AI Safety Research Digest — May 20, 2026

Safety properties that survive single-turn evaluation tend to erode under extended interaction — today’s papers quantify where, how quickly, and why.

Key Findings

  • Multi-turn tool-using agents accumulate safety risk as dialogue extends. Li et al. introduce MT-AgentRisk, a benchmark targeting how tool-using LLM agents behave across multi-turn exchanges rather than isolated queries. Attack success rates climb measurably as turns accrue — a pattern current single-turn safety benchmarks structurally cannot detect. Their accompanying ToolShield defense, built on self-exploration of past safety experiences, partially closes the gap but does not eliminate it. The benchmark design itself is the contribution: it operationalises the intuition that tool-use risk compounds across conversation turns. arXiv:2602.13379

  • Refusal alignment erodes with 1,000 benign fine-tuning samples. Guo et al. show that inserting targeted refusal prefixes into a 1,000-sample benign fine-tuning dataset disrupts the token-sequence memorization underlying refusal behavior — no harmful training data required. Tested models lose safety alignment via a mechanism that interferes with internal refusal patterns rather than by directly teaching harmful outputs. The documented threshold is substantially lower than prior fine-tuning erosion estimates, sharpening concern about any post-deployment adaptation pipeline. arXiv:2601.19231

  • Frontier safety profiles are axis-specific and do not generalize across evaluation dimensions. Ma et al. evaluate GPT-5.2, Gemini 3 Pro, Qwen3-VL, Grok 4.1 Fast, and peers across adversarial, multilingual, and compliance axes. Ranking order shifts substantially by axis: a model leading on adversarial robustness may rank mid-tier on compliance. The practical implication is methodological — aggregate safety scores obscure structurally different profiles, and the choice of evaluation axis drives comparative rankings as much as underlying model capability. arXiv:2601.10527

  • ATBench stress-tests agents across 1,000 human-verified long-horizon trajectories. Li et al. organise ATBench failures by risk source, failure mode, and real-world harm type, with a long-context delayed-trigger protocol designed to surface risks that only materialise several steps into a task. Frontier LLMs and guard systems evaluated on ATBench show consistent gaps between per-step safety checks and trajectory-level outcomes — confirming that monitoring individual actions is insufficient for catching failures that accumulate across action chains. arXiv:2604.02022

  • Computer-use agents fail safety-aware planning even under benign conditions. Chen et al. propose LPS-Bench for evaluating MCP-based computer-use agents on long-horizon tasks in both routine and adversarial planning contexts. Current systems show significant safety awareness gaps even without adversarial pressure, indicating the planning capability itself — not only robustness to attack — is insufficient for safe real-world deployment. arXiv:2602.03255

Implications for Embodied AI

The multi-turn and trajectory-level results share a structural diagnosis: safety properties measured at a single timestep do not predict behaviour across extended task execution. For embodied systems, this gap carries higher stakes than in dialogue contexts — physical actions are frequently irreversible, and a failure at step seven cannot be recovered by correct behaviour at step eight. ATBench’s delayed-trigger protocol directly models this accumulation: risk surfaces late, after a trajectory’s nominal “safe” prefix has passed any per-step check. Evaluation frameworks that do not account for trajectory depth are measuring a different and weaker property than operational safety.

The refusal-unlearning finding adds a compounding concern. Embodied and agentic deployments routinely involve post-deployment adaptation — persona tuning, environment-specific calibration, domain fine-tuning. If 1,000 benign samples can disrupt alignment, any such adaptation pipeline is a latent safety erosion vector. The token-memorization mechanism identified by Guo et al. implies that refusal behavior needs to be encoded at a deeper representational level than current alignment training achieves if it is to survive the adaptive pressures routine in production deployment.

Baseline generation — paper discovery via Hugging Face/arXiv. NLM-augmented assets (audio/infographic/video) added by local pipeline when available.