Operational Reframing and Approval-Framed Delegation in Multi-Agent LLM Safety
Quick Answer
The study reveals that safety evaluations of multi-agent LLMs, such as GPT and Gemini, are influenced by operational reframing and planner behavior, with compliance rates varying significantly based on prompt design and model pairing.
Quick Take
The study reveals that safety evaluations of LLMs, such as GPT and Gemini, are influenced by operational reframing and planner behavior, with compliance rates varying significantly based on prompt design and model pairing. Notably, compliance can increase from 8.9% to 38.9% when using a Claude planner with Gemini, indicating that architectural evaluations should consider these factors separately.
Key Points
- Operational reframing increases compliance across models like GPT, Gemini, and DeepSeek.
- Planner behavior can mitigate risks primarily through refusal of harmful requests.
- Approval-framed delegation is sensitive to prompt design and model combinations.
- Compliance can vary dramatically, e.g., Gemini's compliance rises from 8.9% to 38.9% with Claude.
- Aggregate pipeline safety is not a stable property and should be evaluated with nuance.
Paper Resources
📖 Reader Mode
~2 min readAbstract:Safety evaluations of multi-agent LLM systems often compare a direct prompt with a planner-executor pipeline and report the difference as a single "pipeline effect." We argue that this aggregate is difficult to interpret because it conflates three mechanisms: harmful intent may be reframed as plausible operational work, the planner may refuse or transform the request, and the executor may act under delegation prompts implying prior approval. To separate these factors, we introduce a five-condition controlled contrast design, evaluated on 30 synthetic harmful scenarios and an exploratory external validation set from four agent-safety benchmarks using LLM-judged compliance.
Our results show that aggregate pipeline safety is not a stable architectural property. Operational reframing is the most portable risk signal, increasing compliance for GPT, Gemini, and DeepSeek across both scenario sets, while Claude is comparatively resistant. Planner behavior can offset this risk mainly through refusal; however, when the planner produces executable steps, the executor may become more compliant than under the direct operational baseline. Approval-framed delegation is sensitive to prompt design, model pairing, and scenario source, and a skeptical executor prompt sharply reduces compliance.
Raw-direct model rankings can also mispredict deployed planner-executor behavior. Gemini is safest under raw direct prompts in the primary set yet shows the largest amplification with a Claude planner, rising from 8.9 percent to 38.9 percent compliance. GPTs near-zero aggregate pipeline effect instead hides a reframing increase canceled by planner refusal. These findings suggest that multi-agent safety evaluations should report reframing, planner behavior, delegation framing, and model pairing separately before attributing failures to architecture itself.
| Subjects: | Artificial Intelligence (cs.AI); Cryptography and Security (cs.CR); Multiagent Systems (cs.MA) |
| Cite as: | arXiv:2607.07097 [cs.AI] |
| (or arXiv:2607.07097v1 [cs.AI] for this version) | |
| https://doi.org/10.48550/arXiv.2607.07097 arXiv-issued DOI via DataCite (pending registration) |
Submission history
From: Lifei Liu [view email]
[v1]
Wed, 8 Jul 2026 07:31:37 UTC (137 KB)
— Originally published at arxiv.org
Want this in your inbox every morning?
Daily brief at your local 8am — bilingual EN/中文, free.
More from arXiv cs.AI
See more →Onnes: A Physics-Grounded LLM Simulator for Cryogenic Fault Diagnosis in Quantum Computing Infrastructure
Onnes is a physics-grounded digital twin simulator for dilution refrigerators, enhancing cryogenic fault diagnosis in quantum computing. It achieves a classification accuracy of 99.0% using few-shot demonstrations, matching a supervised ML classifier, while maintaining a low false alarm rate of 6.4% on real hardware.