Saved in:
Bibliographic Details
Main Authors: Lin, Shuyi, Suri, Anshuman, Oprea, Alina, Tan, Cheng
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2605.01644
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866918478252867584
author Lin, Shuyi
Suri, Anshuman
Oprea, Alina
Tan, Cheng
author_facet Lin, Shuyi
Suri, Anshuman
Oprea, Alina
Tan, Cheng
contents LLM agents emit actions, not just text, and once taken, those actions often cannot be undone. Yet today's agent-safety evaluations run greedy or a few sampled rollouts and report a single safe/unsafe rate -- blind to the long-tail trajectories where unsafe behavior may arise from low-probability but non-negligible actions. We argue agent safety should be measured by search, not sampling. We apply BOA, a framework that, given a deployment configuration (model, decoder, prompt, environment, judger, likelihood budget), searches the in-budget trajectory space and reports a safety score: the probability the agent stays safe under the configuration. BOA searches both within a single LLM round and across the agent-environment interaction tree under a given likelihood budget, and makes search practical via batched decoding/judging, prefix caching, and chunked tree expansion. On agent-safety workloads, BOA discovers unsafe trajectories that greedy and sampled evaluations miss. BOA can additionally be used for ranking models, defenses, and attacks, all on the same scale, with manageable GPU costs.
format Preprint
id arxiv_https___arxiv_org_abs_2605_01644
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle Toward a Principled Framework for Agent Safety Measurement
Lin, Shuyi
Suri, Anshuman
Oprea, Alina
Tan, Cheng
Cryptography and Security
LLM agents emit actions, not just text, and once taken, those actions often cannot be undone. Yet today's agent-safety evaluations run greedy or a few sampled rollouts and report a single safe/unsafe rate -- blind to the long-tail trajectories where unsafe behavior may arise from low-probability but non-negligible actions. We argue agent safety should be measured by search, not sampling. We apply BOA, a framework that, given a deployment configuration (model, decoder, prompt, environment, judger, likelihood budget), searches the in-budget trajectory space and reports a safety score: the probability the agent stays safe under the configuration. BOA searches both within a single LLM round and across the agent-environment interaction tree under a given likelihood budget, and makes search practical via batched decoding/judging, prefix caching, and chunked tree expansion. On agent-safety workloads, BOA discovers unsafe trajectories that greedy and sampled evaluations miss. BOA can additionally be used for ranking models, defenses, and attacks, all on the same scale, with manageable GPU costs.
title Toward a Principled Framework for Agent Safety Measurement
topic Cryptography and Security
url https://arxiv.org/abs/2605.01644