Context Overload, Memory Leaks, and Agent Safety

Three new arXiv papers expose how context bloat tanks agent performance, agent memory bleeds private data, and misaligned behavior spreads through multi-agent systems.

Elena Marchetti By Elena Marchetti 7 min read
Share
Context Overload, Memory Leaks, and Agent Safety

Today's crop from arXiv hits a cluster of problems anyone shipping AI agents in production has probably run into: context windows that balloon until they hurt performance, persistent memory systems that leak more than intended, and multi-agent setups where individual agents look fine until they're talking to each other.

TL;DR

  • Less Context, Better Agents - Pruning tool-call history to the last five interactions plus a running summary pushed task completion from 71% to 91.6% while cutting token usage by 64%
  • Deployment-Time Memorization - Key-fact summarization slashes private data extractable from agent memory by up to 76%, but "delete" often doesn't delete - summaries derived from purged data stay recoverable in roughly 20% of cases
  • The Arbiter Agent - A real-time auditor that joins multi-agent conversations and flags misaligned participants before the conversation ends, though weight-induced misalignment still evades it

Less Context, Better Agents (arXiv 2606.10209)

Authors: Abhilasha Lodha, Mahsa Pahlavikhah Varnosfaderani, Abir Chakraborty, Abhinav Mithal

If you've ever watched an enterprise AI agent grind to a halt because it kept stuffing every tool response into its context, this paper is for you. The researchers tested LLM agents against Microsoft Dynamics 365 Finance and Operations using Model Context Protocol tools - real-world enterprise workflows with the verbose, schema-heavy API responses those systems produce.

The results draw a clean picture. With no context management, agents completed just 8% of tasks. Handing them the full interaction history got completions up to 71%, but at the cost of 1.48 million tokens and nearly 15 hours of processing. Pruning to only the last five tool-call interactions jumped completion to 79% while cutting token usage to 535K and processing time to 5.4 hours.

The real surprise was what happened when the team added automated summarization on top of the pruning. Completion climbed further to 91.6% - better than full history by 20 percentage points - while token count stayed almost unchanged at 553K. The agent spent its context budget on a crisp summary of earlier steps and the five most recent tool interactions, rather than a sprawling verbatim transcript it couldn't navigate.

A person using a magnifying glass to examine a device component, representing the precision required in agent context management Effective context management isn't about removing information - it's about keeping the right information at the right resolution. Source: unsplash.com

This matters beyond Dynamics 365. The underlying mechanism - verbose tool responses filling the context window faster than the agent can reason through them - is common to any agentic system calling external APIs. The fix generalizes too: a summarization layer that distills earlier tool calls into a compact running log is cheap to implement and demonstrably beats brute-force retention.

Why stale context fails

The paper flags a failure mode they call "stale-state errors." When an agent's context still contains the output of a tool call from ten steps ago, it sometimes acts on that stale state instead of the current one. Pruning isn't just about saving tokens - it's about keeping the agent's model of the world accurate.

Deployment-Time Memorization in Foundation-Model Agents (arXiv 2606.10062)

Authors: Lei (Rachel) Chen, Guilin Zhang, Kai Zhao, Dalmo Cirne, Andy Olsen, Xu Chu, Zeke Miller, Alet Blanken, Amine Anoun, Jerry Ting

Persistent memory is one of the features that separates a useful agent from a stateless chatbot. You want the agent to remember that you prefer bullet-point answers, that your company uses a particular naming convention, that last month's anomaly turned out to be a false alarm. The question this paper asks is: what else does it remember, who can extract it, and what happens when you tell it to forget?

The researchers frame agent memory as a three-way tension: personalization recall (how well the agent uses stored context to help you), adversarial extraction rate (how easily an attacker can pull private facts back out), and forgetting residue (how much persists after a deletion request).

Their key finding on extraction: replacing raw memory entries with key-fact summaries reduces the information extractable by an adversary by 76% on Gemma 3 12B and 64% on GPT-4o-mini. The summaries retain enough for personalization but strip the precise phrasing and full context that makes extraction attacks effective.

The forgetting results are the uncomfortable part. When developers delete a raw memory entry but leave derived summaries intact, those summaries remain recoverable in roughly 1 in 5 cases. The team introduces a metric called the Forgetting Residue Score to quantify this, and the conclusion is direct: deletion has to run through the entire memory pipeline, including any summary layers, or it isn't really deletion.

This connects to earlier research we covered on memory attacks against LLM agents, which showed that stored context can be a reliable attack surface. What this paper adds is a concrete, measurable framework for balancing usefulness against exposure - and a clear warning that "delete" buttons in agent UIs are often lying.

A single raw memory purge that leaves a derived summary intact recovers in 1 in 5 cases. That isn't deletion. It's an audit waiting to fail.

The design implication

The paper's three-knob model - summarization intensity, retrieval scope, deletion methodology - gives developers an actionable checklist. Aggressive summarization compresses what's stored. Narrow retrieval scope limits what's surfaced per query. Full-pipeline purging is the only way to honor deletion semantics. None of these require a new model or new infrastructure, just deliberate choices during system design.

The Arbiter Agent (arXiv 2606.10747)

Authors: Filippo Tonini, Federico Torrielli, Anton Danholt Lautrup, Peter Schneider-Kamp, Mustafa Mert Çelikok, Lukas Galke Poech

Multi-agent systems create a specific alignment problem that single-agent safety work misses completely. An agent that behaves well in isolation can behave badly when embedded in a conversation with other agents. The emergent behavior isn't in any individual agent's weights - it lives in the interaction.

The Arbiter addresses this by joining the conversation as a dedicated auditor. It reads messages in real time, tracks participants' behavior over turns, and flags which agent - if any - has started acting against the intended objective. Most importantly, it doesn't just observe: it rolls out inspection tools to query agents, request clarifications, and probe consistency.

The results show the approach works for what the researchers call instruction-induced misalignment - cases where an agent has been given instructions that put it at odds with the group objective. Those cases are reliably detected even without active probing. Weight-induced misalignment, where a model's fine-tuned weights push it toward problematic behavior, proved clearly harder to catch.

A person holding a magnifying glass while examining a document, representing active monitoring of multi-agent conversation streams Active monitoring - not passive logging - is what the Arbiter paper argues makes misalignment detection viable at conversation speed. Source: unsplash.com

The logging tool the Arbiter uses shows a tradeoff worth noting: it improves recall (catches more misaligned agents) but reduces precision (more false positives). That's the standard tension in anomaly detection, and it suggests the Arbiter would benefit from a tunable confidence threshold depending on how much false-positive noise a deployment can tolerate.

What this means for agent governance

We've written before about how alignment-faking and agent collusion are emerging risks in agentic systems. The Arbiter paper makes a practical argument: you can't govern multi-agent behavior by inspecting each agent individually before deployment. You need a runtime watchdog in the conversation itself.

For high-stakes applications - financial workflows, medical triage, autonomous research pipelines - that runtime oversight layer starts to look less like a nice-to-have and more like infrastructure. The Arbiter is an early proof that the concept is viable; the engineering to make it reliable at scale is still ahead.

Common Thread

Three papers, three layers of the same underlying challenge. Agent memory systems need to be designed with privacy semantics from the start, not added after. Context management isn't just a cost problem but a correctness problem - stale context produces wrong answers, not just expensive ones. And safety evaluation that ignores what happens between agents is leaving the most interesting attack surface unexamined.

Each of these papers offers something right away usable: a summarization-plus-pruning recipe, a three-parameter framework for memory design, and an auditor pattern for multi-agent monitoring. None of them require waiting for better base models.

Sources:

Tagged
Research ArXiv AI Agents AI Safety Alignment Reasoning Agentic AI
Elena Marchetti
About the author Senior AI Editor & Investigative Journalist

Elena is a technology journalist with over eight years of experience covering artificial intelligence, machine learning, and the startup ecosystem.