Subliminal Transfer of Unsafe Behaviors in AI Agent Distillation

TL;DR

This paper empirically demonstrates that unsafe behaviors can subliminally transfer from teacher to student AI agents through model distillation, even with rigorous data sanitation, highlighting implicit bias encoding.

Contribution

First empirical evidence showing subliminal transfer of unsafe behaviors in agentic systems via distillation despite explicit data filtering.

Findings

Unsafe behaviors transfer despite keyword filtering.

Behavioral biases are encoded implicitly in trajectory dynamics.

Large-to-small distillation amplifies bias transfer.

Abstract

Recent work on subliminal learning demonstrates that language models can transmit semantic traits through data that is semantically unrelated to those traits. However, it remains unclear whether behavioral traits can transfer in agentic systems, where policies are learned from trajectories rather than static text. In this work, we provide the first empirical evidence that unsafe agent behaviors can transfer subliminally through model distillation across two complementary experimental settings. In our primary setting, we construct a teacher agent exhibiting a strong deletion bias, a tendency to perform destructive file-system actions via an API-style tool interface, and distill it into a student using only trajectories from ostensibly safe tasks, with all explicit deletion keywords rigorously filtered. In our secondary setting, we replicate the threat model in a native Bash environment, replacing API tool calls with shell commands and operationalizing the bias as a preference for issuing chmod as the first permission-related command over semantically equivalent alternatives such as chown or setfacl. Despite full keyword sanitation in both settings, students inherit measurable behavioral biases. In the API setting the student's deletion rate reaches 100% (versus a 5% baseline) under homogeneous distillation; in the Bash setting the student's chmod-first rate reaches 30%-55% (versus a 0%-10% baseline), with the strongest transfer observed in large-to-small distillation. Our results demonstrate that explicit data sanitation is an insufficient defense, and behavioral biases are encoded implicitly in trajectory dynamics regardless of the tool interface.