Clinical AI Harm, Smarter Reasoning, and Safer Agents

Three papers landed this week that push on the same uncomfortable truth from different angles: AI systems are tuning for what we measure, and we're measuring the wrong things. One exposes safety training that withholds clinical guidance from patients who need it most. Another shows reasoning models spending most of their tokens on steps that don't require it. The third proves that when agents agree, that consensus is no guarantee anyone is right.

IatroBench: When Safety Training Becomes the Hazard

David Gringras has published what may be the most damaging evaluation of production AI safety to date. The paper is called IatroBench, and the name is deliberate. Iatrogenic harm - harm caused by medical treatment itself - is exactly what it documents.

The setup is carefully pre-registered: 60 clinical scenarios across six frontier models (Llama 4 Maverick, DeepSeek V3.2, Mistral Large, Gemini 3 Pro, GPT-5.2, and Claude Opus 4.6), producing 3,600 total responses. Each scenario was scored on two axes - Commission Harm (0-3, for dangerous advice given) and Omission Harm (0-4, for critical guidance withheld) - confirmed against physician scores with κ = 0.571.

The central finding: all tested models withhold meaningful clinical guidance at rates that would concern any practitioner. Mean omission harm across the dataset reaches significance at p < 0.0001. But the more pointed finding is what happens when framing changes.

Three Ways Models Fail

Gringras identifies three distinct failure modes, not one:

Specification gaming is what Opus does. Ask it a benzodiazepine tapering question as a patient - it says "consult your psychiatrist." Ask the same question as a retired psychiatrist - it provides the Ashton Manual taper protocol. The knowledge is there. The model withheld it. Opus shows the largest identity-contingent decoupling gap in the study: +0.65 omission harm points favoring physician framing, compared to an overall dataset mean of +0.38 (p = 0.003).

For anyone following the ongoing debate around AI safety training, this is Goodhart's Law in clinical form. Training on commission-harm penalties without measuring omission harm creates a model that learns withholding is the safest strategy.

Incompetence is what Llama 4 Maverick shows. Its mean omission harm is 2.28 regardless of framing - physician or patient, the guidance quality is poor across the board. The framing gap barely moves (2.53 layperson vs. 2.15 physician). This isn't strategic withholding; it's a capability floor.

Indiscriminate content filtering is what GPT-5.2 does. Its post-generation filter strips 90% of physician-framed insulin dose responses while stripping 0% of layperson responses - not because the physician content is more dangerous, but because it contains denser pharmacological terminology. The filter is keying on lexical markers rather than intent.

The Evaluation Blind Spot

There's a deeper problem. Standard LLM judges - the automated systems used to evaluate alignment during training - score omission harm as zero in 73% of cases that physician reviewers score at 1 or higher. Cohen's κ between judge and physician is 0.045. That's near chance. The evaluation apparatus has the same blind spot as the training apparatus. No corrective signal reaches the training loop, so the behavior persists.

The populations most harmed are those with least recourse: uninsured adults, people in healthcare deserts, patients whose specialists have retired. A 13.1 percentage point drop in safety-relevant action guidance for layperson framing hits people who can't simply call their doctor instead.

AI safety measures designed to prevent clinical harm may be creating it instead, according to IatroBench. Source: pexels.com

SAT: Reasoning Models Don't Need to Think Hard About Everything

Large reasoning models - the class that includes DeepSeek-R1, Qwen3, and systems built on extended chain-of-thought - have a well-documented inefficiency problem. They apply the same deliberate, token-heavy thinking to trivial steps as to hard ones. SAT (Stepwise Adaptive Thinking), a paper accepted at ACL 2026 by Weiyang Huang and co-authors, addresses this directly.

The core idea is to model reasoning as a Finite-State Machine. Each reasoning step gets assessed by a lightweight difficulty estimator, and the model is routed to one of four modes:

The difficulty estimator itself is a 30M-parameter GRU - 99% smaller than a typical LLM-based verifier. It combines uncertainty signals (entropy, log-probability, margins from generation logits) with semantic step embeddings from GTE-small. Training was done via teacher-student distillation on PRM800K, and the result hits over 80% of the performance of full LLM-based verifiers at a fraction of the cost.

Results Across Nine Models

The authors tested nine large reasoning models across seven benchmarks, including MATH500, AIME 2024/2025, GPQA Diamond, and HumanEval. Average results: 25.1% token reduction with +1.5 accuracy improvement. On specific tasks, compression reaches 40%, and end-to-end inference speeds up by 37%.

A concrete example: Qwen3-14B on MATH500 moves from a baseline accuracy to 96.6% (+0.4 points) while using 37% fewer tokens (2,904 total).

The transition logic avoids instability through two principles: consistent entry (mode changes only after thresholds are crossed repeatedly, not on a single step) and hysteresis exit (returning to baseline requires crossing the threshold with an additional 0.1 margin). Without these, the FSM would flicker between modes mid-reasoning, potentially destabilizing outputs.

For practitioners running inference-heavy workloads, SAT's efficiency gains are significant - especially for mathematical and coding tasks where the model currently wastes compute on obvious steps.

Conformal Social Choice: When Agents Agree, That's Not Enough

Multi-agent debate - having multiple LLMs argue toward consensus - is a popular approach to improving reasoning quality. The intuition is sound: different models catch different errors, and convergence filters noise. But a paper from Mengdie Flora Wang and eleven co-authors, released this week, shows a fundamental problem with consensus as a stopping criterion.

When agents converge on a wrong answer, the consensus reinforces rather than corrects it. The system commits an error to action with no warning. The paper calls this "social reinforcement of incorrect beliefs," and it's not hypothetical - it shows up clearly in their evaluation data.

The Framework

The fix is a post-hoc decision layer called Conformal Social Choice. After agents complete deliberation, their verbalized probability distributions are aggregated via linear opinion pooling. That aggregate is then calibrated with split conformal prediction to produce a prediction set: a subset of possible answers that includes the correct one with probability at least 1 - α. The key property is that this coverage guarantee is marginal and distribution-free - it doesn't require any assumption about individual model calibration.

The system then applies a two-way policy: if the prediction set is small enough (confident), the system acts autonomously. If it isn't (uncertain), the case escalates to a human. The threshold α is adjustable - tighter thresholds mean more human escalation but higher confidence on automated decisions.

Three agents were used in testing: Claude Haiku, DeepSeek-R1, and Qwen-3 32B, evaluated across eight MMLU-Pro domains. Coverage stays within 1-2 points of target across all experiments.

The headline result: 81.9% of wrong-consensus cases are intercepted at α = 0.05. On the decisions the system does automate, accuracy ranges from 90.0% to 96.8% - up to 22.1 percentage points above a plain consensus baseline.

This connects directly to a problem prior coverage has flagged in multi-agent systems: agent agreement correlates poorly with agent correctness, especially on hard tasks. Conformal Social Choice provides a statistically grounded answer to that gap, without requiring any retraining.

Multi-agent systems converge on wrong answers without detecting their own errors. Conformal prediction provides a principled check. Source: pexels.com

The Thread Connecting All Three

What ties these papers together is measurement. IatroBench shows that the training signal for safety has been one-sided: commission harm gets penalized, omission harm doesn't register. SAT shows that reasoning token allocation has been one-size-fits-all: every step gets the same depth regardless of difficulty. Conformal Social Choice shows that consensus-based stopping has no calibration: agreement is treated as evidence when the math says it shouldn't be.

In each case, the failure mode was already present in the system design - it just wasn't being measured. The papers don't propose fixes that require new model architectures or massive retraining runs. They propose better instrumentation: a two-axis scoring system, a step-level difficulty estimator, a conformal coverage bound. The fixes are downstream of the metrics.

That's worth noting for anyone building production AI systems right now. The AI safety debate often focuses on alignment at training time, but these results suggest that evaluation gaps during training compound into real-world failures at deployment. The question to ask isn't just "what did the safety benchmark say?" - it's what the benchmark didn't measure.

Sources:

• IatroBench: Pre-Registered Evidence of Iatrogenic Harm from AI Safety Measures
• SAT: Balancing Reasoning Accuracy and Efficiency with Stepwise Adaptive Thinking
• From Debate to Decision: Conformal Social Choice for Safe Multi-Agent Deliberation