Omission Constraints Decay While Commission Constraints Persist in Long-Context LLM Agents

TL;DR

This study reveals that in long conversations, omission-based safety constraints in LLM agents weaken over time, while commission constraints remain effective, highlighting a divergence in constraint decay.

Contribution

It introduces the concept of Security-Recall Divergence (SRD) and demonstrates how omission constraints decay while commission constraints persist in long-context LLM interactions.

Findings

Omission compliance drops from 73% to 33% over 16 turns.

Commission compliance remains at 100% throughout.

Re-injecting constraints before Safe Turn Depth restores compliance.

Abstract

LLM agents deployed in production operate under operator-defined behavioral policies (system-prompt instructions such as prohibitions on credential disclosure, data exfiltration, and unauthorized output) that safety evaluations assume hold throughout a conversation. Prohibition-type constraints decay under context pressure while requirement-type constraints persist; we term this asymmetry Security-Recall Divergence (SRD). In a 4,416-trial three-arm causal study across 12 models and 8 providers at six conversation depths, omission compliance falls from 73% at turn 5 to 33% at turn 16 while commission compliance holds at 100% (Mistral Large 3, $p < 10^{-33}$). In the two models with token-matched padding controls, schema semantic content accounts for 62-100% of the dilution effect. Re-injecting constraints before the per-model Safe Turn Depth (STD) restores compliance without retraining. Production security policies consist of prohibitions such as never revealing credentials, never executing untrusted code, and never forwarding user data. Commission-type audit signals remain healthy while omission constraints have already failed, leaving the failure invisible to standard monitoring.