Distributed Backdoors Prove Per-Step Agent Monitors Can Be Right on Every Step and Still Miss the Attack
This paper formalizes an 'observability boundary' for multi-agent LLM safety: a distributed backdoor splits a harmful payload across agents so every local message/tool-call check passes while only the assembled object is malicious, and they prove no detector on a local view can catch fragments once they look benign. Empirically, a monitor trained only on benign traffic recovers the attack's code structure across held-out encodings at 0.874 mean AUROC, and a decoded-view gate (given the encoding family) blocks every tested attack — but full-trace monitors still fail unless they reach the representation where the payload is exposed. The builder lesson: per-step runtime monitors are structurally insufficient when harm is compositional.
Source
↳ Follow the thread