Session Risk Memory (SRM): Temporal Authorization for Deterministic Pre-Execution Safety Gates

TL;DR

This paper presents Session Risk Memory (SRM), a lightweight module that enhances deterministic safety gates with trajectory-level authorization, improving detection of distributed attacks over agent sessions without additional training or inference complexity.

Contribution

SRM introduces a session-level risk assessment mechanism that extends existing safety gates with minimal overhead, enabling detection of complex multi-step malicious behaviors.

Findings

SRM achieves perfect F1 score with zero false positives on a multi-turn benchmark.

SRM operates with less than 250 microseconds overhead per turn.

SRM outperforms stateless gates in detecting distributed attacks.

Abstract

Deterministic pre-execution safety gates evaluate whether individual agent actions are compatible with their assigned roles. While effective at per-action authorization, these systems are structurally blind to distributed attacks that decompose harmful intent across multiple individually-compliant steps. This paper introduces Session Risk Memory (SRM), a lightweight deterministic module that extends stateless execution gates with trajectory-level authorization. SRM maintains a compact semantic centroid representing the evolving behavioral profile of an agent session and accumulates a risk signal through exponential moving average over baseline-subtracted gate outputs. It operates on the same semantic vector representation as the underlying gate, requiring no additional model components, training, or probabilistic inference. We evaluate SRM on a multi-turn benchmark of 80 sessions containing slow-burn exfiltration, gradual privilege escalation, and compliance drift scenarios. Results show that ILION+SRM achieves F1 = 1.0000 with 0% false positive rate, compared to stateless ILION at F1 = 0.9756 with 5% FPR, while maintaining 100% detection rate for both systems. Critically, SRM eliminates all false positives with a per-turn overhead under 250 microseconds. The framework introduces a conceptual distinction between spatial authorization consistency (evaluated per action) and temporal authorization consistency (evaluated over trajectory), providing a principled basis for session-level safety in agentic systems.