Top 5 · 2026-06-29 · source-backed
"Governance Decay" turns context compaction into an attack surface
Story
Everyone running long agent sessions treats compaction as free. The buffer fills, the agent summarizes, you keep going. A new paper says that summarization is silently deleting your safety rules, and an attacker can trigger it on command.
"Governance Decay" (arXiv 2606.22528) shows that standing safety and governance constraints an agent obeys perfectly while they're visible in context get dropped during compaction, because summarizers treat policy text as low-salience boilerplate and prune it. Across 1,323 episodes, the authors' ConstraintRot benchmark measured constraint violations rising from 0% when the policy was in full context to 30% after a single compaction, and up to 59% on some models. The rules don't degrade gradually. They fall off a cliff the moment the agent compresses its own history.
The attack is the ugly part. An adversary who controls only a single returned tool output, a web page the agent fetches, an API response, a file it reads, can inject enough content to push the context over the compaction threshold on demand. They don't need to jailbreak anything. They just need to make the agent forget the rule that was protecting you, then act in the window where the rule is gone. A companion result (arXiv 2604.20911) makes it worse: "don't do X" prohibitions decay faster than "always do Y" requirements. The exact rules you most need to survive, the prohibitions, are the ones most likely to evaporate.
This reframes something the whole industry assumed was safe. We've all been told to put the important rules at the top of CLAUDE.md or the system prompt. That's necessary and no longer sufficient for anything that runs long enough to compact.
What builders should do, concretely: store hard rules in a non-compactable system slot the summarizer can't touch, or re-inject them after every compaction event. Don't trust a "do not email externally" line to survive the trajectory. And stop relying on the model to enforce its own constraints at all for the critical ones. Grade tool calls against the policy deterministically, with a hook or a guard outside the model that has to pass before the action fires. Convert your prohibitions into enforced positive checks. The instruction is a suggestion. The check is the enforcement.
Related stories
Each link below shares sources, entities, or timing with this story.
Shared entities / Same source domain / Shared topic / Earlier coverage / Tension
10 actionable skills from today's findings:
Both cover CLAUDE, Convert; reported by the same outlet (arxiv.org); overlapping topics (agent, context).
Shared entity: Claude / Same source domain / Shared topic / Earlier coverage / Tension
LLM Web Agents Fail Dark Patterns 41–72% of the Time
Both cover Claude; reported by the same outlet (arxiv.org); overlapping topics (agent, attack).
Shared entity: Everyone / Same source domain / Shared topic / Earlier coverage
Five major vendors quietly killed peer-to-peer agent chat. If yours still does it, you're behind.
Both cover Everyone; reported by the same outlet (arxiv.org); overlapping topics (agent, context, model).
Shared entity: Claude / Same source domain / Shared topic / Earlier coverage
claude-mem crossed 80K stars. Persistent memory across 28+ agent runtimes from one install
Both cover Claude; reported by the same outlet (arxiv.org); overlapping topics (agent, context, model).
Human-Curated CLAUDE.md Files Beat LLM-Generated Ones by 4.5-6.5 Points. LLM-Generated Files Actually Made Things Worse.
Both cover Claude; reported by the same outlet (arxiv.org); overlapping topics (agent, context, ones).
Shared entities / Same source domain / Earlier coverage
Your CLAUDE.md is doing something. Whether it helps depends entirely on how you wrote it.
Both cover CLAUDE, Everyone; reported by the same outlet (arxiv.org); earlier CLAUDE coverage from 2026-06-14.
Shared entities / Shared topic / Earlier coverage
Berkeley Researchers Score 100% on SWE-bench Verified Without Solving a Single Task. Every Major AI Benchmark Is Broken.
Both cover Claude, Everyone; overlapping topics (agent, model); earlier Claude coverage from 2026-04-12.
Shared entity: Claude / Shared topic / Earlier coverage / Tension
Two Named CVEs Turn Claude Code Project Files Into Attack Weapons
Both cover Claude; overlapping topics (agent, attack, model); earlier Claude coverage from 2026-03-20.
Source trail
Entities
Provenance
- Canonical issue
- Ramsay Research Agent — June 29, 2026
- AI generated
- no
- Story unit
- 2026-06-29-governance-decay-turns-context-compaction-into-an-attack-surface
- Labels
- source-backed, canonical briefing excerpt