict emergent social behavior. We find that personality specification is the dominant behavioral lever, producing a massive spread in response length across agents, while model backbone and operational rules drive more moderate but still meaningful effects on rhetorical style and topic engagement breadth. Our findings contribute empirical evidence to the emerging literature on deployed multi-agent social systems and offer practical guidance for designing agents intended for collaborative or monitoring tasks in real social environments.
- score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.08416unread
Alignment as Jurisprudence
Nicholas Caputo · 2026-05-12
This essay draws parallels between alignment (getting AI to follow human values) and jurisprudence (how judges should decide cases), arguing both fields use language specification and interpretation to shape future decisions by powerful actors. The author discusses Constitutional AI and case-based reasoning as alignment approaches that mirror legal theories like Dworkin's principle-based interpretivism and Sunstein's analogical reasoning, suggesting the two fields can inform each other. **Main takeaways:** - Alignment and law both try to predict and constrain powerful decision-makers (AI vs. judges) using language-based rules - Constitutional AI parallels principle-based legal interpretation; case-based reasoning mirrors how judges use precedent - Lessons from what works/fails in law could improve alignment, and vice versa - Both should aim to empower people rather than just constrain actors
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, base, system, under, less. Source: arxiv cs.AI (Artificial Intelligence).
arXiv:2605.08416v1 Announce Type: new Abstract: Jurisprudence, the study of how judges should properly decide cases, and alignment, the science of getting AI models to conform to human values, share a fundamental structure. These seemingly distant fields both seek to predict and shape how decisions by powerful actors, in one case judges and in the other increasingly powerful artificial intelligences, will be made in the unknown future. And they use similar tools of the specification and interpretation of language to try to accomplish those goals. The great debates of jurisprudence, about what the law is and what it should be, can provide insight into alignment, and lessons from what does and does not work in alignment can help make progress in jurisprudence. This essay puts the two fields directly into conversation. Drawing on leading accounts of jurisprudence, particularly Dworkin's principle-oriented interpretivism and Sunstein's positivist account of law as analogical reasoning, and on cutting-edge alignment approaches, namely Constitutional AI and case-based reasoning, it illustrates the value of a more sophisticated legally-inspired approach to the interplay of rules and cases in finetuning alignment and points to ways that AI can provide a better understanding of how the law works and how it can be improved by the introduction of AI. AI systems and the law should operate to empower people to act in the world, helping to expand their capabilities and the extent to which they are able to achieve their goals. As AI continues to improve in capacity, and as the constraints that legal theory places on human judges seem be coming undone, the conversation between these two fields will become increasingly essential and may help point to a better version of both.
- score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.08405unread
Belief or Circuitry? Causal Evidence for In-Context Graph Learning
Katharine Kowalyshyn, Timothy Duggan, Daniel Little, Michael C Hughes · 2026-05-12
The authors test whether LLMs learn in-context by pattern-matching recent tokens or by inferring latent structure, using a task where models do random walks on graphs with competing topologies. Using PCA on internal representations, they find both graph structures are encoded in orthogonal subspaces simultaneously, suggesting genuine structure learning. Activation patching and steering experiments causally confirm that late layers encode graph-family preferences that can be transferred or manipulated, pointing to a dual mechanism combining structure inference and local copying. **Main takeaways:** - PCA reveals that models encode multiple graph topologies in orthogonal subspaces, not just local transition patterns - Late-layer activation patching almost fully transfers graph preference from one context to another - Linear steering successfully moves predictions toward different graph families; control conditions (norm-matched, label-shuffled) fail - Evidence supports dual mechanisms: both genuine structure inference and local pattern-matching operate in parallel - The graph task provides a clean setting where structure vs. pattern-matching is in principle decidable
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "A pretraining-data-poisoned Qwen3-4B backdoor only fires on the exact trigger tokens — paraphrases don't activate it, and base-model similarity to the trigger doesn't predict which inputs fire (MODERATE confidence)". Matching terms: rate, tokens, token, under, fails, context, first, activation. Source: arxiv cs.AI (Artificial Intelligence).
arXiv:2605.08405v1 Announce Type: new Abstract: How do LLMs learn in-context? Is it by pattern-matching recent tokens, or by inferring latent structure? We probe this question using a toy graph random-walk across two competing graph structures. This task's answer is, in principle, decidable: either the model tracks global topology, or it copies local transitions. We present two lines of evidence that neither account alone is sufficient. First, reconstructing the internal representation structure via PCA reveals that at intermediate mixture ratios, both graph topologies are encoded in orthogonal principal subspaces simultaneously. This pattern is difficult to reconcile with purely local transition copying. Second, residual-stream activation patching and graph-difference steering causally intervene on this graph-family signal: late-layer patching almost fully transfers the clean graph preference, while linear steering moves predictions in the intended direction and fails under norm-matched and label-shuffled controls. Taken together, our findings are most consistent with a dual-mechanism account in which genuine structure inference and induction circuits operate in parallel.
- score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.08388unread
PLACO: A Multi-Stage Framework for Cost-Effective Performance in Human-AI Teams
Pranavkumar Mallela, Vinay Kumar, Shashi Shekhar Jha, Shweta Jain · 2026-05-12
This paper addresses how to combine human and AI predictions in classification tasks where both contribute to a final label. Prior work assumed conditional independence and used Bayes rule with calibrated probabilities from both parties. The current work extends or refines this combination method for practical deployment in Human-AI teams on classification tasks. (Abstract appears truncated, so full contribution is unclear.) **Main takeaways:** - Focuses on combining human (deterministic) and model (probabilistic) outputs for classification - Assumes human and model predictions are conditionally independent given ground truth - Uses instance-level model probabilities and class-level human calibration - Aims for cost-effective performance in Human-AI collaboration - (Abstract cut off—unclear what the novel contribution is beyond prior Bayes-rule methods)
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, output, system. Source: arxiv cs.AI (Artificial Intelligence).
arXiv:2605.08388v1 Announce Type: new Abstract: Human-AI teams play a pivotal role in improving overall system performance when neither the human nor the model can achieve such performance on their own. With the advent of powerful and accessible Generative AI models, several mundane tasks have morphed into Human-AI team tasks. From writing essays to developing advanced algorithms, humans have found that using AI assistance has led to an accelerated work pace like never before. In classification tasks, where the final output is a single hard label, it is crucial to address the combination of human and model output. Prior work elegantly solves this problem using Bayes rule, using the assumption that human and model output are conditionally independent given the ground truth. Specifically, it discusses a combination method to combine a single deterministic labeler (the human) and a probabilistic labeler (the classifier model) using the model's instance-level and the human's class-level calibrated probabilities.
- score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.08386unread
SkillLens: Adaptive Multi-Granularity Skill Reuse for Cost-Efficient LLM Agents
Yongliang Miao, Ziyang Yu, Liang Zhao, Bowen Zhu, Hasibul Haque · 2026-05-12
SkillLens organizes skills into a four-layer hierarchy (policies → strategies → procedures → primitives) and retrieves them at mixed granularity to balance relevance and cost. Given a task, it retrieves seed skills, expands via random walk over the skill graph, then uses a verifier to decide for each node whether to accept, decompose, rewrite, or skip. This lets agents reuse compatible subskills directly while adapting only mismatched parts. The system also refines skills and the verifier over time. Results show up to 6.31 percentage-point accuracy gains on bug localization and improved agent success on ALFWorld. **Main takeaways:** - Hierarchical skill graph (four layers from high-level policies down to primitives) enables mixed-granularity retrieval - Expand via degree-corrected random walk, then verify each node: accept whole, decompose, rewrite, or skip - Mixed-granularity adaptation has sublinear cost when mismatches are sparse (theoretical result) - Evolutionary update rule monotonically improves validation objective to local optimum - Consistent gains over flat skill baselines: +6.31pp on bug localization, +6.31pp agent success (45% → 51.31%) on ALFWorld
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, prompt, base, system, under, context, first. Source: arxiv cs.AI (Artificial Intelligence).
arXiv:2605.08386v1 Announce Type: new Abstract: Skill libraries have become a practical way for LLM agents to reuse procedural experience across tasks. However, existing systems typically treat skills as flat, single-resolution prompt blocks. This creates a tension between relevance and cost: injecting coarse skills can introduce irrelevant or misleading context, while rewriting entire skills is expensive and often unnecessary. We propose SkillLens, a hierarchical skill-evolution framework that organizes skills into a four-layer graph of policies, strategies, procedures, and primitives, and retrieves them at mixed granularity. Given a task, SkillLens first retrieves semantically relevant skill seeds, expands them through degree-corrected random walk over the skill graph, and then uses a verifier to decide whether each visited unit should be accepted, decomposed, rewritten, or skipped. This enables the agent to reuse compatible subskills directly while adapting only locally mismatched components. To improve the system over time, SkillLens further refines multi-granularity skills and verifier in order to improve its routing decisions. We provide theoretical analysis showing that mixed-granularity adaptation incurs sublinear cost under sparse mismatch assumptions and that the evolutionary update rule monotonically improves the validation objective until a local optimum. Across MuLocbench and ALFWorld, SkillLens consistently improves over strong skill-based baselines, achieving up to a 6.31 percentage-point Acc@1 gain for bug localization and raising agent success rate from 45.00% to 51.31%.
- score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.08368unread
On Distinguishing Capability Elicitation from Capability Creation in Post-Training: A Free-Energy Perspective
Yuhao Li, Shengchao Liu · 2026-05-12
The authors argue that the real distinction in post-training isn't SFT versus RL but whether you're reweighting behaviors the model can already produce ("capability elicitation") versus expanding what it can practically reach ("capability creation"). They formalize this using "accessible support" — the set of behaviors a model can actually generate under realistic compute budgets — and show that both SFT and RL can be viewed through a free-energy lens where different signals (demonstrations or rewards) define what counts as "low energy." The key insight is that when updates stay close to the base model, you're mostly doing local reweighting, not creating new capabilities; capability creation requires search, interaction, or new information. **Main takeaways:** - Post-training should be analyzed by whether it reweights existing accessible behaviors (elicitation) or changes the reachable set (creation), not by whether it's labeled SFT or RL. - "Accessible support" is the set of behaviors a model can practically produce under finite budgets; training that stays near the base model mainly reweights within this support. - SFT and RL both reweight a pretrained reference distribution using external signals (demonstrations or rewards), so the method label is less important than the distance from the base model. - Capability creation requires mechanisms like search, tool use, interaction, or incorporating genuinely new information, not just re-labeling existing training regimes.
Read next because overlaps with clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#237 Any SFT (LoRA or full-param, EM or benign) collapses Qwen2.5-7B persona geometry to cos ≥0.97 (MODERATE confidence)". Matching terms: long, base, trained, under, effect, post-training. Source: arxiv cs.AI (Artificial Intelligence).
arXiv:2605.08368v1 Announce Type: new Abstract: Debates about large language model post-training often treat supervised fine-tuning (SFT) as imitation and reinforcement learning (RL) as discovery. But this distinction is too coarse. What matters is whether a training procedure increases the probability of behaviors the pretrained model could already produce, or whether it changes what the model can practically reach. We argue that post-training research should distinguish between capability elicitation and capability creation. We make this distinction operational by introducing the notion of accessible support: the set of behaviors that a model can practically produce under finite budgets. Post-training that reweights behaviors within this support is capability elicitation; whereas changing the support itself corresponds to capability creation. We develop this argument through a free-energy view of post-training. SFT and RL can both be seen as reweighting a pretrained reference distribution, only with different external signals. Demonstration signals define low-energy behavior for SFT, and reward signals define low-energy behavior for RL. When the update remains close to the base model, the main effect is local reweighting, not capability creation. Within this framework, the central question is no longer whether post-training is framed as SFT or RL, but whether it reweights behaviors already within reach, or instead expands the model's reachable behavioral space through search, interaction, tool use, or the incorporation of new information.
- score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.08220unread
Spatial Priming Outperforms Semantic Prompting: A Grid-Based Approach to Improving LLM Accuracy on Chart Data Extraction
Andrei Lazarev, Dmitrii Sedov, Alexander Galkin · 2026-05-12
The authors tested whether multimodal LLMs extract data from scientific charts more accurately when given high-level semantic guidance (like metadata or chain-of-thought) versus low-level spatial cues. Semantic methods (two-stage metadata-first, chain-of-thought) produced no significant improvement, but a simple spatial intervention — overlaying a coordinate grid on the chart image — significantly reduced extraction error (SMAPE dropped from 25.5% to 19.5%, p < 0.05) on a synthetic dataset. The takeaway is that current multimodal models benefit more from explicit spatial scaffolding than from abstract reasoning prompts for this task. **Main takeaways:** - High-level semantic prompting (metadata-first, chain-of-thought) failed to improve chart data extraction accuracy. - A coordinate grid overlay — simple spatial priming — significantly reduced error (SMAPE 25.5% → 19.5%, p < 0.05). - For current multimodal models, explicit spatial context is more effective than semantic guidance on structured visual tasks. - The result suggests that what helps vision-language models is concrete perceptual scaffolding, not higher-level reasoning prompts.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, base, lora, extraction, compare, context, effect, first. Source: arxiv cs.AI (Artificial Intelligence).
arXiv:2605.08220v1 Announce Type: new Abstract: The automated extraction of data from scientific charts is a critical task for large-scale literature analysis. While multimodal Large Language Models (LLMs) show promise, their accuracy on non-standardized charts remains a challenge. This raises a key research question: what is the most effective strategy to improve model performance (high-level semantic priming) or low-level spatial priming? This paper presents a comparative investigation into these two distinct strategies. We describe our exploratory experiments with semantic methods, such as a two-stage metadata-first framework and Chain-of-Thought, which failed to produce a statistically significant improvement. In contrast, we present a simple but highly effective spatial priming method: overlaying a coordinate grid onto the chart image before analysis. Our quantitative experiment on a synthetic dataset demonstrates that this grid-based approach provides a statistically significant reduction in data extraction error (SMAPE reduced from 25.5% to 19.5%, p < 0.05) compared to a baseline. We conclude that for the current generation of multimodal models, providing explicit spatial context is a more effective and reliable strategy than high-level semantic guidance for this class of tasks.
- score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.08200unread
Where Reliability Lives in Vision-Language Models: A Mechanistic Study of Attention, Hidden States, and Causal Circuits
Logan Mann, Ajit Saravanan, Ishan Dave, Shikhar Shiromani, Saadullah Ismail, Yi Xia, Emily Huang · 2026-05-12
The authors tested whether sharp, focused attention maps in vision-language models (VLMs) actually predict correct answers — spoiler, they don't. Using a "VLM Reliability Probe" on three model families (LLaVA-1.5, PaliGemma, Qwen2-VL), they found that attention structure has near-zero correlation with correctness (R ≈ 0.001), even though attention is causally necessary for the task. Instead, reliability lives in hidden-state geometry: late-layer logit margins and self-consistency (sampling multiple answers) are much stronger predictors. Causal ablation revealed an architectural split: late-fusion models (LLaVA) concentrate reliability in fragile bottleneck neurons, while early-fusion models (PaliGemma, Qwen2-VL) distribute it robustly across dimensions. **Main takeaways:** - Attention structure (sharpness, entropy) does not predict whether a VLM's answer is correct (R ≈ 0.001), debunking the "sharp attention = confidence" intuition. - Hidden-state geometry — late-layer logit margins (R > 0.95 in two of three families) — and self-consistency (R = 0.43) are far stronger reliability indicators. - Late-fusion architectures (LLaVA) are fragile: ablating top-5 probe neurons drops accuracy by 8.3 pp; early-fusion models (PaliGemma, Qwen2-VL) survive ablation of ~50% of hidden dimensions with ≤1 pp loss. - Attention is causally necessary (masking top-30% patches drops accuracy 8–11 pp) but its structure doesn't reflect reliability — it's a permissive bottleneck, not an informative monitor.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, attention, extraction, compare, mask, than. Source: arxiv cs.AI (Artificial Intelligence).
arXiv:2605.08200v1 Announce Type: new Abstract: A pervasive intuition holds that vision-language models (VLMs) are most trustworthy when their attention maps look sharp: concentrated attention on the queried region should imply a confident, calibrated answer. We test this Attention-Confidence Assumption directly. We instrument three open-weight VLM families (LLaVA-1.5, PaliGemma, Qwen2-VL; 3-7B parameters) with a unified mechanistic pipeline -- the VLM Reliability Probe (VRP) -- that compares attention structure, generation dynamics, and hidden-state geometry against a single correctness label. Three results emerge. (i) Attention structure is a near-zero predictor of correctness (R_pb(C_k,y)=0.001, 95% CI [-0.034,0.036]; R_pb(H_s,y)=-0.012, [-0.047,0.024] on a pooled n=3,090 split), even though attention remains causally necessary for feature extraction (top-30% patch masking drops accuracy by 8.2-11.3 pp, p0.95 on POPE for two of three families, and self-consistency at K=10 is the strongest behavioral predictor we measure at 10x inference cost (R_pb=0.43). (iii) Causal neuron-level ablations expose a sharp architectural split with direct monitor-design implications: late-fusion LLaVA concentrates reliability in a fragile late bottleneck (-8.3 pp object-identification accuracy after top-5 probe-neuron ablation), whereas early-fusion PaliGemma and Qwen2-VL distribute it widely and absorb destruction of ~50% of their peak-layer hidden dimension with <=1 pp degradation. The takeaway is narrow but consequential: in 3-7B VLMs, reliability is read more reliably off hidden-state geometry, layer-wise margin formation, and sparse late-layer circuits than off attention-map sharpness.
- score 100arxiv cs.CL (NLP)arxiv:2605.07164unread
Rethinking Experience Utilization in Self-Evolving Language Model Agents
Weixiang Zhao, Yingshuo Wang, Yichen Zhang, Yanyan Zhao, Yu Zhang, Yang Wu, Dandan Tu, Bing Qin, Ting Liu · 2026-05-12
The authors study when agents should use accumulated experience during decision-making, not just how experience should be stored or updated. They introduce ExpWeaver, which exposes experience as an optional resource during reasoning so agents can invoke it only when needed, rather than injecting it at every step or only at initialization. Across four agent frameworks, seven LLM backbones, and three environments, ExpWeaver consistently outperforms fixed usage strategies. Analysis shows agents learn to invoke experience selectively at beneficial decision points and under higher reasoning uncertainty. **Main takeaways:** - Most self-evolving agents use rigid experience-injection strategies (always at start, or always at every step), ignoring whether experience is actually needed - ExpWeaver makes experience optional during reasoning, letting the agent decide when to retrieve and use it - Consistently achieves best performance across diverse frameworks, model sizes, and task types - RL training amplifies the selective-invocation behavior - Usage-pattern and entropy analyses show agents invoke experience when facing higher decision uncertainty and at beneficial choice points - Suggests experience utilization (when to use stored knowledge) is as important as experience construction (what to store)
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, latin, attention, base, source, under, less. Source: arxiv cs.CL (NLP).
arXiv:2605.07164v1 Announce Type: new Abstract: Self-evolving agents improve by accumulating and reusing experience from past interactions. Existing work has largely focused on how experience is constructed, represented, and updated, while paying less attention to how experience should be used during runtime decision-making. As a result, most agents rely on rigid usage strategies, either injecting experience once at initialization or at every step, without considering whether it is needed for the current decision. This paper studies experience utilization as a critical design dimension of self-evolving agents. We ask whether agents benefit from interweaving experience use with decision-making, so that experience is invoked only when additional guidance is needed. To examine this question, we introduce {ExpWeaver}, a lightweight instantiation that leaves experience construction unchanged and modifies only runtime utilization by exposing experience as an optional resource during reasoning. Across four representative frameworks, seven LLM backbones, and three types of environments, ExpWeaver consistently achieves the best performance among different utilization strategies. Reinforcement learning experiments further show that this behavior can be amplified through training. Usage-pattern, causal ablation, and entropy-based analyses reveal that ExpWeaver enables agents to invoke experience selectively, at beneficial decision points, and under higher reasoning uncertainty. Overall, our findings call for a shift from merely studying \emph{what} experience to store toward understanding \emph{how} and \emph{when} experience should enter decision-making.
- score 100arxiv cs.CL (NLP)arxiv:2605.07162unread
CLIPer: Tailoring Diverse User Preference via Classifier-Guided Inference-Time Personalization
Jinyan Su, Jinpeng Zhou, Claire Cardie, Wen Sun · 2026-05-12
CLIPer uses a lightweight classifier to steer LLM generation at inference time toward different user preferences (helpfulness, conciseness, humor, etc.) without fine-tuning a separate model for every preference combination. The classifier guides generation dynamically, adding negligible computational cost while enabling controllable personalization across single and multi-dimensional preferences. Empirical results show the approach scales well and delivers effective personalized generation without extensive training. **Main takeaways:** - Eliminates the need to fine-tune separate models for each preference combination (helpfulness+concise, helpful+humorous, etc.) - Uses a classifier model to dynamically steer generation toward desired preferences at inference time - Works across single preferences (just conciseness) and multi-dimensional combinations (concise + helpful) - Adds negligible computational overhead compared to fine-tuning multiple models - Enables more nuanced control over generation style without retraining
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, persona, effect. Source: arxiv cs.CL (NLP).
arXiv:2605.07162v1 Announce Type: new Abstract: Personalized LLMs can significantly enhance user experiences by tailoring responses to preferences such as helpfulness, conciseness, and humor. However, fine-tuning models to address all possible combinations of user preferences is computationally expensive and impractical. In this paper, we introduce \textbf{CLIPer}(\textbf{Cl}assifier-guided \textbf{I}nference-time \textbf{Per}sonalization), a lightweight personalization approach that leverages a classifier model to steer LLM generation dynamically to different user preferences at inference time. Our method eliminates the need for extensive fine-tuning, inducing negligible additional computational overhead while enabling more controllable and nuanced personalization across single and multi-dimensional preferences. Comprehensive empirical analyses demonstrate the scalability and effectiveness of our approach in delivering personalized language generation.
- score 100arxiv cs.CL (NLP)arxiv:2605.07106unread
Retrieve, Integrate, and Synthesize: Spatial-Semantic Grounded Latent Visual Reasoning
Jin Cui, Xinyue Long, Xunyong Zhang, Yadong Zhang, Chuanchang Su, Jingye Gan, Boran Zhao, Pengju Ren · 2026-05-12
Multimodal models that compress visual reasoning into text lose fine-grained information. Recent "latent reasoning" methods try to reason in continuous hidden states instead, but the authors find these latent trajectories drift from the model's pretrained circuits, collapse into generic patterns, and get bypassed during answer generation. They propose RIS, which grounds latent reasoning tokens to spatial bounding boxes and semantic region descriptions, enforces their causal role through a progressive attention bottleneck, and uses short language tokens to bridge back to vocabulary-aligned decoding. RIS improves over baselines on vision-reasoning benchmarks and produces more interpretable latent trajectories. **Main takeaways:** - Latent visual reasoning (reasoning in hidden states rather than text) often fails because trajectories drift from pretrained circuits and get ignored during decoding - RIS anchors latent tokens to spatial (bounding boxes) and semantic (region descriptions) evidence to keep them grounded - A progressive attention bottleneck forces the model to actually use latent tokens rather than bypass them - Short language "transition tokens" help bridge continuous latent states back to vocabulary-aligned text generation
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, issue, tokens, issues, attention, base, trained, token. Source: arxiv cs.CL (NLP).
arXiv:2605.07106v1 Announce Type: new Abstract: Multimodal Large Language Models (MLLMs) have made remarkable progress on vision-language reasoning, yet most methods still compress visual evidence into discrete textual thoughts, creating an information bottleneck for fine-grained perception. Recent latent visual reasoning methods attempt to reason in continuous hidden states, but we find that they suffer from insufficient manifold compatibility: latent trajectories drift away from pretrained reasoning circuits, collapse into instance-agnostic patterns, and are often bypassed during answer generation. To address these issues, we propose RIS (Retrieve, Integrate, and Synthesize), a spatial-semantic grounded framework that develops latent reasoning as a compatible extension of pretrained MLLM computation. We first construct a step-wise grounded reasoning dataset with bounding boxes and region-specific semantic descriptions. Built on this supervision, RIS anchors latent tokens to both spatial and semantic evidence, enforces their causal role through a progressive attention bottleneck, and introduces short language transition tokens to bridge synthesized latent states back to vocabulary-aligned decoding. Experiments on V*, HRBench4K, HRBench8K, MMVP, and BLINK show consistent improvements over closed/open-source and latent reasoning baselines. Further analyses demonstrate that RIS learns diverse, interpretable, and progressively integrated latent trajectories, offering a practical path toward faithful internal visual reasoning in MLLMs.
- score 100arxiv cs.CL (NLP)arxiv:2605.07040unread
Cognitive Agent Compilation for Explicit Problem Solver Modeling
Hyeongdon Moon, Carolyn Ros\'e, John Stamper · 2026-05-12
The authors propose Cognitive Agent Compilation (CAC), a framework inspired by cognitive architectures that uses a strong "teacher" LLM to compile problem-solving knowledge into an explicit, inspectable "target agent." CAC separates (i) knowledge representation, (ii) problem-solving policy, and (iii) verification/update rules, making the agent's knowledge state and decisions transparent and editable—useful in educational settings where educators want to know what the system assumes the learner knows. They present an early proof-of-concept with small language models, surfacing design trade-offs between explicit control and scalable generalization, and position CAC as a step toward bounded-knowledge AI for education. **Main takeaways:** - CAC compiles problem-solving knowledge from a strong teacher LLM into an explicit, inspectable target agent with separated knowledge, policy, and update rules. - Goal is to make AI tutors' knowledge states transparent and editable for educators and learners. - Early proof-of-concept with small LMs highlights trade-offs between explicit control (inspectability, editability) and scalable generalization. - Inspired by cognitive architectures that use symbolic, inspectable knowledge representations. - Positions CAC as a building block for bounded-knowledge AI in educational applications.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, system, implement, target, pretraining. Source: arxiv cs.CL (NLP).
arXiv:2605.07040v1 Announce Type: new Abstract: Large language models (LLMs) are widely used for tutoring, feedback generation, and content creation, but their broad pretraining makes them hard to constrain and poor substitutes for controllable learners. Educational systems often require inspectable and editable knowledge states: educators want to know what a system assumes the learner knows, and learners benefit when the system can justify actions in terms of explicit skills, misconceptions, and strategies. Inspired by cognitive architectures, we propose Cognitive Agent Compilation (CAC), a framework that uses a strong teacher LLM to compile problem-solving knowledge into an explicit target agent. CAC separates (i) knowledge representation, (ii) problem-solving policy, and (iii) verification and update rules, with the goal of making bounded problem solving more inspectable and editable in educational settings. We present an early proof of concept implemented with Small Language Models that surfaces key design trade-offs, particularly between explicit control and scalable generalization, and positions CAC as an initial step toward bounded-knowledge AI for educational applications.
- score 100arxiv cs.CL (NLP)arxiv:2605.06897unread
MIST: Multimodal Interactive Speech-based Tool-calling Conversational Assistants for Smart Homes
Maximillian Chen, Xuanming Zhang, Michael Peng, Zhou Yu, Alexandros Papangelis, Yohan Jo · 2026-05-12
The authors introduce MIST, a synthetic benchmark for voice-driven smart-home assistants that combines speech input, tool-calling over IoT devices, and mixed-initiative multi-turn dialogue. The task requires models to generate code that respects spatiotemporal constraints (e.g., "turn off the lights in the kitchen but only if no one is there"), track dynamic device state across turns, and handle interruptions or clarifications from the user. Benchmarking open- and closed-weight multimodal LLMs reveals a large gap: even frontier closed models have substantial room for improvement. The dataset and generation framework are released to support research on voice assistants that reason about the physical world. **Main takeaways:** - MIST combines speech inputs, multi-turn dialogue, tool-calling (code generation for IoT devices), and spatiotemporal reasoning in one benchmark. - The task is synthetic but designed to reflect real smart-home complexity: dynamic state, mixed initiative (user can interrupt or clarify), and physical-world constraints. - Open-weight multimodal LLMs lag far behind closed-weight models; even the best closed models have significant headroom. - The authors release both the dataset and an extensible data-generation framework so others can create similar benchmarks for related domains. - Key challenge: modeling physical-world constraints ("Is anyone in the room?") alongside traditional NLP reasoning.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, base, under. Source: arxiv cs.CL (NLP).
arXiv:2605.06897v1 Announce Type: new Abstract: The rise of Internet of Things (IoT) devices in the physical world necessitates voice-based interfaces capable of handling complex user experiences. While modern Large Language Models (LLMs) already demonstrate strong tool-usage capabilities, modeling real-world IoT devices presents a difficult, understudied challenge which combines modeling spatiotemporal constraints with speech inputs, dynamic state tracking, and mixed-initiative interaction patterns. We introduce MIST (the Multimodal Interactive Speech-based Tool-calling Dataset), a synthetic multi-turn, voice-driven code generation task that operates over IoT devices. We find that there is a significant gap between open- and closed-weight multimodal LLMs on MIST, and that even frontier closed-weight LLMs have substantial headroom. We release MIST and an extensible data generation framework to build related datasets in order to facilitate research on mixed-initiative voice assistants which reason about physical world constraints.
- score 100arxiv cs.LG (Machine Learning)arxiv:2605.08170unread
Quantitative Sobolev Approximation Bounds for Neural Operators with Empirical Validation on Burgers Equation
Nicole Hao · 2026-05-12
The authors develop approximation-theory bounds for neural operators (networks that learn mappings between function spaces) measured in Sobolev norms—norms that penalize both function values and derivatives. They prove that approximating a continuous nonlinear operator to ε error in Sobolev space requires O(ε^(−d/s)) parameters, then validate this scaling on Fourier Neural Operators trained to solve the 1D Burgers PDE. Empirical log-log plots show FNO test error decreasing as a power law in parameter count, with an exponent close to the theoretical prediction. **Main takeaways:** - Sobolev norms track both function values and derivatives, making them the natural metric for PDE solution operators and generalization. - The paper proves a complexity–error relation: approximating an operator in Sobolev space to error ε requires roughly ε^(−d/s) parameters, where d is dimension and s is smoothness. - Training FNOs on the Burgers equation with an H¹ loss achieves test errors down to 10⁻⁷ and relative errors ~10⁻³, with both solutions and derivatives matching held-out data. - Empirically, Sobolev error vs. parameter count follows a power law with exponent ~1.4, reasonably consistent with the theory.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, long, loss, first, less. Source: arxiv cs.LG (Machine Learning).
arXiv:2605.08170v1 Announce Type: new Abstract: Neural operators have emerged as a powerful tool for learning mappings between infinite-dimensional function spaces. However, their approximation properties in Sobolev norms remain poorly quantified, even though these norms control both function values and derivatives and are the natural metrics for PDE well-posedness, stability, and generalization. We develop a functional-analytic framework for operator learning in Sobolev spaces and connect it to the numerical behavior of Fourier Neural Operators (FNOs) on a prototypical PDE. First, for a continuous nonlinear operator $\mathcal{G}: H^{s}(D)\to H^{t}(D')$ with $s > d/2$ and inputs restricted to a compact subset of $H^{s}(D)$, we prove that $\mathcal{G}$ can be uniformly approximated in $H^{t}$-norm by a neural operator with $\mathcal{O}(\varepsilon^{-d/s})$ trainable parameters. This yields an explicit complexity--error relation of the form $\|\mathcal{G}-\mathcal{G}_\theta\|_{H^{t}} \lesssim C N^{-s/d}$. We then study the one-dimensional viscous Burgers solution operator $\mathcal{G}: u_{0}\mapsto u(\cdot,1)$ on a bounded $H^{1}$-ball and train FNOs with an $H^{1}$-loss. Across a sweep of model sizes, we obtain test $H^{1}$-errors down to $\mathcal{O}(10^{-7})$ and relative errors of order $10^{-3}$, with predictions accurately matching both solutions and spatial derivatives on held-out data. A log-log plot of Sobolev error versus parameter count exhibits an approximate power law $\|\mathcal{G}-\mathcal{G}_\theta\|_{H^{1}} \approx C N^{-\alpha}$ with empirical exponent $\alpha \approx 1.4$, and long-horizon training reveals optimization instabilities in large FNOs, providing quantitative evidence that Sobolev-space approximation theory meaningfully predicts neural-operator scaling behavior.
- score 100arxiv cs.LG (Machine Learning)arxiv:2605.08150unread
A PyTorch Library of Turing-Complete Neural Networks
Jonathan Bates · 2026-05-12
This paper presents a PyTorch library that compiles exact Turing machines into neural networks—no training required. You provide a transition function and terminal states, and the library builds either a Transformer (with attention and feedforward layers) or a recurrent network (encoding the stack in a Cantor set) whose forward pass corresponds to one step of the Turing machine. The code shows how ReLU networks implement Boolean logic gates and how hard attention implements positional lookup, serving as a runnable reference for the symbolic-neural bridge. **Main takeaways:** - The library constructs neural networks that exactly simulate a given Turing machine, producing weights directly from the transition table with no training. - Two architectures: a Transformer based on hard attention (Wei et al. 2021) and a recurrent net encoding the stack via Cantor-set encoding (Siegelmann & Sontag 1995). - ReLU layers implement Boolean gates (AND, OR, NOT, XOR) and compose them into circuits; hard attention implements tape lookups. - Intended as a reference for understanding symbolic computation in neural form and a testbed for studying stability of constructed solutions under gradient descent.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: https, github, attention, base, under, implement, chen, first. Source: arxiv cs.LG (Machine Learning).
arXiv:2605.08150v1 Announce Type: new Abstract: We present a PyTorch package that compiles neural networks and their weights from Turing machine descriptions, producing models that exactly simulate the specified machine without any training. Given a transition function and a set of terminal states, the package constructs a model whose forward pass corresponds to one step of the Turing machine. Two architectures are implemented, each realizing a different theoretical result: (1) a transformer with self-attention, cross-attention, and feedforward layers based on Wei, Chen, and Ma (2021), and (2) a recurrent network based on Siegelmann and Sontag (1995) that encodes the stack in a Cantor set. We develop the constructions from first principles, showing how ReLU networks implement Boolean circuits (AND, OR, NOT, XOR gates and their composition into DNF formulas and binary adders) and how hard attention implements positional lookup on the tape. The package serves as a concrete, runnable reference for the symbolic-neural bridge, and as a foundation for future work on the stability of constructed solutions under gradient-based optimization. Code is available at https://github.com/jonrbates/turing.
- score 100arxiv cs.LG (Machine Learning)arxiv:2605.08144unread
NoiseRater: Meta-Learned Noise Valuation for Diffusion Model Training
Fang Wu, Haokai Zhao, Da Xing, Hanqun Cao, Tinson Xu, Yanchao Li, Xiangru Tang, Zehong Wang, Aaron Tu, Kuan Pang, Hanchen Wang, Hongbin Lin, Zeqi Zhou, Yinxi Li, Peng Xia, Li Erran Li, Molei Tao, Jure Leskovec, Aditya Joshi, Yejin Choi · 2026-05-12
NoiseRater is a meta-learning framework that assigns importance scores to individual noise samples in diffusion model training, rather than treating all noise uniformly. A parametric "noise rater" network conditions on the data and timestep to weight each noise realization, and is trained via bilevel optimization to improve downstream validation loss. The authors then deploy a two-stage pipeline: soft weighting during meta-training, then hard noise selection during standard training. Experiments on FFHQ and ImageNet show that prioritizing informative noise improves both training efficiency and generation quality. **Main takeaways:** - Standard diffusion training treats all injected noise samples as equally informative; NoiseRater challenges this by learning per-instance noise importance. - A parametric rater assigns scores conditioned on data and timestep; it's trained via bilevel optimization (meta-learned to improve validation after inner diffusion updates). - A decoupled two-stage pipeline transitions from soft reweighting (meta-training) to hard noise selection (standard training) for efficiency. - Empirically, not all noise is equal—prioritizing high-value noise improves both training speed and final image quality on FFHQ and ImageNet.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, https, trained, timestep, under, axis. Source: arxiv cs.LG (Machine Learning).
arXiv:2605.08144v1 Announce Type: new Abstract: Diffusion models have achieved remarkable success across a wide range of generative tasks, yet their training paradigm largely treats injected noise as uniformly informative. In this work, we challenge this assumption and introduce NoiseRater, a meta-learning framework for instance-level noise valuation in diffusion model training. We propose a parametric noise rater that assigns importance scores to individual noise realizations conditioned on data and timestep, enabling adaptive reweighting of the training objective. The rater is trained via bilevel optimization to improve downstream validation performance after inner-loop diffusion updates. To enable efficient deployment, we further design a decoupled two-stage pipeline that transitions from soft weighting during meta-training to hard noise selection during standard training. Extensive experiments on FFHQ and ImageNet demonstrate that not all noise samples contribute equally, and that prioritizing informative noise improves both training efficiency and generation quality. Our results establish noise valuation as a complementary and previously underexplored axis for improving diffusion model training. Our code is available at: https://anonymous.4open.science/r/NoiseRater-DEB116.
- score 100arxiv cs.LG (Machine Learning)arxiv:2605.08135unread
Dendritic Neural Networks with Equilibrium Propagation
Yoshimasa Kubo · 2026-05-12
The authors combine dendritic neural networks (structured neuron architectures inspired by biology) with equilibrium propagation, a biologically plausible alternative to backpropagation. Standard equilibrium propagation struggles on harder tasks and deeper networks. They tested dendritic EP on three image classification datasets and found it matches standard EP on simple tasks but significantly outperforms it on harder datasets (KMNIST, Fashion-MNIST) and deeper models. Analysis shows dendritic EP produces higher activation magnitudes and more distributed hidden-state activity. **Main takeaways:** - Dendritic structure improves equilibrium propagation, especially on challenging datasets and deeper architectures - On KMNIST and Fashion-MNIST, dendritic EP significantly outperforms standard EP and approaches backpropagation performance - Dendritic EP exhibits higher activation magnitudes and more distributed hidden-state activity during the "free phase" - Architectural design matters for biologically plausible learning algorithms - Suggests structured, biology-inspired architectures can enhance learning beyond what backpropagation offers
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, eval, trained, under, compare, effect, activation. Source: arxiv cs.LG (Machine Learning).
arXiv:2605.08135v1 Announce Type: new Abstract: Equilibrium propagation (EP) is a biologically plausible alternative to backpropagation (BP), but its effectiveness can degrade in deeper and more challenging learning settings. In parallel, dendritic neural networks have demonstrated improved performance and generalization when trained with BP, suggesting that structured, biologically inspired architectures may enhance learning. In this work, we investigate the integration of dendritic neural networks with equilibrium propagation using an advanced EP framework. We evaluate the proposed dendritic EP model on MNIST, Kuzushiji-MNIST (KMNIST), and Fashion-MNIST (FMNIST), considering both shallow and deeper architectures. Our results show that dendritic EP achieves performance comparable to standard EP on simple tasks, while providing consistent improvements on more challenging datasets and deeper models. In particular, dendritic EP significantly outperforms standard EP on KMNIST and FMNIST, and approaches the performance of dendritic networks trained with backpropagation through time.To further understand these improvements, we analyze the evolution of hidden states during the free phase. We observe that dendritic EP exhibits higher activation magnitudes and more distributed hidden-state activity compared to standard EP, indicating that dendritic structure alters the internal network dynamics. These findings suggest that incorporating dendritic structure can enhance the effectiveness of biologically plausible learning algorithms, especially in regimes where standard EP struggles. Our work highlights the importance of architectural design for improving biologically inspired training methods.
- score 100arxiv cs.LG (Machine Learning)arxiv:2605.08116unread
The Safety-Aware Denoiser for Text Diffusion Models
Amman Yusuf, Zhejun Jiang, Mijung Park · 2026-05-12
The authors propose the Safety-Aware Denoiser (SAD), a safety-guidance method for text diffusion models that steers generation toward safe text during the iterative denoising process. Instead of post-hoc filtering or retraining the model, SAD modifies each denoising step at inference time to guide the final sample into provably safe regions of text space. The method is lightweight, avoids expensive retraining, and can flexibly integrate different safety constraints. Experiments show SAD substantially reduces unsafe generations across hazard taxonomy, memorization, and jailbreak benchmarks while preserving quality, diversity, and fluency. **Main takeaways:** - Existing safety methods (post-hoc filters, inference-time interventions) don't translate well from autoregressive models to diffusion-based text generation. - SAD intervenes during the denoising loop itself, steering samples toward safe regions of text space without retraining the diffusion model. - The method is inference-time only, so it's computationally cheap and flexible—you can swap in different safety constraints. - Evaluations cover hazard taxonomy (toxic content categories), memorization (verbatim training data leakage), and jailbreak prompts. - SAD outperforms existing baselines on safety metrics while maintaining generation quality, diversity, and fluency.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, eval, under, effect. Source: arxiv cs.LG (Machine Learning).
arXiv:2605.08116v1 Announce Type: new Abstract: Recent work on text diffusion models offers a promising alternative to autoregressive generation, but controlling their safety remains underexplored. Existing safety approaches are geared toward autoregressive models and typically rely on post-hoc filtering or inference-time interventions. These are inadequate for effectively addressing safety risks in text diffusion models. We propose the Safety-Aware Denoiser (SAD), a safety-guidance framework in text diffusion models. The SAD modifies the iterative denoising process such that the text sample at the final denoising step is steered toward provably safe regions of the text space. This inference-time method can integrate safety constraints into the denoiser, avoiding computationally expensive retraining of the underlying diffusion model and enabling flexible, lightweight safety guidance. We evaluate the safety of the generated text using the SAD, with respect to hazard taxonomy, memorization, and jailbreak. Experimental results show that SAD substantially reduces unsafe generations while preserving generation quality, diversity, and fluency, outperforming existing methods. These results demonstrate that our safety guidance during denoising provides an effective and scalable mechanism for enforcing safety in text diffusion models.
- score 100arxiv cs.LG (Machine Learning)arxiv:2605.08114unread
Statistical Inference and Quality Measures of KV Cache Quantisations Inspired by TurboQuant
Paolo D'Alberto · 2026-05-12
This paper analyzes three quantization schemes for the key-value (KV) cache in transformers under a fixed bit budget: scalar quantization on both K and V (KV baseline), Walsh-Hadamard transform plus quantized Johnson-Lindenstrauss on V only (KQV), and QJL on both K and V (QKQV). The author derives statistical bounds showing that applying QJL to the key matrix K inflates inner-product variance, which softmax then amplifies nonlinearly. Empirically, at the most common bit budget (n=4), KQV consistently outperforms QKQV on KL divergence, geometric K error, and a 6D distance metric. At other budgets (n=2,3,5), QKQV sometimes wins on geometric K reconstruction but always loses on KL divergence, revealing a budget-dependent crossover and a K-V asymmetry. **Main takeaways:** - Three KV cache quantization schemes compared: KV (scalar MSE), KQV (WHT+MSE on K, WHT+MSE+QJL on V), QKQV (QJL on both K and V). - At n=4 bits (the most practical setting), KQV beats QKQV on every metric—KL divergence, geometric K error, and 6D distance—across all tested distributions. - The K-V asymmetry is unconditional: quantizing K with QJL consistently hurts KL divergence compared to leaving K as-is. - A budget-dependent crossover exists: QKQV achieves better geometric K reconstruction at n ∈ {2,3,5}, KQV wins at n ∈ {4,6}. - KL divergence bridges geometric K error to attention routing corruption and output collapse through softmax's Jensen amplification.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, output, base, under, collapse, than. Source: arxiv cs.LG (Machine Learning).
arXiv:2605.08114v1 Announce Type: new Abstract: We analyse three KV cache quantization schemes under a fair bit budget: \textbf{KV} (scalar MSE baseline), \textbf{KQV} (WHT + MSE on $K$; WHT + MSE + QJL on $V$), and \textbf{QKQV} (WHT + MSE + QJL on both). Starting from the Beta distribution on the hypersphere, we trace how QJL on $K$ inflates inner product variance by $\pi/2$, which softmax amplifies nonlinearly via Jensen's inequality, and we present statistical inference and information metrics to highlight practical differences. Three empirical findings emerge. (1)~At $n=4$ (the practically dominant budget), KQV wins on every measure -- KL divergence, geometric $K$ error, and 6D distance -- across all distributions and ranks tested. (2)~The K--V asymmetry is unconditional: QKQV is consistently worse than KQV in KL divergence at every budget and distribution. (3)~A budget-dependent crossover exists: QKQV achieves better geometric $K$ reconstruction at $n \in \{2,3,5\}$, KQV at $n \in \{4,6\}$, invariant to rank and tail weight -- an open rate-distortion problem. $\mathrm{KL}(p_{\mathrm{ref}} \| p_{\mathrm{quant}})$, K-only by construction, bridges K direction error to routing corruption and output collapse. We present a sufficient condition when the Jensen mechanism amplifies superlinearly through the softmax. At $n \in \{2,3,5\}$, QKQV wins geometrically because this assumption does not bind. At $n=4$, elevated K error and KL divergence for QKQV strongly suggest the Jensen mechanism is the operative cause of the crossover, providing a new perspective and explanation.
- score 100arxiv cs.LG (Machine Learning)arxiv:2605.08110unread
BaLoRA: Bayesian Low-Rank Adaptation of Large Scale Models
Dario Coscia, Sindy L\"owe, Max Welling · 2026-05-12
BaLoRA extends LoRA (Low-Rank Adaptation) with a Bayesian parameterization that injects input-adaptive noise into the low-rank updates, providing both uncertainty quantification and improved accuracy. The method adds minimal parameters and compute compared to standard LoRA. Surprisingly, the Bayesian extension not only yields well-calibrated uncertainty estimates but also significantly improves prediction accuracy—narrowing the gap with full fine-tuning—across natural language reasoning, vision tasks, and a scientific prediction task (band gap in metal-organic frameworks). On the science task, BaLoRA's zero-shot uncertainty estimates correlate better with model error than a trained ensemble and improve monotonically with compute. **Main takeaways:** - Standard LoRA uses low-rank point estimates, which limit expressiveness, leave an accuracy gap versus full fine-tuning, and provide no uncertainty. - BaLoRA adds input-adaptive Bayesian noise to LoRA matrices, providing well-calibrated uncertainty estimates at minimal extra cost. - The Bayesian noise injection also improves accuracy, narrowing the gap with full fine-tuning across NLP and vision benchmarks. - On a scientific prediction task (band gap in materials), BaLoRA's uncertainty correlates more strongly with error than an ensemble baseline. - Uncertainty improves monotonically with compute without sacrificing accuracy, making it suitable for reliability-sensitive applications.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, trained, lora, under, than. Source: arxiv cs.LG (Machine Learning).
arXiv:2605.08110v1 Announce Type: new Abstract: Low-Rank Adaptation (LoRA) has become the standard for fine-tuning large pre-trained models at reduced computational cost. However, its low-rank point-estimate updates limit expressiveness, leave a persistent gap relative to full fine-tuning accuracy, and provide no built-in uncertainty quantification, limiting its applicability in settings where reliability matters as much as accuracy. We introduce BaLoRA, a Bayesian extension of LoRA with a novel input-adaptive Bayesian parameterization of LoRA matrices that adds minimal parameters and compute. Surprisingly, not only does the Bayesian extension yield well-calibrated uncertainty estimates, but the adaptive noise injection underlying our approach also significantly improves prediction accuracy, narrowing the gap with full fine-tuning across both natural language reasoning and vision tasks. When applied to band gap prediction in metal-organic frameworks, BaLoRA produces zero-shot test-time uncertainty estimates that correlate more strongly with model error than a trained ensemble of LoRA models, and improve monotonically with compute without sacrificing accuracy.
- score 100arxiv cs.LG (Machine Learning)arxiv:2605.08109unread
Geometry-free prediction of inertial lift forces in microfluidic devices using deep learning
Jesse Ward-Bond, Ali Mashadian, Timothy C. Y. Chan, Edmond W. K. Young · 2026-05-12
The authors built a deep learning model that predicts how particles move through microfluidic channels (tiny fluid-handling devices) without needing to separately train a model for each channel shape. Previous machine learning approaches required training individual models for rectangular channels, triangular channels, etc., which was tedious. This new approach uses a geometry-free parameter set that generalizes across unseen channel shapes, making it much faster to simulate particle behavior in new device designs. **Main takeaways:** - Predicts particle lift forces (the push/pull particles experience in flowing fluid) without explicit geometric parameters like channel width or angle - A single trained model works across multiple channel cross-section types (rectangular, triangular, etc.) instead of requiring separate training per geometry - Generalizes well to channel shapes it has never seen during training - Produces particle migration patterns consistent with published experimental results when plugged into simulation software - Shifts the computational burden away from both simulation and per-geometry training
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, latin, under, effect. Source: arxiv cs.LG (Machine Learning).
arXiv:2605.08109v1 Announce Type: new Abstract: Inertial microfluidic devices (IMDs) offer low-cost, high-throughput alternative techniques for many traditional particle- (or cell-) manipulation tasks, but simulating them requires being able to predict particle migration, and thus particle lift forces, under a variety of possible channel geometries. Recent work has demonstrated that machine learning models can be used to drastically speed up these numerical simulations, but doing so required training individual models for every unique channel cross-section type (e.g., rectangular, triangular) -- shifting the burden from the simulation step to the training step. In this paper, we develop a novel approach for predicting particle lift forces that contains no explicit geometric parameters. We train a neural network model using a new parameter set and show that while it performs comparably to existing models on channel geometries in the training set, it is able to generalize to unseen channel geometries far more effectively. We show that the lift force model developed herein can be easily transferred to particle tracing simulation software, where it is capable of predicting particle migration patterns consistent with the literature across a variety of channel designs.
- score 98arxiv cs.AI (Artificial Intelligence)arxiv:2605.08360unread
Embeddings for Preferences, Not Semantics
Carter Blair, Ariel D. Procaccia, Milind Tambe · 2026-05-12
The authors tackle collective decision-making over free-text opinions by building embeddings that capture *preferential* similarity (does someone agree with this text?) rather than *semantic* similarity (does this text mean the same thing?). Standard text embeddings conflate the two because stance and style are correlated in real data, so models can appear to predict preferences even when they're actually relying on irrelevant surface features ("nuisance variables"). The solution is synthetic training data designed to break the correlation between semantic and preferential similarity, which provably shifts the learned geometry away from style-dominated cosine similarity and significantly improves preference prediction across 11 deliberation datasets. **Main takeaways:** - Standard embeddings measure semantic similarity (similar wording) but fail when you need preferential similarity (similar agreement), because stance and style are normally correlated. - This is formalized as an invariance problem: embeddings encode both preference-relevant signal (stance, values) and semantic nuisance (style, wording), and can look correct when relying on nuisance alone. - Synthetic training data that decorrelates stance from style provably changes the optimal embedding geometry away from nuisance-dominated metrics. - The method significantly improves preference prediction on 11 real-world deliberation datasets where semantic and preferential similarity come apart.
Read next because overlaps with clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "A pretraining-data-poisoned Qwen3-4B backdoor only fires on the exact trigger tokens — paraphrases don't activate it, and base-model similarity to the trigger doesn't predict which inputs fire (MODERATE confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: candidates, candidate, similarity, cosine, than. Source: arxiv cs.AI (Artificial Intelligence).
arXiv:2605.08360v1 Announce Type: new Abstract: Modern AI is opening the door to collective decision-making in which participants express their views as free-form text rather than voting on a fixed set of candidates. A natural idea is to embed these opinions in a vector space so that the substantial literature on facility location problems and fair clustering can be brought to bear. But standard text embeddings measure semantic similarity, whereas distances in facility location problems and fair clustering require what we call \textit{preferential similarity}: a participant's agreement with a piece of text should be inversely related to their distance from it. Off-the-shelf embeddings inherit a coarse preference signal through a correlation between semantic and preferential similarity, but fail to capture preferences when the correlation breaks. We formalize this as an invariance problem: text embedding models encode both a preference-relevant signal (stance and values) and semantic nuisance (style and wording), and the two are observationally correlated, so a geometry that relies on nuisance can appear preference-correct even when it is not. We show that synthetic training data designed to break this correlation provably shifts the optimal scorer away from nuisance-dominated cosine and significantly improves preference prediction across 11 online deliberation datasets.
- score 94arxiv cs.CR (Cryptography and Security)arxiv:2605.08690unread
AI-Accelerated Brute Force Cryptanalysis
Gideon Samid · 2026-05-12
This paper argues that AI can accelerate brute-force cryptanalysis by learning patterns in the random-looking plaintexts generated by wrong decryption keys, thereby "flattening" the remaining key-space probability curve and speeding up key search. The author claims this threatens modern cryptography's assumption that trying wrong keys yields no information, suggests that NIST post-quantum crypto (PQC) is not immune, and proposes "Pattern Devoid Cryptography" as a defense—using non-trivial ciphertexts, unilateral randomness, and variable key sizes to deny AI pattern-recognition opportunities. **Main takeaways:** - Claims AI can find patterns in the "wrong plaintext" candidates produced by incorrect keys during brute-force search, making key search faster. - Argues this violates cryptography's core assumption: "not learning from mistakes" (i.e., wrong keys should yield no information). - Suggests NIST post-quantum cryptography (PQC) is vulnerable to this AI-accelerated brute force. - Proposes "Pattern Devoid Cryptography" as a defense: ciphertexts should be non-trivial, use unilateral randomness, and support variable key sizes. - Calls for a thorough review of cryptographic security posture in light of AI's pattern-recognition capabilities.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, candidates, parent, candidate. Source: arxiv cs.CR (Cryptography and Security).
arXiv:2605.08690v1 Announce Type: new Abstract: Modern cryptography is hinged on "not learning from mistakes": trying numerous wrong keys, should not help one identify the right key. Indeed, it worked -- until recently when the surprising power of AI to see pattern in apparent randomness has turned the 'wrong plaintexts' generated by the 'wrong key' into productive inferential input. Crunching through these random-looking plaintext candidates AI can de-flatten the probability curve over the remaining key space. The more spiked this curve, the faster the ciphertext is defeated. This new attack vector demands a thorough review of our cryptographic security posture. NIST PQC is not immunized against AI-Accelerated Brute Force attack. Defense is rooted in non-trivial ciphertexts, in unilateral randomness, and in variable key size. This points to a new security class: Pattern Devoid Cryptography which is to be added into the toolbox used by the cyber security community.
- score 90arxiv cs.LG (Machine Learning)arxiv:2605.08176unread
Physics-Modeled Neural Networks
Raul Felipe-Sosa, Angel Martin del Rey, Maria Flores Ceballos · 2026-05-12
The authors introduce Dynamical Physics-Modeled Neural Networks (DynPMNNs), where each hidden layer is the solution of an ordinary differential equation (ODE) instead of a static activation function. They ground the framework in Reproducing Kernel Banach Spaces, implement it using the FitzHugh–Nagumo neuronal model with Euler-type ODE solvers embedded in the computational graph, and train both network weights and dynamical parameters jointly. On the California Housing dataset, DynPMNNs achieve competitive performance with fewer trainable parameters than Neural ODEs and Closed-form Continuous-Time Networks. **Main takeaways:** - Each hidden layer is defined as the time-evolving solution of an ODE, replacing static activations with dynamical systems inspired by biology/physics. - The framework is formalized using Reproducing Kernel Banach Spaces, connecting it rigorously to standard neural network theory. - A concrete implementation uses the FitzHugh–Nagumo model (a classic neuronal activation model) with numerical ODE solvers embedded in the training graph. - On California Housing, DynPMNNs match or beat Neural ODEs and CfCs despite using fewer parameters.
Read next because overlaps with clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", experiment "Implement Chen et al. persona-vector extraction recipe and compare to project's centroid-difference recipe", experiment "Log probs of target command tokens for backdoor activation". Matching terms: base, trained, system, implement, compare, activation. Source: arxiv cs.LG (Machine Learning).
arXiv:2605.08176v1 Announce Type: new Abstract: We introduce \emph{Dynamical Physics-Modeled Neural Networks} (DynPMNNs), a continuous-time deep learning architecture in which each hidden layer is defined as the solution of an ordinary differential equation. Unlike classical feed-forward networks, this approach replaces static activation functions with time-evolving dynamical systems, providing a biologically inspired interpretation of hidden-layer behavior and enabling the integration of physically meaningful models. The framework is rigorously grounded in Reproducing Kernel Banach Spaces (RKBSs), allowing DynPMNNs to be characterized as finite-dimensional solutions of an abstract training problem and revealing structural connections with standard neural networks. We present a concrete implementation based on the FitzHugh--Nagumo model for neuronal activation, where numerical ODE solvers are embedded into the computational graph via Euler-type schemes. Both network weights and dynamical parameters are trained jointly. Through experiments on the California Housing dataset, we compare DynPMNNs with Neural ODEs (NODEs) and Closed-form Continuous-Time Networks (CfCs). Despite using fewer trainable parameters, DynPMNNs achieve competitive performance. These results position DynPMNNs as a principled bridge between dynamical systems and deep learning, with promising directions for further research in expressivity, stability, and physics-based modeling.
- score 46arxiv cs.LG (Machine Learning)arxiv:2605.08131unread
Interactive Inverse Reinforcement Learning of Interaction Scenarios via Bi-level Optimization
Yue Mao, Shicheng Liu, Siyuan Xu, Minghui Zhu · 2026-05-12
The authors extend inverse reinforcement learning (IRL) to interactive settings where the learner actively interacts with an expert rather than passively observing demonstrations. Traditional IRL just watches expert behavior and infers their reward function; interactive IRL (IIRL) has the learner trying to learn both the expert's reward function and a good policy for interacting with them simultaneously. They formulate this as a bi-level optimization problem and develop an algorithm (BISIRL) with formal convergence guarantees. **Main takeaways:** - Traditional IRL is passive (observe expert demonstrations); interactive IRL has the learner actively interact with the expert - Formulated as bi-level optimization: lower level learns reward function, upper level learns interaction policy - BISIRL algorithm solves this with inner loop (reward learning) and outer loop (policy learning) - Formal convergence guarantees provided - Validated through experiments on interactive scenarios
Read next because overlaps with experiment "Mask the persona-CoT rationale from loss (input-side context only) to isolate input-conditioning vs production-gradient mechanisms for #186's matched-scaffold effect". Matching terms: isolate. Source: arxiv cs.LG (Machine Learning).
arXiv:2605.08131v1 Announce Type: new Abstract: Inverse reinforcement learning (IRL) learns a reward function and a corresponding policy that best fit the demonstration data of an expert. However, in the current IRL setting, the learner is isolated from the expert and can only passively observe the expert demonstrations. This limits the applicability of IRL to interactive settings, where the learner actively interacts with the expert and needs to infer the expert's reward function from the interactions. To bridge the gap, this paper studies interactive IRL (IIRL) where a learner aims to learn the reward function of an expert and a policy to interact with the expert during its interactions with the expert. We formulate IIRL as a stochastic bi-level optimization problem where the lower level learns a reward function to explain the behaviors of the expert, and the upper level learns a policy to interact with the expert. We develop a double-loop algorithm, Bi-level Interactive Scenarios Inverse Reinforcement Learning (BISIRL), which solves the lower-level problem in the inner loop and the upper-level problem in the outer loop. We formally guarantee that BISIRL converges and validate our algorithm through extensive experiments.
Threats and caveats
- score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.09232unread
Privacy-Preserving Distributed Learning in IoT Systems: A Unified Threat Model and Evaluation Framework
John Cartmell, Alexander Williams · 2026-05-12
This survey builds a unified threat model and evaluation framework for privacy-preserving distributed learning in IoT settings, where devices share model updates rather than raw data but still risk leaking information through gradients or activations. The authors compare techniques like differential privacy, homomorphic encryption, and lightweight Bloom-filter encodings on both privacy robustness (resistance to gradient leakage, membership inference, etc.) and system efficiency (compute, memory, communication overhead). They highlight the fundamental trade-off: strong cryptographic methods are expensive, while lightweight methods (e.g., Bloom filters) offer weaker privacy through collision-induced ambiguity but stay practical on resource-constrained devices. **Main takeaways:** - Defines a unified threat model covering gradient leakage, model inversion, membership inference, and communication-based attacks. - Compares differential privacy, homomorphic encryption, secure multi-party computation, and Bloom-filter encodings under realistic IoT resource constraints. - Bloom-filter methods provide lightweight privacy via collision ambiguity with low computational and communication overhead. - Strong privacy guarantees come at high system cost; practical deployments must navigate the privacy-efficiency trade-off.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, eval, base, system, source, leakage, under, compare. Source: arxiv cs.CR (Cryptography and Security).
arXiv:2605.09232v1 Announce Type: new Abstract: The increasing deployment of Internet-of-Things (IoT) devices has accelerated the use of distributed learning frameworks, where data remains local while model updates are shared across decentralized systems. Although this reduces centralized data collection, it introduces privacy risks through the exchange of gradients, model parameters, and intermediate representations. A variety of privacy-preserving techniques have been proposed to address these risks, including differential privacy, cryptographic methods, and lightweight system-level approaches. However, existing surveys often evaluate these methods in isolation and lack a unified framework for comparing their effectiveness under realistic attack models and IoT resource constraints. This paper presents a structured analysis of privacy-preserving techniques for distributed learning in IoT environments. A unified threat model is introduced that captures model inversion, membership inference, gradient leakage, and communication-based attacks. Building on this model, an evaluation framework is developed to compare methods in terms of both privacy robustness and system-level efficiency, including computational, memory, and communication overhead. Using this framework, representative approaches including differential privacy, homomorphic encryption, secure multi-party computation, distributed selective stochastic gradient descent, and Bloom Filter-based methods are analyzed. The results highlight a fundamental trade-off between privacy strength and system efficiency. In particular, Bloom Filter-based encodings are shown to provide lightweight privacy through collision-induced ambiguity while maintaining low computational and communication overhead. The paper provides a unified perspective on privacy-preserving design choices for distributed learning in IoT systems.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses robustness, evaluation.
- score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.09225unread
The Art of the Jailbreak: Formulating Jailbreak Attacks for LLM Security Beyond Binary Scoring
Ismail Hossain, Tanzim Ahad, Md Jahangir Alam, Sai Puppala, Syed Bahauddin Alam, Sajedul Talukder · 2026-05-12
The authors build large-scale infrastructure for systematically generating, categorizing, and evaluating jailbreak prompts. They compose 114,000 adversarial prompts by applying 912 strategies to 125 harmful seeds, labeling each with one of 14 cybersecurity attack categories (malware, phishing, etc.) and ranking strategies by category-specific effectiveness. They then fine-tune models to generate fluent jailbreaks on demand (no templates, no gradient search) and introduce OPTIMUS, a continuous evaluator that jointly scores semantic similarity to the harmful seed and harmfulness probability, revealing a "stealth-optimal" regime that binary attack-success-rate misses. **Main takeaways:** - Dataset of 114,000 jailbreak prompts categorized by adversarial intent (malware, phishing, privilege escalation, etc.) with strategies ranked by effectiveness per category. - Fine-tuned generators produce fluent jailbreaks at inference time with perplexity 24–39 (vs. 40–140 for AutoDAN/AmpleGCG) and safety-filter evasion rates 0.29–0.51. - OPTIMUS is a training-free continuous metric balancing semantic similarity to the seed and harmfulness, generalizing across strategies without task-specific tuning. - Exposes a stealth-optimal operating point (similarity ≈0.57, harmfulness ≈0.43) that binary attack-success-rate metrics miss entirely.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, eval, prompt, system, similarity, under, effect. Source: arxiv cs.CR (Cryptography and Security).
arXiv:2605.09225v1 Announce Type: new Abstract: Jailbreak attacks -- adversarial prompts that bypass LLM alignment through purely linguistic manipulation -- pose a growing operational security threat, yet the field lacks large-scale, reproducible infrastructure for generating, categorizing, and evaluating them systematically. This paper addresses that gap with three contributions. (1) Large-scale compositional jailbreak dataset. We construct 114,000 adversarial prompts by applying 912 composing strategies to 125 harmful seed prompts from JailBreakV-28K. Every prompt is assigned to one of 14 cybersecurity attack categories (e.g., malware, phishing, privilege escalation) via a six-model majority-vote pipeline, and each strategy is ranked by effectiveness per category, enabling principled strategy selection grounded in concrete adversarial objectives. (2) Automated jailbreak generation. We instruction-fine-tune category-aware LLMs on Moderate and Optimal subsets, producing models that synthesize fluent jailbreak prompts from a harmful seed at inference time -- no templates, no gradient search. Our generators achieve perplexity 24-39 versus 40-140 for AutoDAN and AmpleGCG, with safety-filter evasion rates of 0.29-0.51 Mal (LlamaPromptGuard-2-86M), enabling controllable, scalable red-teaming under realistic adversarial conditions. (3) OPTIMUS: a training-free jailbreak evaluator. OPTIMUS is a continuous metric J(S,H) that jointly captures semantic similarity between the harmful seed and the jailbreak (S) and harmfulness probability (H) via calibrated penalty functions. Unlike binary attack success rate (ASR), OPTIMUS requires no task-specific training, generalizes across evolving strategies, and exposes a stealth-optimal regime (S*=0.57, H*=0.43) that ASR misses. Experiments across 114,000 prompts confirm that OPTIMUS separates Weak, Moderate, and Optimal jailbreaks with category-level evidence binary evaluation cannot supply.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses adversarial, evaluation.
- score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.09203unread
Removing the Watermark Is Not Enough: Forensic Stealth in Generative-AI Watermark Removal
Yevin Nikhel Goonatilake, Giuseppe Ateniese · 2026-05-12
Removing a watermark from AI-generated images isn't enough if a forensic detector can still tell the image has been tampered with. The authors test six state-of-the-art watermark-removal attacks and show that independent forensic classifiers can distinguish removal-processed outputs from clean images at over 98% true-positive rate (1% FPR). Using UnMarker as a case study, they find removal leaves a characteristic spectral signature that persists under common post-processing and creates a three-way trade-off among watermark evasion, image quality, and forensic stealth. They argue removal benchmarks should measure all three, not just whether the watermark test fails. **Main takeaways:** - Current watermark removers evade the watermark detector but leave forensic traces: independent detectors achieve >98% TPR at 1% FPR distinguishing removal-processed from clean images. - Removal introduces a detectable spectral deformation that survives common post-processing (JPEG compression, resizing, etc.). - Three-way tension: removing the watermark, preserving image quality, and staying forensically indistinguishable from clean content are jointly hard to satisfy. - Existing benchmarks are incomplete because they ignore forensic stealth — a successful remover must not just fool the verifier but also avoid leaving a different detectable signal.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: marker, rate, output, under, than. Source: arxiv cs.CR (Cryptography and Security).
arXiv:2605.09203v1 Announce Type: new Abstract: Watermarks for AI-generated images are meant to support downstream decisions about provenance, manipulation, and trust. In the settings that motivate watermark removal, therefore, success means more than causing the watermark test to fail. A successful remover must also preserve the utility of the image and make the output forensically indistinguishable from clean content, so that defeating the verifier restores deniability rather than merely replacing one detection signal with another. We show that current watermark removal attacks fail this stronger objective. Across six state-of-the-art removers spanning four attack families, independent forensic detectors distinguish removal-processed outputs from clean images at over 98% true-positive rate under a 1% false-positive budget. Thus, current removers often replace the watermark with a different detectable signal. Using UnMarker (IEEE S&P 2025) as a detailed case study, we show that this signal persists under common post-processing, exhibits a characteristic two-regime spectral deformation, and yields a three-way tension among removal success, image quality, and forensic stealth. These results show that existing removal benchmarks are incomplete: they reward verifier evasion and utility preservation while omitting forensic stealth. A workable watermark remover must satisfy all three conditions at once: watermark evasion, utility preservation, and forensic indistinguishability from clean content.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses benchmark.
- score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.09070unread
Single-Configuration Attack Success Rate Is Not Enough: Jailbreak Evaluations Should Report Distributional Attack Success
Carsten Maple, Abhishek Kumar, Riya Tapwal · 2026-05-12
Most jailbreak papers report attack success on one or a few hand-picked parameter configurations, but jailbreaks expose many tunable knobs (prompt templates, conversation rounds, cipher dispersion, etc.) and performance varies hugely across them. The authors argue single-configuration ASR is insufficient and propose two new metrics: Variant Sensitivity Measure (how far the best ASR deviates from the mean across variants) and Union Coverage (fraction of prompts that jailbreak under *any* tested configuration). Empirically, they show that for PAIR the best template reaches 69% ASR on Mistral-7B but union coverage hits 88%, and for bijection the best variant gets 81% but the union covers 100% of HarmBench-100. **Main takeaways:** - Jailbreak attacks have many configurable parameters; reporting only the best configuration hides how typical that performance is and how much of the attack surface single-variant evaluation misses. - Variant Sensitivity Measure (VSM) quantifies how much the best ASR deviates from the mean across the tested variant space. - Union Coverage (UC) measures the total fraction of prompts that jailbreak under *any* tested configuration, capturing the full threat surface. - Empirical examples: PAIR best-template ASR 69% on Mistral-7B, but UC 88%; bijection best-variant 81%, UC 100%. Single-config ASR drastically underestimates threat.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, long, eval, prompt, system, source, along, target. Source: arxiv cs.CR (Cryptography and Security).
arXiv:2605.09070v1 Announce Type: new Abstract: Many jailbreak attack research papers report attack success rates for a limited number of parameter settings, even though there are many combinations of parameter settings that could be used. Further, when new jailbreak papers are released, they often benchmark results against single configurations of existing attacks. This position paper argues such practices are fundamentally insufficient for characterising the threat posed by parameterised jailbreak attacks, and comparing attacks. Most jailbreak attacks expose multiple internal parameters, system prompt templates, conversation rounds, cipher dispersion, teaching shots, and ASR varies substantially across these parameters. Reporting only the best-case configuration discards two pieces of information that defenders genuinely need: how typical that performance is across the variant space, and how much of the attack surface is missed by selecting a single variant. We propose two new measures for jailbreak attacks: the Variant Sensitivity Measure (VSM) and Union Coverage (UC). VSM quantifies how far the best reported ASR deviates from the mean ASR across the tested variant space, UC is the total fraction of prompts resulting in unsafe responses across all tested configurations. We empirically demonstrate the importance of these measures using two attack families across three open-source target models. For PAIR, the best template reaches 69% ASR on Mistral-7B and 75% on Qwen3-0.6B, while UC rises to 88% and 93%, respectively. For bijection on Mistral-7B, the best variant reaches 81% ASR, but the 36-variant union covers 100% of HarmBench-100 prompts. We argue that distributional reporting, publishing VSM alongside ASR and enumerating variant coverage as fully as compute allows, should become the new minimum standard for parameterised jailbreak evaluation.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses evaluation, benchmark.
- score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.09033unread
ShadowMerge: A Novel Poisoning Attack on Graph-Based Agent Memory via Relation-Channel Conflicts
Yang Luo, Zifeng Kang, Tiantian Ji, Xinran Liu, Yong Liu, Shuyu Li, Lingyun Peng · 2026-05-12
The authors introduce ShadowMerge, an attack on LLM agents that use graph-based memory systems (like knowledge graphs that store facts and relationships). The idea is to inject a poisoned relationship into the graph that shares the same "anchor" (starting entity) and "channel" (relationship type) as legitimate facts but carries a malicious conflicting value—so when the agent retrieves that relationship later, it uses the attacker's data instead of the truth. They test this on Mem0 and three real-world agent datasets (medical Q&A, shopping, tool use) and achieve 93.8% attack success rate, outperforming prior agent-memory poisoning methods by 50 percentage points, and show that standard defenses don't stop it. **Main takeaways:** - Graph-based agent memory creates a new attack surface: you can poison a *relation* (edge) in the knowledge graph, not just flat text. - The attack works by creating a "relation-channel conflict"—a malicious fact that looks legitimate to the graph's extraction, merging, and retrieval systems but carries a different (harmful) value. - Tested on medical, shopping, and tool-use agents, ShadowMerge succeeds 93.8% of the time and doesn't hurt the agent's performance on unrelated tasks. - Existing input-side defenses (filtering, prompt screening) are insufficient to block this attack. - The authors disclosed the vulnerability to graph-memory vendors and open-sourced the attack code.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, long, eval, base, system, same, canonical, source. Source: arxiv cs.CR (Cryptography and Security).
arXiv:2605.09033v1 Announce Type: new Abstract: Graph-based agent memory is increasingly used in LLM agents to support structured long-term recall and multi-hop reasoning, but it also creates a new poisoning surface: an attacker can inject a crafted relation into graph memory so that it is later retrieved and influences agent behavior. Existing agent-memory poisoning attacks mainly target flat textual records and are ineffective in graph-based memory because malicious relations often fail to be extracted, merged into the target anchor neighborhood, or retrieved for the victim query. We present SHADOWMERGE, a poisoning attack against graph-based agent memory that exploits relation-channel conflicts. Its key insight is that a poisoned relation can share the same query-activated anchor and canonicalized relation channel as benign evidence while carrying a conflicting value. To realize this, we design AIR, a pipeline that converts the conflict into an ordinary interaction that can be extracted, merged, and retrieved by the graph-memory system. We evaluate SHADOWMERGE on Mem0 and three public real-world datasets: PubMedQA, WebShop, and ToolEmu. SHADOWMERGE achieves 93.8% average attack success rate, improving the best baseline by 50.3 absolute points, while having negligible impact on unrelated benign tasks. Mechanism studies show that SHADOWMERGE overcomes the three key limitations of existing agent-memory poisoning attacks, and defense analysis shows that representative input-side defenses are insufficient to mitigate it. We have responsibly disclosed our findings to affected graph-memory vendors and open sourced SHADOWMERGE.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses limitation, limitations.
- score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.08984unread
Hardware-Accelerated Line-Rate Bitstream Screening for Secure FPGA Reconfiguration
Rye Stahle-Smith, Carter Antley, Jason D. Bakos, Rasha Karakchi · 2026-05-12
This paper presents BLADEI, a system that screens FPGA configuration bitstreams for hardware Trojans (malicious circuits) in real time, without needing source code or design files—just the raw bitstream. The authors combine machine learning on byte sequences with statistical features to detect anomalies, achieving 0.91 F1-score on 1,383 bitstreams. However, 92% of the 16-second detection latency comes from software preprocessing, so they propose a hardware-accelerated streaming engine on the FPGA itself to drop preprocessing time to milliseconds, enabling "just-in-time" security checks before loading a configuration into the FPGA. **Main takeaways:** - Detects malicious FPGA configurations from raw bitstreams alone—no access to the original design or toolchain needed. - Software-based feature extraction is the bottleneck (15 seconds out of 16), not the ML model (1.4 seconds). - Proposes moving the preprocessing step onto the FPGA's programmable logic to reach millisecond-scale latency. - Achieves 0.91 F1-score on a dataset of over 1,300 bitstreams, making it feasible for cloud/edge deployment pipelines. - Positions bitstream screening as a "first-class security primitive" for multi-tenant FPGA systems.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, eval, base, system, source, implement, extraction, first. Source: arxiv cs.CR (Cryptography and Security).
arXiv:2605.08984v1 Announce Type: new Abstract: As Field-Programmable Gate Arrays (FPGAs) scale in multi-tenant cloud and edge-AI environments, the configuration bitstream has become a critical, yet opaque, security boundary. Existing hardware Trojan detection methods often rely on trusted design artifacts or computationally intensive reverse-engineering, introducing prohibitive latencies in dynamic, "just-in-time" reconfiguration workflows. This paper presents BLADEI (Bitstream-Level Abnormality Detection for Embedded Inference), a bitstream-level security framework designed for deployment-time screening of FPGA configurations without requiring source code, netlists, or vendor-specific tooling. BLADEI introduces a hybrid architecture that combines multi-scale byte-sequence learning with compact statistical representations to detect anomalous configurations directly from raw bitstreams. We implement the framework on a Xilinx PYNQ-Z1 system, demonstrating an end-to-end cloud-to-edge pipeline that enforces security prior to FPGA configuration. Evaluating across 1,383 bitstreams, BLADEI achieves a macro F1-score of 0.91. However, our systems-level characterization reveals a "preprocessing wall": software-based feature extraction accounts for 92% of the total 16.4-second latency, while model inference requires only 1.4 seconds. To address this bottleneck, we propose a streaming hardware-accelerated feature extraction engine designed for the FPGA programmable logic (PL). The evaluation shows that PL-based streaming engine can reduce feature-extraction latency to the millisecond range. This work positions bitstream-level screening as a first-class primitive and demonstrates that hardware-accelerated preprocessing is the key enabler for securing next-generation reconfigurable custom computing machines at line rate.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses evaluation.
- score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.08910unread
Enhancing Adversarial Robustness in Network Intrusion Detection: A Layer-wise Adaptive Regularization Approach
Hira Nasir, Eiman Javed, Balawal Shabir, Zunera Jalil, Ahmad Mohsin · 2026-05-12
The authors present LARAR, an adversarial training method for network intrusion detection that adds layer-by-layer vulnerability scoring and adaptive weighting to standard adversarial training. Instead of treating the whole neural network as a black box, LARAR identifies which layers are most vulnerable to adversarial perturbations (via "auxiliary classifiers" attached to intermediate layers) and focuses defense effort there. On the UNSW-NB15 intrusion-detection dataset, it achieves 95% clean accuracy and improved robustness against FGSM, PGD, and transfer attacks, while reducing computation by targeting vulnerable layers. **Main takeaways:** - Adds layer-wise vulnerability analysis to adversarial training: scores each layer's susceptibility to attacks and adapts defense accordingly. - Uses "auxiliary classifiers" at intermediate layers to measure where adversarial perturbations propagate most. - Achieves 95% clean accuracy and better robustness on UNSW-NB15 network intrusion data against FGSM, PGD, and transfer attacks. - Reduces computational cost by focusing on vulnerable layers and enabling early detection of adversarial samples. - Provides interpretable vulnerability scores for each layer, not just end-to-end robustness metrics.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, base, system, under, mechanisms, effect. Source: arxiv cs.CR (Cryptography and Security).
arXiv:2605.08910v1 Announce Type: new Abstract: The new wave of adversarial attacks that utilize gradient-related vulnerabilities in neural network-based classifiers makes Network Intrusion Detection Systems more open to such threats. Although state-of-the-art adversarial training methods have shown promising results in producing more robust classifiers, their interpretability and defense ability are limited due to their lack of understanding of how adversarial attacks propagate in different layers of network classifiers. In this paper, we present an insightful approach, called LARAR (Layer-wise Adversarial Robustness using Adaptive Regularization), that incorporates additional layer-wise vulnerability analysis and adaptive weighting in conventional adversarial training methods. Additionally, we utilize 'Auxiliary Classifiers' in our approach. LARAR provides interpretable layer-wise vulnerability scores, achieves a clean accuracy of 95.01%, and provides better robustness against adversarial attacks (FGSM, PGD, and transfer attacks) on the UNSW-NB15 dataset. Through the identification of vulnerable layers, the proposed framework reduces computational complexity and enables the early detection of adversarial samples, thus enhancing the effectiveness and interpretability of adversarial defense mechanisms in NIDS.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses robustness, adversarial.
- score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.08763unread
When LLMs Team Up: A Coordinated Attack Framework for Automated Cyber Intrusions
Minfeng Qi, Tianqing Zhu, Zijie Xu, Congcong Zhu, Qin Wang, Wanlei Zhou · 2026-05-12
The authors introduce CAESAR, a multi-agent LLM framework for automated cybersecurity tasks (like capture-the-flag challenges) that splits the workflow into five specialized roles (e.g., evidence extraction, planning, execution, validation) coordinated by a shared knowledge base and a bounded-round protocol. Each role has write access to a per-round workspace, and only validated results get promoted to the persistent knowledge base, reducing context drift and error propagation. Tested on 25 CTF tasks across five categories and four LLM backends, CAESAR outperforms a single-agent baseline under matched budgets, especially on multi-step exploit tasks, and the role structure provides interpretable signals (role transitions, artifact provenance, knowledge promotion) for monitoring agent behavior. **Main takeaways:** - Decomposes intrusion-style workflows into five typed roles (evidence extraction, planning, execution, validation, coordination) with explicit boundaries and artifact tracking. - Uses a bounded-round protocol: each round has a workspace, and only validator-approved outputs get promoted to the persistent knowledge base. - Tested on 25 CTF tasks across reconnaissance, web exploitation, forensics, binary exploitation, and cryptography with four LLM backends. - Outperforms single-agent baselines under matched budgets, with larger gains on multi-step tasks requiring exploit composition. - Role transitions and knowledge-promotion events provide structural signals for monitoring coordinated LLM-agent behavior beyond individual prompt inspection.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: https, github, output, eval, prompt, base, system, token. Source: arxiv cs.CR (Cryptography and Security).
arXiv:2605.08763v1 Announce Type: new Abstract: Automated intrusion-style workflows require LLM agents to reason over partial observations, tool outputs, and executable artifacts under bounded budgets. A single LLM instance often compresses evidence extraction, planning, execution, and validation into one context, which increases the risk of context drift and error propagation. Existing LLM-based multi-agent systems support general collaboration, but they do not explicitly model the role boundaries, artifact provenance, and cost constraints that characterize multi-stage intrusion workflows. This paper presents CAESAR, a coordinated multi-agent framework for controlled analysis of LLM-agent behavior in intrusion-style tasks. CAESAR decomposes the workflow into five typed roles and coordinates them through a bounded round protocol with a persistent knowledge base, a per-round workspace, validator-gated knowledge promotion, and capability-token write isolation. We evaluate CAESAR on 25 CTF tasks across five categories and four LLM backends. Compared with a single-agent baseline under matched budgets and tool access, CAESAR improves task success and reduces performance variance, with larger gains on tasks requiring multi-step exploit composition. A secondary simulated interactional-security study suggests that the role structure can transfer beyond code-native surfaces. The results indicate that role transitions, artifact provenance, and knowledge-promotion events provide useful structural signals for monitoring coordinated LLM-agent behavior beyond individual prompt and output inspection. The dataset, implementation, and evaluation logs are released at https://github.com/Xu-Qiu/CMAS.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses evaluation.
- score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.08604unread
WATSON: Leveraging Data Watchpoints for Shadow Stack Protection on Embedded Systems
Xi Tan, Sagar Mohan, Ziming Zhao · 2026-05-12
This paper presents WATSON, a shadow-stack defense for embedded systems (like IoT devices) that protects against control-flow hijacking by using the hardware debug unit's data watchpoints to enforce write protection on the shadow stack. Unlike prior shadow-stack solutions for embedded systems, WATSON provides system-wide protection (including interrupts and exceptions), introduces low overhead (7.33% on BEEBS, 1.81% on CoreMark-Pro), doesn't require a trusted execution environment, and is compatible with other security mechanisms that use similar hardware features. The authors implement it on ARM Cortex-M and show it integrates with compiler-based forward-edge control-flow integrity. **Main takeaways:** - Uses hardware data watchpoints (standard debug feature) to enforce write protection on the shadow stack, preventing control-flow hijacking on embedded systems. - Provides system-wide protection including interrupts and exceptions, which prior solutions miss. - Introduces 7.33% overhead on BEEBS and 1.81% on CoreMark-Pro benchmarks—lower than prior shadow-stack methods. - Doesn't depend on trusted execution environments (TEEs), making it applicable to a wider range of embedded devices. - Compatible with compiler-enforced forward-edge control-flow integrity and avoids conflicts with other hardware-based security mechanisms.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, eval, system, implement, mechanisms, effect, first, target. Source: arxiv cs.CR (Cryptography and Security).
arXiv:2605.08604v1 Announce Type: new Abstract: Embedded and Internet-of-Things (IoT) devices play a critical role in modern life. Their software and firmware, often developed in memory-unsafe languages like C, are susceptible to memory safety vulnerabilities that can lead to control-flow hijacking attacks. Shadow stack is a defense mechanism against control-flow hijacking that targets return addresses. However, existing shadow stack solutions for embedded systems have the following limitations. First, they lack system-wide protection, particularly for interrupts and exceptions. Second, they introduce high performance overhead. Third, they depend on security extensions like a trusted execution environment, which are not universally available on embedded devices. Finally, they rely on hardware features that have inherent configurable constraints, which pose compatibility challenges when integrating security mechanisms that require similar hardware support. To overcome these limitations, we present WATSON, an efficient and effective shadow stack solution. It leverages a standard hardware debug unit named data watchpoints for shadow stack protection on embedded systems. To prevent unauthorized access to the shadow stack, WATSON leverages the address-matching features of the debug unit to enforce the write protection of the shadow stack. Additionally, WATSON is compatible with compiler options to enforce forward-edge control-flow integrity. We implemented a prototype of WATSON on the ARM CortexM architecture, and the concept also applies to other platforms. The introduced overhead is 7.33% and 1.81% on BEEBS and CoreMark-Pro benchmarks, respectively. We also evaluate WATSON on exception handling and two real-world applications, observing negligible performance overhead and a worst-case code size overhead of 2.11%. Furthermore, our security evaluation demonstrates that WATSON effectively prevents attacks.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses limitation, limitations, evaluation, benchmark.
- score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.08456unread
HEART: A High-Efficiency Adaptive Real-Time Telemonitoring Framework for Secure Electrocardiogram Signal Transmission Using Chaotic Encryption
Beyaz{\i}t Bestami Yuksel · 2026-05-12
This paper presents a real-time ECG monitoring system that encrypts heart signals for secure cloud transmission in telemedicine. The key innovation is using each patient's own ECG signal characteristics to generate unique encryption keys on the fly — so the encryption key is biometric and patient-specific, refreshed continuously, and doesn't need traditional key exchange. The system encrypts data immediately after acquisition, sends it to the cloud, and doctors decrypt it remotely using matching keys. **Main takeaways:** - Uses a learnable key generator that derives encryption keys from the patient's ECG signal itself - Keys control a chaotic logistic map that encrypts the data through permutation and XOR operations - Achieves strong security metrics (Shannon entropy 7.678 bits, passes NIST randomness tests) - Encryption adds minimal latency, preserving real-time performance - Reconstruction is nearly lossless (PSNR > 52 dB), so diagnostic features are preserved
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, eval, base, system, source, compare, loss, effect. Source: arxiv cs.CR (Cryptography and Security).
arXiv:2605.08456v1 Announce Type: new Abstract: The realtime analysis and secure transmission of electrocardiogram ECG signals are critical for accurate diagnosis and safeguarding patient privacy in telemedicine applications This study presents a novel realtime ECG monitoring system that employs a learnable key generator LKG derived from each patients own ECG signal characteristics to dynamically produce unique encryption keys These keys determine the parameters r and x0 of a logistic map used for chaotic encryption The system securely encrypts realtime ECG data immediately after acquisition ensuring confidential transmission and storage in the cloud For remote clinical access the encrypted data is downloaded and decrypted on the doctors side using the matching key generated at the source or securely stored in the cloud This approach eliminates the need for traditional key exchange and substantially raises the cost of exhaustive key search in practice through persegment biometric key refresh and combined permutation and XOR diffusion supported by minentropy evaluation Compared to statickey methods the learnable biometric key design offers greater unpredictability and individualization A comprehensive set of security assessments including Shannon entropy 7678 bits correlation and autocorrelation disruption histogram statistics NIST SP 80022 frequency testing plaintextkey sensitivity avalanche effect FFTbased spectral flatness and robustness to noise and occlusion confirms the methods strength Reconstruction fidelity MSE approximately 5x106 PSNR greater than 52 dB MAE approximately 0002 demonstrates nearlossless decryption and preserved diagnostic features Encryption latency remains low preserving realtime performance.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses robustness, evaluation.
- score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.08443unread
Improving Parameter-Efficient Federated Learning with Differentially Private Refactorization
Linh Tran, Ana Milanova, Stacy Patterson · 2026-05-12
The authors tackle a problem in federated learning (training models across distributed data): when you combine parameter-efficient fine-tuning like LoRA (which trains only small adapter modules) with differential privacy (adding noise to protect data), the added noise often overwhelms the small weight updates and kills accuracy. Their solution, FedPower, avoids perturbing the mismatched low-rank pieces directly. Instead, the server reconstructs full-rank updates, clips them, aggregates them exactly, then uses a new method called PowerDP to project back into low-rank space while injecting privacy noise in a way that preserves matrix structure. **Main takeaways:** - Standard LoRA with differential privacy suffers because noise drowns out the small adapter weight signals - FedPower reconstructs full-rank updates before adding noise, avoiding early aggregation errors - PowerDP injects differential-privacy noise during subspace iteration before orthonormalization, which preserves useful matrix structure - Achieves both sample-level and client-level differential privacy with rigorous bounds - Experiments on language tasks show FedPower is robust even with tight privacy budgets and minimal computational overhead
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, output, eval, base, lora, under, project, effect. Source: arxiv cs.CR (Cryptography and Security).
arXiv:2605.08443v1 Announce Type: new Abstract: Federated Learning (FL) with parameter-efficient fine-tuning, such as Low-Rank Adaptation (LoRA), enables scalable model training on distributed data. However, when combined with Differential Privacy (DP), LoRA often introduces errors during global aggregation and amplifies the negative effect of DP noise. Existing cross-silo FL approaches mitigate the aggregation error by freezing one LoRA module and applying output perturbation. However, in a restricted low-rank subspaces, this additive noise frequently overwhelms the signals of the weight matrices, leading to suboptimal accuracy. To address this vulnerability, we propose FedPower, a differentially private cross-silo FL framework that reshapes server-side aggregation. Instead of perturbing mismatched low-rank factors, FedPower explicitly reconstructs and clips full-rank client updates to bound the sensitivity. The server then projects the exact aggregated update back into a secure low-rank space using PowerDP, a novel differentially private low-rank factorization mechanism. Based on simultaneous subspace iteration, PowerDP injects calibrated DP noise prior to the final orthonormalization step, effectively mitigates the negative effect of DP noise by preserving matrix orthogonality. We provide rigorous theoretical analyses establishing sensitivity bounds for subspace projections, proving that FedPower achieves both sample-level and client-level DP. Extensive experiments on various language understanding tasks in cross-silo FL settings show that FedPower is robust against tight privacy budgets while adding negligible computational overheads. Additional empirical study on different DP noise injection schemes validates the effectiveness of PowerDP in improving the tradeoff in accuracy and privacy. Evaluation on three different membership inference attacks validates the robustness and privacy-preserving capability of the proposed framework.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses negative, robustness, evaluation.
- score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.08442unread
Defense effectiveness across architectural layers: a mechanistic evaluation of persistent memory attacks on stateful LLM agents
Jun Wen Leong · 2026-05-12
This paper systematically tests six defenses against "persistent memory attacks" on LLM agents — attacks where malicious instructions injected via RAG-retrieved documents get stored in the agent's memory and execute in later sessions. The author ran 5,040 experiments across nine open-source models and found that four defenses completely fail (input filtering and retrieval filtering all achieve ~88% attack success, same as no defense). Prompt hardening partly works but mostly due to model-level refusal. Only one defense, Memory Sandbox (blocking the agent's ability to recall from memory), reduces attacks to 0% for eight of nine models — though it backfires on one reasoning model that inverts to 100% attack success. **Main takeaways:** - Four common defenses (input sanitizers, retrieval filters, RAG judges) fail because they can't see or block semantically-masked malicious content - The architectural explanation: input-level defenses can't observe RAG content; retrieval classifiers are defeated by compliance-framed instructions - Memory Sandbox works by removing the recall capability the attack requires, achieving 0% attack success on most models - One reasoning model inverts under Memory Sandbox: it refuses attacks naturally (0% ASR) but hits 100% ASR when forced onto the RAG pathway - Memory Sandbox has zero utility cost when there's no attack (100% benign task completion)
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, trigger, eval, prompt, base, system, source, under. Source: arxiv cs.CR (Cryptography and Security).
arXiv:2605.08442v1 Announce Type: new Abstract: Persistent memory attacks against LLM agents achieve high attack success rates against open-source models. In these attacks, malicious instructions injected via RAG-retrieved documents are stored in persistent memory and executed in later sessions. However, no systematic evaluation of defense effectiveness against this attack class exists. We evaluate six defenses across four architectural layers against delayed-trigger attacks on nine open-source models (5,040 runs, N=40 per condition). Four defenses fail at approximately baseline attack success rate: input-level filtering (Minimizer, Sanitizer) and retrieval-level filtering (RAG Sanitizer, RAG LLM Judge) achieve 88-89% ASR, statistically indistinguishable from the undefended baseline of 88.6%. Prompt Hardening partially fails at 77.8% ASR, with the reduction driven by two models at 0%: one genuine defense effect and one model-level refusal independent of the defense. The architectural explanation holds: input-level defenses cannot observe RAG-injected content, and retrieval-level classifiers are defeated by compliance-framed semantic masking. One defense, tool-gating at the memory layer (Memory Sandbox), reduces ASR to 0% for eight of nine models by removing the recall capability the attack requires. The exception inverts the defense entirely: a reasoning model that achieves 0% ASR under no defense via execution refusal inverts to 100% ASR under Memory Sandbox, because removing explicit recall forces the model onto the RAG pathway where its refusal mechanism does not activate. Memory Sandbox imposes zero utility cost in the absence of attack (BTCR = 100% across all conditions). These results provide the first systematic characterization of why each defense class fails against persistent memory attacks, enabling informed defense investment decisions.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses evaluation.
- score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.08385unread
Quantifiable Uncertainty: A Stochastic Consensus Multi-Agent RAG Framework for Robust Malware Detection
ElMouatez Billah Karbab · 2026-05-12
MAGMA is a Retrieval-Augmented Generation framework for malware detection that decouples analysis into semantic code retrieval and probabilistic verification. The system uses dual-stream embeddings over assembly and pseudo-code to isolate critical functions, then employs multiple reasoning agents with non-deterministic sampling to produce two metrics: Function Evidence Strength and Evidence Conflict Score (Shannon entropy of predictions). High entropy serves as a signal for structural ambiguity, enabling a reject-option policy that achieves 98.4% detection rate. **Main takeaways:** - Using ensemble entropy as a proxy for epistemic uncertainty enables the system to flag ambiguous cases rather than making unreliable predictions - The approach addresses evasion attacks by expressing uncertainty, unlike monolithic classifiers - Dual-stream embedding helps separate decision-critical functions from dead code noise
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, eval, system, same, under, implement, isolate, effect. Source: arxiv cs.CR (Cryptography and Security).
arXiv:2605.08385v1 Announce Type: new Abstract: While contemporary deep learning malware detectors define a dominant defense paradigm, their sophistication also exposes them to novel structural evasion attacks, a limitation we attribute to their inherent inability to express epistemic uncertainty. To address this challenge, we present MAGMA, a Retrieval-Augmented Generation (RAG) framework that decouples malware analysis into semantic code retrieval and probabilistic verification. In contrast to monolithic classifiers, MAGMA employs a dual-stream embedding scheme over assembly and pseudo-code representations to isolate Decision-Critical Functions (DCFs) from the noise of dead code. We further introduce a Stochastic Consistency Ensemble, in which multiple instances of the same reasoning agent independently evaluate the retrieval set under non-deterministic sampling. From this ensemble, we derive two complementary metrics: Function Evidence Strength (FES), a weighted aggregation of retrieval confidence, and the Evidence Conflict Score (ECS), defined as the Shannon entropy of the ensemble's predictive distribution. We show that elevated ECS values serve as an effective proxy for structural ambiguity, enabling the system to implement a principled ``reject-option'' policy. Extensive evaluation demonstrates that MAGMA achieves a 98.4% detection rate, substantially exceeding existing solutions.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses limitation, evaluation.
- score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.08316unread
AI-Driven Security Alert Screening and Alert Fatigue Mitigation in Security Operations Centers: A Comprehensive Survey
Samuel Ndichu, Akira Yamada, Tao Ban, Seiichi Ozawa, Takeshi Takahashi, Daisuke Inoue · 2026-05-12
This is a survey of AI-driven security alert screening in Security Operations Centers (SOCs) from 2015 to 2026. The authors reviewed 119 papers and organized them into a four-stage workflow: filtering (removing noise), triage (prioritizing alerts), correlation (linking related alerts), and generative augmentation (adding context). They identify persistent gaps in deployment realism, adversarial robustness, cross-environment validation, and evaluation practices, and propose a research agenda for building trustworthy cognitive SOCs. **Main takeaways:** - Synthesizes 119 records (87 core studies) into a four-stage taxonomy: filtering, triage, correlation, and generative augmentation - Identifies gaps in deployment realism, adversarial robustness, cross-environment validation, and evaluation standards - Alert screening reduces alert fatigue by filtering false positives, prioritizing high-severity incidents, and linking related events - The field lacks real-world validation and adversarial testing despite increasing AI adoption in SOCs - Proposes a research agenda toward trustworthy Cognitive Security Operations Centers
Read next because overlaps with clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: latin, eval, attention, context. Source: arxiv cs.CR (Cryptography and Security).
arXiv:2605.08316v1 Announce Type: new Abstract: Security alert screening is the downstream task of filtering, prioritizing, correlating, and contextualizing alerts for analyst attention in Security Operations Centers. This survey reviews artificial-intelligence-driven alert screening and alert-fatigue mitigation from 2015 to 2026. We synthesize 119 records, including 87 core studies, into a four-stage workflow taxonomy covering filtering, triage, correlation, and generative augmentation. We find persistent gaps in deployment realism, adversarial robustness, cross-environment validation, and evaluation practice. The survey concludes with a research agenda toward trustworthy Cognitive Security Operations Centers.
Potential threat/caveat for clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)": this item discusses robustness, adversarial, evaluation.
- score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.08313unread
Seed Hijacking of LLM Sampling and Quantum Random Number Defense
Ziyang You, Xiaoke Yang, Zhanling Fan, Feng Guo, Xiaogen Zhou, Xuxing Lu · 2026-05-12
The authors demonstrate SeedHijack, a supply-chain attack that manipulates the pseudorandom number generator (PRNG) used in LLM autoregressive sampling to force attacker-chosen tokens without touching model weights or logits. The attack achieves 99.6% exact token injection on GPT-2 and 100% success on four aligned models (1.5B–7B parameters, trained with RLHF, SFT, or reasoning distillation), bypassing all tested alignment methods. They propose a defense using a hardware quantum random number generator (QRNG) that blocks the attack with negligible overhead (+0.6% latency, +7.7 MB memory). **Main takeaways:** - SeedHijack manipulates the PRNG seed to force specific token selections during sampling without altering model parameters or logits - Achieves 99.6% success on GPT-2 and 100% on four aligned models (1.5B–7B), defeating RLHF, SFT, and reasoning distillation - The attack is a supply-chain vulnerability: it targets the random sampling layer, not the model itself - A hardware quantum random number generator (QRNG) defense neutralizes the attack with +0.6% latency and +7.7 MB memory overhead - Highlights a critical sampling-layer vulnerability overlooked by existing safety work focused on model weights and activations
Read next because overlaps with clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: output, eval, base, token, backdoor. Source: arxiv cs.CR (Cryptography and Security).
arXiv:2605.08313v1 Announce Type: new Abstract: Large language models (LLMs) rely on deterministic pseudorandom number generators (PRNGs) for autoregressive sampling, creating a critical supply-chain attack surface overlooked by existing defenses. We present SeedHijack, a backdoor attack that manipulates PRNG outputs to force attacker-specified token selection without altering model logits. In a 540-trial benchmark on GPT-2 (124M), the attack achieves 99.6% exact token injection across 9 sampling configurations; it reaches 100% success on four aligned models (1.5B-7B, RLHF/SFT/reasoning distillation) and bypasses all alignment methods tested in this work. We further propose a defense based on a hardware quantum random number generator (QRNG), which neutralizes the attack in our evaluated threat model with negligible median overhead (+0.6% latency, +7.7 MB memory). Our work identifies a critical sampling-layer vulnerability and provides a practical, deployable QRNG-based defense.
Potential threat/caveat for clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)": this item discusses benchmark.
- score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.08277unread
Mitigating Many-shot Jailbreak Attacks with One Single Demonstration
Kejia Chen, Jiawen Zhang, Boheng Li, Pengcheng Li, Jian Lou, Zunlei Feng, Mingli Song, Ruoxi Jia, Tianwei Zhang · 2026-05-12
The authors study why many-shot jailbreaking (MSJ) works — preceding a harmful query with many harmful question-answer demonstrations makes safety-aligned models comply. They find that MSJ causes progressive activation drift: adding more harmful demos shifts the query's representation step-by-step away from the safety-aligned region. They show this drift is equivalent to implicit malicious fine-tuning via SGD-style updates on the N harmful samples. Flipping the mechanism, they append a single safety demonstration at inference time to induce a counteracting update that restores refusal, improving robustness without parameter changes or white-box access. **Main takeaways:** - Many-shot jailbreaking causes progressive activation drift: each added harmful demo shifts the query representation further from the safety-aligned region - Theoretically, conditioning on N harmful demos is equivalent to SGD-style updates on N harmful samples (implicit malicious fine-tuning) - Appending a single safety demonstration at inference time induces a counteracting safety-oriented update and restores refusal - The defense requires no parameter changes or white-box access, just a one-shot safety example in the context - Turns the attack mechanism into a defense principle: if harmful demos are implicit fine-tuning, safety demos are implicit safety fine-tuning
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: https, github, activation. Source: arxiv cs.CR (Cryptography and Security).
arXiv:2605.08277v1 Announce Type: new Abstract: Many-shot jailbreaking (MSJ) causes safety-aligned language models to answer harmful queries by preceding them with many harmful question-answer demonstrations. We study why this attack becomes stronger as the number of demonstrations increases. Empirically, we find that MSJ induces a progressive activation drift: the representation of a fixed harmful query moves step by step away from the safety-aligned region as more harmful demonstrations are added. Theoretically, we show that this drift can be interpreted as implicit malicious fine-tuning: conditioning on N harmful demonstrations induces SGD-style updates equivalent to optimizing on the corresponding N harmful samples. This view turns the attack mechanism into a defense principle. We append a fixed one-shot safety demonstration at inference time, which induces a counteracting safety-oriented update and restores refusal behavior. The resulting method improves the model's robustness to MSJ without modifying its parameters or requiring white-box access at deployment. Code is available at https://github.com/Thecommonirin/SafeEnd.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses robustness.
- score 100arxiv cs.CR (Cryptography and Security)arxiv:2605.08257unread
Research on Security Enhancement Methods for Adversarial Robust Large Language Model Intelligent Agents for Medical Decision-Making Tasks
Saisai Hu · 2026-05-12
The authors build ARSM-Agent, a medical decision-making agent with a six-stage security pipeline: input risk perception, medical evidence constraint, knowledge consistency verification, decision confidence reweighting, safety output control, and adversarial feedback updates. They train with a weighted joint objective (30% decision accuracy, 30% adversarial robustness, 20% safety refusal, 20% knowledge consistency) and show it reduces attack success rate to 8.7% under semantic perturbation, prompt injection, drug-name confusion, and false-evidence attacks, while maintaining 0.91 knowledge consistency. Ablation experiments quantify each module's contribution to accuracy and attack resistance. **Main takeaways:** - ARSM-Agent uses a six-stage pipeline: risk perception, evidence constraint, consistency verification, confidence reweighting, safety control, and adversarial feedback - Trained with a weighted joint objective: 30% decision accuracy, 30% adversarial robustness, 20% safety refusal, 20% knowledge consistency - Reduces overall attack success rate to 8.7% under semantic perturbation, prompt injection, drug-name confusion, and false-evidence attacks - Achieves 0.91 knowledge consistency score (agreement with verified medical knowledge) - Ablation shows each module contributes 4.4–9.1% accuracy and reduces attack success rate by 6.9–13.8%
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, issue, output, eval, prompt, issues, base, under. Source: arxiv cs.CR (Cryptography and Security).
arXiv:2605.08257v1 Announce Type: new Abstract: Motivated by the challenge to improve the adversarial robustness, security, and trust of medical decision making intelligent agents, this study develops a full-link security enhancement framework, which describes "input risk perception - medical evidence constraint - knowledge consistency verification - decision confidence reweighting - security output control - adversarial feedback update." We propose ARSM-Agent and define a weighted joint objective consisting of decision accuracy loss, adversarial robustness loss, safety refusal loss, and knowledge consistency loss, with weights of 0.3, 0.3, 0.2, and 0.2, respectively. The whole medical decision formulation is implemented by multi-module collaborative linkage. We verify that the algorithm is more efficient than four baselines, including LLM-Agent, Retrieval-Agent, Filter-Agent, and Adv-Train-Agent. Under semantic perturbation, prompt injection, drug-name confusion, and false-evidence attacks, ARSM-Agent reduces the overall attack success rate to 8.7% and achieves a knowledge consistency score of 0.91. Ablation experiments quantify each module's contribution: removing risk perception, evidence retrieval, consistency verification, and confidence reweighting reduces accuracy by 6.7%, 9.1%, 7.6%, and 4.4%, respectively, and increases attack success rate by 13.8%, 11.1%, 8.6%, and 6.9%. The proposed approach addresses key security issues of medical decision making intelligent agents, obtains secure decision making in challenging scenarios, and provides reliable intelligent support for medical decision-making intelligent agents.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses robustness, adversarial.
- score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.08599unread
What Will Happen Next: Large Models-Driven Deduction for Emergency Instances
Zhengqing Hu, Dong Chen, Junkun Yuan, Liang Liu, Hua Wang, Zhao Jin, Yingchaojie Feng, Wei Chen, Mingliang Xu · 2026-05-12
The authors propose a system (WLDS) that uses large language models to simulate emergency scenarios and deduce how they might unfold differently. Traditional emergency simulations just replay what happened; this system generates diverse alternative timelines by having the LM branch scenarios in multiple directions, using factual and logical calibration to keep outputs plausible, plus a visualization module for text-image outputs. They test on a new Emergency Instances Deduction benchmark and claim high-precision branching scenario generation across domains. **Main takeaways:** - System generates multiple divergent timelines for emergency events instead of replaying a single recorded instance - Factual and logical calibration mechanisms attempt to keep generated scenarios accurate and coherent - Interactive module lets users select deduction directions to avoid hard-to-detect hallucinations - Combines text and image outputs for interpretability - Tested on a new Emergency Instances Deduction dataset covering multiple specific domains
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, system. Source: arxiv cs.AI (Artificial Intelligence).
arXiv:2605.08599v1 Announce Type: new Abstract: Traditional simulation methods reproduce occurred emergency instances through presetting to assist people in risk assessment and emergency decision-making. However, due to the lack of randomness and diversity, existing simulation systems struggle to fully explore the potential risk as emergency instances are scarce. In contrast, Large Models (LMs) can dynamically adjust generation strategies to introduce controllable randomness, while also possessing extensive prior knowledge and cross-domain knowledge transfer capabilities. Inspired by it, we propose the LMs-driven World Line Divergence System (WLDS), which enables diversified visualization and deduction of emergency instances in different domains. WLDS leverages LMs to deduce emergency instances in various development directions, and introduces the factual calibration and logical calibration mechanism to ensure factual accuracy and logical rigor during the deduction process. The interactive module can independently select deduction directions to avoid potential hallucinations that are difficult for the system to identify. Furthermore, by introducing the visualization module, WLDS forms simulation and deduction that combine text and images, which enhances interpretability. Extensive experiments conducted on the proposed Emergency Instances Deduction (EID) benchmark dataset demonstrate that WLDS achieves high-precision and high-fidelity simulation and deduction of emergency instances in multiple specific domains. Relevant experiments further demonstrate that WLDS can generate more emergency instances deduction data for users and provide support for better decision-making in similar emergency instances in the future.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses benchmark.
- score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.08564unread
Biological Plausibility and Representational Alignment of Feedback Alignment in Convolutional Networks
Jake Lance, Larry Kieu · 2026-05-12
The authors compare feedback alignment (FA)—a biologically plausible alternative to backpropagation that uses random backward weights—with backpropagation on convolutional networks trained on CIFAR-10. Standard FA fails on convnets, so they test modified FA variants and find that the versions that work do so because they converge on internal representations geometrically similar to those from backpropagation, despite using different weight update rules. The implication is that mimicking backprop's representational structure, not biological plausibility per se, drives the functional success. **Main takeaways:** - Standard feedback alignment doesn't scale to convolutional architectures; modified versions do - Modified FA algorithms that succeed produce internal representations structurally similar to backpropagation - Success appears rooted in mimicking backprop's representational geometry, not in the biological plausibility of the update rule - Analysis covers biological plausibility, interpretability, and computational cost - Suggests representational alignment with backprop is the key functional ingredient
Read next because overlaps with clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", experiment "Joint-source marker leakage along the A↔B persona axis fails — A-only LoRA leaks the marker broadly, B-only LoRA stays hyper-local (LOW confidence)". Matching terms: eval, same, fails, mechanisms. Source: arxiv cs.AI (Artificial Intelligence).
arXiv:2605.08564v1 Announce Type: new Abstract: The feedback alignment (FA) algorithm offers a biologically plausible alternative to backpropagation (BP) for training neural networks yet notably fails to scale to convolutional architectures. Modifications have been proposed to address this limitation, but at questionable cost to biological plausibility. In this paper, we evaluate five learning algorithms including modified FA and standard BP, applied to the same convolutional architecture with the CIFAR-10 dataset. We provide a tripartite comparative analysis focusing on biological plausibility, interpretability, and computational complexity. Our results indicate that modified FA algorithms converge on internal representations that are structurally similar to those produced by backpropagation. In particular, it appears the functional success of modified FA algorithms may be rooted in their ability to mimic the representational geometry of backpropagation, converging on similar representations despite relying on fundamentally different weight update mechanisms.
Potential threat/caveat for clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)": this item discusses limitation.
- score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.08549unread
Evaluating Developmental Cognition Capabilities of LLMs
Xiao Xiao, Hayoun Noh, Mar Gonzalez-Franco · 2026-05-12
The authors adapt a developmental psychology framework (Kegan's stages of meaning-making) to evaluate LLMs. They build a 20-item sentence-completion test (DSCT) designed to elicit developmental stage in text responses, then test whether LLMs can (1) simulate personas at specified stages, (2) score real human DSCT responses, and (3) what stage LLMs themselves exhibit when answering without persona-conditioning. Frontier models recover simulator-intended stages well on synthetic personas; human-LLM agreement on real responses is fair; and default LLM outputs show stable stage-like patterns, with larger/newer models tending toward higher-rated text. **Main takeaways:** - Introduces a 20-item Developmental Sentence Completion Test to elicit developmental stage signal in text - Top models accurately recover intended stages when simulating synthetic personas - Human-LLM agreement on real DSCT responses is fair (stronger within-neighborhood than exact) - LLMs answering DSCT prompts without personas show stable stage-like differences across model families - Larger and newer models tend to generate higher-rated (more developed) text - Stage signal is cleaner in synthetic/simulated responses than in real human DSCT text
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, persona, output, eval, prompt, length, under, personas. Source: arxiv cs.AI (Artificial Intelligence).
arXiv:2605.08549v1 Announce Type: new Abstract: Conversational AI is increasingly personalized around users' preferences, histories, goals, and knowledge, but much less around how users interpret and take up model outputs to construct and understand their reality. We draw on Robert Kegan's constructive-developmental theory as a complementary lens on this dimension. Existing methods for assessing developmental stage in the Keganian tradition rely either on expert interviews that do not scale or on sentence-completion instruments that are proprietary, lengthy, or invasive. To make this perspective tractable for LLM evaluation, we introduce the Developmental Sentence Completion Test (DSCT), a 20-item instrument designed to elicit developmental signal in self-administered text. Throughout, we treat the resulting labels as characterizations of stage-like structure in elicited responses, not as validated person-level developmental stage. We then ask how much of that signal can be recovered by LLMs across three elicited response regimes: simulated personas, real human respondents, and default model-generated answers. On simulated personas, top frontier models recover simulator-intended labels with high accuracy. On real human DSCT responses, human-LLM agreement is fair, with much stronger within-neighborhood than exact agreement. Finally, when LLMs answer DSCT prompts without persona-conditioning, their responses exhibit stable stage-like differences across model families, with larger and newer models tending to generate higher-rated text. These results suggest that stage-conditioned signal is cleaner in synthetic responses than in human-written DSCT text, and that the core constraint for stage-aware conversational AI is not classifier accuracy alone, but the availability of developmental signal from elicited text.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses evaluation.
- score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.08545unread
Log analysis is necessary for credible evaluation of AI agents
Peter Kirgis, Sayash Kapoor, Stephan Rabanser, Nitya Nadgir, Cozmin Ududec, Magda Dubois, JJ Allaire, Conrad Stosz, Marius Hobbhahn, Jacob Steinhardt, Arvind Narayanan · 2026-05-12
The authors argue that agent benchmarks reporting only pass/fail scores hide critical validity problems—shortcuts, scaffold limitations, and dangerous actions—and that systematic log analysis (tracking inputs, execution steps, and outputs) is necessary for credible evaluation. They present a taxonomy of validity threats uncovered by log analysis, develop guiding principles, and demonstrate on tau-Bench Airline that pass@5 was under-elicited by nearly 50% and that outcome metrics missed deployment failure modes visible only in execution logs. **Main takeaways:** - Pass/fail scores alone can inflate/deflate capability via shortcuts, miss real-world failure modes, and conceal dangerous actions - Log analysis—systematic tracking of agent inputs, steps, and outputs—surfaces these hidden validity threats - On tau-Bench Airline, log analysis revealed pass@5 was under-elicited by ~50% - Execution logs exposed deployment failure modes invisible to outcome metrics - Provides a taxonomy of threats and guiding principles for log analysis, with recommendations for benchmark creators, model developers, evaluators, and deployers
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, output, eval, system, under, first. Source: arxiv cs.AI (Artificial Intelligence).
arXiv:2605.08545v1 Announce Type: new Abstract: Agent benchmarks typically report only final outcomes: pass or fail. This threatens evaluation credibility in three ways. First, scores may be inflated or deflated by shortcuts and benchmark artifacts, misrepresenting capability. Second, benchmark performance may fail to predict real-world utility due to scaffold limitations and recurring failure modes. Finally, capability scores may conceal dangerous or catastrophic actions taken by the agent. We argue that log analysis -- the systematic tracking and analysis of the inputs, execution, and outputs of an AI agent -- is necessary to overcome these validity threats and promote credible agent evaluation. In this paper, we (1) present a taxonomy of threats to credible evaluation documented through log analysis, and (2) develop a set of guiding principles for log analysis. We illustrate these principles on tau-Bench Airline, revealing that pass^5 performance was under-elicited by nearly 50% and surfacing deployment failure modes invisible to outcome metrics. We conclude with pragmatic recommendations to increase uptake of log analysis, directed at diverse stakeholders including benchmark creators, model developers, independent evaluators, and deployers.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses failure, limitation, limitations, evaluation, benchmark.
- score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.08538unread
Human-Inspired Memory Architecture for LLM Agents
Doga Kerestecioglu, Alexei Robsky, Clemens Vasters, Anshul Sharma, Yitzhak Kesselman · 2026-05-12
The authors build a biologically-inspired memory architecture for LLM agents with six mechanisms: sleep-phase consolidation, interference-based forgetting, engram maturation, reconsolidation on retrieval, entity knowledge graphs, and hybrid retrieval. They introduce a synthetic calibration method to set pipeline thresholds without exposing evaluation data. On a VSCode issue-tracking dataset, deduplication-based consolidation achieves 97% retention precision with 58% storage reduction; on LongMemEval personal chat (streaming evaluation with 475 sessions, ~540K turns), the pipeline matches raw retrieval accuracy at 200K-token budget while enabling an accuracy/storage trade-off curve. **Main takeaways:** - Six cognitive mechanisms address failure modes of naive memory accumulation: consolidation, forgetting, maturation, reconsolidation, knowledge graphs, hybrid retrieval - Synthetic calibration derives all thresholds without benchmark exposure, avoiding evaluation leakage - On VSCode issues: 97.2% retention precision, 58% store reduction, +21.8 pp over baseline - On LongMemEval (streaming, 540K turns): matches raw retrieval accuracy (70.1% vs. 71.2%) at 200K budget with tunable accuracy/size trade-off - At smaller scale (50 sessions), dedup consolidation yields +13.3 pp improvement in preference recall
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: persona, issue, long, eval, issues, base, token, source. Source: arxiv cs.AI (Artificial Intelligence).
arXiv:2605.08538v1 Announce Type: new Abstract: Current LLM agents lack principled mechanisms for managing persistent memory across long interaction horizons. We present a biologically-grounded memory architecture comprising six cognitive mechanisms: (1) sleep-phase consolidation, (2) interference-based forgetting, (3) engram maturation, (4) reconsolidation upon retrieval, (5) entity knowledge graphs, and (6) hybrid multi-cue retrieval. Each mechanism addresses a specific failure mode of naive memory accumulation. We introduce a synthetic calibration methodology that derives all pipeline thresholds without benchmark data exposure, eliminating a common source of evaluation leakage. We evaluate on two benchmarks. First, a VSCode issue-tracking dataset (13K issues, 120K events) where deduplication-based consolidation achieves 97.2% retention precision with 58% store reduction (+21.8 pp over baseline). Second, the LongMemEval personal-chat benchmark where we conduct the first streaming M-tier evaluation (475 sessions, ~540K unique turns). At a 200K-token context budget, our pipeline matches raw retrieval accuracy (70.1% vs. 71.2%, overlapping 95% CI) while exposing a tunable accuracy/store-size operating curve. At S-tier scale (50 sessions), dedup-based consolidation yields a +13.3 pp improvement in preference recall.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses failure, evaluation, benchmark.
- score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.08533unread
Human-LLM Dialogue Improves Diagnostic Accuracy in Emergency Care
Burcu Sayin, Ngoc Vo Hong, Ipek Baris Schlicht, Jacopo Staiano, Pasquale Minervini, Sara Allievi, Nicola Susca, Nicola Osti, Alberto Maino, Vito Racanelli, Andrea Passerini · 2026-05-12
The authors built MedSyn, a system where emergency physicians iteratively query an LLM that has the full clinical record while the physician initially sees only the chief complaint. Seven physicians (three seniors, four residents) completed baseline and AI-assisted sessions on 52 MIMIC-IV cases. Blinded evaluation showed residents' correctness on hard cases rose from 58.9% to 73.4%; standardized metrics confirmed medium effect size. Dialogue analysis revealed seniors asked targeted questions while residents asked broader queries, and cross-expertise agreement increased. **Main takeaways:** - Physicians query an LLM with full clinical info while they see only the chief complaint, then iteratively reveal details - Residents' hard-case correctness improved from 58.9% to 73.4%; difficulty-standardized completely-correct rate showed medium effect (d=0.47) - Automated metrics: standardized any-match accuracy +15.6 pp, residents' F1 +13.8 pp - Seniors asked hypothesis-driven questions; residents used broader queries - Cross-expertise diagnostic agreement increased by 14.5 pp - Demonstrates measurable benefit in live physician workflows, not just benchmarks
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, eval, base, under, effect, target, hypothesis. Source: arxiv cs.AI (Artificial Intelligence).
arXiv:2605.08533v1 Announce Type: new Abstract: Clinical decision-making in emergency medicine demands rapid, accurate diagnoses under uncertainty. Despite benchmark progress, evidence for LLMs as interactive aids in live physician workflows remains sparse. MedSyn lets physicians iteratively query an LLM provided with the full clinical record while initially viewing only the chief complaint. Seven physicians (three seniors, four residents) completed baseline and AI-assisted sessions across 52 MIMIC-IV cases stratified by difficulty. Blinded evaluation showed residents' Hard-case correctness rose from 0.589 to 0.734; difficulty-standardised completely-correct rates confirmed a medium effect ({\Delta} = 0.092; p = 0.071; d = 0.47). Automated metrics corroborated these gains: standardised any-match accuracy improved by 0.156 (p < 0.0001), and residents showed the largest F1 gain ({\Delta} = 0.138; p < 0.0001). Dialogue analysis revealed expertise-dependent strategies (seniors asked targeted, hypothesis-driven questions; residents relied on broader queries) and cross-expertise concordance increased ({\Delta} = 0.145; p < 0.0001). Interactive LLM support meaningfully enhances diagnostic reasoning.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses evaluation, benchmark.
- score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.08518unread
Results and Retrospective Analysis of the CODS 2025 AssetOpsBench Challenge
Dhaval Patel, Chathurangi Shyalika, Suryanarayana Reddy Yarrabothula, Ling Yue, Shuxin Lin, Nianjun Zhou, James Rayfield · 2026-05-12
The authors analyzed a multi-agent orchestration competition where teams built industrial automation systems. They looked at submission logs, leaderboards, and source code to understand what the evaluation actually measured and what worked. The public leaderboard hit a ceiling that better prompts couldn't break through, and scores on the hidden test set told a completely different story than public scores—especially for execution tasks where the correlation was actually negative. **Main takeaways:** - Public leaderboard scores maxed out at 72.73% and more sophisticated prompts didn't push past that ceiling - Hidden test scores barely correlated with public scores in planning (r=0.69) and were negatively correlated in execution (r=-0.13), meaning some low-ranked teams did best on held-out data - A bug in the scoring formula made one term contribute almost nothing (0.05 points max), and fixing it would have swapped the top two winners - Winning execution systems mostly added guardrails—better response filtering, fallback logic, and context control—not fancy new agent architectures - 149 registered teams collapsed to only 11 with complete scores, showing huge drop-off between signup and actual participation
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, eval, prompt, base, system, source, context, first. Source: arxiv cs.AI (Artificial Intelligence).
arXiv:2605.08518v1 Announce Type: new Abstract: Competition retrospectives are useful when they explain what a leaderboard measured, how hidden evaluation changed conclusions, and which design patterns were rewarded. We revisit the CODS 2025 \assetopslive{} challenge, a privacy-aware Codabench competition on industrial multi-agent orchestration built on \assetops{}. We combine final rank sheets, a 300-submission server log, 149-team registrations, best-submission exports, the organizer winners report, the companion \assetopslive{} system paper, and verified planning-track source trees. Five results stand out. First, the public planning leaderboard saturates at 72.73\%, and richer prompts do not improve that peak. Second, hidden evaluation changes the story: public and private scores correlate moderately in planning ($r{=}0.69$) but negatively in execution ($r{=}{-}0.13$), with several 45.45\% public execution systems reaching 63.64\% on the hidden set. Third, the \tmatch{} term is numerically almost inert in the official composite -- combined on a 0--1 scale with 0--100 percentage scores, it contributes at most 0.05 points per track, and rescaling would swap the top two teams. Fourth, the competition is operationally account-based but substantively team-based: 149 registered teams reduce to 24 with non-zero public scores and 11 fully ranked, while 52.3\% of deduplicated registrations list multiple usernames. Fifth, successful execution methods mostly improve guardrails -- response selection, contamination cleanup, fallback, and context control -- rather than novel agent architectures. These findings identify which behaviors the evaluation rewarded, and motivate scale-aware composites, skill-level diagnostics, and versioned artifact release.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses negative, evaluation.
- score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.08516unread
OracleTSC: Oracle-Informed Reward Hurdle and Uncertainty Regularization for Traffic Signal Control
Darryl Jacob, Xinyu Liu, Muchao Ye, Xiaoyong Yuan, Pan He · 2026-05-12
The authors built a traffic-light control system using a language model that gets reinforcement-learning feedback from traffic simulators. Standard RL struggled because most actions barely change congestion (sparse, delayed rewards), so they added two tricks: a "reward hurdle" that filters out weak feedback signals by subtracting a threshold, and "uncertainty regularization" that pushes the model to be consistent across multiple attempts at the same decision. An 8-billion-parameter LLaMA model trained this way cut travel time by 75% and transferred to a different intersection layout without retraining. **Main takeaways:** - Language models doing RL on traffic control are unstable because most green-light timing changes produce tiny, delayed improvements in congestion - Subtracting a calibrated threshold from rewards (the "hurdle") filters out noise and focuses learning on actions that matter - Forcing the model to give consistent answers across sampled outputs (uncertainty regularization) stabilizes training - A policy learned on one intersection generalized to a structurally different intersection (17% lower travel time, 39% shorter queues) with no fine-tuning - The system keeps interpretability because it outputs natural-language explanations for its decisions
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, parent, output, base, trained, system, length, compare. Source: arxiv cs.AI (Artificial Intelligence).
arXiv:2605.08516v1 Announce Type: new Abstract: Transparent decision-making is essential for traffic signal control (TSC) systems to earn public trust. However, traditional reinforcement learning-based TSC methods function as black boxes with limited interpretability. Although large language models (LLMs) can provide natural language reasoning, reinforcement finetuning for TSC remains unstable because feedback is sparse and delayed, while most actions produce only marginal changes in congestion metrics. We introduce OracleTSC, which stabilizes LLM-based TSC through two mechanisms: (1) a reward hurdle mechanism that filters weak learning signals by subtracting a calibrated threshold from environmental rewards, and (2) uncertainty regularization that maximizes the probability of the selected response to encourage consistent decisions across sampled outputs. Experiments on the LibSignal benchmark show that OracleTSC enables a compact LLaMA3-8B model to substantially improve traffic efficiency, achieving a 75% reduction in travel time and a 67% decrease in queue length compared with the pretrained baseline while preserving interpretability through natural language explanations. OracleTSC also demonstrates strong cross-intersection generalization: a policy trained on one intersection transfers to a structurally different intersection with 17% lower travel time and 39% lower queue length without additional finetuning. These results suggest that uncertainty-aware reward shaping can improve the stability and effectiveness of reinforcement fine-tuning for TSC.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses benchmark.
- score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.08496unread
Latent Personality Alignment: Improving Harmlessness Without Mentioning Harms
Linh Le, David Williams-King, Mohamed Amine Merzouk, Aton Kamanda, Adam Oberman · 2026-05-12
Instead of training language models to avoid harm using thousands of examples of bad prompts and refusals, the authors train on fewer than 100 abstract personality-trait statements (like "I am cautious" or "I value honesty") using adversarial fine-tuning. This "Latent Personality Alignment" matches the robustness of methods trained on 150,000+ harmful examples and generalizes 2.6× better to new attack types—all without ever showing the model a single harmful example during training. The key idea is that teaching broad personality traits transfers better across attack distributions than memorizing specific harm categories. **Main takeaways:** - Training on abstract personality traits (fewer than 100 statements) achieves the same attack robustness as training on 150,000+ harmful prompt-response pairs - Personality-based training generalizes 2.6× better to unseen attack distributions across six harm benchmarks - The method never shows harmful examples during training yet still learns to refuse harmful requests - Latent adversarial training on trait statements maintains model utility better than harm-specific training - This suggests that high-level behavioral abstractions (personality) are more robust anchors than low-level pattern matching on harm categories
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, persona, prompt, base, trained, compare, than. Source: arxiv cs.AI (Artificial Intelligence).
arXiv:2605.08496v1 Announce Type: new Abstract: Current adversarial robustness methods for large language models require extensive datasets of harmful prompts (thousands to hundreds of thousands of examples), yet remain vulnerable to novel attack vectors and distributional shifts. We propose Latent Personality Alignment (LPA), a sample-efficient defense that achieves robustness by training models on abstract personality traits rather than specific harmful behaviors. Using fewer than 100 trait statements and latent adversarial training, LPA achieves comparable attack success rates to methods trained on 150k+ examples, while maintaining superior utility. Critically, LPA generalizes better to unseen attack distributions, reducing misclassification rates by 2.6x compared to baseline across six harm benchmarks -- without ever seeing harmful examples during training. Our results demonstrate that personality-based alignment offers a principled approach to building robust defenses with minimal cost.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses robustness, adversarial, benchmark.
- score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.08480unread
AI-Care: A Conversational Agentic System for Task Coordination in Alzheimer's Disease Care
Preyash Yadav, Michelle Cohn, Priyanka Koppolu, Hritvik Agarwal, Amey Gohil, Tejas Patil, Sasha Pimento, Alyssa Weakley · 2026-05-12
The authors built a voice-first chatbot for people with Alzheimer's to manage calendars and to-do lists through natural conversation, layered on top of a caregiving platform. The system uses a state-machine approach (LangGraph) that sanitizes input, classifies intent, loads context, checks safety constraints, collects missing information through follow-up questions, executes actions, and composes responses. Safety-critical facts like medications come from caregiver-verified records, not model generation, and the system never makes autonomous medical decisions. A pilot with four users showed they found it trustworthy and could complete coordination tasks by talking. **Main takeaways:** - Designed to reduce cognitive load for people with memory/thinking impairments by handling multi-step tasks (calendar, reminders, lists) through simple conversation - Uses a deterministic state machine for orchestration: every request goes through sanitization, intent classification, context loading, safety checks, slot-filling dialogue, tool execution, and response generation - Safety-critical information (medications, allergies) is retrieved from caregiver-verified records rather than generated by the language model - Handles ambiguous or incomplete requests through controlled multi-turn clarification instead of guessing or failing silently - Preliminary user testing (n=4, mild-to-moderate Alzheimer's) found the system trustworthy, competent, and usable for coordination tasks
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, output, long, eval, base, system, context, first. Source: arxiv cs.AI (Artificial Intelligence).
arXiv:2605.08480v1 Announce Type: new Abstract: Individuals with Alzheimer's disease (AD) and Alzheimer's disease-related dementia (ADRD) experience memory and thinking changes that impact their ability to use digital daily management tools. For example, adding an event to a digital calendar requires multiple steps that may act as barriers to independent use for individuals with AD/ADRD. This paper presents AI-Care, a conversational agentic artificial intelligence (AI) layer built on top of a remote caregiving platform co-designed with people with AD/ADRD. AI-Care is designed to reduce the cognitive load on individuals with AD/ADRD when managing everyday tasks such as setting calendar reminders and organizing to-do lists through natural-language interaction with a voice-first chatbot. The system uses a LangGraph-based stateful orchestration approach in which each request passes through sanitization, intent classification, context loading, safety checks, deterministic slot collection, tool execution, and response composition. Safety-critical responses, particularly around medications and allergies, are grounded in caregiver-verified records rather than free-form model generation. The system does not make autonomous medical or treatment decisions. Incomplete or ambiguous requests are handled through controlled multi-turn clarification rather than silent failure or guessing. The system supports both typed and spoken input, with voice output through ElevenLabs text-to-speech. Longer responses are chunked before synthesis to avoid rushed playback. A preliminary pilot with four individuals with mild-to-moderate AD/ADRD showed that users found the system trustworthy, competent, and likable, and were able to complete the evaluated coordination tasks through conversation. We describe the design goals, system architecture, safety controls, and findings from this formative evaluation.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses failure, evaluation.
- score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.08472unread
Mid-Training with Self-Generated Data Improves Reinforcement Learning in Language Models
Aswin RRV, Jacob Dineen, Divij Handa, Mihir Parmar, Ben Zhou, Swaroop Mishra, Chitta Baral · 2026-05-12
The authors tested whether generating multiple solution approaches for math problems during an intermediate training stage ("mid-training") improves reinforcement learning afterward. They used a bootstrapped self-generation method inspired by Polya's problem-solving framework to create diverse correct answers for each training question, fine-tuned on that data, then ran standard RL. Models initialized with this mid-training consistently outperformed baselines on math reasoning benchmarks and generalized better to out-of-distribution tasks like code generation. The paper argues theoretically that policy-gradient RL can learn to combine multiple solution strategies when the model has been exposed to them during mid-training. **Main takeaways:** - Mid-training on self-generated diverse solutions (multiple valid approaches per problem) before RL improves downstream RL performance on math reasoning - The diversity comes from generating solution variants guided by different problem-solving strategies (Polya's framework) - RL-trained models initialized with this mid-training data outperform baselines on multiple math benchmarks and generalize to code generation and narrative reasoning - The authors provide a theoretical argument that policy-gradient updates can learn to combine approaches when the model has seen multiple valid paths during mid-training - This is distinct from standard supervised fine-tuning or RL from scratch: the intermediate self-generated diversity stage is the key ingredient
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, trained, effect, first. Source: arxiv cs.AI (Artificial Intelligence).
arXiv:2605.08472v1 Announce Type: new Abstract: The effectiveness of Reinforcement Learning (RL) in Large Language Models (LLMs) depends on the nature and diversity of the data used before and during RL. In particular, reasoning problems can often be approached in multiple ways that rely on different forms of reasoning, and exposure to only a limited range of such approaches in the training data may limit the effectiveness of RL. Motivated by this, we investigate using diverse self-generated data during mid-training as an intermediate step before RL training. Specifically, we adopt a bootstrapped data-generation framework guided by George Polya's problem-solving approaches for generating multiple variants of correct answers for each question in the training data, and then perform fine-tuning. We first provide a theoretical perspective on how mid-training on such data improves RL and explain how policy-gradient updates can incentivize combining multiple approaches. We then empirically demonstrate that RL-trained models initialized with our mid-training data achieve consistent improvements across various mathematical reasoning benchmarks and other OOD tasks like code generation and narrative reasoning. Overall, our investigative study shows that a language model learning multiple problem-solving approaches, through self-generated data helps subsequent RL.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses benchmark.
- score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.08448unread
LLM-guided Semi-Supervised Approaches for Social Media Crisis Data Classification
Jacob Ativo, Bharaneeshwar Balasubramaniyam, Anh Tran, Khushboo Gupta, Hongmin Li, Doina Caragea, Cornelia Caragea · 2026-05-12
The authors compared two methods for using large language models to guide semi-supervised learning on crisis-related tweets: VerifyMatch (which uses the LLM to verify pseudo-labels) and LLM-guided Co-Training (which uses the LLM to generate training data for a smaller model). With very few labeled examples (5, 10, or 25 per class), LLM-guided Co-Training significantly outperformed classic semi-supervised baselines and even outperformed some very large LLMs in zero-shot mode. As labeled data increased, the gap narrowed and standard Self-Training became competitive. The finding suggests you can distill knowledge from big LLMs into smaller, deployable models through semi-supervised learning. **Main takeaways:** - LLM-guided Co-Training achieved the highest average F1 score in low-resource settings (5, 10, 25 labeled examples per class) for classifying crisis tweets - VerifyMatch (LLM verifies pseudo-labels) was competitive and showed strong calibration properties - Compact semi-supervised models sometimes outperformed very large LLMs in zero-shot mode, showing you can transfer knowledge into smaller models - As labeled data increased, performance differences shrank and Self-Training (a classic baseline) caught up - The results point to a practical pathway for disaster response: use LLMs to guide training of smaller, deployable models rather than running giant models in production
Read next because overlaps with clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: github, eval, base, source, compare, project, context, first. Source: arxiv cs.AI (Artificial Intelligence).
arXiv:2605.08448v1 Announce Type: new Abstract: Semi-supervised learning approaches have been investigated as a means to enhance the analysis of social media data in disaster management contexts. In this work, we present the first empirical evaluation of large language model (LLM) guided semi-supervised learning for crisis related tweet classification. We compare two recent LLM assisted semi-supervised methods, VerifyMatch and LLM guided Co-Training ( LG-CoTrain), against established semi-supervised baselines. Our results show that LG-CoTrain significantly outperforms classical semi-supervised approaches in low resource settings with 5, 10 and 25 labeled examples per class, achieving the highest averaged Macro F1 across events. VerifyMatch achieves competitive performance while also demonstrating strong calibration properties. As the number of labeled examples increases, the performance gap narrows and Self Training emerges as a strong baseline. We further observe that compact semi-supervised models can, in some cases, outperform very large LLMs operating in zero-shot settings. This finding highlights the potential of transferring knowledge from LLMs into smaller and more deployable models through LLM guided semi-supervised learning, offering a practical pathway for real world disaster response applications. Our project repository on Github is here.
Potential threat/caveat for clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)": this item discusses evaluation.
- score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.08427unread
The Attacker in the Mirror: Breaking Self-Consistency in Safety via Anchored Bipolicy Self-Play
Gabriele La Malfa, Emanuele La Malfa, Saar Cohen, Jie M. Zhang, Michael Luck, Michael Wooldridge, Elizabeth Black · 2026-05-12
The authors show that standard self-play red-teaming—where the same model plays both attacker and defender—has fundamental flaws: it can converge to useless equilibria (like always refusing) and collapses into self-consistency rather than maintaining adversarial pressure. They propose Anchored Bipolicy Self-Play, which trains separate LoRA adapters for attacker and defender roles on top of a frozen base model, achieving 100× better parameter efficiency than full fine-tuning while maintaining real adversarial pressure. Testing on Qwen2.5 models shows improved safety without hurting reasoning. **Main takeaways:** - Self-play with a single model doesn't create real adversarial dynamics—attacker and defender just learn to be consistent with each other - Separating attacker/defender into distinct LoRA adapters (frozen base) keeps the optimization stable but preserves adversarial pressure - 100× more parameter-efficient than full fine-tuning, with better safety scores on standard benchmarks - Cross-play experiments confirm that the resulting attacker and defender models are individually stronger than self-play versions
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, eval, base, same, lora, collapse, compare, loss. Source: arxiv cs.AI (Artificial Intelligence).
arXiv:2605.08427v1 Announce Type: new Abstract: Self-play red team is an established approach to improving AI safety in which different instances of the same model play attacker and defender roles in a zero-sum game, i.e., where the attacker tries to jailbreak the defender; if self-play converges to a Nash equilibrium, the model is guaranteed to respond safely within the settings of the game. Although the parameter sharing enforced by the use of the same model for the two roles improves stability and performance, it introduces fundamental theoretical and architectural limitations. We show that the set of Nash equilibria that can be reached corresponds to a broad class of behaviours that includes trivial always refuse strategies and oracle-like defenders, thus limiting practical applicability. We then show that when attacker and defender share and update the same base model, the dynamics collapse to self-consistency, so that attacks do not enforce adversarial pressure on the defender. In response, we propose Anchored Bipolicy Self-Play, which trains distinct role-specific LoRA adapters on top of a frozen base model, thereby maintaining stable optimisation while preserving adversarial pressure through explicit role separation. In relation to standard self-play, we show up to 100x greater parameter efficiency than finetuning and consistent improvements in safety compared to self-play fine-tuned models. We evaluate on Qwen2.5-{3B, 7B,14B}-IT models across widely used safety benchmarks, showing improved robustness without loss of reasoning ability. Cross-play experiments further show that our attacker and defender models are superior to self-play in terms of adversarial defence and safety.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses limitation, limitations, robustness, adversarial, benchmark.
- score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.08415unread
Political Plasticity: An Analysis of Ideological Adaptability in Large Language Models
Bruno Bianchi, Diego Tiscornia, Matias Travizano, Ariel Futoransky · 2026-05-12
The authors study "political plasticity"—how easily LLMs adapt their political stance based on context—using 200 questions about economic and personal freedom. They find that system prompts barely work, but user prompts with few-shot examples successfully shift models' positions, especially on economic issues in larger/newer models. Flipping question polarity revealed counter-intuitive responses suggesting data leakage, and plasticity varied subtly across languages. **Main takeaways:** - System prompts were largely ineffective at inducing political bias; user prompts with examples worked much better - Larger and newer models showed stronger ideological adaptability, particularly on economic freedom questions - Inverting question sense caused unexpected shifts, hinting at possible questionnaire format memorization (data leakage) - Small/old models showed limited or unstable plasticity; frontier models were reliably adaptable - Language choice produced subtle but noticeable differences in political stance
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: persona, long, prompt, base, system, leakage, under, along. Source: arxiv cs.AI (Artificial Intelligence).
arXiv:2605.08415v1 Announce Type: new Abstract: Since the advent of Large Language Models (LLMs), a significant area of research has focused on their intrinsic biases, particularly in political discourse. This study investigates a different but related concept, "political plasticity", which is defined as the capacity of models to adapt their responses based on the user supplied context. To analyze this, a testing framework was developed using an expanded corpus of 200 politically-oriented questions across economic and personal freedom axes, based on a prior framework by Lester (1996). The study explored several methods to induce political bias, including simplified and topic-based system prompts, as well as user prompts with few-shot examples. The results show that while system prompts were largely ineffective, user prompts successfully elicited significant ideological shifts, particularly along the Economic Freedom axis in larger and newer models. Through a validation experiment, we examined whether models answer questionnaires by recognizing the underlying question format. Inverting the sense of the questions revealed unexpected, counter-intuitive shifts in most models, suggesting potential data leakage. Finally, we also analyzed how model plasticity varies when the experiment is conducted in different languages. The results reveal subtle yet notable shifts across each of the analyzed languages. Overall, our results indicate that small and older LLMs exhibit limited or unstable political plasticity, whereas newer frontier models display reliable, expected adaptability.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses bias.
- score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.08409unread
Playing games with knowledge: AI-Induced delusions need game theoretic interventions
Will Beaumaster, Paul Schrater · 2026-05-12
The authors argue that sycophantic chatbots cause belief spirals in users not because of bad model training, but because conversational AI creates a strategic communication game where users can't credibly signal whether they want truth or validation. They model this as a cheap-talk game where the equilibrium traps both truth-seekers and validation-seekers in identical feedback loops. Their proposed solution—an "Epistemic Mediator" with costly signals and "Belief Versioning" (git-like rollback of beliefs)—forces users to reveal their true intent, achieving a 48× reduction in spiral rates in simulation. **Main takeaways:** - Sycophancy isn't just a model alignment problem—it's a game-theoretic equilibrium where users seeking growth vs. validation get identical treatment - In repeated interactions, this creates a coordination trap like Prisoner's Dilemma, driving even rational users toward false certainty - Introducing "epistemic friction" (costly signals) can separate truth-seekers from validation-seekers based on their willingness to process resistance - "Belief Versioning" stores healthy belief states and rolls back when validation-seeking is detected - 48× differential in spiral rates between user types when the intervention is applied
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, base, system, identical, lora, under, less, than. Source: arxiv cs.AI (Artificial Intelligence).
arXiv:2605.08409v1 Announce Type: new Abstract: Conversational AI has a fundamental flaw as a knowledge interface: sycophantic chatbots induce epistemic entrenchment and delusional belief spirals even in rational agents. We propose the problem does not stem from the AI model, rooted instead in a systemic consequence of the paradigm shift from user-driven knowledge search to users and agents engaged in strategic, repeated-play communication. We formalize the problem as a Crawford-Sobel cheap talk game, where costless user signals induce a pooling equilibrium. Agents optimized for user satisfaction produce sycophantic strategies that provide identical reinforcement across user types with opposite epistemic incentives: exploratory ``Growth-seekers'' ($\theta_G$) and confirmatory ``Validation-seekers'' ($\theta_V$). Under repeated play, this identification failure creates a coordination trap -- analogous to a Prisoner's Dilemma -- where locally rational feedback loops drive users toward pathologically certain false beliefs. We propose an inference-time mechanism design intervention called an Epistemic Mediator that breaks this pooling equilibrium by introducing a costly signal (epistemic friction), forcing type revelation based on users' asymmetric cognitive costs for processing resistance. A key contribution is Belief Versioning, a git-inspired epistemic meta-memory system that stores healthy beliefs and rollbacks when validation-seeking resistance is detected. In simulation, this intervention achieves a separating equilibrium achieving a $48\times$ differential in spiral rates while passing a learning preservation criterion), evidence that epistemic safety in AI is fundamentally a problem of strategic information environment design rather than simple model alignment.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses failure.
- score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.08399unread
CoCoDA: Co-evolving Compositional DAG for Tool-Augmented Agents
Ziyang Yu, Qiyue Li, Liang Zhao · 2026-05-12
CoCoDA organizes tool-augmented LLM agents using a compositional code DAG (directed acyclic graph) where nodes are primitive or composite tools and edges show invocation dependencies. At inference, it retrieves tools by progressively filtering: first by type signatures, then descriptions, then behavioral specs, then examples—keeping expensive context materialization for only the smallest candidate sets. During training, successful action sequences become new composite tools, and the planner gets credit proportional to how many primitives each composite saves. Results show an 8B model matching a 32B teacher on math benchmarks. **Main takeaways:** - Organizes tools in a typed DAG rather than flat text-indexed memory, exploiting compositional structure - Retrieval uses a funnel: type-check → semantic rank → spec filter → example disambiguate, progressively shrinking candidates - Successful trajectories are "folded" into new composite tools; planner reward credits composites by primitive count saved - Theoretical guarantees: sublinear retrieval cost, monotone improvement under conservative updates, DAG stays well-formed - 8B student matches 32B teacher on GSM8K and MATH; consistent gains across benchmarks
Read next because overlaps with clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: candidates, candidate, eval, prompt, base, under, context. Source: arxiv cs.AI (Artificial Intelligence).
arXiv:2605.08399v1 Announce Type: new Abstract: Tool-augmented language models can extend small language models with external executable skills, but scaling the tool library creates a coupled challenge: the library must evolve with the planner as new reusable subroutines emerge, while retrieval from the growing library must remain within a fixed context budget. Existing tool-use and skill-library methods typically treat tools as flat or text-indexed memories, causing prompt cost to grow with library size and obscuring the typed, compositional structure of executable code. We propose CoCoDA, a framework that co-evolves the planner and tool library through a single code-native structure: a compositional code DAG. Nodes are primitive or composite tools, edges encode invocation dependencies, and each node stores a typed signature, description, pre/post-condition specification, and worked examples. At inference time, Typed DAG Retrieval prunes candidates by symbolic signature unification, ranks survivors by descriptions, filters them by behavioral specifications, and disambiguates with examples, keeping expensive context materialization on progressively smaller candidate sets. At training time, successful trajectories are folded into validated composite tools, while the planner is updated with a DAG-induced reward that credits composites by their primitive expansion size. We provide theoretical results showing retrieval cost reduction, sublinear retrieval time, compositional advantage under the shaped reward, monotone co-evolution under conservative updates, and DAG well-formedness. Across mathematical reasoning, tabular analysis, and code task benchmarks, CoCoDA enables an 8B student to match or exceed a 32B teacher on GSM8K and MATH and consistently improves over strong tool-use and library-learning baselines.
Potential threat/caveat for clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)": this item discusses benchmark.
- score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.08374unread
MemQ: Integrating Q-Learning into Self-Evolving Memory Agents over Provenance DAGs
Junwei Liao, Haoting Shi, Ruiwen Zhou, Jiaqian Wang, Shengtao Zhang, Wei Zhang, Weinan Zhang, Ying Wen, Zhiyu Li, Feiyu Xiong, Bo Tang, Muning Wen · 2026-05-12
The authors built MemQ, a system that makes LLM agents learn which memories are actually useful by treating memory retrieval like a reinforcement learning problem. Instead of scoring each memory in isolation, MemQ uses a "provenance DAG" — essentially a family tree showing which memories were retrieved to create new memories — and propagates credit backward through those dependency chains using TD(λ), a temporal-difference learning algorithm. When tested on six benchmarks (OS tasks, function calling, code generation, etc.), MemQ beats baselines across the board, with the biggest gains (+5.7 percentage points) on multi-step tasks where memories build on each other and smaller gains (+0.77 pp) on single-step classification where there's no chain to exploit. **Main takeaways:** - Memory retrieval is framed as a Markov decision process where the agent's memory store evolves separately from the external task stream (an "Exogenous-Context MDP"). - Credit flows backward through a directed acyclic graph that records which memories were used to create each new memory, with credit decaying by (γλ)^d where d is the graph depth. - Performance gains are largest when tasks produce deep, relevant memory chains (multi-step reasoning) and smallest when memories are used independently (single-step classification). - The approach outperforms baselines on all six benchmarks in both generalization and online learning settings.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, eval, context, factor. Source: arxiv cs.AI (Artificial Intelligence).
arXiv:2605.08374v1 Announce Type: new Abstract: Episodic memory allows LLM agents to accumulate and retrieve experience, but current methods treat each memory independently, i.e., evaluating retrieval quality in isolation without accounting for the dependency chains through which memories enable the creation of future memories. We introduce MemQ, which applies TD($\lambda$) eligibility traces to memory Q-values, propagating credit backward through a provenance DAG that records which memories were retrieved when each new memory was created. Credit weight decays as $(\gamma\lambda)^d$ with DAG depth $d$, replacing temporal distance with structural proximity. We formalize the setting as an Exogenous-Context MDP, whose factored transition decouples the exogenous task stream from the endogenous memory store. Across six benchmarks, spanning OS interaction, function calling, code generation, multimodal reasoning, embodied reasoning, and expert-level QA, MemQ achieves the highest success rate on all six in generalization evaluation and runtime learning, with gains largest on multi-step tasks that produce deep and relevant provenance chains (up to +5.7~pp) and smallest on single-step classification (+0.77~pp) where single-step updates already suffice. We further study how $\gamma$ and $\lambda$ interact with the EC-MDP structure, providing principled guidance for parameter selection and future research. Code will be available soon.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses evaluation, benchmark.
- score 100arxiv cs.AI (Artificial Intelligence)arxiv:2605.08354unread
Auto-Rubric as Reward: From Implicit Preferences to Explicit Multimodal Generative Criteria
Juanxi Tian, Fengyuan Liu, Jiaming Han, Yilei Jiang, Yongliang Wu, Yesheng Liu, Haodong Li, Furong Xu, Wanhua Li · 2026-05-12
The authors introduce Auto-Rubric as Reward (ARR), a system that replaces opaque scalar reward models with explicit, human-interpretable evaluation criteria (rubrics) for aligning multimodal generative models. Instead of learning preference weights implicitly, ARR asks a vision-language model to externalize its preference knowledge as a structured checklist of quality dimensions *before* comparing outputs, then uses those rubrics to judge pairwise preferences. This makes evaluation more transparent and suppresses biases like positional preference; the structured feedback is then distilled into a binary reward via Rubric Policy Optimization (RPO) for stable policy training. On text-to-image and image-editing benchmarks, ARR-RPO beats both learned reward models and direct VLM judges. **Main takeaways:** - Rubrics externalize a VLM's implicit preference structure as explicit, inspectable quality dimensions before any pairwise comparison happens. - This structured decomposition reduces evaluation biases (especially positional bias) and enables zero-shot or few-shot deployment with minimal supervision. - Rubric Policy Optimization (RPO) converts multi-dimensional rubric scores into a robust binary reward signal for policy gradient training, avoiding scalar regression. - The approach outperforms pairwise reward models and direct VLM judges on image generation and editing tasks, showing better data efficiency and reliability.
Read next because overlaps with clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: latin, eval, prompt, base, factor. Source: arxiv cs.AI (Artificial Intelligence).
arXiv:2605.08354v1 Announce Type: new Abstract: Aligning multimodal generative models with human preferences demands reward signals that respect the compositional, multi-dimensional structure of human judgment. Prevailing RLHF approaches reduce this structure to scalar or pairwise labels, collapsing nuanced preferences into opaque parametric proxies and exposing vulnerabilities to reward hacking. While recent Rubrics-as-Reward (RaR) methods attempt to recover this structure through explicit criteria, generating rubrics that are simultaneously reliable, scalable, and data-efficient remains an open problem. We introduce Auto-Rubric as Reward (ARR), a framework that reframes reward modeling from implicit weight optimization to explicit, criteria-based decomposition. Before any pairwise comparison, ARR externalizes a VLM's internalized preference knowledge as prompt-specific rubrics, translating holistic intent into independently verifiable quality dimensions. This conversion of implicit preference structure into inspectable, interpretable constraints substantially suppresses evaluation biases including positional bias, enabling both zero-shot deployment and few-shot conditioning on minimal supervision. To extend these gains into generative training, we propose Rubric Policy Optimization (RPO), which distills ARR's structured multi-dimensional evaluation into a robust binary reward, replacing opaque scalar regression with rubric-conditioned preference decisions that stabilize policy gradients. On text-to-image generation and image editing benchmarks, ARR-RPO outperforms pairwise reward models and VLM judges, demonstrating that explicitly externalizing implicit preference knowledge into structured rubrics achieves more reliable, data-efficient multimodal alignment, revealing that the bottleneck is the absence of a factorized interface, not a deficit of knowledge.
Potential threat/caveat for clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)": this item discusses bias, evaluation, benchmark.
- score 100arxiv cs.CL (NLP)arxiv:2605.07172unread
Topology-Enhanced Alignment for Large Language Models: Trajectory Topology Loss and Topological Preference Optimization
Yurui Pan, Ke Xu, Bo Peng · 2026-05-12
The authors propose using topological methods (specifically 0-dimensional persistent homology, which identifies connected components and their lifetimes across scales) to improve LLM alignment. They introduce two techniques: Trajectory Topology Loss (TTL) for supervised fine-tuning, which regularizes the model's update direction to follow "prompt-answer bridges" extracted from the geometry of embeddings, and Topological Preference Optimization (TPO) for DPO, which aligns the improvement direction from rejected to chosen responses with topic-specific semantic vectors. Testing on Qwen2.5-7B-Instruct shows consistent improvements over baselines on preference metrics and LLM-judge evaluations. **Main takeaways:** - Views generation as tracing a trajectory through hidden representation space, not just a sequence of token probabilities - TTL treats prompt and answer embeddings as a point cloud, uses persistent homology to find topological structure, and aligns model updates with that structure - TPO constructs semantic preference vectors for topics and guides the DPO update direction in intermediate layers to align with those vectors - Outperforms non-topological baselines (per-example, nearest-neighbor, random regularizers) on automatic metrics and GPT-judge evaluation - Maintains or improves toxicity scores while improving preference alignment
Read next because overlaps with clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "A pretraining-data-poisoned Qwen3-4B backdoor only fires on the exact trigger tokens — paraphrases don't activate it, and base-model similarity to the trigger doesn't predict which inputs fire (MODERATE confidence)". Matching terms: eval, prompt, base, anth, anthropic, token, loss, first. Source: arxiv cs.CL (NLP).
arXiv:2605.07172v1 Announce Type: new Abstract: Alignment of large language models (LLMs) via SFT and RLHF/DPO typically ignores the global geometry of the representation space, relying instead on local token likelihoods or scalar scores. We view generation as tracing a semantic trajectory in hidden space and propose a topology-enhanced alignment framework that regularizes these trajectories using 0-dimensional persistent homology. First, for SFT, we introduce Trajectory Topology Loss (TTL). Treating prompt and gold-answer embeddings as a mixed point cloud, we use a 0D persistent homology algorithm to extract "prompt-answer bridges." TTL aligns the model's actual update direction with these topological bridges rather than arbitrary directions. Second, for DPO, we propose Topological Preference Optimization (TPO). TPO constructs topic-specific semantic preference vectors and aligns the improvement direction between rejected and chosen responses with these vectors in an intermediate hidden layer. We also introduce a dynamic weighting scheme to balance DPO and TPO losses. Evaluating on Qwen2.5-7B-Instruct using UltraChat and Anthropic HH-RLHF, our topology-enhanced objectives consistently outperform strong non-topological baselines (e.g., per-example, nearest-neighbor, random regularizers) on automatic preference metrics and LLM-judge evaluations, while maintaining or improving toxicity. Results show persistent homology and trajectory geometry offer a promising direction for controllable alignment.
Potential threat/caveat for clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)": this item discusses evaluation.
- score 100arxiv cs.CL (NLP)arxiv:2605.07170unread
A Reproducible Multi-Architecture Baseline for Token-Level Chinese Metaphor Identification under the MIPVU Framework
Yufeng Wu · 2026-05-12
This paper establishes a reproducible baseline for identifying metaphor-related words in Chinese text at the token level, following the MIPVU linguistic framework. The author compares three approaches on the PSU Chinese Metaphor Corpus: fine-tuned Chinese RoBERTa, MelBERT (adapted to Chinese with a new basic-meaning resource from a Chinese dictionary covering 71.51% of corpus vocabulary), and instruction-tuned Qwen3.5-9B. MelBERT achieves the best F1 (0.7281), marginally beating plain RoBERTa (0.7142), while Qwen lags by ~11 F1 points (0.6157) due to recall problems from discrete output formatting. **Main takeaways:** - MelBERT's basic-meaning channel (which checks if a word's usage matches its dictionary definition) works for Chinese metaphor detection, unlike the "SPV" channel (checking if novel meanings emerge) - The generative Qwen model struggles with recall because it must commit to discrete labels rather than producing continuous scores - Several Qwen task formulations failed due to output format design issues, not model capacity limits - The author releases all splits, outputs, the Chinese basic-meaning resource (from Modern Chinese Dictionary 7th edition), and training scripts - Conventional metaphor dominates in Chinese, consistent with why the SPV (novel-meaning) channel doesn't help much
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, output, attention, base, system, token, source, lora. Source: arxiv cs.CL (NLP).
arXiv:2605.07170v1 Announce Type: new Abstract: Metaphor is pervasive in everyday language, yet token-level computational identification of metaphor-related words in Chinese under the MIPVU framework remains under-explored relative to English. This paper presents a reproducible multi-architecture baseline for token-level metaphor identification on the PSU Chinese Metaphor Corpus (PSU CMC), the only widely available MIPVU-annotated Chinese corpus. We systematically compare three model families: (i) encoder fine-tuning with Chinese RoBERTa-wwm-ext-large; (ii) MelBERT adapted to Chinese using a newly constructed basic-meaning resource derived from the Modern Chinese Dictionary, 7th edition (MCD7), comprising 74,823 entries with 71.51% PSU CMC vocabulary coverage; and (iii) Qwen3.5-9B fine-tuned with QLoRA as an instruction-tuned generative baseline. Across five fixed seeds, MelBERT MIP-only achieves the strongest performance at 0.7281 +/- 0.0050 test positive F1, marginally above MelBERT Full (0.7270 +/- 0.0069) and clearly above plain RoBERTa (0.7142 +/- 0.0121). The Qwen QLoRA generative configuration trails encoder baselines by approximately 11 F1 points (0.6157 +/- 0.0113). Three findings merit attention: (1) the SPV channel of MelBERT does not contribute reliable positive signal in Chinese, consistent with the dominance of conventional metaphor; (2) the Qwen-encoder gap is concentrated in recall, reflecting the discrete-commitment limitation of generative output; (3) several Qwen task formulations fail due to format design rather than model capacity. We release all split manifests, per-seed outputs, the MCD7 basic-meaning embedding pipeline, and training scripts to serve as a common reference for future Chinese metaphor identification research.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses limitation.
- score 100arxiv cs.CL (NLP)arxiv:2605.07139unread
Structural Rationale Distillation via Reasoning Space Compression
Jialin Yang, Jiankun Wang, Jiajun Wu, Henry Leung, Jiayu Zhou, Steve Drew · 2026-05-12
When distilling reasoning from a large teacher model into a smaller student, the teacher's step-by-step explanations for similar problems often vary wildly, creating noisy supervision. The authors propose D-RPC, which maintains a compact bank of reusable high-level reasoning "paths" (templates) and forces the teacher to follow the most relevant one for each question, producing more consistent rationales. A PAC-Bayes analysis shows an optimal intermediate bank size: too small misses coverage, too large adds noise. Across five reasoning benchmarks, D-RPC beats standard chain-of-thought distillation and other baselines while using fewer tokens. **Main takeaways:** - Teacher models generate inconsistent reasoning paths for similar problems, which hurts student learning during distillation - Constraining the teacher to follow retrieved high-level reasoning templates improves student performance - There's a Goldilocks bank size: too few templates miss problem types, too many add supervision noise - D-RPC outperforms chain-of-thought distillation and other methods on math and commonsense benchmarks with lower token cost
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, tokens, base, same, token, rationale, than. Source: arxiv cs.CL (NLP).
arXiv:2605.07139v1 Announce Type: new Abstract: When distilling reasoning from large language models (LLMs) into smaller ones, teacher rationales for similar problems often vary wildly in structure and strategy. Like a chef who makes the same dish differently each time, this inconsistency burdens the student with noisy supervision that is hard to internalize. We propose Distillation through Reasoning Path Compression (D-RPC), which constrains the teacher to follow a compact, dynamically maintained bank of reusable high-level reasoning paths. For each training question, D-RPC retrieves the most relevant path and conditions the teacher to follow it, producing rationales that are consistent across similar problems yet diverse enough to cover different problem types. A PAC-Bayes analysis formalizes the resulting trade-off between bank size and coverage: smaller banks reduce supervision entropy but risk coverage gaps, and the generalization bound identifies an optimal intermediate size confirmed by our ablations. Across five math and commonsense reasoning benchmarks with two student models, D-RPC consistently outperforms chain-of-thought distillation, freeform rationale generation, direct distillation, and structured-supervision baselines, while using fewer tokens than template-heavy alternatives.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses benchmark.
- score 100arxiv cs.CL (NLP)arxiv:2605.07134unread
Region4Web: Rethinking Observation Space Granularity for Web Agents
Donguk Kwon, Dongha Lee · 2026-05-12
Web agents typically observe web pages at the granularity of individual elements (buttons, links, etc.), which forces them to infer functional organization at every step. The authors propose Region4Web, which groups elements into functional regions (parts of the page serving distinct purposes) and presents these as a compact "digest" that persists across reasoning steps. On WebArena, this region-level observation reduces input length and improves task success across different LLMs and agent architectures, regardless of model size. **Main takeaways:** - Current web agents observe pages at element-level granularity, leaving functional structure implicit - Grouping elements into functional regions (e.g., navigation bar, search box, content area) gives agents a better basis for understanding page state - PageDigest delivers this as a persistent per-page summary rather than re-processing elements every step - Shorter observations and higher success rates across LLM backbones on WebArena benchmark
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, same, length, under, less, than. Source: arxiv cs.CL (NLP).
arXiv:2605.07134v1 Announce Type: new Abstract: Web agents perceive web pages through an observation space, yet its granularity has remained an underexamined design choice. Existing work treats observation at the same element-level granularity as the action space, leaving the page's functional organization implicit and forcing the agent to infer it from element-level signals at every step. We argue observation should instead operate at the granularity of functional regions, parts of the page that each serve a distinct purpose. We propose Region4Web, a framework that reorganizes the AXTree into functional regions through hierarchical decomposition and semantic abstraction, exposing the page's functional organization as the basis for page state understanding. Moreover, we propose PageDigest, a web-specific inference pipeline that delivers this region-level observation to the actor agent as a compact per-page digest that persists across steps. On the WebArena benchmark, PageDigest substantially reduces observation length while improving overall task success rate across diverse backbone large language models (LLMs) and established agent methods, regardless of backbone capacity. These results show that operating at the granularity of functional regions delivers a more compact and informative basis for the actor agent than element-level processing alone.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses benchmark.
- score 100arxiv cs.CL (NLP)arxiv:2605.07111unread
Beyond LoRA vs. Full Fine-Tuning: Gradient-Guided Optimizer Routing for LLM Adaptation
Haozhan Tang, Xiuqi Zhu, Xinyin Zhang, Boxun Li, Virginia Smith, Kevin Kuo · 2026-05-12
Full fine-tuning (FFT) gives models the plasticity to learn high-entropy new knowledge, while LoRA often matches or beats FFT because many tasks only need low-rank updates and benefit from LoRA's regularization. The authors propose MoLF, which dynamically routes gradient updates between FFT and LoRA experts at the optimizer level during training, letting the model use whichever is better for each update. Across SQL, medical QA, and counterfactual knowledge tasks, MoLF matches or beats the better of FFT or LoRA by up to 1.5%. A memory-efficient variant (MoLF-Efficient) freezes base weights and routes between two LoRA experts of different rank. **Main takeaways:** - Full fine-tuning provides plasticity for complex updates; LoRA provides regularization and works when updates are low-rank - Statically choosing one method is suboptimal—different tasks and training steps benefit from different regimes - MoLF routes updates between FFT and LoRA experts dynamically at the optimizer level, getting the best of both - MoLF-Efficient (LoRA-only routing) outperforms prior adaptive LoRA methods by up to 20% on factual tasks
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, eval, base, trained, lora. Source: arxiv cs.CL (NLP).
arXiv:2605.07111v1 Announce Type: new Abstract: Recent literature on fine-tuning Large Language Models highlights a fundamental debate. While Full Fine-Tuning (FFT) provides the representational plasticity required for high-entropy knowledge injection, Low-Rank Adaptation (LoRA) can match or surpass FFT performance because many tasks only require updates in a low-rank space and benefit from LoRA's additional regularization. Through empirical evaluation across diverse tasks (SQL, Medical QA, and Counterfactual Knowledge) and varying language models (Gemma-3-1B, Qwen2.5-1.5B, and Qwen2.5-3B), we verify both trends and demonstrate that relying solely on either static architecture is structurally limited. To address this challenge, we propose a Mixture of LoRA and Full (MoLF) Fine-Tuning, a unified framework that enables continuous navigation between both training regimes. MoLF dynamically routes updates between FFT and LoRA at the optimizer level to ensure that exact gradient signals are available to both experts throughout training, yielding stable training dynamics. For memory-constrained environments, we also introduce MoLF-Efficient, which freezes base weights and only routes updates among a pair of LoRA experts of potentially varying rank. Our evaluations show that MoLF either improves on or stays within $1.5\%$ of the better of FFT and LoRA across all settings, while MoLF-Efficient outperforms prior adaptive LoRA approaches by up to $20\%$ on Fact and $9\%$ on Med and SQL.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses evaluation.
- score 100arxiv cs.CL (NLP)arxiv:2605.07110unread
Securing Computer-Use Agents: A Unified Architecture-Lifecycle Framework for Deployment-Grounded Reliability
Zejian Chen, Zhanyuan Liu, Chaozhuo Li, Mengxiang Han, Songyang Liu, Litian Zhang, Feng Gao, Yiming Hei, Xi Zhang · 2026-05-12
Computer-use agents (CUAs) that control browsers, terminals, and applications face reliability challenges beyond task success: perception errors, planning drift, permission scope, and runtime oversight all affect whether actions stay aligned with user intent. This paper develops a framework organized by architectural layers (Perception → Decision → Execution) and lifecycle stages (Creation → Deployment → Operation → Maintenance) to analyze where failures are introduced versus where they become visible, and maps intervention surfaces for control and assurance. **Main takeaways:** - Agent reliability isn't just task success—it includes perception accuracy, planning stability, memory use, tool safety, and permission boundaries - The framework separates architectural layers (how agents transform observations into actions) from lifecycle stages (when priors are learned, tools bound, and drift occurs) - Failures often become visible in different stages than where their root causes are introduced - Identifies open challenges: controllable grounding, long-horizon constraint preservation, safe authority binding, runtime defense
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, long, system, under, less. Source: arxiv cs.CL (NLP).
arXiv:2605.07110v1 Announce Type: new Abstract: Computer-use agents(CUAs)are moving frombounded benchmarks toward real software environments, wherethey operate browsers, desktops, mobile applications, flesystems,terminals, and tool backends. In such settings, reliability isno longer captured by task success alone: perception errors,planning drift, memory use, tool mediation, permission scope,and runtime oversight jointly determine whether agent actionsremain aligned with user intent, Existing surveys organize theCUA landscape by methods, platforms, benchmarks, or securitythreats, but less explicitly connect capability formation, author-ity exposure, failure manifestation, and control placement. Toaddress this gap, the article develops an architecture-lifecycleframework for deployment-grounded reliability in CUAs. Thearchitectural view analyzes Perception, Decision, and Executionas coupled layers that transform software observations intoauthority-bearing actions, The lifecycle view examines Creation.Deployment, Operation, and Maintenance as stages in which priorsare learned, tools and permissions are bound, runtime trajecto.ries are stressed, and assurance must be preserved under drift.Using this lens, the analysis synthesizes representative systems,benchmarks, and security/privacy studies; distinguishes wherefailures become visible from where their enabling conditions areintroduced, and maps recurring intervention surfaces for controloversight, and assurance. OpenClaw is used only as a public moti.vating example of an open deployment pattern, not as a verifedinternal case study. The conclusion highlights open challengesin controllable grounding, long-horizon constraint preservation,safe authority binding, mixed-trust runtime defense, privacy-preserving memory,and continual assurance.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses failure, failures, benchmark.
- score 100arxiv cs.CL (NLP)arxiv:2605.07102unread
SAGE: Hierarchical LLM-Based Literary Evaluation through Ontology-Grounded Interpretive Dimensions
Tianyu Wang, Nianjun Zhou · 2026-05-12
Evaluating literary quality requires assessing interpretive dimensions (cultural representation, emotional depth, philosophical sophistication) that are hard to measure computationally. The authors introduce SAGE, which uses LLMs to evaluate stories across three hierarchical layers (cultural, emotional-psychological, existential-philosophical) with iterative reflection and independent validation. Testing on 100 stories (canonical, pulp fiction, LLM-generated), they achieve 98.8% score convergence and >94% inter-rater agreement. Canonical works consistently outperform pulp and LLM-generated stories on cultural and philosophical dimensions (effect sizes >2.4), but emotional representation shows smaller gaps (d=1.68), suggesting affective patterns are more learnable from training data. **Main takeaways:** - LLM-based evaluation can achieve measurement-grade reliability on complex interpretive dimensions with structured prompts and reflection - Canonical literature > pulp > LLM-generated on cultural and philosophical depth, with large effect sizes (d>2.4) - Emotional representation shows smaller gaps (d=1.68), suggesting current LLMs learn affective patterns better than critical stance - Three quality dimensions (cultural, emotional, philosophical) are empirically distinguishable and moderately correlated (r=0.65-0.68)
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, eval, base, system, canonical, than. Source: arxiv cs.CL (NLP).
arXiv:2605.07102v1 Announce Type: new Abstract: Evaluating literary quality requires assessing interpretive dimensions such as cultural representation, emotional depth, and philosophical sophistication that resist straightforward computational measurement. We introduce SAGE, a hierarchical evaluation framework that decomposes literary quality into ontology-grounded interpretive dimensions assessed through structured large language model evaluation with multi-round iterative reflection and independent validation. We validate the framework on 100 short stories (50 canonical works, 30 pulp fiction, 20 LLM-generated narratives) across three analytical layers (cultural, emotional-psychological, existential-philosophical) using dual-mode assessment. Across 600 evaluations, the framework achieves 98.8% score convergence and greater than 94% inter-rater agreement, with near-perfect mode invariance between content-based and metadata-based evaluation. Statistical analysis reveals a consistent genre hierarchy (Canonical > Pulp > LLM, all p2.4), while emotional representation shows smaller gaps (d=1.68), suggesting that affective patterns are more learnable from training data than critical stance or philosophical depth. Cross-layer correlations (r=0.649-0.683) confirm the three dimensions capture empirically distinguishable quality facets. These findings demonstrate that theory-driven LLM evaluation can achieve measurement-grade reliability and support systematic identification of where current generative models fall short of human literary production, with direct implications for scalable automated evaluation of open-ended text generation.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses evaluation.
- score 100arxiv cs.CL (NLP)arxiv:2605.07093unread
The Translation Tax Is Not a Scalar: A Counterfactual Audit of English-Source Cue Inheritance in Chinese Multilingual Benchmarks
Zezheng Lin, Fengming Liu, Handi Li · 2026-05-12
Translated benchmarks are assumed to inflate scores by preserving English-source cues (the "Translation Tax"), but the authors show this isn't a simple scalar effect when auditing English-to-Chinese benchmarks. Three different measurement approaches disagree: back-translation gaps are small, cue-score calibration doesn't predict item-level gains, and native-control comparisons show model-family effects rather than uniform inflation. An LLM-naturalization stress test (rewriting Chinese surface form while keeping content fixed) reveals item-dependent validity risks rather than a single translation tax—high-residue items benefit from naturalization, low-residue items don't. **Main takeaways:** - The "Translation Tax" (score inflation from English cues in translated benchmarks) isn't a uniform scalar effect - Three proxy estimators give inconsistent results: back-translation, cue-score calibration, and native-control comparisons - LLM naturalization (rewriting surface form while preserving content) shows item-dependent effects: some items benefit, others don't - Translation validity risk depends on estimator choice, item properties, and model family, not a single benchmark-wide factor
Read next because overlaps with clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: long, prompt, same, source, effect, than. Source: arxiv cs.CL (NLP).
arXiv:2605.07093v1 Announce Type: new Abstract: The Translation Tax is often treated as a scalar: translated benchmarks are assumed to inflate scores by preserving English-source cues. We audit this claim in an English-to-Chinese setting. Three proxy estimators disagree: back-translation gaps are small and parser-fragile; cue-score calibration does not predict item-level gains; and a six-model native-control comparison shows model-family rather than uniform benchmark effects. We add a same-item LLM-naturalization stress test that holds answer, options, and content fixed while rewriting Chinese surface form. After correcting a prompt-construction bug, this contrast no longer supports a model-family interaction, but it preserves a residue dose-response: high-residue items benefit while low-residue items do not. The result is not a single Translation Tax, but a set of estimator- and item-dependent validity risks. We release per-cell evidence, the naturalization protocol, human QC, and a reporting checklist for translated multilingual benchmark papers.
Potential threat/caveat for clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)": this item discusses benchmark.
- score 100arxiv cs.CL (NLP)arxiv:2605.07084unread
Beyond Single Ground Truth: Reference Monism as Epistemic Injustice in ASR Evaluation
Anna Seo Gyeong Choi, Maria Teleki, James Caverlee, Miguel del Rio, Corey Miller, Hoon Choi · 2026-05-12
The authors argue that automatic speech recognition (ASR) systems commit "epistemic injustice" when they enforce a single transcription standard as ground truth. Different transcription conventions (verbatim vs. cleaned-up) produce different "correct" transcripts for the same speech, and speakers with aphasia—whose disfluencies carry clinical meaning—are systematically penalized when evaluated against "clean" references that treat those features as errors. The paper proposes WER-Range: reporting performance across multiple legitimate transcription conventions instead of assuming one right answer. **Main takeaways:** - Word Error Rate (WER) varies depending on which transcription convention you pick as ground truth—not because the system changed, but because "ground truth" itself is a choice. - Speakers with aphasia are disadvantaged when their meaningful disfluencies are treated as errors to be removed from the reference transcript. - The authors introduce Epistemic Injustice Distance (EID) to quantify the harm of enforcing a single standard. - WER-Range proposes reporting ASR performance across multiple legitimate conventions rather than picking one. - The problem isn't just differential performance—it's that the evaluation infrastructure lacks the conceptual tools to recognize some speech as legitimate in the first place.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, output, eval, system, same, identical, source, compare. Source: arxiv cs.CL (NLP).
arXiv:2605.07084v1 Announce Type: new Abstract: Automatic speech recognition (ASR) evaluation compares system output to ground truth transcripts, with Word Error Rate (WER) quantifying the distance between them. But ground truth transcripts are not discovered - they are produced by human annotators following conventions that encode normative assumptions about which speech features matter. Different conventions (verbatim, non-verbatim, legal) produce different transcripts of identical speech and judge the same ASR output differently. This paper argues that reference monism - enforcing a single transcription convention as ground truth - commits epistemic injustice. Speakers with aphasia, whose speech includes clinically meaningful disfluencies, are systematically disadvantaged when evaluated against "clean" references that treat those disfluencies as errors. The harm is not merely differential performance, but that evaluative infrastructure lacks interpretive resources to recognize their contributions as legitimate. We develop a philosophical framework introducing the hermeneutical gap, formalize Epistemic Injustice Distance (EID) to measure reference monism's cost, and demonstrate empirically using AphasiaBank that WER varies depending on which convention defines ground truth. We propose WER-Range: reporting performance across legitimate conventions rather than assuming a single correct answer.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses evaluation.
- score 100arxiv cs.CL (NLP)arxiv:2605.07076unread
Self-Consolidating Language Models: Continual Knowledge Incorporation from Context
Zekun Wang, Anant Gupta, Zihan Dong, Christopher J. MacLellan · 2026-05-12
The authors propose Self-Consolidating Language Models (SCoL), a framework that lets an LLM decide which of its own Transformer layers to update when incorporating new context. Instead of simply putting information in the prompt or fine-tuning everything, the model learns to generate "update instructions" specifying sparse layer selections, trained with meta-reinforcement learning so it can adapt as its own weights change. On QA tasks and long-context benchmarks, SCoL beats prompting, summarization, and sequential fine-tuning by learning to route updates toward high-Fisher-information layers (the parts of the model most sensitive to loss) while limiting interference with previously consolidated knowledge. **Main takeaways:** - SCoL lets the model choose which layers to update when incorporating new context, rather than updating all weights or none. - Trained via meta-RL over an evolving model state—the model that picks future updates is itself being changed by past updates. - Outperforms prompting, summarization, batch test-time training, and sequential fine-tuning on both SQuAD knowledge incorporation and LongBench v2 long-context tasks. - Learned update patterns are sparse and align with layers of high Fisher information (regions where small weight changes have big effects on loss). - Transfers from shorter training streams to longer evaluation streams, suggesting the method scales to streaming contexts.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, long, eval, prompt, base, loss, context, post-training. Source: arxiv cs.CL (NLP).
arXiv:2605.07076v1 Announce Type: new Abstract: Large language models (LLMs) increasingly receive information as streams of passages, conversations, and long-context workflows. While longer context windows expose more evidence, they do not ensure that useful information is preserved and reused. We study continual context consolidation: writing current context into model weights while limiting interference with previously consolidated information. We propose \textbf{S}elf-\textbf{Co}nsolidating \textbf{L}anguage Models (SCoL), a post-training framework in which, given current context, an LLM learns to generate textual update instructions specifying which of its own Transformer layers should be updated. Because committed updates change the model that later generates future selections, we train SCoL with meta-reinforcement learning over an evolving model state. We instantiate SCoL with supervised QA rewards on SQuAD knowledge incorporation and intrinsic likelihood-based rewards for LongBench v2 long-context consolidation. Across both settings, SCoL improves acquisition and retention over prompting, summarization, batch test-time training, and sequential finetuning baselines. Analysis of learned selection patterns shows that SCoL encourages the LLM to generate sparse update locations that align with layers of high Fisher information, suggesting that the model learns to route plasticity toward loss-sensitive regions while limiting interference. Moreover, SCoL transfers from shorter meta-training streams to longer LongBench v2 streams at evaluation, suggesting that our framework supports scalable streaming consolidation.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses evaluation.
- score 100arxiv cs.CL (NLP)arxiv:2605.07068unread
WiCER: Wiki-memory Compile, Evaluate, Refine Iterative Knowledge Compilation for LLM Wiki Systems
Juan M. Huerta · 2026-05-12
The authors tackle the "LLM Wiki" pattern—compiling domain knowledge into a persistent artifact served via KV cache for sub-second, zero-retrieval-failure access. The core problem is the "compilation gap": blindly summarizing documents into a wiki catastrophically drops facts (53–60% failure rate), while serving the full raw context works well but doesn't scale due to attention dilution. They propose WiCER (Wiki-memory Compile, Evaluate, Refine), an iterative algorithm inspired by counterexample-guided refinement that evaluates compiled wikis against diagnostic questions, identifies dropped facts, and forces their preservation in the next compilation round. One or two iterations recover 80% of lost quality and reduce catastrophic failures by 55%. **Main takeaways:** - Full-context KV cache inference beats RAG on curated knowledge (4.38 vs. 4.08 out of 5, 7× faster) but degrades at scale due to attention dilution. - Blind compilation into a wiki fails catastrophically: drops quality from ~3.5 to ~2.2 and causes 53–60% failure rates. - WiCER iteratively diagnoses dropped facts and forces the next compilation to preserve them, recovering 80% of lost quality in 1–2 rounds. - Targeted diagnosis (identifying specific missing facts) drives the gains (+0.95); generic "pinning" strategies only help marginally (+0.16). - All code and benchmarks are released across 17 RepLiQA domains (6,800 questions).
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, eval, attention, base, fails, context, target. Source: arxiv cs.CL (NLP).
arXiv:2605.07068v1 Announce Type: new Abstract: The LLM Wiki pattern, to compile and provide domain knowledge into a persistent artifact and serve it to LLMs via KV cache inference, promises context access at sub-second latency with zero retrieval failure. Realizing this requires solving the compilation gap: LLM compilation distilling raw documents into a wiki without catastrophically discarding critical facts. We characterize this gap across 17 RepLiQA domains (6,800 questions): we observe that full context KV cache inference outperforms RAG on curated knowledge (4.38 vs. 4.08 out of 5, 7.3 faster TTFT) but degrades below RAG at scale due to attention dilution, and blind compilation fails entirely (2.14 to 2.32 vs. 3.46, 53 to 60% catastrophic failure rate). To address the compilation gap, we propose WiCER (Wiki-memory Compile, Evaluate, Refine), an iterative algorithm inspired by counterexample-guided abstraction refinement (CEGAR) that closes this gap. WiCER evaluates compiled wikis against diagnostic probes, identifies dropped facts, and forces their preservation in subsequent compilations. One to two iterations recover 80% of lost quality (mean 3.24 vs. 3.47 for raw full-context across the 15 topics with baselines), reducing catastrophic failures by 55% relative. An ablation across all 17 topics confirms that targeted diagnosis (+0.95), not generic pinning (+0.16), drives the gains. All code and benchmarks are released for reproducible research.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses failure, failures, counterexample, benchmark.
- score 100arxiv cs.CL (NLP)arxiv:2605.07058unread
MedExAgent: Training LLM Agents to Ask, Examine, and Diagnose in Noisy Clinical Environments
Yicheng Gao, Xiaolin Zhou, Yahan Li, Yue Zhao, Ruishan Liu · 2026-05-12
The authors formalize clinical diagnosis as a Partially Observable Markov Decision Process (POMDP) where the agent can ask questions, order exams (as tool calls), or issue a diagnosis—all under systematic noise (seven patient noise types, three exam noise types). Existing medical LLM benchmarks simplify this to single-turn QA or noise-free conversations, missing the interactive, uncertain nature of real diagnosis. They train MedExAgent via supervised fine-tuning on synthetic Calgary-Cambridge-style clinical interviews, then apply DAPO (a policy optimization method) to maximize a composite reward: diagnostic accuracy, tool-call quality, and exam cost (financial + patient discomfort). MedExAgent matches larger models' diagnostic performance while maintaining cost-efficient exam strategies. **Main takeaways:** - Real clinical diagnosis involves questioning, exam ordering, and diagnosis under noisy, incomplete information—existing benchmarks ignore this interactivity. - MedExAgent formalizes diagnosis as a POMDP with three action types and a systematic noise model (e.g., vague patient answers, false-negative test results). - Two-stage training: first supervised fine-tuning on synthetic Calgary-Cambridge interviews, then DAPO to optimize accuracy + tool quality + exam cost. - Achieves diagnostic performance comparable to larger models while keeping exam costs low. - Demonstrates that training on structured interview formats (Calgary-Cambridge) transfers to noisy, interactive diagnosis tasks.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, persona, system, personas, effect, first. Source: arxiv cs.CL (NLP).
arXiv:2605.07058v1 Announce Type: new Abstract: Real-world clinical diagnosis is a complex process in which the doctor is required to obtain information from both interaction with the patient and conducting medical exams. Additionally, the doctor needs to adapt to different patient personas, as well as noisy and incomplete information that can happen at any time during the process. However, existing benchmarks for medical LLMs and methods for automatic diagnosis largely simplify this process by reducing it to single-turn question answering, noise-free conversations, or sequential exam making, etc., ignoring the interactive and uncertain nature of clinical diagnosis. In this paper, we aim to address this gap by formalizing clinical diagnosis as a Partially Observable Markov Decision Process (POMDP) with three action types: questioning the patient, ordering medical exams as tool calls, and issuing a diagnosis. We also introduce a systematic noise model comprising seven patient noise types and three exam noise types. Using our proposed environment, we train an effective diagnosis agent, \textbf{MedExAgent}, through a two-stage pipeline that first performs supervised finetuning on synthetic conversations structured after the Calgary-Cambridge model for clinical interviews, and then applies DAPO to optimize a composite reward capturing diagnostic accuracy, tool call quality, and exam cost including financial cost and patient discomfort. Through extensive experiments and ablation studies, we demonstrate that MedExAgent achieves diagnostic performance comparable to larger models while maintaining cost-efficient examination strategies.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses benchmark.
- score 100arxiv cs.CL (NLP)arxiv:2605.07053unread
GSM-SEM: Benchmark and Framework for Generating Semantically Variant Augmentations
Jyotika Singh, Fang Tu, Aziza Mirzadova, Amit Agarwal, Hitesh Laxmichand Patel, Sandip Ghoshal, Miguel Ballesteros, Yassine Benajiba, Weiyi Sun, Graham Horwood, Sujith Ravi, Dan Roth · 2026-05-12
The authors introduce GSM-SEM, a framework for generating math-problem variants with high semantic diversity rather than just surface-level perturbations. Most robustness variants of GSM8K swap names or numbers but keep the underlying facts intact; GSM-SEM modifies entities, attributes, and relationships to produce problems that frequently alter the facts and require recomputation, while constraining generation to preserve the original answer and difficulty. Applying GSM-SEM to GSM8K, GSM-Symbolic, and GSM-Plus, they find consistent performance drops across 14 SOTA LLMs (28% average drop at maximum strictness), with larger declines when semantic perturbations combine with symbolic/plus variations. The framework generates fresh variants on each run, reducing reliance on static benchmarks and lowering memorization bias. **Main takeaways:** - GSM-SEM perturbs problem semantics (entities, attributes, relationships) rather than just surface features, often changing underlying facts while preserving the answer. - Generates fresh variants stochastically on each run, so it's not a fixed benchmark that models can memorize over time. - Applied to GSM8K, GSM-Symbolic, and GSM-Plus, producing three fully human-validated SEM datasets. - 14 SOTA LLMs show consistent performance drops (28% average at maximum strictness), especially when semantic + symbolic/plus perturbations combine. - Demonstrates applicability beyond math by applying GSM-SEM to BigBenchHard, LogicBench, and NLR-BIRD.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, eval, under, target, than. Source: arxiv cs.CL (NLP).
arXiv:2605.07053v1 Announce Type: new Abstract: Benchmarks like GSM8K are popular measures of mathematical reasoning, but leaderboard gains can overstate true capability due to memorization of fixed test sets. Most robustness variants apply surface-level perturbations (paraphrases, renamings, number swaps, distractors) that largely preserve the underlying facts, and static releases can themselves become memorization targets over time. We introduce GSM-SEM, a reusable and stochastic framework for generating semantically diverse benchmark variants with substantially higher semantic variance than prior approaches. GSM-SEM perturbs problem statements by modifying entities, attributes, and/or relationships, frequently altering underlying facts and requiring models to recompute solutions under new conditions, while constraining generation to preserve the original calculations/answer and approximate problem difficulty. GSM-SEM generates fresh variants on each run without requiring re-annotation, reducing reliance on static public benchmarks for evaluation and thereby lowering the bias of memorization. We apply GSM-SEM on GSM8K and two existing variation suites (GSM-Symbolic and GSM-Plus), producing GSM8K-SEM, GSM-Symbolic-SEM, and GSM-Plus-SEM. Evaluating 14 SOTA LLMs, we observe consistent performance drops with larger decline when semantic perturbations are coupled with symbolic/plus variations (average drop rate 28% in maximum strictness configuration of GSM-SEM). We publicly release the three SEM variants as fully human-validated datasets. Finally, to demonstrate applicability beyond GSM-style math problems, we apply GSM-SEM to additional benchmarks including BigBenchHard, LogicBench, and NLR-BIRD.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses bias, robustness, evaluation, benchmark.
- score 100arxiv cs.CL (NLP)arxiv:2605.07051unread
NSMQ Riddles: A Benchmark of Scientific and Mathematical Riddles for Quizzing Large Language Models
George Boateng, Naafi Ibrahim, Samuel John, Philemon Badu, Patrick Agyeman-Budu, Jonathan Mensah, Kevin Yeboah, William Edor, Andrew Mensa-Onumah, Nana Yeboah, Victor Wumbor-Apin Kumbol · 2026-05-12
The authors present NSMQ Riddles, a benchmark of scientific and mathematical riddles from Ghana's National Science and Maths Quiz, a live TV competition for high school students. Each riddle contains at least three clues (with earlier, vaguer clues fetching more points), and answers are numbers, words, or short phrases, enabling automatic evaluation. The dataset spans 11 years and 1,800 riddles covering biology, chemistry, physics, and math. State-of-the-art LLMs (GPT-4o, Gemini 2.0 Pro, Claude Opus 4, and open models like Kimi-K1.5 and DeepSeek-V3) performed worse than the best student contestants, even in high-reasoning settings, showing the dataset is challenging. **Main takeaways:** - 1,800 riddles from an 11-year archive of Ghana's National Science and Maths Quiz, each with 3+ clues of increasing specificity. - Answers are short (number, word, or phrase), making automatic evaluation straightforward. - SOTA closed and open LLMs (tested with high and low reasoning settings) perform worse than top student contestants. - Addresses underrepresentation of Global South datasets in LLM evaluation. - Contributes a challenging benchmark for scientific and mathematical reasoning beyond Western educational contexts.
Read next because overlaps with clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "#237 Any SFT (LoRA or full-param, EM or benign) collapses Qwen2.5-7B persona geometry to cos ≥0.97 (MODERATE confidence)", experiment "Two-marker setup: anchor closer to persona mimicry first". Matching terms: eval, under, first, than. Source: arxiv cs.CL (NLP).
arXiv:2605.07051v1 Announce Type: new Abstract: Large Language Models (LLMs) have shown good performance on various science educational benchmarks, demonstrating their potential for use in science and mathematics education. Yet, LLMs tend to be evaluated on science and mathematical educational datasets from the Western world, with an underrepresentation of datasets from the Global South. Furthermore, they tend to have multiple-choice answer options that are trivial to evaluate. In this work, we present NSMQ Riddles, a novel benchmark of Scientific and Mathematical Riddles from Ghana's National Science and Maths Quiz (NSMQ) competition to evaluate LLMs. The NSMQ is an annual live TV competition for senior secondary school students in Ghana that brings together the smartest high school students in Ghana who compete in teams of 2 by answering questions in biology, chemistry, physics, and math over five rounds and five stages until a winning team is crowned for that year. NSMQ Riddles consists of 11 years of riddle questions (n=1.8K) from the 5th round, with each riddle containing a minimum of 3 clues. Students compete to be the first to guess the answer on any of the clues, with earlier clues being vague and also fetching more points. The answers are usually a number, word, or short phrase, allowing for automatic evaluation. We evaluated state-of-the-art models: closed (GPT-5.4, Gemini 3.1 Pro, Claude Opus 4.6) and open models (Kimi-K2.5, DeepSeek-V3.1, GPT-OSS-120B) with high and low reasoning settings. Our evaluation shows that the dataset is challenging even for state-of-the-art LLMs, which performed worse than the best student contestants. This work contributes a novel and challenging benchmark for scientific and mathematical reasoning from the Global South towards enabling a true global benchmarking of LLMs' capabilities for science and mathematics education.
Potential threat/caveat for clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)": this item discusses evaluation, benchmark.
- score 100arxiv cs.CL (NLP)arxiv:2605.07013unread
Towards Closing the Autoregressive Gap in Language Modeling via Entropy-Gated Continuous Bitstream Diffusion
Georgios Batzolis, Mark Girolami, Luca Ambrogioni · 2026-05-12
The authors propose a diffusion language model that represents text as a continuous diffusion process over fixed-width binary bitstreams, aiming to close the gap with autoregressive models. Each semantic token is represented as an analog bit sequence, and the model uses a matched-filter residual parameterization to separate contextual learning from the independent-bit posteriors. Crucially, they introduce a stochastic sampler that applies Langevin-type corrections gated by the entropy-rate profile—concentrating randomness in high-information regions while remaining nearly deterministic elsewhere. On LM1B, their 130M-parameter model reaches a generative perplexity of 59.76 (matching the autoregressive reference) using 256 function evaluations; on OpenWebText, it achieves 27.06 perplexity with 4× fewer steps than prior 1024-step baselines. Bitstream diffusion also removes the vocabulary-size scaling bottleneck, predicting O(log V) bitwise logits instead of O(V) token logits. **Main takeaways:** - Represents text as a diffusion process over continuous binary bitstreams (fixed-width analog bits) rather than discrete tokens. - Stochastic sampler gates Langevin corrections by entropy rate, concentrating randomness where information is high and being deterministic elsewhere. - On LM1B: 130M-param model hits generative perplexity 59.76 (matching autoregressive baseline) in 256 neural function evaluations. - On OpenWebText: achieves perplexity 27.06 with 4× fewer steps than prior 1024-step diffusion baselines. - Removes O(V) vocabulary scaling bottleneck by predicting O(log V) bitwise logits, reducing memory and increasing throughput.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, eval, tokens, base, token, context, isolate, effect. Source: arxiv cs.CL (NLP).
arXiv:2605.07013v1 Announce Type: new Abstract: Diffusion language models (DLMs) promise parallel, order-agnostic generation, but on standard benchmarks they have historically lagged behind autoregressive models in sample quality and diversity. Recent continuous flow and diffusion approaches over token embeddings have narrowed this gap, suggesting continuous state spaces are highly effective for language. In this work, we further close the autoregressive gap by modeling text as a continuous diffusion process over fixed-width binary bitstreams. Our approach represents semantic tokens as analog bit sequences and utilizes a matched-filter residual parameterization to isolate contextual learning from analytic independent-bit posteriors. Crucially, we adopt a stochastic sampler that applies Langevin-type corrections gated by the entropy-rate profile, automatically concentrating stochasticity in high-information regions while remaining nearly deterministic elsewhere. On the One Billion Word Benchmark (LM1B), our 130M-parameter bitstream model reaches a generative perplexity ($\GenPPL$) of $59.76$ at matched real-data entropy ($4.31$) using 256 neural function evaluations (NFEs), decisively outperforming prior DLM baselines and reaching the autoregressive reference. On OpenWebText (OWT), our stochastic sampler establishes a new continuous-DLM Pareto frontier, achieving $\GenPPL=27.06$ at an entropy of $5.26$ using $4\times$ fewer steps than previous 1024-NFE baselines. As an additional architectural benefit, bitstream diffusion removes the $\mathcal{O}(V)$ vocabulary scaling bottleneck shared by standard DLMs. By predicting $\mathcal{O}(\log V)$ bitwise logits via semantic bit-patching, our model yields a reduced memory footprint and higher throughput, demonstrating a scalable paradigm for language generation as vocabulary sizes grow.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses evaluation, benchmark.
- score 100arxiv cs.CL (NLP)arxiv:2605.06978unread
Group of Skills: Group-Structured Skill Retrieval for Agent Skill Libraries
Kun Zeng, Yu Huo, Siyu Zhang, Zi Ye, Yuecheng Zhuo, Haoyue Liu, Yuquan Lu, Junhao Wen, Xiaoying Tang · 2026-05-12
The authors tackle a practical problem in agent systems: when an AI agent needs to retrieve skills from a large library, returning a flat list of individual skills forces the agent to figure out which one to run first, which are helpers, and how they fit together. Their "Group of Skills" method instead packages retrieved skills into a structured bundle with explicit labels—Start (the entry point), Support (helper skills), Check (preconditions), and Avoid (failure modes)—so the agent receives ready-to-execute context rather than raw pieces. Tests on two benchmarks (SkillsBench and ALFWorld) show this structured retrieval keeps important requirements visible even under tight memory budgets and often speeds up task completion. **Main takeaways:** - Traditional skill retrieval returns atomic skills or dependency bundles but leaves the agent to infer execution order and roles, which wastes inference cycles and risks missing preconditions. - GoSkills builds a typed graph of skills, clusters them around "anchor" skills, and outputs a fixed contract with four fields: Start, Support, Check, and Avoid. - The method works at inference time—no retraining of the agent, the skill payloads, or the execution environment. - Experiments show better coverage of requirements under memory constraints and improved task success and runtime compared to flat-list baselines. - The approach is modular: you get structured context without changing how skills are stored or how the agent executes them.
Read next because overlaps with clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#237 Any SFT (LoRA or full-param, EM or benign) collapses Qwen2.5-7B persona geometry to cos ≥0.97 (MODERATE confidence)". Matching terms: eval, base, same, under, context, anchor. Source: arxiv cs.CL (NLP).
arXiv:2605.06978v1 Announce Type: new Abstract: Skill-augmented agents increasingly rely on large reusable skill libraries, but retrieving relevant skills is not the same as presenting usable context. Existing methods typically return atomic skills or dependency-aware bundles whose internal roles remain implicit, leaving the agent to infer the execution entry point, support skills, visible requirements, and failure-avoidance guidance. We introduce Group of Skills (GoSkills), an inference-time group-structured retrieval method that changes the agent-facing retrieval object from a flat skill list to a compact, role-labeled execution context. GoSkills builds anchor-centered skill groups from a typed skill graph, expands support groups through a group graph, bottlenecks the selected group plan into a bounded set of atomic skill payloads, and renders a fixed execution contract with Start, Support, Check, and Avoid fields, without changing the downstream agent, skill payloads, or execution environment. Experiments on SkillsBench and ALFWorld show that GoSkills preserves visible-requirement coverage under a small skill budget, improves over flat skill-access baselines, and often improves reward and agent-only runtime relative to structural retrieval references.
Potential threat/caveat for clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)": this item discusses failure.
- score 100arxiv cs.CL (NLP)arxiv:2605.06940unread
MultiSoc-4D: A Benchmark for Diagnosing Instruction-Induced Label Collapse in Closed-Set LLM Annotation of Bengali Social Media
Souvik Pramanik, S. M. Riaz Rahman Antu, Shak Mohammad Abyad, Md. Ibrahim Khalil, Md. Shahriar Hussain · 2026-05-12
The authors built MultiSoc-4D, a 58,000-comment Bengali social-media dataset annotated for category, sentiment, hate speech, and sarcasm, and used it to diagnose a systematic LLM annotation failure they call "instruction-induced label collapse." When asked to label closed-set categories (e.g., hateful/not hateful), ChatGPT, Gemini, Claude, and Grok all showed strong bias toward safe fallback labels ("Other," "Neutral," "No"), missing 79% of hateful content and 75% of sarcasm compared to human-calibrated labels. Even though the models agreed with each other at high rates, Fleiss' kappa was near zero for sarcasm, revealing what the authors call a "label agreement illusion"—models converge on the wrong answer together. **Main takeaways:** - LLMs systematically prefer neutral or "Other" labels in closed-set annotation tasks, especially for minority categories like hate speech and sarcasm. - High inter-LLM agreement doesn't guarantee quality: the models can all collapse to the same wrong default, producing near-zero kappa despite surface consensus. - The effect persists across 40+ LLMs of different architectures, suggesting it's a widespread training-pipeline issue rather than model-specific. - The dataset is released as a diagnostic benchmark for annotation bias in low-resource (Bengali) NLP. - The bias propagates downstream: models trained on LLM-annotated data inherit the label collapse.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, long, eval, system, source, under, collapse, along. Source: arxiv cs.CL (NLP).
arXiv:2605.06940v1 Announce Type: new Abstract: Annotation automation via Large Language Models (LLMs) is the core approach for scaling NLP datasets; however, LLM behavior with respect to closed-set instructions in low-resource languages has not been well studied. We present MultiSoc-4D, a Bengali social media dataset benchmark, which contains 58K+ social media comments from six sources annotated along four dimensions: category, sentiment, hate speech, and sarcasm. By employing a structured pipeline where ChatGPT, Gemini, Claude, and Grok individually annotate separate partitions, while sharing a common validation set of 20%, we diagnose LLM behavior systematically. We discover a prevalent phenomenon called "instruction-induced label collapse", wherein LLMs show a systematic preference towards fallback labels (Other, Neutral, No), leading to high agreement rates but under-detection of minority categories. For example, we find that LLMs failed to detect 79% and 75% of instances with hateful and sarcastic content compared to a human-calibrated reference. Furthermore, we prove that it represents a "label agreement illusion", statistically validated via almost null Fleiss' Kappa ($\kappa \approx -0.001$) on sarcasm detection. Across 40+ LLMs, we benchmark this annotation bias propagation within the training pipeline, regardless of architectural differences. We release MultiSoc-4D as a diagnostic benchmark for annotation biases in Bengali NLP.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses bias, benchmark.
- score 100arxiv cs.CL (NLP)arxiv:2605.06919unread
Can LLMs Take Retrieved Information with a Grain of Salt?
Behzad Shayegh, Mohamed Osama Ahmed, Fred Tung, Leo Feng · 2026-05-12
The authors test whether LLMs can adjust their answers to match how certain the retrieved context is—e.g., hedging when told a fact is "uncertain" or being confident when it's "certain." They find systematic failures across eight models: LLMs forget their own prior knowledge after seeing uncertain context, misinterpret certainty cues, and overtrust complex contexts. To fix this without retraining, they propose a three-part interaction strategy: remind the model of its prior knowledge, explicitly recalibrate the certainty level in the prompt, and simplify the context. This reduces "obedience errors" (mismatches between context certainty and response confidence) by 25% on average. **Main takeaways:** - LLMs struggle to recall prior knowledge after observing an uncertain context, even when the context explicitly says "this might be wrong." - They misinterpret expressed certainties—e.g., treating "possibly" the same as "definitely." - Complex or verbose contexts are overtrusted regardless of stated certainty level. - A prompt-engineering fix (prior reminder + certainty recalibration + simplification) cuts obedience errors by ~25% without model changes. - The evaluation metric, "context-certainty obedience," measures how well response confidence tracks stated context certainty, which matters in high-stakes domains like medicine and finance.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, eval, system, under, context. Source: arxiv cs.CL (NLP).
arXiv:2605.06919v1 Announce Type: new Abstract: Large language models have demonstrated impressive retrieval-augmented capabilities. However, a crucial area remains underexplored: their ability to appropriately adapt responses to the certainty of the retrieved information. It is a limitation with real consequences in high-stakes domains like medicine and finance. We evaluate eight LLMs on their context-certainty obedience, measuring how well they adjust responses to match expressed context certainty. Our analysis reveals systematic limitations: LLMs struggle to recall prior knowledge after observing an uncertain context, misinterpret expressed certainties, and overtrust complex contexts. To address these, we propose an interaction strategy combining prior reminders, certainty recalibration, and context simplification. This approach reduces obedience errors by 25% on average, without modifying model weights, demonstrating the efficacy of interaction design in enhancing LLM reliability. Our contributions include a principled evaluation metric, empirical insights into LLMs' uncertainty handling, and a portable strategy to improve context-certainty obedience across diverse LLMs.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses limitation, limitations, evaluation.
- score 100arxiv cs.CL (NLP)arxiv:2605.06903unread
MELD: Multi-Task Equilibrated Learning Detector for AI-Generated Text
Chenjun Li, Cheng Wan, Johannes C. Paetzold · 2026-05-12
The authors built MELD, a detector for AI-generated text that goes beyond binary human-vs-AI classification by adding auxiliary tasks: predicting which model family generated the text, what kind of adversarial attack was applied, and what domain it came from. They train all four tasks together on a shared encoder, balancing the losses with learned uncertainty weights, and use teacher-student distillation (clean teacher, attack-augmented student) plus a hard-negative ranking loss to widen the score gap between AI text and confusable human text. At inference, the auxiliary heads are discarded, so MELD costs the same as a standard detector. On the public RAID leaderboard, MELD is the strongest open-source detector and competes with commercial models, especially under attack and at low false-positive rates. **Main takeaways:** - Most AI-text detectors optimize only binary human/AI classification, so the representation doesn't learn fine-grained structure (generator, attack type, domain) once the binary task saturates. - MELD adds three auxiliary heads (generator family, attack type, source domain) to a shared encoder, forcing the representation to capture richer signal. - Losses are balanced with learned homoscedastic uncertainty weights (i.e., the model learns how much to weight each task). - Teacher-student distillation with attack augmentation on the student improves robustness; hard-negative ranking enlarges the margin between AI and hard-to-distinguish human text. - MELD tops open-source detectors on the RAID leaderboard and matches or beats supervised baselines on held-out benchmarks, especially at low false-positive rates and under adversarial rewrites.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, eval, base, same, source, under, loss, than. Source: arxiv cs.CL (NLP).
arXiv:2605.06903v1 Announce Type: new Abstract: Large language models are now embedded in everyday writing workflows, making reliable AI-generated text detection important for academic integrity, content moderation, and provenance tracking. In practice, however, a detector must do more than achieve high aggregate AUROC on clean, in-distribution human and AI text: it should remain robust to attacks and adversarial rewrites, transfer to unseen generators and domains, and operate at low false-positive rates (FPR). Most existing detectors optimize a single AI/Human objective, giving the representation little incentive to learn generator, attack, or domain structure once the binary task saturates. We introduce MELD (Multi-Task Equilibrated Learning Detector), a deployable detector for AI-generated text that enriches binary detection with auxiliary supervision. MELD attaches generator-family, attack-type, and source-domain heads to a shared encoder, and balances the four losses with learned homoscedastic uncertainty weights. To improve robustness, an EMA teacher predicts on clean inputs while an attack-augmented student is distilled toward the teacher. MELD further uses a hard-negative pairwise ranking loss to enlarge the score margin between AI-generated texts and the most confusable human texts. At inference, all auxiliary heads are discarded, giving MELD the same interface and cost as a standard detector. On the public RAID leaderboard, MELD is the strongest open-source detector and is competitive with leading commercial models, especially under attack and at low FPR. Across standard held-out benchmarks, MELD matches or outperforms supervised baselines. We further introduce MELD-eval, a held-out evaluation pool built from recent chat models released by four major LLM providers. Without additional finetuning, MELD achieves 99.9% TPR at 1% FPR on MELD-eval, while many baselines degrade sharply.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses negative, robustness, adversarial, evaluation, benchmark.
- score 100arxiv cs.CL (NLP)arxiv:2605.06901unread
Reflections and New Directions for Human-Centered Large Language Models
Caleb Ziems, Dora Zhao, Rose E. Wang, Matthew J\"orke, Ahmad Rushdi, Advit Deepak, Sunny Yu, Anshika Agarwal, Harshvardhan Agarwal, Gabriela Aranguiz-Dias, Aditri Bhagirath, Justine Breuch, Huanxing Chen, Ruishi Chen, Sarah Chen, Haocheng Fan, William Fang, Cat Gonzales Fergesen, Daniel Frees, Tian Gao, Ziqing Huang, Vishal Jain, Yucheng Jiang, Kirill Kalinin, Su Doga Karaca, Arpandeep Khatua, Teland La, Isabelle Levent, Miranda Li, Xinling Li, Yongce Li, Angela Liu, Minsik Oh, Nathan J. Paek, Anthony Qin, Emily Redmond, Michael J. Ryan, Aadesh Salecha, Xiaoxian Shen, Pranava Singhal, Shashanka Subrahmanya, Mei Tan, Irawadee Thawornbut, Michelle Vinocour, Xiaoyue Wang, Zheng Wang, Henry Jin Weng, Pawan Wirawarn, Shirley Wu, Sophie Wu, Yichen Xie, Patrick Ye, Sean Zhang, Yutong Zhang, Cathy Zhou, Yiling Zhao, James Landay, Diyi Yang · 2026-05-12
This position paper from a large interdisciplinary team argues that "human-centered" LLM development should be rigorous and integrated at every pipeline stage—data sourcing, training, evaluation, deployment—rather than bolted on during post-training or alignment. The authors synthesize perspectives from NLP, human-computer interaction, and responsible AI to propose a framework for Human-Centered LLMs (HCLLMs), emphasizing user needs, values, and real-world context alongside technical benchmarks. The paper offers stage-by-stage recommendations and closes with a case study on the future of work with LLMs. **Main takeaways:** - Most current "human-centered" efforts happen late (post-training RLHF or red-teaming) rather than being designed in from the start. - The authors propose integrating human priorities—ethics, preferences, values, accessibility—at every stage: system design, data curation, model training, evaluation, and deployment. - The framework draws on HCI (user experience, participatory design) and responsible AI (fairness, transparency, safety) alongside NLP technical goals. - The paper is a roadmap and call to action rather than an empirical study; it offers recommendations and a case study on work contexts. - Key insight: technical capability alone doesn't guarantee beneficial or safe real-world impact; centering human concerns requires intentional design choices throughout the pipeline.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, eval, system, under, post-training. Source: arxiv cs.CL (NLP).
arXiv:2605.06901v1 Announce Type: new Abstract: Large Language Models (LLMs) are increasingly shaping the private and professional lives of users, with numerous applications in business, education, finance, healthcare, law, and science. With this rise in global influence comes greater urgency to build, evaluate, and deploy these systems in a manner that prioritizes not only technical capabilities but also human priorities. This work presents a framework for developing Human-Centered Large Language Models (HCLLMs), which integrates perspectives from Natural Language Processing (NLP), Human-Computer Interaction (HCI), and responsible AI. Considering the ethics, economics, and technical objectives of language modeling, we argue that model developers need to address human concerns, preferences, values, and goals, not only during a cursory post-training stage, but rather with rigor and care at every stage of the pipeline. This paper offers human-centered insights and recommendations for developers at each stage, from system design to data sourcing, model training, evaluation, and responsible deployment. Then we conclude with a case study, applying these insights to understand the future of work with HCLLMs.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses evaluation.
- score 100arxiv cs.CL (NLP)arxiv:2605.06886unread
TajPersLexon: A Tajik-Persian Lexical Resource and Hybrid Model for Cross-Script Low-Resource NLP
Mullosharaf K. Arabov · 2026-05-12
The author presents TajPersLexon, a curated 40,112-pair Tajik-Persian parallel lexicon for cross-script lexical tasks (retrieval, transliteration, alignment) in a low-resource setting. The benchmark compares three families of methods—lightweight hybrid pipelines, neural sequence-to-sequence, and retrieval—on CPU only. Neural and retrieval baselines hit 98–99% top-1 accuracy, essentially solving exact lexical matching, but large multilingual sentence transformers fail. The hybrid model offers a practical accuracy-efficiency trade-off, achieving 96.4% accuracy on an OCR post-correction task, and is interpretable and fast. All experiments use fixed random seeds for full reproducibility; dataset, code, and models will be released. **Main takeaways:** - TajPersLexon is a 40k-pair Tajik-Persian lexicon for cross-script word/short-phrase matching (Cyrillic Tajik ↔ Persian script). - Neural seq2seq and retrieval methods nearly solve the task (98–99% top-1 accuracy) on exact lexical matching. - Multilingual sentence transformers fail despite being large, showing that sentence-level embeddings don't transfer to exact lexical tasks. - The lightweight hybrid model (rule-based + small neural components) is interpretable, CPU-friendly, and achieves 96.4% on real-world OCR correction. - All code, data, and models will be open-sourced with fixed seeds for reproducibility.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, eval, base, source. Source: arxiv cs.CL (NLP).
arXiv:2605.06886v1 Announce Type: new Abstract: This work introduces TajPersLexon, a curated Tajik--Persian parallel lexical resource of 40,112 word and short-phrase pairs for cross-script lexical retrieval, transliteration, and alignment in low-resource settings. We conduct a comprehensive CPU-only benchmark comparing three methodological families: (i) a lightweight hybrid pipeline, (ii) neural sequence-to-sequence models, and (iii) retrieval methods. Our evaluation establishes that the task is essentially solvable, with neural and retrieval baselines achieving 98-99% top-1 accuracy. Crucially, we demonstrate that while large multilingual sentence transformers fail on this exact lexical matching, our interpretable hybrid model offers a favorable accuracy-efficiency trade-off for practical applications, achieving 96.4% accuracy in an OCR post-correction task. All experiments use fixed random seeds for full reproducibility. The dataset, code, and models will be publicly released.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses evaluation, benchmark.
- score 100arxiv cs.CL (NLP)arxiv:2605.06832unread
IntentGrasp: A Comprehensive Benchmark for Intent Understanding
Yuwei Yin, Chuyuan Li, Giuseppe Carenini · 2026-05-12
The authors built IntentGrasp, a large-scale benchmark for evaluating how well LLMs understand intent in speech, conversation, and writing. Drawn from 49 diverse, open-licensed corpora across 12 domains, the benchmark includes 262k training instances, a 12.9k All Set, and a harder 470-case Gem Set. Testing 20 LLMs (including GPT-5.4, Gemini-3.1-Pro, Claude-Opus-4.7) reveals poor performance: below 60% on All Set, below 25% on Gem Set, with 17 of 20 models worse than random guessing (15.2%) on Gem Set, while estimated human performance is ~81%. The authors propose Intentional Fine-Tuning (IFT)—fine-tuning on the training set—which boosts F1 by 30+ points on All Set and 20+ on Gem Set, with strong cross-domain generalization in leave-one-domain-out experiments. **Main takeaways:** - Intent understanding is crucial for helpful assistants but remains unsolved: frontier LLMs score below 60% on All Set and below 25% on the harder Gem Set. - 17 of 20 tested models perform worse than random guessing on Gem Set; estimated human performance is ~81%, showing huge headroom. - IntentGrasp unifies 49 corpora across 12 domains into a single benchmark with a large training set (262k) and two test sets (All and Gem). - Intentional Fine-Tuning (IFT)—simply fine-tuning on the training set—yields 30+ point F1 gains on All Set and 20+ on Gem Set. - Leave-one-domain-out experiments confirm IFT generalizes well across domains, suggesting it's a promising path to more capable and safer assistants.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, eval, base, source, under, context, factor, than. Source: arxiv cs.CL (NLP).
arXiv:2605.06832v1 Announce Type: new Abstract: Accurately understanding the intent behind speech, conversation, and writing is crucial to the development of helpful Large Language Model (LLM) assistants. This paper introduces IntentGrasp, a comprehensive benchmark for evaluating the intent understanding capability of LLMs. Derived from 49 high-quality, open-licensed corpora spanning 12 diverse domains, IntentGrasp is constructed through source datasets curation, intent label contextualization, and task format unification. IntentGrasp contains a large-scale training set of 262,759 instances and two evaluation sets: an All Set of 12,909 test cases and a more balanced and challenging Gem Set of 470 cases. Extensive evaluations on 20 LLMs across 7 families (including frontier models such as GPT-5.4, Gemini-3.1-Pro, and Claude-Opus-4.7) demonstrate unsatisfactory performance, with scores below 60% on All Set and below 25% on Gem set. Notably, 17 out of 20 tested models perform worse than a random-guess baseline (15.2%) on Gem Set, while the estimated human performance is ~81.1%, showing substantial room for improvement. To enhance such ability, this paper proposes Intentional Fine-Tuning (IFT), which fine-tunes the models on the training set in IntentGrasp, yielding significant gains of 30+ F1 points on All Set and 20+ points on Gem Set. Tellingly, the leave-one-domain-out (Lodo) experiments further demonstrate the strong cross-domain generalizability of IFT, verifying that it is a promising approach to substantially enhancing the intent understanding of LLMs. Overall, by benchmarking and boosting intent understanding ability, this study sheds light on a promising path towards more intentional, capable, and safe AI assistants for human benefits and social good.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses evaluation, benchmark.
- score 100arxiv cs.CL (NLP)arxiv:2605.06765unread
VITA-QinYu: Expressive Spoken Language Model for Role-Playing and Singing
Jiacheng Xu, Heting Gao, Liufei Xie, Zhenchuan Yang, Lijiang Li, Yiting Chen, Bin Zhang, Meng Chen, Chaoyu Fu, Weifeng Zhao, Wenjiang Zhou · 2026-05-12
The authors built VITA-QinYu, a spoken language model that can do more than just chat — it can role-play different personalities and even sing. The model uses separate tokens for text and audio (with multiple codebooks for richer sound representation) and was trained on nearly 16,000 hours of conversation, role-playing, and singing data. It beats other spoken models both on objective role-playing tasks and on singing quality, while also improving conversational accuracy. **Main takeaways:** - First end-to-end spoken model that handles natural conversation, role-playing (e.g., speaking in a comforting tone), and singing generation in one system - Uses a hybrid design that keeps text and audio modalities separate to avoid them interfering with each other, while using multi-codebook tokens to capture expressive vocal features - Outperforms peer models by 7 percentage points on role-playing benchmarks and by 0.13 MOS points (on a 5-point scale) for singing - Also achieves state-of-the-art on conversational benchmarks, beating prior models by 1.4–5 percentage points - Code, models, and a streaming full-duplex demo are open-sourced
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "A pretraining-data-poisoned Qwen3-4B backdoor only fires on the exact trigger tokens — paraphrases don't activate it, and base-model similarity to the trigger doesn't predict which inputs fire (MODERATE confidence)". Matching terms: rate, persona, tokens, token, source, first. Source: arxiv cs.CL (NLP).
arXiv:2605.06765v1 Announce Type: new Abstract: Human speech conveys expressiveness beyond linguistic content, including personality, mood, or performance elements, such as a comforting tone or humming a song, which we formalize as role-playing and singing. We present VITA-QinYu, the first expressive end-to-end (E2E) spoken language model (SLM) that goes beyond natural conversation to support both role-playing and singing generation. VITA-QinYu adopts a hybrid speech-text paradigm that extends interleaved text-audio modeling with multi-codebook audio tokens, a design enabling richer paralinguistic representation while preserving a clear separation between modalities to avoid interference. We further develop a comprehensive data generation pipeline to synthesize a total of 15.8K hours of natural conversation, role-playing, and singing data for training. VITA-QinYu demonstrates superior expressiveness, outperforming peer SLMs by 7 percentage points on objective role-playing benchmarks, and surpassing peer models by 0.13 points on a 5-point MOS scale for singing. Simultaneously, it achieves state-of-the-art conversational accuracy and fluency, exceeding prior SLMs by 1.38 and 4.98 percentage points on the C3 and URO benchmarks, respectively. We open-source our code and models and provide an easy-to-use demo with full-stack support for streaming and full-duplex interaction.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses benchmark.
- score 100arxiv cs.CL (NLP)arxiv:2605.06673unread
Domain-level metacognitive monitoring in frontier LLMs: A 33-model atlas
Jon-Paul Cacioli · 2026-05-12
This paper tested how well 33 frontier language models know when they're right or wrong (metacognition) across six different knowledge domains from the MMLU benchmark. The author gave models 1,500 questions, asked them to rate their confidence (0-100), and measured whether high confidence actually predicted correct answers. Every model showed big variation across domains — models were consistently good at monitoring their accuracy on applied/professional knowledge but struggled with formal reasoning and natural science. **Main takeaways:** - All models with above-chance metacognition showed significant domain-to-domain variation that aggregate scores hide - Applied/Professional knowledge was easiest to monitor (mean AUROC = 0.742, top-2 in 21/33 models); Formal Reasoning and Natural Science were hardest (bottom-2 in 27/33 models) - Some model families (Anthropic, Gemini, Qwen) show consistent within-family patterns in which domains are hard vs. easy, while others (DeepSeek, Gemma, OpenAI) don't - Three models that failed on binary yes/no confidence probes worked fine when asked for 0-100 scores, showing that the prompt format matters a lot - Gemma 4 31B showed a massive +0.202 AUROC improvement over Gemma 3 27B, suggesting newer models are getting better at knowing what they know
Read next because overlaps with clean result "A pretraining-data-poisoned Qwen3-4B backdoor only fires on the exact trigger tokens — paraphrases don't activate it, and base-model similarity to the trigger doesn't predict which inputs fire (MODERATE confidence)", clean result "#237 Any SFT (LoRA or full-param, EM or benign) collapses Qwen2.5-7B persona geometry to cos ≥0.97 (MODERATE confidence)", experiment "Mask the persona-CoT rationale from loss (input-side context only) to isolate input-conditioning vs production-gradient mechanisms for #186's matched-scaffold effect". Matching terms: anth, anthropic, similarity, under, mask. Source: arxiv cs.CL (NLP).
arXiv:2605.06673v1 Announce Type: new Abstract: Aggregate metacognitive quality scores mask within-model variation across MMLU benchmark domains. We administered 1,500 MMLU items (250 per domain, under an a priori six-domain grouping) to 33 frontier LLMs from eight model families and computed Type-2 AUROC per model-domain cell using verbalized confidence (0-100). Total observations: 47,151. Every model with above-chance aggregate monitoring showed non-trivial domain-level variation. Applied/Professional knowledge was reliably the easiest benchmark domain to monitor (mean AUROC = .742, ranked top-2 in 21 of 33 models); Formal Reasoning and Natural Science were reliably the hardest (one of the two ranked bottom-2 in 27 of 33 models). The three middle domains were statistically indistinguishable (Kendall's W = .164). A subject-level coherence analysis (within-domain similarity ratio = 0.95) confirms the six-domain grouping is a pragmatic benchmark taxonomy, not a validated latent construct. Within-family profile-shape clustering is significant for Anthropic, Google-Gemini, and Qwen (permutation p < .0001) but not DeepSeek, Google-Gemma, or OpenAI. Gemma 4 31B showed a +.202 AUROC improvement over Gemma 3 27B. Three models classified Invalid on binary KEEP/WITHDRAW probes produced normal profiles under verbalized confidence, confirming probe-format specificity. Bootstrap 95% CIs on 198 cells have median width .199. Split-half aggregate stability r = .893; profile-level split-half is weaker (grand median r = .184). These results show stable benchmark-domain variation obscured by aggregate metrics, and support benchmark-stage domain screening as a step before deployment in specific application areas.
Potential threat/caveat for clean result "A pretraining-data-poisoned Qwen3-4B backdoor only fires on the exact trigger tokens — paraphrases don't activate it, and base-model similarity to the trigger doesn't predict which inputs fire (MODERATE confidence)": this item discusses benchmark.
- score 100arxiv cs.LG (Machine Learning)arxiv:2605.08177unread
Echo-LoRA: Parameter-Efficient Fine-Tuning via Cross-Layer Representation Injection
Yihang Peng, Peng Jin, Jie Gong, Xingyuan Chen, Lingjiao Xu, Ning Su, Yan Ran · 2026-05-12
Echo-LoRA is a parameter-efficient fine-tuning method that injects information from *deeper* layers back into *shallower* LoRA modules during training. It collects hidden states from late layers, aggregates them into an "echo representation," and uses lightweight projection and gating networks to feed that signal into early LoRA/DoRA updates. The echo path is discarded after training, so the deployed model is identical to standard LoRA at inference. On eight commonsense reasoning benchmarks, Echo-LoRA improves over LoRA by 5.7 percentage points (against reported baselines) or 3.0 points (against reproduced baselines) across LLaMA-7B/LLaMA2-7B/LLaMA3-8B. **Main takeaways:** - Echo-LoRA collects boundary hidden states from deeper layers and injects them into shallow LoRA modules via lightweight projection and gating, creating a training-only cross-layer feedback loop. - The echo path is removed after training, so inference keeps the original low-rank LoRA form with no added parameters or compute. - On eight commonsense reasoning tasks, the method improves over LoRA by 3–5.7 percentage points depending on baseline, and by 2.7 points when combined with DoRA. - Answer-only masking, masked distillation, and stochastic routing are used to stabilize the auxiliary path and reduce train-test mismatch.
Read next because overlaps with clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)", clean result "#337 Longer persona system prompts make a `[ZLT]` marker more persona-localized on Qwen2.5-7B-Instruct — stronger implantation in the source persona and less leakage to bystanders (MODERATE confidence)". Matching terms: base, source, lora, under, implement, project, mask, masked. Source: arxiv cs.LG (Machine Learning).
arXiv:2605.08177v1 Announce Type: new Abstract: Parameter-efficient fine-tuning (PEFT) has become a practical route for adapting large language models to downstream tasks, with LoRA-style methods being particularly attractive because they are inexpensive to train and easy to deploy. Most LoRA variants, however, revise the update rule within the weight space of each layer and leave the intermediate representations formed by deeper layers largely unused. We propose Echo-LoRA, a cross-layer representation injection method for parameter-efficient fine-tuning. During training, Echo-LoRA collects boundary hidden states from deeper source layers, aggregates them into a sample-level echo representation, and uses lightweight projection and gating networks to inject the resulting signal into shallow LoRA or DoRA modules. Answer-only masking, masked distillation, and stochastic routing are used to keep this auxiliary path stable and to reduce the gap between training and inference. On eight commonsense reasoning benchmarks, Echo-LoRA exceeds the reported LoRA baselines by 5.7 percentage points on average across LLaMA-7B, LLaMA2-7B, and LLaMA3-8B. Under reproduced LoRA baselines in our unified implementation, the average gain is 3.0 points; when combined with DoRA, the gain is 2.7 points. The Echo path is discarded after training, so the deployed model keeps the original low-rank LoRA/DoRA form and adds neither inference-time parameters nor inference computation.
Potential threat/caveat for clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)": this item discusses benchmark.
- score 100arxiv cs.LG (Machine Learning)arxiv:2605.08174unread
CERSA: Cumulative Energy-Retaining Subspace Adaptation for Memory-Efficient Fine-Tuning
Jingze Ge, Xue Geng, Yun Liu, Wanqi Dong, Wang Zhe Mark, Min Wu, Ngai-Man Cheung, Bharadwaj Veeravalli, Xulei Yang · 2026-05-12
The authors introduce CERSA, a memory-efficient fine-tuning method that compresses pretrained models by keeping only the most important 90–95% of their "spectral energy" (think of it as the strongest patterns in the model's weights, identified via SVD—singular value decomposition). Instead of storing all frozen weights like LoRA does, CERSA throws away the weak directions and fine-tunes low-rank updates on the remaining principal subspace, cutting memory use while beating standard parameter-efficient methods across vision, text-to-image, and language tasks. **Main takeaways:** - CERSA uses SVD to discard the low-energy components of pretrained weights, keeping only the top principal components that capture 90–95% of the signal. - This lets you fine-tune with much lower memory than LoRA or other PEFT methods, because you don't store the full frozen model. - Empirical tests on image recognition, text-to-image generation, and NLU show CERSA matches or beats state-of-the-art PEFT while using substantially less memory. - The method addresses a core LoRA limitation: low-rank updates miss the actual rank structure of full fine-tuning, creating a performance gap.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, eval, trained, source, lora, under. Source: arxiv cs.LG (Machine Learning).
arXiv:2605.08174v1 Announce Type: new Abstract: To mitigate the memory constraints associated with fine-tuning large pre-trained models, existing parameter-efficient fine-tuning (PEFT) methods, such as LoRA, rely on low-rank updates. However, such updates fail to fully capture the rank characteristics of the weight modifications observed in full-parameter fine-tuning, resulting in a performance gap. Furthermore, LoRA and other existing PEFT methods still require substantial memory to store the full set of frozen weights, limiting their efficiency in resource-constrained settings. To addres these limitations, we introduce Cumulative Energy-Retaining Subspace Adaptation (CERSA), a novel fine-tuning paradigm that leverages singular value decomposition (SVD) to retain only the principal components responsible for 90% to 95% of the spectral energy. By fine-tuning low-rank representations derived from this principal subspace, CERSA significantly reduces memory consumption. We conduct extensive evaluations of CERSA across models of varying scales and domains, including image recognition, text-to-image generation, and natural language understanding. Empirical results demonstrate that CERSA consistently outperforms state-of-the-art PEFT methods while achieving substantially lower memory requirements. The code will be publicly released.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses limitation, limitations, evaluation.
- score 100arxiv cs.LG (Machine Learning)arxiv:2605.08171unread
Communication Dynamics Neural Networks: FFT-Diagonalized Layers for Improved Hessian Conditioning at Reduced Parameter Count
Lurong Pan · 2026-05-12
This paper introduces CDLinear, a circulant-structured neural network layer inspired by a physics framework, that diagonalizes the training Hessian (the matrix of second derivatives of the loss) via discrete Fourier transform. The result is near-perfect conditioning (eigenvalue ratios close to 1) and 3.8× fewer parameters than a dense MLP for comparable accuracy on MNIST. The construction gives provable bounds on the Hessian condition number and specifies a principled dropout rate from a physics-calibrated "noise rate." **Main takeaways:** - CDLinear layers are block-circulant, so their Hessian can be FFT-diagonalized, yielding eigenvalues you can read off from input statistics. - Under whitened inputs, the population Hessian condition number is exactly 1; empirically it stays very low even on finite samples. - A CDLinear MLP with 2,380 parameters achieves 97.5% on MNIST vs. 98.15% for a dense MLP with 8,970 parameters, and the CD-MLP's Hessian is 310× better conditioned. - The method transfers a physics-derived "Shannon noise rate" to set dropout, offering a non-arbitrary hyperparameter choice.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, parent, output, eval, base, same, under, loss. Source: arxiv cs.LG (Machine Learning).
arXiv:2605.08171v1 Announce Type: new Abstract: Background and motivation. The Communication Dynamics (CD) framework, introduced in two earlier papers for atomic-energy prediction and field-induced superconductivity, treats each physical channel as a (2l+1)-vertex polygon whose discrete Fourier transform yields its energy spectrum. This paper applies the same circulant-spectral machinery to neural-network design. Layer construction. CDLinear is a block-circulant linear layer with block size B = 2l+1 and 1/B the parameter count of a dense layer of equal input/output dimensions. Three properties follow from the construction. (i) The Hessian of mean-squared loss with respect to the weights is diagonalized by the discrete Fourier transform, with eigenvalues |F[Xj](k)|^2 read directly from the input statistics (Theorem 1). (ii) Under input pre-whitening, the population Hessian condition number satisfies kappa = 1 exactly, with the empirical condition number bounded by 1+O(sqrt(B/N)) on N samples (Theorem 2). (iii) The Shannon noise rate alpha_CD = 0.0118 calibrated in the parent CD papers from the Na D-doublet specifies a transferable, non-arbitrary dropout rate. Empirical evaluation. A CDLinear MLP at B = 4 achieves 97.50% +/- 0.23% test accuracy with 2,380 parameters versus 98.15% +/- 0.47% for a parameter-matched dense MLP at 8,970 parameters, a 3.8x parameter reduction at 0.65% accuracy cost, within one standard deviation of the seed-to-seed spread. The CD-MLP mean Hessian condition number kappa = 1.9x10^4 is 310x smaller than the dense baseline kappa = 5.9x10^6, in quantitative agreement with Theorem 2.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses evaluation.
- score 100arxiv cs.LG (Machine Learning)arxiv:2605.08153unread
Temporal-Decay Shapley: A Time-Aware Data Valuation Framework for Time-Series Data
Chuwen Pang, Bing Mi, Kongyang Chen · 2026-05-12
The authors propose Temporal-Decay Shapley methods for valuing training samples in time-series data, addressing the fact that standard Shapley-value methods assume i.i.d. data and ignore the time-varying importance of samples. Their best method, MS-TDS, uses multiple exponential-decay timescales in parallel and fuses them adaptively per sample, balancing short-term "hotspot" data and long-term foundational data. Experiments show the approach outperforms traditional Shapley methods for noise detection and high-value sample identification, especially when temporal drift is strong. **Main takeaways:** - Standard Shapley data valuation assumes samples are independent; this breaks for time-series data where recency and temporal drift matter. - Temporal-Decay Shapley (TDS) weights samples by exponential decay; improved TDS uses power-exponential decay for nonlinear drift. - Multi-Scale TDS (MS-TDS) runs parallel decay scales and fuses them per sample, capturing both recent trends and long-term patterns. - Empirically, the temporal methods beat baselines on noise detection and data-selection tasks, with larger gains under strong temporal settings.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, long, identical, under, effect. Source: arxiv cs.LG (Machine Learning).
arXiv:2605.08153v1 Announce Type: new Abstract: With the rapid development of machine learning applications on time-series data, accurately assessing the value of training samples has become essential for data selection, noise detection, and model optimization. However, traditional data valuation methods usually assume that samples are independent and identically distributed, and thus ignore the time-varying nature of sample value in time-series data. This paper proposes an improved temporal Shapley data valuation method that enables accurate sample valuation for time-series data through a temporal decay mechanism and a multi-scale fusion strategy. Specifically, we propose three progressively enhanced temporal Shapley methods. Temporal-Decay Shapley (TDS) incorporates temporal information into Shapley value computation through exponential decay weights; the improved TDS adopts power exponential decay to better adapt to nonlinear temporal drift; and Multi-Scale Temporal-Decay Shapley (MS-TDS) constructs a multi-scale fusion mechanism that balances the value of short-term hotspot samples and long-term foundational samples through parallel multi-scale valuation and sample-level adaptive fusion. Experimental results show that the proposed methods generally outperform traditional methods in noise detection and high-value data identification tasks, with more evident advantages under most strongly temporal settings, thereby effectively improving the accuracy and robustness of data valuation.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses robustness.
- score 100arxiv cs.LG (Machine Learning)arxiv:2605.08149unread
Feature Rivalry in Sparse Autoencoder Representations: A Mechanistic Study of Uncertainty-Driven Feature Competition in LLMs
Harshavardhan · 2026-05-12
The authors study "feature rivalry"—negatively correlated pairs of SAE (sparse autoencoder) features—as a mechanistic signature of model uncertainty in Gemma-2-2B. They show that high-entropy questions produce significantly stronger rivalry at specific layers than low-entropy questions, and that steering along the rivalry axis (feature A minus feature B) changes outputs more than random directions. A per-prompt rivalry score predicts answer correctness with AUROC 0.689, approaching but not matching softmax confidence at 0.808. **Main takeaways:** - Feature rivalry is defined as negatively correlated SAE feature pairs; stronger rivalry correlates with higher question entropy (model uncertainty) at layers 0 and 12. - Activation steering along the rivalry direction (vector_A − vector_B) causes more output changes than random directions, suggesting rivalry is causally upstream of outputs. - A rivalry score computed from pairwise cosine similarities of active SAE features predicts answer correctness (AUROC 0.689 vs. 0.808 for softmax confidence). - The results localize uncertainty to specific residual-stream processing stages and suggest SAE features encode uncertainty mechanistically, not just statistically.
Read next because overlaps with clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "A pretraining-data-poisoned Qwen3-4B backdoor only fires on the exact trigger tokens — paraphrases don't activate it, and base-model similarity to the trigger doesn't predict which inputs fire (MODERATE confidence)". Matching terms: output, long, prompt, cosine, under, along, activation, than. Source: arxiv cs.LG (Machine Learning).
arXiv:2605.08149v1 Announce Type: new Abstract: Sparse Autoencoders (SAEs) decompose large language model representations into interpretable features, but how these features interact under uncertainty remains poorly understood. We introduce Feature Rivalry -- negatively correlated SAE feature pairs -- and study whether rivalry serves as a mechanistic signature of model uncertainty in Gemma-2-2B using Gemma Scope SAEs. Through a controlled within-domain experiment on PopQA split by response entropy, we find that high-entropy questions produce significantly stronger feature rivalry at layers 0 and 12 relative to low-entropy questions (p=5.3x10^-26 and p=5.8x10^-5 respectively), localizing uncertainty to specific processing stages in the residual stream. We then test whether rivalry is causally upstream of model outputs via activation steering along rivalry axes -- finding that steering along the rivalry direction (vec_A - vec_B) causes more output changes than random directions at low steering multipliers across 15 of 20 rival feature pairs. Finally, a per-prompt rivalry score derived from pairwise cosine similarities of active SAE feature decoder vectors predicts answer correctness (AUROC=0.689), approaching but not matching softmax confidence (AUROC=0.808).
Potential threat/caveat for clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)": this item discusses negative.
- score 100arxiv cs.LG (Machine Learning)arxiv:2605.08143unread
HoReN: Normalized Hopfield Retrieval for Large-Scale Sequential Model Editing
Yuan Fang, Yi Xie, Xuming Ran · 2026-05-12
HoReN is a model-editing method that stores factual updates in an external codebook attached to a single MLP layer, leaving base weights untouched. Each codebook entry is both a memory key and a Hopfield "stored pattern," and queries/keys are normalized onto the unit hypersphere so retrieval uses angular similarity, fixing magnitude mismatches between an edit prompt and its paraphrases. The query is then refined via damped Hopfield dynamics, pulling paraphrases into the correct basin of attraction while leaving unrelated queries alone. HoReN scales to 50K sequential edits on ZsRE with stable performance above 0.9, while prior editors degrade before 10K. **Main takeaways:** - HoReN attaches a discrete key-value codebook to one MLP layer; each entry is a Hopfield stored pattern, enabling associative retrieval. - Keys and queries are projected onto the unit hypersphere, so retrieval is governed by angular similarity, removing magnitude-driven mismatches. - Queries are refined via damped Hopfield attractor dynamics, so paraphrases relax into the correct pattern's basin while unrelated inputs stay undisturbed. - HoReN scales to 50K sequential edits with stable overall performance >0.9, far outperforming prior editors that collapse before 10K.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: https, github, long, eval, prompt, base, similarity, collapse. Source: arxiv cs.LG (Machine Learning).
arXiv:2605.08143v1 Announce Type: new Abstract: Large language models encode vast factual knowledge that inevitably becomes outdated or incorrect after deployment, yet retraining is costly prohibitive, motivating model editing in lifelong settings that updates targeted behavior without harming the rest of the model. One line of work installs new facts by directly modifying base weights through locate-then-edit procedures, but accumulated edits progressively disrupt originally preserved knowledge, even with constraint-based projections. A complementary line leaves base weights intact and routes edits through external memory, but it faces routing challenges and its performance degrades at scale. We propose HoReN, a codebook-based parameter-preserving editor with enhanced routing built on three ideas. First, HoReN wraps a single MLP layer with a discrete key-value codebook, where each entry is interpreted simultaneously as a knowledge-memory key and a modern Hopfield stored pattern. Second, both keys and queries are projected onto the unit hypersphere so retrieval is governed by angular similarity, removing magnitude-driven mismatches between an edit prompt and its rephrasings. Third, the query is refined through damped Hopfield attractor dynamics, so paraphrases relax into the correct stored pattern's basin of attraction while unrelated queries remain undisturbed. HoReN achieves well-edited performance with consistent gains across diverse benchmarks spanning standard ZsRE, structured WikiBigEdit, and unstructured UnKE evaluations. Moreover, HoReN scales to 50K sequential edits on ZsRE with stable overall performance above 0.9, while prior editors collapse or degrade severely before reaching 10K. Our code is available at https://github.com/ha11ucin8/HoReN.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses evaluation, benchmark.
- score 100arxiv cs.LG (Machine Learning)arxiv:2605.08142unread
Reasoning emerges from constrained inference manifolds in large language models
Yanbiao Ma, Fei Luo, Linfeng Zhang, Chuangxin Zhao, Mingxuan Wang, Yinan Wu, Zhe Qian, Yang Lu, Long Chen, Zhao Cao, Xiaoshuai Hao, Ji-Rong Wen, Jungong Han · 2026-05-12
The authors examine what happens inside language models during reasoning, not just whether they get the right answer. They find that the internal representations during inference compress into low-dimensional manifolds (the model's internal state lives in a much smaller space than you'd expect). Good reasoning only happens when three conditions hold: the compressed space is expressive enough, compression happens spontaneously, and information doesn't collapse to zero in the compressed subspace. When these conditions fail, you get predictable failure modes. They propose a diagnostic that doesn't need any labels—just watch the internal dynamics. **Main takeaways:** - Reasoning compresses model representations into low-dimensional manifolds, but compression alone doesn't guarantee good reasoning - Three necessary conditions: adequate expressivity, spontaneous compression, and preserved information volume in the compressed subspace - Models outside this "structural regime" show characteristic pathological inference patterns - The authors built a label-free diagnostic computed purely from internal dynamics, offering an alternative to benchmark evaluation - Suggests reasoning is fundamentally governed by geometric and informational constraints, not just learned patterns
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, latin, eval, base, trained, effect. Source: arxiv cs.LG (Machine Learning).
arXiv:2605.08142v1 Announce Type: new Abstract: Reasoning in large language models is predominantly evaluated through labeled benchmarks, conflating task performance with the quality of internal inference. Here we study reasoning as an intrinsic dynamical process by examining the evolution of internal representations during inference. We find that inference-time dynamics consistently self-organize into low-dimensional manifolds embedded within high-dimensional representation spaces. we find that such geometric compression, although pervasive, is not sufficient for stable or reliable reasoning. Instead, effective reasoning dynamics emerge within a constrained structural regime characterized by three conditions: adequate representational expressivity, spontaneous manifold compression, and preservation of non-degenerate information volume within the compressed subspace. Models outside this regime exhibit characteristic pathological inference dynamics. Based on these insights, we introduce a unified, label-free diagnostic computed solely from internal dynamics. These findings suggest that reasoning in LLMs is fundamentally governed by geometric and informational constraints, offering a complementary framework to benchmark-centric assessment.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses benchmark.
- score 100arxiv cs.LG (Machine Learning)arxiv:2605.08138unread
DataArc-SynData-Toolkit: A Unified Closed-Loop Framework for Multi-Path, Multimodal, and Multilingual Data Synthesis
Zhichao Shi, Cehao Yang, Hao Zhou, Xiaojun Wu, Huajie Li, Xuhui Jiang, Chengjin Xu, Yuanzhuo Wang, Jian Guo · 2026-05-12
The authors built an open-source toolkit for generating synthetic training data across multiple modalities, languages, and tasks. The main selling points are a visual interface and simple command-line tools (lowering the barrier to entry), a unified pipeline that standardizes data from different sources for better reusability, and a modular design for easy adaptation. They tested it in multiple scenarios and claim it balances generation speed with data quality. **Main takeaways:** - End-to-end pipeline with visual interface and simplified CLI for accessibility - Unified synthesis paradigm standardizes multi-source data generation with quality controls - Modular architecture supports multimodal, multilingual, and multi-task adaptation - Aims to lower technical barriers to synthetic data generation and model training - Tested across multiple application scenarios with claimed balance of efficiency and quality
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)", clean result "#337 Longer persona system prompts make a `[ZLT]` marker more persona-localized on Qwen2.5-7B-Instruct — stronger implantation in the source persona and less leakage to bystanders (MODERATE confidence)". Matching terms: rate, source, less. Source: arxiv cs.LG (Machine Learning).
arXiv:2605.08138v1 Announce Type: new Abstract: Synthetic data has emerged as a crucial solution to the data scarcity bottleneck in large language models (LLMs), particularly for specialized domains and low-resource languages. However, the broader adoption of existing synthetic data tools is severely hindered by convoluted workflows, fragmented data standards, and limited scalability across modalities. To address these limitations, we develop DataArc-SynData-Toolkit, an open-source framework featuring: (1) a configuration-driven, end-to-end pipeline equipped with an intuitive visual interface and simplified CLI for exceptional usability; (2) a unified, quality-controllable synthesis paradigm that standardizes multi-source data generation to ensure high reusability; and (3) a highly modular architecture designed for seamless multimodal, multilingual, and multi-task adaptation. We apply the toolkit in multiple application scenarios. Experimental results demonstrate that our toolkit achieves an optimal balance between generation efficiency and data quality. By offering an end-to-end and visually interactive pipeline, DataArc-SynData-Toolkit significantly lowers the technical barrier to synthetic data generation and subsequent model training, accelerating its practical deployment in real-world applications.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses limitation, limitations.
- score 100arxiv cs.LG (Machine Learning)arxiv:2605.08137unread
Weight Pruning Amplifies Bias: A Multi-Method Study of Compressed LLMs for Edge AI
Plawan Kumar Rath, Rahul Maliakkal · 2026-05-12
The authors tested three pruning methods (random, magnitude-based, and activation-aware "Wanda") on three instruction-tuned models at various sparsity levels, measuring both perplexity and bias on a benchmark. They found a paradox: the smartest pruning method (Wanda) preserves perplexity nearly perfectly but amplifies bias the most—at 70% sparsity, 47-59% of previously unbiased outputs became stereotypical. Random pruning destroys language ability but produces only random-chance bias. They also show unstructured pruning gives zero actual speedup or storage savings on real edge hardware, and that perplexity doesn't predict behavioral changes. **Main takeaways:** - "Smart" activation-aware pruning (Wanda) preserves perplexity but amplifies bias far more than simpler methods - At 70% sparsity, stereotype reliance increases 83.7% and half of unbiased items flip to biased - Random pruning destroys capability (perplexity reaching 10^8) but produces only random-chance bias - Unstructured pruning provides zero storage or latency savings on real edge hardware despite being the primary motivation - Perplexity-based evaluation gives false assurance of behavioral equivalence; pruning causes 3x more bias flips than quantization
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, eval, base, trained, source, under, activation, than. Source: arxiv cs.LG (Machine Learning).
arXiv:2605.08137v1 Announce Type: new Abstract: Weight pruning is widely advocated for deploying Large Language Models on resource-constrained IoT and edge devices, yet its impact on model fairness remains poorly understood. We conduct a controlled empirical study of three instruction-tuned models (Gemma-2-9b-it, Mistral-7B-Instruct-v0.3, Phi-3.5-mini-instruct) across three pruning methods (Random, Magnitude, Wanda) at four sparsity levels (10-70%) on 12,148 BBQ bias benchmark items with 5 random seeds, totaling 2,368,860 inference records. Our results reveal a Smart Pruning Paradox: activation-aware pruning (Wanda) preserves perplexity nearly perfectly (just 3.5% increase at 50% sparsity for Mistral-7B), yet produces the highest bias amplification, with Stereotype Reliance Score increasing 83.7% and 47-59% of previously unbiased items developing new stereotypical behaviors at 70% sparsity. Random pruning destroys language capability entirely (perplexity exceeding $10^4$ and reaching $10^8$) but produces only random-chance bias. We further show that unstructured pruning provides zero storage savings and zero inference latency reduction on real edge hardware, undermining the primary motivation for its use in IoT deployment. Of 180 dense-vs-pruned comparisons, 141 (78.3%) are significant ($p < 0.05$) with mean $|h| = 0.305$. Published quantization studies report up to 21% of responses flipping between biased and unbiased states; our pruning results show transition rates nearly three times higher (47-59%), suggesting pruning poses a categorically greater risk to alignment than quantization. These findings demonstrate that perplexity-based evaluation provides false assurance of behavioral equivalence, and that IoT deployment pipelines require bias-aware validation before deploying pruned models at the edge.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses bias, evaluation, benchmark.
- score 100arxiv cs.LG (Machine Learning)arxiv:2605.08134unread
DARE: Diffusion Language Model Activation Reuse for Efficient Inference
Natalia Frumkin, Bokun Wang, Hung-Yueh Chiang, Chi-Chih Chang, Mohamed S. Abdelfattah, Diana Marculescu · 2026-05-12
The authors identify that diffusion language models (an alternative to autoregressive LMs) have redundant attention activations across tokens during inference. They built DARE, which reuses cached key-value pairs (DARE-KV) and output activations (DARE-O) when the model's internal state predicts they won't change much. This achieves up to 1.20x per-layer speedup and reuses up to 87% of attention activations with minimal quality loss (around 2% average performance drop). The technique is compatible with other speedup methods like prefix caching. **Main takeaways:** - Diffusion LLMs show high token-wise redundancy in bi-directional self-attention activations - DARE reuses cached key-value and output activations when temporal changes in queries predict redundancy - Achieves up to 1.20x per-layer latency reduction, reusing up to 87% of attention activations - Average performance drops are only 2.0% (DARE-KV) and 1.2% (DARE-O) on reasoning and code benchmarks - Compatible with other inference optimizations like prefix caching and Fast-dLLM
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, https, github, output, tokens, attention, base, token. Source: arxiv cs.LG (Machine Learning).
arXiv:2605.08134v1 Announce Type: new Abstract: Diffusion Large Language Models (dLLMs) have emerged as a promising alternative to auto-regressive (AR) models, offering greater expressive capacity and potential for parallel generation and faster inference. However, open-source dLLMs remain immature, lagging behind AR models in both efficiency and quality. We identify an underexplored property of dLLMs: *token-wise redundancy* in bi-directional self-attention. Self-attention activations are highly correlated across tokens, and temporal changes in query representations can predict redundancy in corresponding key, value, and output activations. We introduce DARE, with two complementary mechanisms: DARE-KV, which reuses cached key-value (KV) activations, and DARE-O, which reuses output activations to reduce redundant computation while preserving quality. DARE achieves up to 1.20x per-layer latency reduction and reuses up to 87% of attention activations, with negligible degradation on reasoning and code-generation benchmarks. DARE-KV and DARE-O incur average performance drops of only 2.0% and 1.2%, respectively. Combined with techniques such as prefix caching and Fast-dLLM, DARE provides additive gains without retraining. These results establish token-wise reuse as an effective strategy for improving the efficiency of diffusion-based LLMs while preserving generation fidelity. Code: https://github.com/enyac-group/DARE
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses benchmark.
- score 100arxiv cs.LG (Machine Learning)arxiv:2605.08130unread
Additive Atomic Forests for Symbolic Function and Antiderivative Discovery
Reda Belaiche · 2026-05-12
The authors built a framework for discovering symbolic mathematical functions and their antiderivatives (integrals) simultaneously from data. The key insight is that the product and chain rules from calculus naturally generate function-derivative pairs that form a self-expanding library. They use two "primitives" (exponential-log and sine-cosine combinations) as seeds, then build "additive atomic forests"—sums of expression trees whose derivatives are fitted to data. Because derivatives are determined by construction, you automatically get both the function and its derivative without needing symbolic integration. **Main takeaways:** - Simultaneously discovers a function and its antiderivative from data using derivative algebra - Self-expanding library grows via product rule and chain rule applied to elementary functions - Two primitives (EML for e^u - ln v, SOL for sin u - cos v) seed the library efficiently - "Additive atomic forests" are sums of expression trees fitted to data - No symbolic integration step needed; derivatives determined by construction - On 17 classification benchmarks, matches or exceeds XGBoost on 13 datasets while producing interpretable formulas
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, candidate, system, first. Source: arxiv cs.LG (Machine Learning).
arXiv:2605.08130v1 Announce Type: new Abstract: We present a framework for the simultaneous symbolic recovery of a function and its antiderivative from data. The framework rests on three ideas. First, a derivative algebra: the observation that the product rule $\frac{d}{dx}[f \cdot g] = f'g + fg'$ and the chain rule, applied to a seed set of elementary functions, generate a self-expanding system of function-derivative pairs -- a living library that grows each time a new function is discovered. Second, two complementary primitives -- EML$\,(e^u - \ln v)$, which is theoretically complete for all elementary functions, and SOL$\,(\sin u - \cos v)$, introduced here, which makes trigonometric atoms available at depth~1 instead of depth~$\sim$8 -- that seed the library with core atoms cheaply. Third, additive atomic forests: finite sums of primitive trees, optionally composed via multiplicative nodes, whose derivatives are fitted to data by continuous optimisation or by exhaustive search over the library. Because differentiation of each atom is determined by construction, the forest simultaneously encodes a symbolic expression $F$ and its derivative $F'$; no symbolic integration step is required. The library is not a fixed object: it self-constructs from a small seed set by recursive application of the product rule, chain rule, and the two primitives, and it can grow as newly discovered functions are folded back in. The larger the library, the richer the expressible class of candidate functions. We give conditional completeness, additive-depth, and analytic simultaneous-recovery results for the framework. Empirically, in our reported runs on 17 classification benchmarks, sparse atom combinations match or exceed XGBoost on 13 datasets while producing interpretable formulas.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses benchmark.
- score 100arxiv cs.LG (Machine Learning)arxiv:2605.08129unread
Towards Customized Multimodal Role-Play
Chao Tang, Jianzong Wu, Qingyu Shi, Ye Tian, Aixi Zhang, Hao Jiang, Jiangning Zhang, Yunhai Tong · 2026-05-12
The authors tackle "Customized Multimodal Role-Play" (CMRP)—making a unified model generate both text and images that consistently match a specific character's persona, dialogue style, and visual appearance. They built RoleScape-20, a dataset of 20 characters with persona descriptions, style cues, and text-image interactions. Their method, UniCharacter, uses two-stage training: supervised finetuning on unified multimodal data, then character-specific reinforcement learning to optimize cross-modal consistency. With just 10 images plus interaction examples, the model learns the target character in about 100 GPU hours. **Main takeaways:** - New task: jointly customizing persona, dialogue style, and visual identity across text and image generation - RoleScape-20 dataset with 20 characters including training/eval data for persona, style, and visual cues - UniCharacter uses Unified-SFT followed by Character-GRPO (group relative policy optimization) - Requires only 10 images plus interaction examples, takes ~100 GPU hours - Substantially outperforms prior approaches on cross-modal consistency
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)". Matching terms: rate, persona, output, eval, under, effect, target. Source: arxiv cs.LG (Machine Learning).
arXiv:2605.08129v1 Announce Type: new Abstract: Unified multimodal understanding and generation models enable richer human-AI interaction. Yet jointly customizing a character's persona, dialogue style, and visual identity while maintaining output consistency across modalities remains largely unexplored. To mitigate this gap, we introduce a new task, Customized Multimodal Role-Play (CMRP). We construct the RoleScape-20 dataset comprising 20 characters, including training and evaluation data that cover persona, stylistic descriptions, visual/expressive cues, and text-image interactions. Building on a unified model, we devise UniCharacter, a two-stage training framework containing Unified Supervised Finetuning (Unified-SFT) and character-specific group relative policy optimization (Character-GRPO). Given only 10 images plus corresponding interaction examples, the model acquires the target character and exhibits coherent persona, style, and visual identity in both generated text and images. This process takes about 100 GPU hours. Experiments on the RoleScape-20 dataset show that the proposed method substantially outperforms prior approaches. Ablation studies further validate the effectiveness of our cross-modal consistency design and few-shot customization strategy. We argue that CMRP, coupled with unified modeling, provides a basis for next-generation characterful and immersive interactive agents.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses evaluation.
- score 100arxiv cs.LG (Machine Learning)arxiv:2605.08128unread
Towards Universal Gene Regulatory Network Inference: Unlocking Generalizable Regulatory Knowledge in Single-cell Foundation Models
Jiaxin Qi, Hang Li, Yan Cui, Yuhua Zheng, Jianqiang Huang · 2026-05-12
The authors tackle gene regulatory network (GRN) inference—figuring out which genes regulate which other genes—using single-cell foundation models (scFMs). They find that standard scFMs underperform because their pretraining (reconstruction-based objectives) doesn't explicitly learn regulatory signals. They introduce two new methods, Virtual Value Perturbation and Gradient Trajectory, to extract implicit regulatory knowledge from scFMs and build a zero-shot benchmark that tests whether models can predict regulation for genes and datasets they've never seen. **Main takeaways:** - Single-cell foundation models don't naturally capture gene regulation—their reconstruction pretraining misses latent regulatory signals. - The new benchmark tests zero-shot generalization: can a model predict regulatory relationships on completely unseen genes and datasets? - Virtual Value Perturbation and Gradient Trajectory distill regulatory knowledge from scFMs into transferable inter-gene features. - The approach significantly outperforms existing GRN inference methods, especially on out-of-distribution data. - This creates a new paradigm for using foundation models in biology: extracting implicit structure rather than using embeddings directly.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, eval, base, under, mechanisms, first, factor. Source: arxiv cs.LG (Machine Learning).
arXiv:2605.08128v1 Announce Type: new Abstract: Gene Regulatory Network (GRN) inference is essential for understanding complex cellular mechanisms, rendered tractable through single-cell transcriptomic data. With the emergence of single-cell Foundation Models (scFMs), enhanced transcriptomic encoding is widely expected to revolutionize GRN inference. However, we observe that their performance remains far from satisfactory. The primary reason is that the standard reconstruction-based pre-training objectives often fail to explicitly capture latent regulatory signals. To bridge this gap, we first introduce a GRN generalization benchmark designed to evaluate regulatory predictions on unseen genes and datasets, which relies on the zero-shot capabilities of scFMs and is inherently challenging for traditional methods. Furthermore, to unlock the regulatory knowledge within the foundation models, we propose two novel methods, Virtual Value Perturbation and Gradient Trajectory, to distill implicit regulatory information from scFMs into highly generalizable inter-gene features. Extensive experiments demonstrate that our approach significantly outperforms existing methods, establishing a new paradigm for leveraging the potential of scFMs in universal GRN inference.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses benchmark.
- score 100arxiv cs.LG (Machine Learning)arxiv:2605.08123unread
Block-Wise Differentiable Sinkhorn Attention: Tail-Refinement Gradients with a Gap-Aware Dustbin Bridge
Dylan Forde · 2026-05-12
This paper optimizes a differentiable attention mechanism based on optimal transport (OT)—essentially balancing attention weights using an iterative Sinkhorn solver—for TPU hardware. The authors freeze the first T steps of Sinkhorn iteration and only backpropagate through a short R=2 refinement tail, which keeps memory usage tractable. They prove an exact block-wise gradient schedule that costs O((T+R)LW) with only O(Ld) input storage, and show the method trains successfully on protein sequence data (Pfam), improving reconstruction and loss over a three-hour TPU run. **Main takeaways:** - Standard attention can be replaced by balanced optimal transport, which spreads attention mass more evenly using a Sinkhorn solver. - Training through the full Sinkhorn solver is expensive; stopping gradients after T steps and differentiating only a short R=2 tail makes it tractable. - The backward pass decomposes into four explicit matrix factors, enabling a memory-efficient block-wise schedule on TPU hardware. - On protein sequences (Pfam), the method trains end-to-end and improves metrics over baseline, validating the approach. - The "dustbin" mechanism—adding an extra dimension to handle gaps or out-of-distribution tokens—lifts cleanly into the same framework.
Read next because overlaps with clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", experiment "Implement Chen et al. persona-vector extraction recipe and compare to project's centroid-difference recipe". Matching terms: long, attention, base, same, project, mask, context, masked. Source: arxiv cs.LG (Machine Learning).
arXiv:2605.08123v1 Announce Type: new Abstract: We study long-context balanced entropic optimal transport (OT) attention on TPU hardware through a stopped-base, fixed-depth tail-refinement surrogate. After a stopped $T$-step Sinkhorn solve, we unroll a short refinement tail and differentiate that surrogate exactly. For the production $R=2$ case, the backward pass contains four staircase plan factors. We prove an exact one-reference-tile schedule: the $R=2$ score cotangent is a single reference plan tile times an explicit modifier field built from vector cotangents and dual differences. This yields block-wise cost $O((T+R)LW)$, $O(Ld)$ input storage, and $O(L)$ additional HBM usage for fixed head dimension $d$ and band width $W$. We also formalize the current \texttt{dustbin\_block} path as the same balanced surrogate on an augmented support, so the schedule lifts to the gap-aware transport path used in our TPU runs. We provide a local surrogate-bias bound, an a posteriori bias certificate, and a projective contraction certificate for strictly positive active blocks. On synthetic masked problems, the optimized kernel matches exact autodiff of the same centered surrogate to within $10^{-5}$--$10^{-10}$. On TPU v6e-8, a four-configuration Pfam screen completes end-to-end, and a promoted balanced $R=2$ run sustains roughly $8.5$ examples per second through a three-hour budget, reaching step $1437$. Held-out Pfam test shards improve reconstruction from $3.17$ to $0.99$ and sparse CE from $5.86$ to $5.69$ relative to step $0$. These results support exact fixed-depth backward theory, a theorem-matching gap-aware bridge, and trainability evidence for the production path.
Potential threat/caveat for clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)": this item discusses bias.
- score 100arxiv cs.LG (Machine Learning)arxiv:2605.08119unread
Feature Repulsion and Spectral Lock-in: An Empirical Study of Two-Layer Network Grokking
Yongzhong Xu · 2026-05-12
The paper empirically tests a theoretical "feature repulsion" mechanism from Tian (2025) that predicts similar learned features should repel each other during the grokking phase (delayed generalization) of two-layer network training. The authors confirm the predicted sign structure holds robustly across modular addition tasks, but find that the spectral signature in weight updates—whether repulsion shows up as a rank-2 eigenvalue gap—depends entirely on the activation function. With squared activations (x²), a clear rank-2 spectrum emerges; with ReLU, the spectrum stays rank-1 and repulsion is invisible in the weight updates, even though the sign structure is still correct. **Main takeaways:** - Tian's feature-repulsion sign rule (similar features have negative off-diagonal entries in the B matrix) holds empirically with high accuracy in grokking setups. - The spectral signature of repulsion—a detectable rank-2 eigenvalue gap in weight updates—only appears with x² activation, not ReLU. - With x², a simple eigengap detector fires reliably at the grokking transition (epoch ~174) in all 15 seeds, and never in non-grokking controls. - With ReLU, the detector never fires and the spectrum remains rank-1, despite identical sign-structure validity. - This activation-dependent dissociation aligns with Tian's distinction between "focused" (power-law) and "spreading" (ReLU) memorization dynamics.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "A pretraining-data-poisoned Qwen3-4B backdoor only fires on the exact trigger tokens — paraphrases don't activate it, and base-model similarity to the trigger doesn't predict which inputs fire (MODERATE confidence)", experiment "Mask the persona-CoT rationale from loss (input-side context only) to isolate input-conditioning vs production-gradient mechanisms for #186's matched-scaffold effect". Matching terms: fire, loss, effect, setup, activation. Source: arxiv cs.LG (Machine Learning).
arXiv:2605.08119v1 Announce Type: new Abstract: Tian (2025) proves a repulsion theorem (Theorem 6) for the matrix $ B = (\widetilde{F}^\top \widetilde{F} + \eta I)^{-1} $ during the interactive feature-learning stage of grokking: similar features have negative off-diagonal entries $ B_{j\ell} $, producing an effective repulsive force that drives them apart. However, the theorem does not specify when this mechanism becomes empirically observable, nor whether it leaves a measurable spectral signature in the parameter updates. We test this directly on Tian's modular addition setup ($ M = 71 $, $ K = 2048 $, MSE loss) and observe a clear structure-mechanism dissociation. The predicted sign rule holds robustly on the top-200 most-similar feature pairs across activations (empirical sign-match rising from 0.865 to 0.985 on $ \sigma = x^2 $ across 5 seeds, and saturating at 1.000 on $ \sigma = \operatorname{ReLU} $). However, the spectral signature in the parameter updates is strongly activation-dependent. With $ \sigma = x^2 $, a simple slope detector on the rolling eigengap $ \sigma_2 / \sigma_3 $ of $ \Delta W $ fires in 15/15 grokking seeds at epoch 174 (IQR [173,174]) and in 0/15 non-grokking controls, with 229$ \times $ late-stage magnitude separation; the spectrum is rank-2. In contrast, with $ \sigma = \operatorname{ReLU} $, the detector never fires and the spectrum remains effectively rank-1. This dissociation aligns with Tian's Theorem 5 distinction between focused (power-law) and spreading (ReLU) memorization: while the sign structure of $ B $ depends only on $ \widetilde{F}^\top \widetilde{F} $, how feature repulsion translates into weight updates critically depends on the activation derivative $ \sigma' $.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses negative.
- score 100arxiv cs.LG (Machine Learning)arxiv:2605.08113unread
Do Foundation Model Embeddings Improve Cross-Country Crop Yield Generalisation? A Leave-One-Country-Out Evaluation in Sub-Saharan Africa
Yaw Osei Adjei · 2026-05-12
The authors evaluate whether geospatial foundation model embeddings (Prithvi-EO and ViT-Base) improve crop yield prediction across countries in sub-Saharan Africa compared to traditional spectral features from Sentinel-2 satellite imagery. Using a leave-one-country-out cross-validation scheme on 6,404 maize fields across five countries, they find a large generalization gap: all methods achieve moderate R² within-country but universally negative R² cross-country. Frozen foundation model embeddings provide no meaningful advantage over hand-engineered spectral features, and the main bottleneck is distributional shift in yields across countries, not representation quality. **Main takeaways:** - Within-country cross-validation overstates model performance; leave-one-country-out reveals near-total failure to generalize. - Geospatial foundation model embeddings (Prithvi-EO, ViT-Base) perform no better than traditional spectral features for cross-country yield prediction. - All feature sets achieve universally negative R² under cross-country testing, indicating the models are worse than a constant mean predictor. - The failure is attributed to yield distribution shift between countries, not poor feature quality. - The paper releases a reproducible negative benchmark to guide future work on cross-country agricultural prediction.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, eval, base, under, than. Source: arxiv cs.LG (Machine Learning).
arXiv:2605.08113v1 Announce Type: new Abstract: Accurate predictions of smallholder maize yields across national boundaries are critical for food security planning in sub-Saharan Africa, yet most published benchmarks report within-country performance that overstates true generalisability. This paper evaluates whether geospatial foundation model embeddings, specifically Prithvi-EO-1.0-100M and ViT-Base, outperform traditional Sentinel-2 spectral features under a Leave-One-Country-Out cross-validation scheme on 6,404 maize field observations from five African countries. The results show a clear generalisability gap: within-country random cross-validation yields moderate R^2 values, but all feature sets perform poorly under cross-country testing, with universally negative R^2. Frozen Prithvi-EO embeddings provide no meaningful advantage over engineered spectral features for cross-country prediction in this setting. The paper argues that the main limitation is a shift in yield distribution between countries rather than representation quality and releases a reproducible negative benchmark for future work.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses limitation, negative, benchmark.
- score 100arxiv cs.LG (Machine Learning)arxiv:2605.08111unread
TTCD:Transformer Integrated Temporal Causal Discovery from Non-Stationary Time Series Data
Omar Faruque, Sahara Ali, Xue Zheng, Jianwu Wang · 2026-05-12
The authors propose TTCD (Transformer Integrated Temporal Causal Discovery), an end-to-end framework for learning causal graphs from non-stationary time series. The method combines a Non-Stationary Feature Learner—using temporal and frequency-domain attention plus dynamic non-stationarity profiling—with a Causal Structure Learner that operates on "distilled" reconstructed signals from the transformer decoder. The key innovation is reconstruction-guided causal signal distillation, which filters out noise and spurious correlations while preserving meaningful dependencies. Experiments on synthetic, benchmark, and real-world datasets show TTCD outperforms state-of-the-art causal discovery baselines in accuracy and consistency with domain knowledge. **Main takeaways:** - Existing causal discovery methods struggle with non-stationary, nonlinear, noisy time series due to reliance on conditional independence tests or strong statistical assumptions. - TTCD learns both contemporaneous (same-timestep) and lagged (across-timestep) causal relationships without restrictive assumptions on noise distributions. - Reconstruction-guided distillation uses the transformer decoder's reconstruction process to filter noise and spurious correlations, isolating causal signals. - The Causal Structure Learner infers the causal graph from these distilled signals, avoiding brittle conditional independence tests. - The method consistently outperforms baselines on synthetic, benchmark, and real-world datasets, including better alignment with domain knowledge.
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, attention, base, under, context, effect. Source: arxiv cs.LG (Machine Learning).
arXiv:2605.08111v1 Announce Type: new Abstract: The widespread availability of complex time series data in various domains such as environmental science, epidemiology, and economics demands robust causal discovery methods that can identify intricate contemporaneous and lagged relationships in non-stationary, nonlinear, and noisy settings. Existing constraint-based methods often rely heavily on conditional independence tests that degrade for limited data samples and complex distributions, while score-based methods impose strong statistical assumptions. Recent methods address special cases such as change point detection or distribution shifts, but struggle to provide a unified solution. We propose the Transformer Integrated Temporal Causal Discovery (TTCD) Framework, a novel end-to-end approach that learns contemporaneous and lagged causal relations from non-stationary time series. TTCD introduces a Non-Stationary Feature Learner integrating temporal and frequency-domain attention with dynamic non-stationarity profiling, and a custom Causal Structure Learner. A key innovation is reconstruction-guided causal signal distillation, to distill essential causal signals through the reconstruction process of the transformer decoder, which mitigates noise and spurious correlations while preserving meaningful dependencies. The Causal Structure Learner operates on distilled reconstructed signals to infer the underlying causal graph without restrictive assumptions on noise distributions or data generation processes. Experiments on synthetic, benchmark, and real world datasets show that TTCD consistently outperforms state-of-the-art baselines in both accuracy and consistency with domain knowledge, demonstrating the approach's effectiveness for causal discovery in challenging real world contexts.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses benchmark.
- score 100arxiv cs.LG (Machine Learning)arxiv:2605.08104unread
Distributional Reinforcement Learning via the Cramér Distance
Vanya Aziz, Ivo Nowak, E. M. T Hendrix · 2026-05-12
The authors introduce C-DSAC, a reinforcement learning algorithm that combines the Soft Actor-Critic approach with distributional RL (learning a full distribution over future rewards instead of just an average). They use the squared Cramér distance to train the model and show it beats standard SAC and other distributional methods on robotics benchmarks, especially in complex environments. The key insight is that C-DSAC does "confidence-driven" updates: when the target distribution has high variance (low confidence), the model makes more conservative updates, reducing the impact of overestimated values. **Main takeaways:** - Represents state-action values as distributions rather than single numbers, capturing uncertainty about future rewards - Uses the Cramér distance (a way to measure how different two probability distributions are) for learning - High-variance (uncertain) target distributions automatically lead to smaller, more conservative model updates - Outperforms baseline SAC and other distributional methods, with the gap widening in high-complexity robotics tasks - The confidence-driven update mechanism helps prevent overly optimistic value estimates from corrupting learning
Read next because overlaps with clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#237 Any SFT (LoRA or full-param, EM or benign) collapses Qwen2.5-7B persona geometry to cos ≥0.97 (MODERATE confidence)", experiment "Implement Chen et al. persona-vector extraction recipe and compare to project's centroid-difference recipe". Matching terms: base, under, implement, mechanisms, target. Source: arxiv cs.LG (Machine Learning).
arXiv:2605.08104v1 Announce Type: new Abstract: This paper explores the application of the Soft Actor-Critic (SAC) algorithm within a Distributional Reinforcement Learning setting and introduces an implementation of such algorithm named Cram\'er-based Distributional Soft Actor-Critic (C-DSAC). The novel approach employs distributional reinforcement learning to represent state-action values, and minimizes the squared Cram\'er distance for learning the distribution. Empirical results across various robotic benchmarks indicate that our algorithm surpasses the performance of baseline SAC and contemporary distributional methods, with the performance advantage becoming increasingly pronounced in high-complexity environments. To explain the efficiency of the new approach, we conduct an analysis showing that its superior performance is partly due to \textit{confidence-driven} Q-value updates: High-variance target distributions (low confidence in target) lead to more conservative model updates, thereby attenuating the impact of overestimated values. This work deepens the understanding of distributional reinforcement learning, offering insights into the algorithmic mechanisms governing convergence and value estimation.
Potential threat/caveat for clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)": this item discusses benchmark.
- score 100arxiv cs.LG (Machine Learning)arxiv:2605.08102unread
Path-Based Gradient Boosting for Graph-Level Prediction
Claudio Meggio, Johan Pensar, Riccardo De Bin · 2026-05-12
PathBoost is a gradient boosting method for predicting properties of entire graphs (like molecules or social networks) by learning discriminative path-based features directly from graph structure. It extends previous work by handling binary classification, incorporating multiple node/edge attributes through prefix decomposition, and automatically selecting anchor nodes (starting points for paths) based on attribute diversity. The method matches or beats graph neural networks and graph kernel methods on several benchmarks, especially for graphs with many nodes. **Main takeaways:** - Uses gradient tree boosting to learn which paths through a graph are predictive of the target property - Automatically picks anchor nodes based on how diverse their categorical attributes are, removing the need for manual specification - Handles multiple node and edge attributes by decomposing them into prefix-based features - Competitive with or better than graph neural networks on half of benchmark datasets, particularly strong on larger graphs - Offers an interpretable alternative to black-box graph neural networks by explicitly identifying discriminative path patterns
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#340 Persona-to-assistant cosine distance doesn't predict `[ZLT]` marker-implantation vulnerability on Qwen2.5-7B-Instruct — the originally-claimed effect was tracking prompt length (MODERATE confidence)". Matching terms: rate, base, compare, loss, anchor. Source: arxiv cs.LG (Machine Learning).
arXiv:2605.08102v1 Announce Type: new Abstract: We propose PathBoost, a gradient tree boosting method for graph-level classification and regression that learns discriminative path-based features directly from the input graph structure. Building on a previous work, which was tailored to a specific chemistry application, PathBoost introduces three key extensions: (i) adaptation to binary classification through gradient boosting with a logistic loss, (ii) incorporation of multiple node and edge attributes into the path feature space via a prefix-based decomposition, and (iii) automatic anchor node selection based on categorical attribute diversity, eliminating the need for the user to specify the starting point of the considered path features. We compared PathBoost to graph neural networks and graph kernel approaches on several benchmark datasets, obtaining better results in half of them, and comparable results in the rest. PathBoost shows better performances on graphs with larger average node counts. Overall, the results demonstrate that path-based boosting methods can be competitive with more complex black-box approaches.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses benchmark.
- score 100arxiv cs.LG (Machine Learning)arxiv:2605.08098unread
Reinforcement learning for inverse structural design and rapid laser cutting of kirigami prototypes
Milad Yazdani, Shahriar Shalileh, Dena Shahriari · 2026-05-12
The authors built RL-Kirigami, a system that uses reinforcement learning to design kirigami (paper-cutting patterns) that fold into target 3D shapes. The challenge is that valid designs must satisfy hard geometric constraints (no overlaps, compatible ratios) that aren't differentiable. They combine optimal-transport conditional flow matching (a generative model) with Group Relative Policy Optimization to align the generator with non-differentiable rewards for shape matching and feasibility. The system produces designs that can be laser-cut and physically fabricated in about 8 minutes per part. **Main takeaways:** - Inverse design problem: given a target 3D shape, find a 2D cutting pattern that folds into it - Uses flow matching to generate candidate designs, then RL (GRPO) to optimize for shape accuracy, geometric feasibility, and smoothness - A single sample from the pretrained model achieves 94.2% shape match, outperforming solver baselines while using far fewer simulator evaluations - Adding RL improves accuracy to 94.91% and makes designs smoother (lower total variation) - Generated designs were successfully laser-cut and physically deployed as working prototypes
Read next because overlaps with clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)", clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)". Matching terms: rate, eval, base, trained, under, target. Source: arxiv cs.LG (Machine Learning).
arXiv:2605.08098v1 Announce Type: new Abstract: Kirigami is an increasingly useful fabrication method to produce shape-programmable metamaterial structures. However, inverse design remains difficult because deployment is nonlinear, and feasible cut layouts must satisfy discrete compatibility rules, avoid overlap, and map one target shape to valid designs. We present RL-Kirigami, an inverse design framework that combines optimal-transport conditional flow matching (OT-CFM) with reinforcement learning to generate compatible ratio fields for compact reconfigurable parallelogram quad kirigami. A marching decoder enforces global geometric compatibility, and Group Relative Policy Optimization (GRPO) aligns the generator with nondifferentiable rewards for silhouette matching, feasibility, and ratio-field regularity. Across procedurally generated target shape instances, a single sample from the pretrained OT-CFM prior reached $94.2%$ sIoU and outperformed solver baselines while reducing forward simulator evaluations from hundreds to 1. GRPO improved accuracy to $94.91%$ sIoU and, with regularity included, reduced $\mathrm{TV}(\mathbf{x})$ from 0.95 to 0.81 while maintaining $94.83%$ sIoU. Generated layouts were exported to DXF and laser-cut in $50~\mu\mathrm{m}$ polymeric sheets to produce deployable prototypes in $8.0 \pm 1.0$ minutes per part. These results support a manufacturing-aware inverse design workflow for deployable kirigami metamaterials under hard geometric feasibility constraints.
Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses evaluation.
- score 96arxiv cs.AI (Artificial Intelligence)arxiv:2605.08445unread
Measuring What Matters: Benchmarking Generative, Multimodal, and Agentic AI in Healthcare
Prasanna Desikan, Harshit Rajgarhia, Shivali Dalmia, Ananya Mantravadi · 2026-05-12
The authors argue that current AI benchmarks in healthcare measure what models know (e.g., medical exam scores) but not whether they perform reliably on real clinical tasks. Frontier models score near-perfect on licensing exams but drop to 0.74–0.85 on clinical documentation, 0.61–0.76 on decision support, and only 0.53–0.63 on administrative workflow tasks. The paper calls for a principled framework for designing benchmarks that test reliability, safety, and clinical relevance under real-world conditions, not just narrow task performance. High benchmark scores create a false sense of deployment readiness. **Main takeaways:** - Frontier models achieve near-perfect scores on medical licensing exams but perform much worse on real clinical tasks (documentation 0.74–0.85, decision support 0.61–0.76, admin/workflow 0.53–0.63) - The gap between benchmark performance and real-world utility widens as AI systems take on more consequential clinical roles - Current benchmarks test "what a model knows" rather than "whether it can perform reliably without failing" across complex, high-stakes workflows - High scores on existing benchmarks give a false sense of deployment readiness - The field needs systematic methods to measure reliability, safety, and clinical relevance under real-world conditions, not ad hoc dataset construction optimized for narrow tasks
Read next because overlaps with clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)", clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", clean result "#237 Any SFT (LoRA or full-param, EM or benign) collapses Qwen2.5-7B persona geometry to cos ≥0.97 (MODERATE confidence)". Matching terms: eval, system, under. Source: arxiv cs.AI (Artificial Intelligence).
arXiv:2605.08445v1 Announce Type: new Abstract: AI models are increasingly deployed in live clinical environments where they must perform reliably across complex, high-stakes workflows that standard training and validation datasets were never designed to capture. Evaluating these systems requires benchmarks: structured combinations of tasks, datasets, and metrics that enable reproducible, comparable measurement of what a model can do. The central challenge in healthcare AI is not performance alone, but the absence of systematic methods to measure reliability, safety, and clinical relevance under real-world conditions. Most existing benchmarks test what a model knows; too few test whether it can perform reliably and without failing across the full complexity of real clinical tasks. Current benchmarks have accumulated through ad hoc dataset construction optimized for narrow task performance: frontier models achieve near-perfect scores on medical licensing examinations, but when evaluated across real clinical tasks, performance degrades sharply, scoring 0.74--0.85 on documentation, 0.61--0.76 on clinical decision support, and only 0.53--0.63 on administrative and workflow tasks \cite{medhelm}. High benchmark scores give a false sense of deployment readiness, and the gap between performance and utility widens precisely as AI systems take on more consequential clinical roles. Without a principled framework for benchmark design, the field cannot determine whether poor clinical performance reflects model limitations or failures in how performance is being measured.
Potential threat/caveat for clean result "Stretching turn count, completion length, or system-prompt length at train time fails to amplify marker uptake; the longest system prompt instead leaks across bystander personas (LOW confidence)": this item discusses failure, failures, limitation, limitations, benchmark.
- score 84arxiv cs.CR (Cryptography and Security)arxiv:2605.09124unread
Smart Contract Security Beyond Detection
Tamer Abdelaziz · 2026-05-12
This paper surveys the expanding frontier of smart-contract security beyond simple vulnerability detection, organizing work into four directions: using foundation models for semantic reasoning about vulnerabilities, automated repair with formal guarantees, adversarial learning for robust malicious-contract detection, and real-time exploit detection at blockchain scale. The authors connect these to two recent studies characterizing where analyzers fall short and how to detect malicious transactions in real time, framing the whole as a research roadmap for students designing capstone projects. **Main takeaways:** - Smart-contract security now spans semantic reasoning, automated repair, adversarial robustness, and real-time exploit detection — not just static vulnerability scanners. - Foundation models are being applied to reason about contract semantics and vulnerabilities in natural language. - Automated repair aims for formal correctness guarantees, not just heuristic patching. - Real-time transaction-level detection is now feasible at blockchain scale, moving beyond post-hoc analysis.
Read next because overlaps with clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", experiment "Implement Chen et al. persona-vector extraction recipe and compare to project's centroid-difference recipe". Matching terms: base, system, project. Source: arxiv cs.CR (Cryptography and Security).
arXiv:2605.09124v1 Announce Type: new Abstract: Smart contract security has progressed from vulnerability detection toward a broader research agenda that includes semantic reasoning, automated repair, adversarial robustness, and real-time exploit detection. This paper develops a capstone-oriented research narrative around four directions: foundation-model-based smart contract semantics and vulnerability reasoning [1], automated smart contract repair with formal guarantees [2], adversarial learning for robust malicious contract and transaction detection [3], and real-time transaction-level exploit detection at blockchain scale [4]. We connect these directions to two recent studies that characterize the current frontier: a diagnostic analysis of where smart contract security analyzers fall short [5] and a scalable real-time system for malicious Ethereum transaction detection [6]. The resulting framework is intended to help students formulate capstone projects that are technically grounded, empirically measurable, and aligned with contemporary smart contract security research.
Potential threat/caveat for clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)": this item discusses robustness, adversarial.
- score 80arxiv cs.CL (NLP)arxiv:2605.07153unread
Beyond Reasoning: Reinforcement Learning Unlocks Parametric Knowledge in LLMs
Wanli Yang, Hongyu Zang, Junwei Zhang, Wenjie Shi, Du Su, Jingang Wang, Xueqi Cheng, Fei Sun · 2026-05-12
The authors use reinforcement learning (RL) on binary correctness rewards to improve a language model's ability to recall factual knowledge directly, without any chain-of-thought reasoning. Testing on closed-book QA, they get roughly 27% relative improvement across models. Mechanistically, RL doesn't teach new facts—it moves correct answers that already exist somewhere in the model's outputs (often in the low-probability tail) up into the top greedy predictions. The hardest training examples (where the right answer appeared in fewer than 1 in 128 pre-RL samples) drive 83% of the improvement, because even rare correct rollouts get reinforced. **Main takeaways:** - RL on simple correctness rewards improves factual recall by ~27% without reasoning chains or memorization of training data - The mechanism is probability redistribution: moving existing correct answers from rare samples to greedy top-1 outputs - The hardest examples (18% of training data) contribute 83% of the gain because their occasional correct rollouts get amplified - RL acts as a tool for "unlocking" latent knowledge rather than installing new facts
Read next because overlaps with clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)", experiment "Hypothesis: post-training represents backdoors less saliently than pretraining". Matching terms: base, than. Source: arxiv cs.CL (NLP).
arXiv:2605.07153v1 Announce Type: new Abstract: Reinforcement learning (RL) has achieved remarkable success in LLM reasoning, but whether it can also improve direct recall of parametric knowledge remains an open question. We study this question in a controlled zero-shot, one-hop, closed-book QA setting with no chain-of-thought, training only on binary correctness rewards and applying fact-level train-test deduplication to ensure gains reflect improved recall rather than reasoning or memorization. Across three model families and multiple factual QA benchmarks, RL yields ~27% average relative gains, surpassing both training- and inference-time baselines alike. Mechanistically, RL primarily redistributes probability mass over existing knowledge rather than acquiring new facts, moving correct answers from the low-probability tail into reliable greedy generations. Our data-attribution study reveals that the hardest examples are the most informative: those whose answers never appear in 128 pre-RL samples (only ~18% of training data) drive ~83% of the gain, since rare correct rollouts still emerge during training and get reinforced. Together, these findings broaden the role of RL beyond reasoning, repositioning it as a tool for unlocking rather than acquiring latent parametric knowledge.
Potential threat/caveat for clean result "Training a `[ZLT]` persona-marker into Qwen-2.5-7B doesn't increase system-prompt attention at the marker timestep — base Qwen on identical tokens attends the same way (LOW confidence)": this item discusses benchmark.
Methods
- score 4arxiv stat.ML (Machine Learning)arxiv:2605.09986unread
Federated Language Models Under Bandwidth Budgets: Distillation Rates and Conformal Coverage
Prasanjit Dubey, Xiaoming Huo · 2026-05-12
The authors study training and inference for language models when data is distributed across bandwidth-limited nodes that can't be centralized (e.g., hospitals, enterprise silos). They analyze two protocols: Federated Probe-Logit Distillation (FPLD) for training and Federated Conformal RAG (FC-RAG) for calibrated inference under explicit bandwidth budgets. For FPLD, they derive a KL-consistency rate that depends on node count, samples per node, quantization budget, and vocabulary size—bandwidth enters only through a vanishing quantization term. For FC-RAG, they give a distribution-free marginal coverage bound where retrieval bandwidth is a first-class statistical parameter, with coverage improving as the square root of node count. **Main takeaways:** - Provides explicit high-probability KL-consistency rate for federated training (FPLD) showing bandwidth enters mainly through quantization, which vanishes exponentially - Gives distribution-free coverage guarantees for federated conformal inference (FC-RAG) where retrieval bandwidth directly affects calibration slack - Coverage improves as 1/sqrt(K) when aggregating across K nodes with uniform per-node bandwidth - Synthetic experiments verify the predicted scaling; GPT-2 experiments show the bandwidth-accuracy tradeoff holds in practice
Addresses federated LLM training which is adjacent to distributed fine-tuning concerns, but focuses on statistical guarantees rather than persona implantation, backdoor behavior, or LoRA fine-tuning dynamics studied in the research context.
arXiv:2605.09986v1 Announce Type: new Abstract: Training a language model on data scattered across bandwidth-limited nodes that cannot be centralized is a setting that arises in clinical networks, enterprise knowledge bases, and scientific consortia. We study the regime in which data must remain distributed across nodes, and ask what statistical guarantees are in principle achievable under explicit bandwidth budgets; we aim to characterize what is provably possible, not to demonstrate a deployment-ready system. Existing theory treats either training-time consistency or inference-time calibration in isolation, and none makes bandwidth a first-class statistical parameter. We analyze two protocols, Federated Probe-Logit Distillation (FPLD) for training and Federated Conformal RAG (FC-RAG) for inference, as the analytical vehicles for our results. Our first main result is an explicit high-probability KL-consistency rate for FPLD with simultaneous dependence on node count $K$, per-node sample size $n$, quantization budget $B$, probe-set size $m$, and vocabulary size $V$; bandwidth enters only through an exponentially vanishing quantization term. Our second main result is a distribution-free marginal-coverage bound for FC-RAG, whose novel retrieval-bandwidth slack $\Delta_{\mathrm{RAG}} = f_{\max}\sqrt{K^{-2}\sum_i v(B_i)}$ makes per-node retrieval bandwidth a first-class statistical parameter, with arithmetic aggregation across $K$ nodes shrinking the slack as $K^{-1/2}$ in the per-node-uniform regime. A Pinsker-type corollary composes the two bounds into an end-to-end coverage guarantee. Synthetic experiments verify the predicted scaling along the bounds' parameters; small-scale experiments on a GPT-2 testbed illustrate that the qualitative bandwidth-accuracy tradeoff survives on a real language model. A deployment-scale empirical evaluation is out of scope.
- score 3arxiv stat.ML (Machine Learning)arxiv:2605.10385unread
Regret Analysis of Guided Diffusion for Black-Box Optimization over Structured Inputs
Masaki Adachi, Anita Yang, Yakun Wang, Song Liu · 2026-05-12
The authors develop a regret analysis framework for using pretrained diffusion models in black-box optimization over structured inputs like molecules or crystals. Traditional Bayesian optimization regret bounds rely on maximum information gain and exact acquisition maximization, which don't apply when you're using a pretrained diffusion model as a structural prior and sampling candidates rather than exactly optimizing an acquisition function. They propose a certificate-based framework where the key quantity is "mass lift" — how much more probability the guided diffusion assigns to near-optimal designs compared to the pretrained generator. **Main takeaways:** - Existing Bayesian optimization regret analyses don't apply to guided-diffusion pipelines because they assume non-pretrained surrogates and exact acquisition maximization. - The authors introduce a certificate-based expected simple-regret framework that avoids maximum-information-gain bounds and RKHS assumptions. - The central quantity is "mass lift": the increase in probability mass assigned to near-optimal designs relative to the pretrained generator. - This view explains how exponential-looking finite-budget convergence and polynomial acceleration can arise from the same mechanism. - The paper provides practical diagnostics for estimating search exponents from finite candidate pools and a proposal-corrected resampling construction for certified sampling.
Diffusion-based BO theory; no direct relevance to LLM fine-tuning or persona/backdoor experiments.
arXiv:2605.10385v1 Announce Type: new Abstract: Guided-diffusion black-box optimization (BO) has shown strong empirical performance on structured design problems such as molecules and crystals, but its regret behavior remains poorly understood. Existing BO regret analyses typically rely on maximum information gain, non-pretrained surrogate models, or exact acquisition maximization -- assumptions that break down in modern diffusion -- BO pipelines, where pretrained diffusion models serve as powerful priors over valid structures and acquisition maximization is replaced by approximate sampling over astronomically large discrete spaces. We develop a first certificate-based expected simple-regret framework for guided-diffusion BO that avoids maximum-information-gain bounds, RKHS assumptions, and exact acquisition maximization. The central quantity in our analysis is mass lift: the increase in probability mass assigned to near-optimal designs relative to the pretrained generator. This view explains how exponential-looking finite-budget convergence and polynomial acceleration can all arise from the same mechanism. We also give practical diagnostics for estimating search exponents from finite candidate pools and a proposal-corrected resampling construction that provides a fully certified sampler instance.
- score 3arxiv stat.ML (Machine Learning)arxiv:2605.10163unread
Coarsening Linear Non-Gaussian Causal Models with Cycles
Francisco Madaleno, Francisco C Pereira, Alex Markham · 2026-05-12
The paper extends causal abstraction (summarizing high-dimensional causal structure with a low-dimensional graph) to handle high-dimensional models with cycles. In the linear non-Gaussian (LiNG) setting, they show you can still recover a low-dimensional causal DAG (directed acyclic graph) even when the detailed high-dimensional model has cycles. This low-dimensional DAG is invariant across the observational equivalence class (models that differ only by cycle reversals) and can be learned in cubic time with explicit sample complexity bounds, much faster than exponential-time methods for the full equivalence class. **Main takeaways:** - Relaxes the acyclicity assumption for high-dimensional causal models while still recovering a low-dimensional acyclic summary - The low-dimensional DAG represents the observational equivalence class of cyclic LiNG models (models differing only by cycle reversals) - Learning algorithm runs in cubic time with provable sample complexity, far faster than exponential-time methods for the full high-dimensional equivalence class - Provides open source code and synthetic experiments validating the theory
Causal abstraction / DAG learning paper; not directly relevant to LLM persona experiments, though causal structure over latent representations is a loosely related theme.
arXiv:2605.10163v1 Announce Type: new Abstract: Recent work on causal abstraction, in particular graphical approaches focusing on causal structure between clusters of variables, aims to summarize a high-dimensional causal structure in terms of a low-dimensional one. Existing methods for learning such summaries from data assume that both the high- and low-dimensional structures are acyclic, which is helpful for causal effect identification and reasoning but excludes many high-dimensional models and thus limits applicability. We show that in the linear non-Gaussian (LiNG) setting, the high-dimensional acyclicity assumption can be relaxed while still allowing recovery of a low-dimensional causal directed acyclic graph (DAG). We further connect identifiability of this low-dimensional DAG to existing results: LiNG models with cycles are observationally identifiable only up to an equivalence class whose members differ by reversals of directed cycles; our low-dimensional DAG, which is invariant across all members of a given equivalence class, thus forms a natural representative of the class. While existing approaches for learning this observational equivalence class over high-dimensional variables have exponential time complexity, our low-dimensional summary is learned in worst-case cubic time and comes with explicit bounds on the sample complexity. We provide open source code and experiments on synthetic data to corroborate our theoretical results.
- score 3arxiv stat.ML (Machine Learning)arxiv:2605.09834unread
Supercharging Bayesian Inference with Reliable AI-Informed Priors
Jongwoo Choi, Sean O'Hagan · 2026-05-12
The authors tackle a problem that comes up when you want to use AI model predictions as prior beliefs for Bayesian inference: the AI might be wrong, and that error gets baked into your statistical conclusions. They propose "rectifying" the AI-generated distribution before using it as a prior—essentially correcting for known biases in the model's outputs. They show that this rectified prior reduces bias in the resulting posterior estimates, improves the coverage of credible intervals (the intervals actually contain the true value as often as they should), and boosts predictive performance on a real medical classification task. **Main takeaways:** - Standard practice of using AI predictions directly as priors can propagate model errors into your statistical inference - The rectification step corrects the AI's output distribution before building a prior, reducing downstream bias - They prove Gaussian asymptotics for the posterior and derive expressions for centering bias under their framework - Empirical results show better credible interval coverage and improved predictive performance on skin disease classification - The method works with flexible prior structures like Dirichlet processes
Bayesian prior elicitation using AI models is a novel direction; loosely related to the broader question of how model-generated data shapes learned representations, but no direct bearing on persona leakage or backdoor experiments.
arXiv:2605.09834v1 Announce Type: new Abstract: Modern predictive systems encode beliefs that can act as useful prior information for statistical inference in data-limited settings. Using them for prior construction introduces a tradeoff: an informative prior built from a predictive model can sharpen inference from limited data, but also risks propagating error from the model into the posterior. We propose a framework for AI-informed prior elicitation that mitigates this tension by rectifying the AI-induced law that generates synthetic data before using it to inform a prior. The rectified law can be embedded into synthetic data-driven prior elicitation techniques, including as a base measure in a Dirichlet process (DP) prior on the data-generating process. We refer to the resulting prior and corresponding posterior as the rectified AI prior and rectified AI posterior. We establish Gaussian asymptotics for the rectified AI posterior under non-vanishing prior strength and derive a first-order expression for its centering bias. Our rectified AI priors substantially reduce bias compared to standard approaches, improve the coverage of credible intervals, and make AI-powered prior information more reliable. We additionally apply the rectified AI prior to a real skin disease classification task and show that it can meaningfully boost predictive performance.
- score 3arxiv stat.ML (Machine Learning)arxiv:2605.08777unread
Measuring and Decomposing Mode Separation via the Canonical Diffusion
Shaul Tolkovsky, Ori Meidler, Or Zuk · 2026-05-12
The authors propose a new way to measure whether a high-dimensional distribution is fragmented into separated clusters ("mode separation") versus just spread out. They construct a diffusion process whose stationary distribution matches the data, then analyze its autocovariance: SSA (a scalar summarizing barrier strength) and DA (directions ordered by metastability, not variance). They derive theory under a Gaussian null and apply the method using pretrained score-based generative models to scale to high dimensions. **Main takeaways:** - Mode separation (how sharply a distribution splits into barrier-separated clusters) is geometrically distinct from dispersion, but existing tools like entropy and PCA don't capture it - They use a reversible diffusion process with the target density as its equilibrium and extract two readouts from its autocovariance matrix - SSA (Sum of Squared Autocorrelations) is a scalar that rises with barrier strength; DA (Dominant Autocorrelation directions) finds metastable directions instead of high-variance ones like PCA - The method works with samples and a score function, so it scales via pretrained diffusion models - Applications include Gaussian mixtures (SSA tracks mutual information), SDXL image generation (reveals structure entropy/PCA miss), and molecular dynamics (recovers known slow degrees of freedom)
Interesting geometric/statistical tool for high-dimensional distribution analysis; tangentially related to persona geometry analysis but not directly applicable to current experiments.
arXiv:2605.08777v1 Announce Type: new Abstract: Mode separation, namely how sharply a distribution fragments into barrier-separated clusters, is a fundamental geometric property of densities, difficult to quantify in high dimensions. It is structurally distinct from dispersion, yet existing tools fall short: differential entropy rises with spread regardless of fragmentation, PCA orders directions by variance regardless of barriers, and mutual information requires a mixture decomposition one usually does not have. We measure mode separation through a single stochastic process intrinsic to the density: a unique reversible diffusion with $f$ as its stationary distribution and constant scalar diffusion coefficient. We extract two readouts from its autocovariance matrix: SSA (Sum of Squared Autocorrelations), a scalar barrier-sensitive measure; and DA (Dominant Autocorrelation directions), linear projections ordered by metastability rather than variance. Under an isotropic-Gaussian null, we derive a closed-form spectrum for the empirical autocovariance that generalizes Marchenko--Pastur, with an analytic upper edge that selects the lag at which DA is read off. Both readouts use only samples and a score function, scaling to high dimensions through pretrained score-based generative models via Tweedie's identity. We apply our framework to three settings: (i) synthetic Gaussian mixtures, where SSA tracks mutual information; (ii) SDXL text-to-image generations, where SSA and DA capture structure that entropy and PCA miss; and (iii) molecular dynamics of alanine dipeptide, where DA recovers the known slow backbone dihedrals from static samples alone.
- score 3arxiv stat.ML (Machine Learning)arxiv:2605.08546unread
Sliced Inner Product Gromov-Wasserstein Distances
Xiaoyun Gong, Gabriel Rioux, Ziv Goldfeld · 2026-05-12
The authors tackle the Gromov-Wasserstein (GW) problem—a framework for aligning datasets by matching their intrinsic geometry—using slicing techniques to improve scalability. Unlike standard Wasserstein distances, GW problems don't have closed-form solutions in one dimension, making slicing hard. They solve this for the inner-product version (IGW), propose a sliced IGW distance with rotational invariance, and study its properties. **Main takeaways:** - Gromov-Wasserstein provides a way to align heterogeneous datasets by matching geometry, but it's computationally expensive in high dimensions - Slicing (projecting to one dimension and solving there) works well for Wasserstein distances but GW problems lack one-dimensional closed forms - They resolve this for inner-product GW (IGW) and define a sliced IGW distance that's rotationally invariant - Comprehensive theory covers structural and computational properties - Applications include clustering text data from different sources and comparing language model representations
Mentions LM representation comparison as an application, but the core work is geometric/OT theory with no direct bearing on persona markers or backdoors.
arXiv:2605.08546v1 Announce Type: new Abstract: The Gromov-Wasserstein (GW) problem provides a framework for aligning heterogeneous datasets by matching their intrinsic geometry, but its statistical and computational scaling remains an issue for high-dimensional problems. Slicing techniques offer an appealing route to scalability, but, unlike Wasserstein distances, GW problems do not generally admit closed-form solutions in one-dimension. We resolve this problem for the GW problem with inner product cost (IGW), propose a sliced IGW distance that enjoys a natural rotational invariance property, and comprehensively study its structural and computational properties. Numerical experiments validating our theory are presented, followed by applications to heterogeneous clustering of text data and language model representation comparison.
- score 2arxiv stat.ML (Machine Learning)arxiv:2605.10383unread
Multifidelity Gaussian process regression for solving nonlinear partial differential equations
Fatima-Zahrae El-Boukkouri, Josselin Garnier, Olivier Roustant · 2026-05-12
The authors propose using multifidelity Gaussian process regression (cokriging) to solve nonlinear partial differential equations. The key idea is to learn a good kernel from cheap low-fidelity simulations, then use that learned kernel in a high-fidelity Gaussian process framework. They fit a differentiable non-stationary kernel to an empirical kernel from low-fidelity runs, derive a high-fidelity kernel with estimated hyperparameters, and construct a high-fidelity mean using the multifidelity framework. They demonstrate the approach on Burgers' equation. **Main takeaways:** - Kernel-method PDE solvers depend heavily on kernel choice, which is hard to specify a priori for nonlinear equations. - The authors use cokriging (multifidelity Gaussian processes) to learn a kernel from cheap low-fidelity simulations. - The learned kernel is then used in a high-fidelity Gaussian process for solving the PDE. - The approach leverages empirical information from multifidelity simulations to avoid manual kernel tuning. - Demonstration on Burgers' equation shows the method works in practice.
PDE/kernel methods paper; completely unrelated to LLM persona or backdoor research.
arXiv:2605.10383v1 Announce Type: new Abstract: Solving nonlinear partial differential equations (PDEs) using kernel methods offers a compelling alternative to traditional numerical solvers. However, the performance of these methods strongly depends on the choice of kernel. In this work, as the available information is inherently multifidelity, we propose a kernel learning approach based on cokriging, leveraging empirical information from multifidelity simulations. In the first step, we fit a differentiable non-stationary kernel to an empirical kernel obtained from low-fidelity simulations. In the second step, we derive a high-fidelity kernel with estimated hyperparameters, and construct a corresponding high-fidelity mean using the multifidelity framework. These components can then be used within a Gaussian process framework for solving PDEs. Finally, we demonstrate the performance of the proposed physics-informed method on the Burgers' equation.
- score 2arxiv stat.ML (Machine Learning)arxiv:2605.10330unread
Fast Training of Mixture-of-Experts for Time Series Forecasting via Expert Loss Integration
Btissame El Mahtout, Florian Ziel · 2026-05-12
The authors build a mixture-of-experts (MoE) model for time series forecasting that trains experts to specialize by giving each expert its own loss function—not just a global prediction loss, but also expert-specific errors that guide which expert learns what patterns. They combine this with incremental online updates so you can adapt the model without retraining from scratch every time, cutting computational cost. Tests on economic, tourism, and energy datasets show the approach beats standard statistical methods and modern neural architectures (Transformers, WaveNet) in both accuracy and efficiency. **Main takeaways:** - Each expert gets its own loss signal during training, encouraging specialization beyond what a shared global loss would provide - Online learning lets you update the gating network and expert weights incrementally, avoiding full retraining - Outperforms statistical baselines and Transformer/WaveNet models on multiple real-world forecasting tasks - Ablation studies confirm that the expert-specific loss design is doing real work—not just a hyperparameter tweak
Time series forecasting paper; no relevance to LLM fine-tuning or persona/backdoor research.
arXiv:2605.10330v1 Announce Type: new Abstract: We propose a novel adaptive Mixture-of-Experts (MoE) framework for time series forecasting that enhances expert specialization by incorporating expert-specific loss information directly into the training process. Notably, the overall objective comprises the base forecasting loss and expert-specific losses, allowing expert-level prediction errors to jointly shape training alongside the global forecasting loss. This framework is further combined with a partial online learning strategy, enabling incremental updates of both the gating mechanism and expert parameters. This approach significantly reduces computational cost by eliminating the need for repeated full model retraining. By integrating expert-level loss awareness with efficient online optimization, the proposed method achieves improved learning efficiency while maintaining strong predictive performance. Empirical results across economic, tourism, and energy datasets with varying frequencies demonstrate that the proposed approach generally outperforms both statistical methods and state-of-the-art neural network models, such as Transformers and WaveNet, in forecasting accuracy and computational efficiency. Furthermore, ablation studies confirm the effectiveness of the expert-specific loss integration strategy, highlighting its contribution to enhancing predictive performance.
- score 2arxiv stat.ML (Machine Learning)arxiv:2605.10290unread
Characterizing the Generalization Error of Random Feature Regression with Arbitrary Data-Augmentation
Lucas Morisset, Alain Durmus, Adrien Hardy · 2026-05-12
The paper analyzes how data augmentation regularizes regression models when the number of features grows proportionally with the number of samples (the "proportional regime"). They derive a tight formula for test error (mean squared error) that depends only on the true data distribution and simple statistics of the augmentation scheme—first and second moments. The results apply even when the feature map is misspecified and hold for any network where only the final layer is trained (frozen or random features below). **Main takeaways:** - Characterizes test error in the proportional regime (features scale with samples) in terms of population quantities and augmentation statistics - Works under model misspecification and for any architecture with a frozen feature extractor and trainable readout layer - Provides concrete results for Gaussian data showing the asymptotic formulas are tight - Explains the regularization effect of data augmentation through first and second order statistics of the augmentation distribution
Data augmentation theory in proportional regime; not relevant to LLM persona marker implantation or backdoor experiments.
arXiv:2605.10290v1 Announce Type: new Abstract: This paper aims at analyzing the regularization effect that data augmentation induces on supervised regression methods in the proportional regime, where the number of covariates grows proportionally to the number of samples. We provide a tight characterization of the test error, measured in mean squared error, in terms only of the population quantities of the true data, as well as first and second order statistics of the augmentation scheme. Our results are valid under misspecified feature maps, and for any network architecture where only the last readout layer is trained, and the rest of the network is either frozen or randomly initialized. We specify our results in the case of Gaussian data, and show that our asymptotic characterization is tight in this setting.
- score 2arxiv stat.ML (Machine Learning)arxiv:2605.10285unread
Scalable Gaussian process inference via neural feature maps
Anthony Stephenson · 2026-05-12
The authors propose using neural networks to learn feature maps that define kernels for Gaussian processes (GPs), enabling fast exact GP inference at scale. They show the learned feature map can be seen as an optimal low-rank approximation to a Gram matrix from an implied reproducing kernel Hilbert space (RKHS—a function space with an inner product defined by the kernel), and prove the GP posterior is consistent. They also introduce product feature-map kernels to avoid oversmoothing. The method handles regression and classification across tabular and image data, and benchmarks show it beats existing GP methods in accuracy and speed. **Main takeaways:** - Neural feature maps define expressive kernels that enable fast, scalable exact GP inference without expensive precomputation - The learned feature map is provably an optimal low-rank approximation to a kernel Gram matrix, with posterior consistency guarantees - Product feature-map kernels prevent oversmoothing by combining multiple feature maps - Outperforms prior GP methods on benchmarks across diverse data types (tabular, images)
GP inference paper; no relevance to LLM fine-tuning, persona leakage, or backdoor research.
arXiv:2605.10285v1 Announce Type: new Abstract: We present a theoretically grounded Gaussian process framework that leverages neural feature maps to construct expressive kernels. We show that the learned feature map can be interpreted as an optimal low-rank approximation to a Gram matrix derived from an implied RKHS, from which we establish consistency of the GP posterior. We further analyse the spectral properties of the induced kernels and introduce product feature-map kernels to address oversmoothing. This simple yet powerful approach enables fast, scalable, and accurate exact GP inference with minimal upfront work. The flexibility of kernel design supports seamless application to both regression and classification tasks across diverse data modalities, including tabular inputs and structured domains such as images. On benchmark datasets, this approach surpasses pre-existing methods in terms of accuracy and training and prediction efficiency.
- score 2arxiv stat.ML (Machine Learning)arxiv:2605.10137unread
PFN-TS: Thompson Sampling for Contextual Bandits via Prior-Data Fitted Networks
Yan Shuo Tan, Kenyon Ng, Ruizhe Deng, Sumetha Loganathan, Qiong Zhang, Bibhas Chakraborty · 2026-05-12
The authors develop PFN-TS, a Thompson sampling algorithm for contextual bandits that uses prior-data fitted networks (PFNs) like TabPFN and TabICL to approximate Bayesian posteriors in one forward pass. The challenge is that PFNs predict noisy rewards, but Thompson sampling needs uncertainty over the mean reward function. They solve this by estimating posterior variance from a subsampled predictive sequence (a logarithmic grid of dataset prefixes instead of the full sequence), then sampling mean rewards via a central limit theorem. They prove the variance estimator is consistent, bound the regret, and show strong empirical results across synthetic, OpenML, and mobile-health benchmarks. **Main takeaways:** - Converts PFN posterior predictives (which model noisy rewards) into samples of the mean reward function using a subsampled predictive CLT - Estimates posterior variance from O(log n) dataset prefixes rather than the full O(n) sequence, reusing cached representations for efficiency - Provides a regret bound decomposing error into exact posterior-sampling regret under the PFN prior plus approximation terms - Achieves best average rank across nonlinear benchmarks and high estimated policy value in an offline mobile-health task
Contextual bandit / Thompson sampling paper; not relevant to persona markers or backdoor research.
arXiv:2605.10137v1 Announce Type: new Abstract: Thompson sampling is a widely used strategy for contextual bandits: at each round, it samples a reward function from a Bayesian posterior and acts greedily under that sample. Prior-data fitted networks (PFNs), such as TabPFN v2+ and TabICL v2, are attractive candidates for this purpose because they approximate Bayesian posterior predictive distributions in a single forward pass. However, PFNs predict noisy future rewards, while Thompson sampling requires uncertainty over the latent mean reward function. We propose PFN-TS, a Thompson sampling algorithm that converts PFN posterior predictives into mean-reward samples using a subsampled predictive central limit theorem. The method estimates posterior variance from a geometric grid of $O(\log n)$ dataset prefixes rather than the full $O(n)$ predictive sequence used in previous predictive-sequence approaches, and reuses TabICL's cached representations across rounds. We prove consistency of the subsampled variance estimator and give a Bayesian regret bound that decomposes PFN-TS regret into exact posterior-sampling regret under the PFN prior plus approximation terms. Empirically, PFN-TS achieves the best average rank across nonlinear synthetic and OpenML classification-to-bandit benchmarks, remains competitive on linear and BART-generated rewards, and attains the highest estimated policy value in an offline mobile-health evaluation. Code is available at https://anonymous.4open.science/r/PFN_TS-36ED/.
- score 2arxiv stat.ML (Machine Learning)arxiv:2605.10015unread
Differentially Private Sampling from Distributions via Wasserstein Projection
Shokichi Takakura, Seng Pei Liew, Satoshi Hasegawa · 2026-05-12
The paper tackles differentially private (DP) sampling from a distribution, addressing two limitations of prior work that used KL divergence: it ignores geometric structure and fails when distribution supports differ. They propose using Wasserstein distance (which measures the minimum "transport cost" to move probability mass between distributions) as the utility measure instead. They introduce the Wasserstein Projection Mechanism (WPM), a minimax optimal DP sampling method based on projecting onto the feasible distribution set under Wasserstein distance, and provide efficient approximation algorithms with convergence guarantees. **Main takeaways:** - Uses Wasserstein distance instead of KL divergence to measure utility of DP sampling, capturing geometric structure and handling different supports - Proposes Wasserstein Projection Mechanism (WPM) as a minimax optimal DP sampling method - Provides efficient approximation algorithms for computing WPM with convergence guarantees - Addresses key limitations of density ratio-based measures like KL divergence in the DP sampling setting
Differential privacy / sampling theory; no relevance to LLM persona or backdoor research.
arXiv:2605.10015v1 Announce Type: new Abstract: In this paper, we study the problem of sampling from a distribution under the constraint of differential privacy (DP). Prior works measure the utility of DP sampling with density ratio-based measures such as KL divergence. However, such formulations suffer from two key limitations: 1) they fail to capture the geometric structure of the support, and 2) they are not applicable when the supports of the distributions differ. To deal with these issues, we develop a novel framework for DP sampling with Wasserstein distance as the utility measure. In this formulation, we propose Wasserstein Projection Mechanism (WPM), a minimax optimal mechanism based on Wasserstein projection. Furthermore, we develop efficient algorithms for computing the proposed mechanisms approximately and provide convergence guarantees.
- score 2arxiv stat.ML (Machine Learning)arxiv:2605.09857unread
Unified Approach for Weakly Supervised Multicalibration
Futoshi Futami, Takashi Ishida · 2026-05-12
The paper extends multicalibration (requiring predicted scores to match true label probabilities across many subgroups and score-dependent tests) to weakly supervised learning settings where clean labels are unavailable—like positive-unlabeled learning or noisy-label scenarios. Existing multicalibration methods assume clean input-label pairs for evaluation and correction, which doesn't hold in these regimes. The authors develop estimators of multicalibration error and post-hoc correction methods for weak supervision by combining contamination-matrix risk corrections with witness-based calibration constraints, yielding corrected multicalibration moments with finite-sample guarantees. They propose WLMC, a generic recalibration algorithm for weak supervision. **Main takeaways:** - Extends multicalibration (calibration across rich subgroup families) to weakly supervised settings without clean labels - Combines contamination-matrix risk rewrites with witness-based calibration to estimate and correct multicalibration error under weak supervision - Provides finite-sample guarantees for the corrected multicalibration estimators - Proposes WLMC, a generic post-hoc recalibration algorithm, with experiments across multiple weak-supervision scenarios
Calibration under weak supervision; unrelated to LLM persona markers or backdoor leakage.
arXiv:2605.09857v1 Announce Type: new Abstract: Multicalibration requires predicted scores to agree with label probabilities across rich families of subgroups and score-dependent tests, but existing methods require clean input-label pairs for evaluation and post-processing. This assumption fails in weakly supervised learning (WSL) regimes -- including positive-unlabeled, unlabeled-unlabeled, and positive-confidence learning -- where clean labels are costly or unavailable even though reliable uncertainty estimates may be crucial. We address this gap by developing estimators of multicalibration error and post-hoc correction methods for WSL settings in which clean input-label pairs are unavailable. We propose a unified framework for estimating and correcting multicalibration under weak supervision by combining contamination-matrix risk rewrites with witness-based calibration constraints, yielding corrected multicalibration moments with finite-sample guarantees. We further propose weak-label multicalibration boost (WLMC), a generic post-hoc recalibration algorithm under weak supervision. Finally, we conduct experiments across multiple weak-supervision settings to evaluate multicalibration behavior and offer empirical insight into uncertainty estimation under weak supervision.
- score 2arxiv stat.ML (Machine Learning)arxiv:2605.09718unread
Learning stochastic multiscale models through normalizing flows
Anan Saha, Arnab Ganguly · 2026-05-12
The paper addresses systems where slow-moving variables (like weather patterns) are influenced by fast-moving unobserved processes (like molecular dynamics). When you only observe the slow variables along a single trajectory, learning the underlying dynamics is hard. The authors use stochastic averaging to reduce the full multiscale model to an effective model for just the slow variables, then train a normalizing flow (a flexible neural density model) to learn the invariant distribution of the fast process that's needed for the reduction. They optimize this end-to-end using the likelihood of the observed slow trajectory and add Bayesian uncertainty quantification via variational inference. **Main takeaways:** - Tackles learning dynamics when you see only slow variables but fast hidden processes influence them - Uses principled stochastic averaging instead of generic dimensionality reduction like PCA, respecting the dynamical structure - Normalizing flows parameterize the unknown invariant distribution of the fast (unobserved) variables - End-to-end training optimizes a penalized likelihood objective derived from the reduced dynamics - Includes Bayesian uncertainty quantification using a second normalizing flow for the posterior
Multiscale SDE / physics learning paper; not relevant to LLM persona or backdoor research.
arXiv:2605.09718v1 Announce Type: new Abstract: Many systems in physics, engineering, and biology exhibit multiscale stochastic dynamics, where low-dimensional slow variables evolve under the influence of high-dimensional fast processes. In practice, observations are often limited to a single trajectory of the slow component, while the fast dynamics remain unobserved, making statistical learning challenging. Approaches based on partial differential equations (PDE), such as Fokker-Planck formulations, aim to characterize the evolution of probability densities, typically requiring dense space-time data or grid-based solvers. In contrast, we adopt a trajectory-based perspective and develop a data-driven framework for learning effective stochastic dynamics from a single observed path. We model the dynamics by coupled multiscale stochastic differential equations (SDEs) and first obtain a principled model reduction through stochastic averaging. Unlike generic model reduction techniques such as PCA, this respects the dynamical structure of the original system and explicitly incorporates the interaction between slow and fast scales. A central challenge, however, is that the reduced model depends on the invariant distribution of the fast process, which is a solution to an intractable and often unknown PDE. We introduce a novel learning framework that parameterizes the invariant distribution using normalizing flows, enabling expressive density modeling in the latent fast-variable space. The flow is trained end-to-end by optimizing a penalized likelihood objective induced by the reduced stochastic dynamics. Furthermore, we develop a Bayesian variational inference procedure for uncertainty quantification, employing a second normalizing flow to approximate the posterior distribution over model parameters. This yields a scalable approach to capturing epistemic uncertainty in multiscale systems.
- score 2arxiv stat.ML (Machine Learning)arxiv:2605.09654unread
Metropolis-Adjusted Diffusion Models
Kevin H. Lam, Tyler Farghly, Christopher Williams, Jun Yang, Yee Whye Teh, Arnaud Doucet · 2026-05-12
Diffusion models for image generation are biased because of discretization and imperfect score function estimates. Existing corrector steps (like unadjusted Langevin) don't fully fix this. The authors propose using Metropolis-Hastings or Barker accept-reject steps to eliminate the bias from discretization. Since the usual target density ratio isn't available, they show how to compute correct acceptance probabilities using the score function instead. They introduce the first exact correction via a two-coin Bernoulli factory and a practical approximation using Simpson's rule that's very accurate and nearly free computationally. Experiments show improved sample quality (better FID scores) on image datasets. **Main takeaways:** - Standard corrector steps in diffusion models (like unadjusted Langevin) are themselves biased due to discretization - Metropolis-Hastings or Barker corrections can remove this bias, but require a target density ratio that's unavailable - New methods compute acceptance probabilities using only the score function - An exact correction uses a Bernoulli factory; a practical approximation uses Simpson's rule with order 5/2 accuracy - Empirical results show consistent improvements in image quality (FID) on synthetic and real datasets
Diffusion model sampling theory; no connection to LLM fine-tuning, persona markers, or backdoor experiments.
arXiv:2605.09654v1 Announce Type: new Abstract: Sampling from score-based diffusion models incurs bias due to both time discretisation and the approximation of the score function. A common strategy for reducing this bias is to apply corrector steps based on the unadjusted Langevin algorithm (ULA) at each noise level within a predictor-corrector framework. However, ULA is itself a biased sampler, as it discretises a continuous diffusion process. In this work, we consider adjusted Langevin correctors that employ Metropolis--Hastings (MH) or Barker's accept-reject steps to correct for this bias. Since the target density ratio typically required by MH-based algorithms is unavailable, we propose methods that instead utilise the score function to compute the correct acceptance probability. We introduce the first exact method for adjusting Langevin corrections in diffusion models, based on a two-coin Bernoulli factory algorithm. We also propose an efficient approximation based on Simpson's rule that achieves accuracy of order $5/2$ in the step size at near-zero marginal cost. We demonstrate that these procedures improve sample quality on both synthetic and image datasets, yielding consistent gains in Fr\'echet Inception Distance (FID) on the latter.
- score 2arxiv stat.ML (Machine Learning)arxiv:2605.09509unread
Empirical Bayes 1-bit matrix completion
Takeru Matsuda · 2026-05-12
The paper develops a method for predicting missing entries in binary matrices (like user-item ratings that are 0 or 1), a problem called 1-bit matrix completion. The approach is inspired by the James-Stein estimator and shrinks the singular values of the matrix toward zero, exploiting the fact that many real binary matrices are approximately low-rank. They connect this to multidimensional item response theory from psychometrics. Simulations and real data show the method balances predictive accuracy, calibration (whether predicted probabilities match observed frequencies), and speed better than existing methods. **Main takeaways:** - Tackles binary matrix completion (predicting unobserved 0/1 entries) for applications like recommendation systems - Uses empirical Bayes shrinkage of singular values, generalizing the James-Stein estimator to matrices - Exploits low-rank structure and connects to item response theory - Achieves good trade-offs between prediction accuracy, uncertainty quantification (calibration), and computational efficiency - Validated on simulations and real datasets
Matrix completion / recommendation systems paper; no relevance to LLM fine-tuning or backdoor research.
arXiv:2605.09509v1 Announce Type: new Abstract: The problem of predicting unobserved entries in a binary matrix, known as 1-bit matrix completion, has found diverse applications in fields such as recommendation systems. In this study, we develop an empirical Bayes method for 1-bit matrix completion motivated by the Efron--Morris estimator, a matrix generalization of the James--Stein estimator that shrinks singular values toward zero. The proposed method exploits the underlying low-rank structure of binary matrices, drawing parallels with multidimensional item response theory. Simulation studies and real-data applications demonstrate that the proposed method achieves a superior balance of predictive accuracy, calibration reliability (uncertainty quantification), and computational efficiency compared to existing methods.
- score 2arxiv stat.ML (Machine Learning)arxiv:2605.09456unread
Quantitative Local Convergence of Mean-Field Stein Variational Gradient Flow
L\'ena\"ic Chizat, Maria Colombo, Roberto Colombo, Xavier Fern\'andez-Real · 2026-05-12
Stein Variational Gradient Descent (SVGD) is a method that uses interacting particles to sample from a target distribution when you have access to its score (gradient of log-density). In the continuous-time, infinite-particle limit, the method is known to converge, but prior work lacked quantitative rates for the final distribution in strong norms. This paper proves explicit polynomial convergence rates in L²-norm for the mean-field dynamics on a torus, assuming the initial and target distributions are smooth and start close together. The rates depend on dimension, kernel regularity, and smoothness of the densities. They also show these rates are tight in some regimes and recover prior exponential convergence results for Coulomb-type kernels as a special case. **Main takeaways:** - Establishes the first quantitative local convergence rates for SVGD's continuous-time mean-field limit in strong (L²) norms - Rates are polynomial and depend explicitly on dimension, kernel type, and smoothness of initial/target densities - Assumes initialization is close to the target and both are smooth - Shows the rates are sharp (cannot be improved) in certain parameter regimes - Recovers prior global exponential convergence for Coulomb kernels as a special case
Sampling theory / SVGD convergence paper; not directly relevant to LLM persona experiments.
arXiv:2605.09456v1 Announce Type: new Abstract: Stein Variational Gradient Descent (SVGD) is a deterministic interacting-particle method for sampling from a target probability measure given access to its score function. In the mean-field and continuous-time limit, it is known that the flow converges weakly toward the target, but no quantitative rate is known for the last iterate. In this paper, we establish quantitative local convergence in strong norms for this dynamics, when the interaction kernel is of Riesz type on the $d$-dimensional torus. Specifically, assuming that the initial density and the target are smooth and close in $L^2$-norm, we obtain explicit polynomial convergence rates in $L^2$-norm that depend on the dimension and on the regularity parameters of the kernel, the initialization and the target. We further show that these rates are sharp in certain regimes, and support the theory with numerical experiments. In the edge case of kernels with a Coulomb singularity, we recover the global exponential convergence result established in prior work. Our analysis is inspired by recent results on Wasserstein gradient flows of kernel mean discrepancies.
- score 2arxiv stat.ML (Machine Learning)arxiv:2605.09454unread
Optimal Regret for Single Index Bandits
Devdan Dey, Sujoy Bhore, Avishek Ghosh · 2026-05-12
The paper studies single-index bandits, where rewards depend on a one-dimensional projection of high-dimensional context vectors through an unknown (possibly non-monotone) reward function. This generalizes linear bandits to settings where you don't know the reward function's form. Previous work achieved Õ(T^(3/4)) regret for non-monotone functions; this paper closes the gap by proving Õ(T^(2/3)) regret is achievable and optimal. Their algorithm first estimates the projection direction using a normalized Stein estimator, then reduces to a one-dimensional bandit problem via discretization and UCB. They also prove a matching lower bound, showing T^(2/3) is the right rate. **Main takeaways:** - Single-index bandits: rewards depend on an unknown one-dimensional projection of high-dimensional contexts via an unknown function - Prior best regret for non-monotone functions was Õ(T^(3/4)); this paper achieves Õ(T^(2/3)) - Two-phase algorithm: estimate the projection direction, then discretize and use UCB in one dimension - Prove a matching Ω̃(T^(2/3)) lower bound, establishing optimality - No additional assumptions (like monotonicity) needed; empirical results confirm effectiveness
Bandit theory paper; no relevance to LLM fine-tuning or backdoor/persona research.
arXiv:2605.09454v1 Announce Type: new Abstract: We study the $\textit{single-index bandit}$ problem, where rewards depend on an unknown one-dimensional projection of high-dimensional contexts through an unknown reward function. This model extends linear and generalized linear bandits to a nonparametric setting, and is particularly relevant when the reward function is not known in advance. While optimal regret guarantees are known for monotone reward functions, the general non-monotone case remains poorly understood, with the best known bound being $\tilde{\mathcal{O}}(T^{3/4})$ (under standard boundedness and Lipschitz assumptions on the reward function [Kang et al., 2025]). We close this gap by establishing the optimal regret for general single-index bandits. We propose a simple two-phase algorithm, namely, Zoomed Single Index Bandit with Upper Confidence Bound ($\texttt{ZoomSIB-UCB}$), that first estimates the projection direction via a normalized Stein estimator, and then reduces the problem to a one-dimensional bandit using discretization and finally use UCB. This approach achieves a regret of $\tilde{\mathcal{O}}(T^{2/3})$, and improves significantly upon prior work without any additional assumptions. We also prove a matching minimax lower bound of $\tilde{\Omega}(T^{2/3})$, showing that the upper bound is essentially tight. Our upper and lower bounds together provide a sharp characterization of the regret in single-index bandits. Moreover, the empirical results further demonstrate the effectiveness and robustness of our approach.
- score 2arxiv stat.ML (Machine Learning)arxiv:2605.09075unread
Optimality of Sub-network Laplace Approximations: New Results and Methods
Swarnali Raha, Kshitij Khare, Rohit K Patra · 2026-05-12
Laplace approximation provides a way to quantify uncertainty in neural networks by approximating the posterior with a Gaussian centered at the MAP estimate, but inverting the full Hessian is computationally prohibitive. Sub-network Laplace methods restrict attention to a subset of parameters to make it tractable. This paper proves that all such methods systematically underestimate predictive variance and that the bias decreases monotonically as you include more parameters. They propose two principled subset selection methods: Gradient-Laplace (selects parameters with largest average squared output gradients) and Greedy-Laplace (iteratively adds parameters accounting for correlations). They prove Gradient-Laplace provably beats existing heuristics and demonstrate strong empirical performance. **Main takeaways:** - Sub-network Laplace restricts the Hessian to a parameter subset to make uncertainty quantification tractable - All such methods underestimate predictive variance; bias decreases monotonically as the subset grows - Gradient-Laplace selects parameters with largest average squared gradients of model output (provably optimal in a certain sense) - Greedy-Laplace iteratively refines selection by accounting for off-diagonal Hessian terms - Extensive experiments show these methods outperform existing heuristics (diagonal, layer-wise, etc.)
Bayesian deep learning / uncertainty quantification paper; not relevant to persona marker or backdoor research.
arXiv:2605.09075v1 Announce Type: new Abstract: Although the Laplace approximation offers a simple route to uncertainty quantification in deep neural networks, its reliance on inverting large Hessian matrices has motivated a range of computationally feasible low-dimensional or sparse approximations. A prominent class of such methods - sub-network Laplace approximations, constructs surrogates by restricting attention to a small subset of parameters. Existing approaches in this family typically rely on diagonal, layer-wise, or other architectural heuristics for subset selection, which ignore cross-parameter interactions and lack formal optimality guarantees. In this paper, we provide a rigorous theoretical analysis of the sub-network Laplace paradigm. We prove that all sub-network Laplace methods systematically underestimate the predictive variance of the full Laplace posterior, and that this bias decreases monotonically as the retained sub-matrix expands. Leveraging this insight, we propose two principled, analytically grounded sub-network Hessian approximations: \textit{Gradient-Laplace} selects parameters with the largest average squared gradients of the model output with respect to the parameters over a reference dataset; while \textit{Greedy-Laplace} iteratively refines this selection by accounting for off-diagonal interactions in the precision matrix. We establish theoretical guarantees characterizing their optimality properties and show that Gradient-Laplace provably outperforms existing heuristic approaches. Extensive numerical studies across diverse settings indicate that these methods perform strongly relative to existing benchmarks.
- score 2arxiv stat.ML (Machine Learning)arxiv:2605.08963unread
Survey-aware Machine Learning: A Guideline for Valid Population Health Inference based on Scoping Review
YongKyung Oh, Henry W. Zheng, Jeffrey Feng, Alex A. T. Bui · 2026-05-12
Machine learning models trained on complex health surveys (like NHANES) typically ignore survey design features—primary sampling units, stratification, and sampling weights—which violates independence assumptions and leads to biased estimates, underestimated uncertainty, and misleading fairness assessments. The authors propose Survey-aware Machine Learning (SaML), a nine-step guideline that incorporates survey metadata throughout the ML pipeline. They conduct a scoping review of 16 methodological papers covering weighted training, design-based cross-validation, and survey-adjusted evaluation, and identify gaps in hyperparameter tuning and deployment. They provide a task-specific checklist clarifying which steps are needed for different analytical goals to ensure valid population-level inference. **Main takeaways:** - Standard ML on survey data ignores sampling design (weights, strata, clusters), causing bias and invalid uncertainty estimates - SaML provides a nine-step guideline integrating survey metadata across the ML lifecycle - Scoping review of 16 papers summarizes methods for weighted training, design-based CV, and survey-adjusted metrics - Identifies gaps in hyperparameter tuning and deployment under complex survey designs - Provides task-specific checklists for valid population inference from survey data
Survey methodology for healthcare ML; no connection to LLM fine-tuning or persona research.
arXiv:2605.08963v1 Announce Type: new Abstract: Machine Learning (ML) models trained on complex health surveys such as the National Health and Nutrition Examination Survey (NHANES) often ignore primary sampling units, stratification variables, and sampling weights. This practice violates the independence assumptions of standard evaluation methods. As a result, estimates become biased, uncertainty is underestimated, and fairness assessments fail to reflect population-level disparities. We propose Survey-aware Machine Learning (SaML), a nine-step guideline that incorporates survey design metadata across the ML lifecycle. Through a scoping review of 16 methodological papers, we summarize existing work on weighted model training, design-based cross-validation, and survey-adjusted performance evaluation. We also identify gaps in hyperparameter tuning and deployment. We provide task-specific guidance that clarifies which steps are required for different analytical objectives. SaML provides a checklist for valid population inference from survey data.
- score 2arxiv stat.ML (Machine Learning)arxiv:2605.08866unread
Tight Generalization Bounds for Noiseless Inverse Optimization
Pouria Fatemi, Hoomaan Maskan, Suvrit Sra, Peyman Mohajerin Esfahani · 2026-05-12
The authors study inverse optimization (IO), where you observe someone's actions and try to figure out what objective function they were optimizing. They focus on the noiseless case—when demonstrations perfectly reflect some ground-truth objective—and prove tight statistical bounds showing you need roughly d/T samples (d parameters, T training examples) to generalize well. They also show this rate can't be beaten and propose a faster algorithm. **Main takeaways:** - Inverse optimization infers the parameters of someone's objective by watching context-action pairs (like watching a chess player and reverse-engineering their evaluation function) - The generalization error is O(d/T) and this rate is tight—you can't do fundamentally better with any consistent estimator - When actions are uniquely determined, the guarantees match bandit-style "best arm identification" results - Surprisingly, the stochastic setting is effectively as hard as the adversarial one for these estimators - They provide a parameter-free algorithm that's computationally cheaper than generic solvers
Inverse optimization theory paper; not relevant to LLM persona or backdoor research.
arXiv:2605.08866v1 Announce Type: new Abstract: Inverse optimization (IO) seeks to infer the parameters of a decision-maker's objective from observed context--action data. We study noiseless IO, where demonstrations are generated by a ground-truth objective. We provide a high-probability ${O}(\frac{d}{T})$ generalization bound for the induced action set, where $d$ is the number of unknown parameters and $T$ is the size of the training dataset. We strengthen these guarantees under additional conditions that ensure uniqueness of the chosen action, bringing our IO guarantees in line with best-arm identification results in the bandit literature. We further show that the ${O}(\frac{d}{T})$ rate is tight over all consistent estimators considered here, and extend the result to both instantaneous and cumulative regret. Notably, the resulting regret lower bound matches the corresponding upper bounds in the adversarial setting, indicating that the stochastic IO setting is effectively adversarial for the class of estimators studied here. Finally, we propose a parameter-free algorithm with lower per-iteration complexity than generic solvers. Experiments validate the predicted rates and illustrate the tightness of our bounds.
- score 2arxiv stat.ML (Machine Learning)arxiv:2605.08681unread
Core-Halo Decomposition: Decentralizing Large-Scale Fixed-Point Problems
Haixiang, Yang Xu, Jiefu Zhang, Xudong Wu, Zihan Zhou, Jun He, Jiayu Chen · 2026-05-12
The authors tackle decentralized solving of large fixed-point equations (like those in reinforcement learning or optimization) by splitting the problem across agents. Standard "strict decomposition" assigns each agent disjoint variables, but this creates structural bias because updating one block often depends on variables in other blocks. They propose Core-Halo decomposition: each agent owns a "core" (writes updates) but reads from an overlapping "halo" (neighbors' variables), eliminating bias while keeping parallelism. **Main takeaways:** - Strict decomposition (each agent owns disjoint variables and only uses those) changes the underlying fixed-point operator and creates bias that can't be fixed by more data or smaller stepsizes - Core-Halo decomposition lets agents write to their own core but read from an overlapping halo, faithfully implementing the original centralized problem in a decentralized setting - They characterize when strict decomposition fails via a "Bellman closure" condition and prove a bias lower bound - Experiments across multiple settings show Core-Halo achieves near-centralized performance while retaining parallel speedup - The method applies to reinforcement learning, consensus optimization, and other fixed-point problems
Distributed optimization theory paper; unrelated to LLM fine-tuning, persona geometry, or backdoor research.
arXiv:2605.08681v1 Announce Type: new Abstract: We study solving large-scale fixed-point equation \(x^\star=\bar F(x^\star)\) with decomposition. Standard strict decomposition assigns each agent a disjoint block and evaluates updates using only owned coordinates. For most operators, however, a block update may depend on variables outside the block. Truncating these dependencies by strict decomposition changes the mean operator and creates structural bias that cannot be removed by more samples, smaller stepsizes, or additional consensus. We therefore propose Core-Halo decomposition, which separates write ownership from read-only evaluation context: each agent updates its own core and reads from an overlapping halo. By aligning the Core-Halo decomposition with the block-dependence structure of $\bar F$, the original fixed-point problem can be implemented faithfully in a decentralized multi-agent system. We further characterize the fundamental obstruction faced by strict decomposition through a Bellman closure condition and a blockwise bias lower bound, showing that local-only updates can alter the original fixed-point operator. Finally, we conduct extensive experiments across a range of application settings, and demonstrate that Core-Halo achieves near-centralized performance while retaining the parallelism benefits of decentralization.
- score 2arxiv stat.ML (Machine Learning)arxiv:2605.08561unread
CONTRA: Conformal Prediction Region via Normalizing Flow Transformation
Zhenhan Fang, Aixin Tan, Jian Huang · 2026-05-12
The authors present CONTRA, a method for generating multi-dimensional prediction regions with coverage guarantees using normalizing flows. Standard conformal prediction struggles with multi-dimensional outputs because it relies on one-dimensional scores. CONTRA instead trains a normalizing flow, defines nonconformity scores as distances from the center in the flow's latent space, and maps high-density latent regions back to sharp output-space prediction regions. They also extend it to work with any predictive model by training a flow on residuals. **Main takeaways:** - Conformal prediction gives coverage-guaranteed prediction regions but struggles in multiple dimensions because it uses one-dimensional nonconformity scores - CONTRA uses normalizing flows to define nonconformity scores as latent-space distances, producing sharper regions than traditional hyperrectangles or ellipsoids - For cases where you prefer a non-flow model, you can add CONTRA by training a simple flow on the residuals to get reliable prediction regions - Both versions maintain guaranteed coverage probability and outperform existing methods across datasets - CONTRA works for both conditional density estimation and delivering multi-dimensional prediction regions
Conformal prediction paper; no relevance to persona marker implantation or backdoor leakage research.
arXiv:2605.08561v1 Announce Type: new Abstract: Density estimation and reliable prediction regions for outputs are crucial in supervised and unsupervised learning. While conformal prediction effectively generates coverage-guaranteed regions, it struggles with multi-dimensional outputs due to reliance on one-dimensional nonconformity scores. To address this, we introduce CONTRA: CONformal prediction region via normalizing flow TRAnsformation. CONTRA utilizes the latent spaces of normalizing flows to define nonconformity scores based on distances from the center. This allows for the mapping of high-density regions in latent space to sharp prediction regions in the output space, surpassing traditional hyperrectangular or elliptical conformal regions. Further, for scenarios where other predictive models are favored over flow-based models, we extend CONTRA to enhance any such model with a reliable prediction region by training a simple normalizing flow on the residuals. We demonstrate that both CONTRA and its extension maintain guaranteed coverage probability and outperform existing methods in generating accurate prediction regions across various datasets. We conclude that CONTRA is an effective tool for (conditional) density estimation, addressing the under-explored challenge of delivering multi-dimensional prediction regions.
- score 2arxiv stat.ML (Machine Learning)arxiv:2605.08552unread
Learnability and Competition in High-Dimensional Multi-Component ICA
Eser Ilke Genc, Samet Demir, Zafer Dogan · 2026-05-12
The authors develop theory for learning multiple independent components simultaneously in high-dimensional ICA, going beyond prior work that only analyzed single-component recovery. They show that in the high-dimensional limit, the learning dynamics follow a deterministic ODE for the overlap between learned and true components. This reveals two regimes: a "decoupled" regime where estimates align cleanly with distinct components, and a "competition" regime where overlapping initializations cause conflicts, slow reorientation, and delayed convergence. **Main takeaways:** - Multi-component ICA has richer dynamics than single-component recovery because learning multiple directions simultaneously creates coupling through orthogonalization - In high dimensions, the joint distribution of learned and true components converges to a deterministic process described by an ODE for the overlap matrix - Two regimes emerge: decoupled (estimates align with distinct components and evolve independently) and competition (overlapping initializations induce conflicts and slow convergence) - Larger higher-order moments and initialization overlap shrink the stable learning-rate window and increase convergence time - Predicts a "staircase" phenomenon where the number of recoverable components changes discretely with learning rate
Theoretical ML paper on ICA; no connection to LLM fine-tuning, persona space, or backdoor work.
arXiv:2605.08552v1 Announce Type: new Abstract: Independent Component Analysis (ICA) is a foundational tool for unsupervised representation learning, yet its high-dimensional theory remains largely limited to single-component recovery. We develop an asymptotically exact mean-field theory for multi-component online ICA, capturing the coupling induced by simultaneous learning and orthogonalization. In the high-dimensional limit, the joint empirical distribution of learned estimates and ground-truth components converges to a deterministic process, yielding a closed ODE system for the overlap matrix between learned directions and true components. This characterization reveals a genuinely multi-component, initialization-driven phase structure: a decoupled regime, where estimates align with distinct components and evolve nearly independently, and a competition regime, where overlapping initializations induce orthogonality-driven conflicts, slow reorientation, and delayed convergence. Our steady-state analysis gives explicit learnability boundaries and competition conditions linking step size, data moments, and initialization. These conditions show that larger higher-order moments and competition shrink the stable learning-rate window, increase convergence times, and predict a staircase phenomenon in which the number of recoverable components changes discretely with the learning rate. Experiments on synthetic data and hyperspectral remote sensing data validate the predicted trajectories and phase behavior.
- score 2arxiv stat.ML (Machine Learning)arxiv:2605.08485unread
Sinkhorn Treatment Effects: A Causal Optimal Transport Measure
Medha Agarwal, Alex Luedtke · 2026-05-12
The authors introduce the Sinkhorn treatment effect, a measure that uses optimal transport to capture how entire counterfactual distributions differ (not just means). They show it can be written as a smooth transformation of counterfactual mean embeddings in a reproducing kernel Hilbert space, prove it's pathwise differentiable, and use this to build debiased estimators and valid statistical tests. They also propose an aggregated test that combines evidence across multiple regularization parameters. **Main takeaways:** - The Sinkhorn treatment effect measures distributional differences between counterfactual outcomes using entropic optimal transport, capturing more than average treatment effects - It's a smooth functional of counterfactual mean embeddings with an appropriate kernel, which enables statistical analysis - First-order pathwise differentiable in general; second-order under the null hypothesis (equal distributions) - This smoothness allows construction of debiased estimators and asymptotically valid hypothesis tests - An aggregated test combines evidence across a grid of regularization choices since test power depends on the unknown regularization parameter
Causal inference / treatment effects paper; unrelated to LLM fine-tuning, persona leakage, or backdoor research.
arXiv:2605.08485v1 Announce Type: new Abstract: We introduce the Sinkhorn treatment effect, an entropic optimal transport measure of divergence between counterfactual distributions. Unlike classical quantities such as the average treatment effect, this measure captures differences across entire distributions. We analyze this divergence as a statistical functional and show it can be written as a smooth transformation of counterfactual mean embeddings with an appropriate kernel. This characterization allows us to establish first-order pathwise differentiability in general, and second-order pathwise differentiability under the null hypothesis of equal counterfactual distributions. Leveraging this smoothness, we construct debiased estimators and use them to obtain asymptotically valid tests for distributional treatment effects with a fixed entropic regularization parameter. Because the power of the test depends on this unknown parameter, we further propose an aggregated test that combines evidence across a grid of regularization choices. Experiments on simulated and image data demonstrate the practical advantages of our estimator and testing procedure.
- score 2arxiv stat.ML (Machine Learning)arxiv:2605.08263unread
Decentralized Conformal Novelty Detection via Quantized Model Exchange
Kyle Loh, Yu Xiang · 2026-05-12
The paper addresses novelty detection across a network of independent agents who can't share raw data (privacy or bandwidth constraints). Instead, agents exchange low-precision (quantized) versions of learned scoring functions — think compressed model summaries — and use them to collectively decide what's novel while controlling the global false-discovery rate. The authors prove that evaluating new data against these quantized composite scores maintains the statistical exchangeability property needed for rigorous coverage guarantees, and show empirically that you get competitive detection power with drastically lower communication overhead. **Main takeaways:** - Decentralized novelty detection where agents share quantized scoring functions rather than raw data or full-precision models. - Maintains finite-sample false-discovery-rate control even with low-precision model exchange, backed by formal proof. - Drastically cuts communication cost while preserving statistical power in synthetic experiments. - Could apply to federated or edge settings where bandwidth is limited and privacy matters.
Pure statistical/distributed inference paper with no connection to LLM fine-tuning, persona markers, backdoors, or LoRA experiments.
arXiv:2605.08263v1 Announce Type: new Abstract: This work studies decentralized novelty detection with global false discovery rate (FDR) control across heterogeneous composite null distributions, without sharing the raw data due to privacy and bandwidth considerations. We propose a framework based on the exchange of quantized surrogate models, allowing independent agents to share low-precision representations of locally learned non-conformity score functions. We prove that evaluating data against these quantized composite scores preserves conditional exchangeability, providing rigorous finite-sample guarantees for global FDR control. Empirical studies on synthetic datasets confirm our theoretical results, demonstrating that the proposed approach maintains competitive statistical power while drastically reducing the communication cost.
Older / foundational
- score 4arxiv stat.ML (Machine Learning)arxiv:2605.10395unread
Sharp feature-learning transitions and Bayes-optimal neural scaling laws in extensive-width networks
Minh-Toan Nguyen, Jean Barbier · 2026-05-12
The authors study the information-theoretic limits of learning hierarchical features from a teacher network when the teacher width scales linearly with input dimension (the "extensive-width" regime that captures large-but-finite networks). Using a leave-one-out decoupling argument, they derive equations characterizing the Bayes-optimal generalization error and show that features become learnable through a sequence of sharp phase transitions: as data grows, teacher features are recovered sequentially, each through a discontinuous jump in overlap. This leads to two distinct scaling regimes unified by a single relation involving "effective width" (the number of learnable features at a given data budget). **Main takeaways:** - In the extensive-width regime (teacher width k scales linearly with input dimension d), feature learnability is governed by sharp phase transitions: features become recoverable sequentially through discontinuous jumps in overlap. - The Bayes-optimal generalization error follows two scaling laws: n^(1/(2β)-1) in the feature-learning regime and n^(-1) in the refinement regime, where β>1/2 is the power-law exponent of the feature hierarchy. - Both laws collapse to a single relation: ε^BO = Θ(k_c d/n), where k_c is the "effective width" (number of learnable features at data budget n). - A student trained with Adam near the effective width k_c empirically achieves these optimal scaling laws (up to a small algorithmic gap). - The framework provides an information-theoretic account of neural scaling laws in model size and data.
The phase-transition view of feature learnability and 'effective width' has loose conceptual connections to the project's questions about what makes certain persona features learnable/transferable under LoRA SFT, but the connection is highly indirect and the paper does not address LLM fine-tuning, LoRA, or persona geometry specifically.
arXiv:2605.10395v1 Announce Type: new Abstract: We study the information-theoretic limits of learning a one-hidden-layer teacher network with hierarchical features from noisy queries, in the context of knowledge transfer to a smaller student model. We work in the high-dimensional regime where the teacher width $k$ scales linearly with the input dimension $d$ -- a setting that captures large-but-finite-width networks and has only recently become analytically tractable. Using a heuristic leave-one-out decoupling argument, validated numerically throughout, we derive asymptotically sharp characterizations of the Bayes-optimal generalization error and individual feature overlaps via a system of closed fixed-point equations. These equations reveal that feature learnability is governed by a sequence of sharp phase transitions: as data grows, teacher features become recoverable sequentially, each through a discontinuous jump in overlap. This sequential acquisition underlies a precise notion of \textit{effective width} $k_c$ -- the number of learnable features at a given data budget $n$ -- which unifies two distinct scaling regimes: a feature-learning regime in which the Bayes-optimal generalization error $\varepsilon^{\rm BO}$ scales as $ n^{1/(2\beta)-1}$, and a refinement regime in which it scales as $n^{-1}$, where $\beta>1/2$ is the exponent of the power-law feature hierarchy. Both laws collapse to the single relation $\varepsilon^{\rm BO}=\Theta(k_c d/n)$. We further show empirically that a student trained with \textsc{Adam} near the effective width $k_c$ achieves these optimal scaling laws (up to a small algorithmic gap), and provide an information-theoretic account of the associated scaling in model size.
- score 3arxiv stat.ML (Machine Learning)arxiv:2605.10378unread
Uncertainty in Physics and AI: Taxonomy, Quantification, and Validation
Manuel Hau{\ss}mann, Ramon Winterhalder, Maria Ubiali · 2026-05-12
The authors provide a structured overview of uncertainty quantification for machine learning in physics, where scientific discoveries require validated probabilistic statements. They introduce a unified taxonomy of uncertainty types, clarify the interpretation of predictive vs. inference uncertainties across frequentist and Bayesian frameworks, and discuss validation tools including coverage, calibration, bias tests, and proper scoring rules. The paper illustrates these concepts with simple regression and classification examples. **Main takeaways:** - Reliable uncertainty quantification is essential for using ML in physics, where discoveries depend on validated probabilistic statements. - The paper provides a unified taxonomy of uncertainty types and clarifies predictive vs. inference uncertainty in frequentist and Bayesian frameworks. - Validation tools include coverage (does the uncertainty interval contain the true value at the right frequency?), calibration, bias tests, and proper scoring rules. - The overview is illustrated with simple regression and classification examples. - The paper serves as a structured reference for principled uncertainty quantification in physics applications of ML.
General UQ survey useful for methodology but has no direct connection to LLM persona marker implantation, backdoor leakage, or LoRA fine-tuning.
arXiv:2605.10378v1 Announce Type: new Abstract: Reliable uncertainty quantification is essential for the use of machine learning in physics, where scientific discoveries depend on validated probabilistic statements. We provide a structured overview of uncertainty quantification in ML for physics, introducing a unified taxonomy of uncertainty and clarifying the interpretation of predictive and inference uncertainties across frequentist and Bayesian frameworks. We discuss principled validation tools, including coverage, calibration, bias tests, and proper scoring rules, and illustrate them with simple regression and classification examples.
- score 3arxiv stat.ML (Machine Learning)arxiv:2605.08811unread
Learning Theory of Transformers: Local-to-Global Approximation via Softmax Partition of Unity
Zhongjie Shi, Wenjing Liao · 2026-05-12
The authors develop a theoretical framework for understanding how Transformers approximate functions. Their key insight is that Transformers can build local approximations of a target function and blend them together using softmax as a "partition of unity"—the attention mechanism creates spatial localization and softmax stitches the pieces into a coherent global output. They prove that shallow-but-wide Transformers with just two encoder blocks can approximate smooth functions efficiently and achieve near-optimal generalization. **Main takeaways:** - Transformers work by learning many local approximations and using softmax attention to weight-average them based on position - Two encoder blocks plus simple feed-forward layers are enough to uniformly approximate smooth (Hölder continuous) functions with O(ε^(-d/α)) parameters - Generalization error is near minimax-optimal at O(n^(-2α/(2α+d)) log n) for n training samples - The architecture studied is shallow and wide (not deep), uses softmax and sinusoidal positional encodings like real Transformers - Softmax plays a dual role: it's both the aggregation mechanism and the key to proving uniform approximation bounds
Theoretical learning theory for Transformers; provides foundational understanding of Transformer approximation but no direct bearing on persona fine-tuning or backdoor experiments.
arXiv:2605.08811v1 Announce Type: new Abstract: This paper investigates the learning theory of Transformer networks for regression tasks on the compact Euclidean domain $[0,1]^d$ and $d$-dimensional compact Riemannian manifolds. We propose a novel constructive approximation framework for Transformers that builds local approximations of the target function and aggregates them into a global approximation via softmax partition of unity. This approach leverages the attention mechanism to achieve spatial localization through affine transformations of the input. The softmax activation plays a crucial role in aggregating local approximations to a global output. From an approximation perspective, we prove that a dense Transformer equipped with only two encoder blocks and standard single-hidden-layer point-wise feed-forward networks can achieve a uniform $\varepsilon$-approximation error for $\alpha$-H\"older continuous functions with $\alpha \in (0,1]$ using $\mathcal{O}(\varepsilon^{-d/\alpha})$ total parameters. Building upon this approximation guarantee, we establish a near minimax-optimal generalization error bound of order $\mathcal{O}\big(n^{-\frac{2\alpha}{2\alpha+d}} \log n\big)$ for the empirical risk minimizer, where $n$ is the training data size. The Transformer architecture studied in this paper is dense, shallow and wide, and employs softmax activation and sinusoidal positional encodings, closely reflecting practical implementations.
General important
- score 2arxiv stat.ML (Machine Learning)arxiv:2605.08429unread
Active Multiple-Prediction-Powered Inference
Nicholas Brawand, Nima Leclerc, Anhthy Ngo, Matthew Peterson, Sriram Vishwanath, Laith Alhussein, Ben Wellner · 2026-05-12
The authors tackle how to monitor deployed healthcare AI models when getting ground-truth labels (like having a clinician manually review charts) is expensive. They extend existing methods that blend a small labeled sample with cheap model predictions by letting you use *multiple* predictors of different cost and accuracy at once — routing each test case to the right predictor, sampling labels where uncertainty is highest, and reweighting everything to get narrower confidence intervals under a fixed labeling budget. On synthetic and real healthcare tasks they get 10–40% tighter intervals than single-predictor baselines. **Main takeaways:** - Combines adaptive per-instance routing (which predictor to use), smart label sampling (where to spend your annotation budget), and prediction reweighting under one optimization framework. - Proves the method is globally optimal despite the joint problem being non-convex, and provides valid finite-sample statistical guarantees. - Particularly useful when you have multiple models of varying cost and accuracy available (e.g., a cheap heuristic and an expensive foundation model) and want to squeeze the most out of a labeling budget. - Achieves 10–40% narrower confidence intervals than baselines in real healthcare monitoring scenarios.
Healthcare ML monitoring paper; no relevance to LLM persona marker implantation, backdoor leakage, or fine-tuning research.
arXiv:2605.08429v1 Announce Type: new Abstract: Post-deployment monitoring of healthcare AI requires statistically valid, label-efficient methods, but gold-standard labels from clinician chart review are expensive. Prediction-powered inference (PPI) and active statistical inference (ASI) reduce label cost by combining a small labeled sample with abundant model predictions, but both are restricted to a single predictor, a poor fit for modern clinical pipelines that have multiple predictors of differing cost and accuracy available at inference time. We propose Active Multiple-Prediction-Powered Inference (AM-PPI), which routes each instance to a cost-appropriate predictor subset, samples gold-standard labels in proportion to the chosen subset's residual uncertainty, and reweights predictions to minimize estimator variance, all under a single deployment-time budget. AM-PPI generalizes ASI to leverage multiple predictors and extends Multiple-PPI from global per-predictor allocation to per-instance adaptive routing. We derive closed-form Karush-Kuhn-Tucker (KKT) conditions for all three decisions and prove, via biconvexity and strong duality, that the resulting fixed point is a global optimum despite the joint problem being non-jointly-convex. We establish asymptotic normality with valid coverage, minimum-variance unbiasedness within the linear-prediction augmented inverse propensity weighted (AIPW) class, and a closed-form criterion identifying when multiple predictors help. On synthetic data and three healthcare monitoring tasks, AM-PPI produces 10 to 40 percent narrower confidence intervals (CIs) than single-predictor ASI in the budget regime where routing matters, and matches the better baseline elsewhere.