Rick-Brick
Paper Review — Safety Control in the Long-Context and Agentic Era

Executive Summary

In research dated 2026-06-01, we review three papers focusing on a shift in which AI safety is no longer limited to “alignment during training,” but becomes fundamentally about control at execution time and intervention during inference. At the same time, since long-context modeling has theoretical limits between efficiency, state, and recall, safety and reliability cannot be guaranteed by simply increasing scale. The common theme across this set is a three-layer structure: (1) whether it can be stopped during execution, (2) whether risk can be disentangled during inference, and (3) what long-context can keep in the first place.

Paper 1: Position Paper “AI Safety Requires Effective Controllability”

  • Authors/Affiliations: Yige Li, Yunhao Feng, Jun Sun (affiliations are based on the paper information on the arXiv page) (arxiv.org)
  • Research background and question: Many AI safety discussions have been built around “alignment,” i.e., getting a model to follow human preferences and safety policies. However, in real agent deployment, an agent runs for a long time in an open environment, using tools; conditions can change midstream, and competing instructions or adversarial inputs may enter. They pose the question that even if there are seemingly safe behaviors, there is a possibility the operator may fail to “stop,” “override,” “redirect,” or “constrain” the system during execution. (arxiv.org)
  • Proposed method: They define controllability as a property such that, at execution time, it is interruptible, overwritable, redirectable, and constrainable via explicit control signals, while also remaining useful during ordinary times when no control signals are present. (arxiv.org) They further introduce ControlBench as a benchmark for evaluating controllability failures and conduct experiments with an OpenClaw-based agent. (arxiv.org)
  • Key results: Based on the abstract of the proposed paper, they report that while existing alignment and guardrails contribute to risk reduction, there are scenarios in which they cannot provide sufficiently sustained, authoritative control that can be enforced during execution. (arxiv.org) In other words, even if something is “safe on average,” a gap remains: the operator cannot dominate at the moments when it is needed.
  • Significance and limitations: This position strongly indicates the need to redesign AI safety not as a “product of training,” but as a “system property during operations.” As a typical analogy, alignment is close to “getting the model to follow a car navigation system,” whereas controllability is a way of thinking that requires “the driver’s brakes to reliably work when things become dangerous.” As a limitation, within the review scope of this article, details about scoring or statistical comparisons are not readable from the abstract; determining how precisely controllability should be measured and whether design patterns can be generalized requires a close reading of the full paper (that said, the introduction of ControlBench itself can be interpreted as an intention to outline a path toward that). (arxiv.org)
  • Source: Position: AI Safety Requires Effective Controllability

If you translate this research for beginners, the key point is that the issue is “not whether the model is smart,” but “whether an external party can seize the initiative at the moment it becomes dangerous.” Since agents act while interacting with their environment, it’s easy to understand the argument as the claim that you need an “execution-time control plane (control plane)”, because checking logs after the fact alone won’t be enough. (arxiv.org) From a societal/industrial perspective, for example, “AI that cannot be stopped” in autonomous execution for medical, finance, or infrastructure can become fatal under regulations and audits; so making controllability a design requirement is a direction that is inseparable from introduction barriers (and yes, technical and cost overhead will increase as well). (arxiv.org)


Paper 2: “Safety Context Injection: Inference-Time Safety Alignment (Static Filter + Agentic Analysis)”

  • Authors/Affiliations: Zhenhao Xu, Wenhan Chang, Yichuan Chen, Yuxin Fang, Junhao Liu, Tianqing Zhu (arxiv.org)
  • Research background and question: Large inference models (LRMs) improve performance on complex tasks, but make safety control difficult at deployment. The reason is that, in a situation close to a black box, the defender cannot change model weights, and therefore must intervene at inference-time instead. (arxiv.org) They state that there are practical difficulties at that stage: (a) harmful intent can be hidden in educational or role-play contexts; (b) deep safety analysis tends to increase latency; and (c) in long adversarial contexts, the local clues of a simple filter can be weakened. (arxiv.org) Their concern is that a gap called a “thinking-output gap” can occur: even though the reasoning process looks careful, the final output turns dangerous. (arxiv.org)
  • Proposed method: In Safety Context Injection (SCI), they aim to improve the safety of final outputs by separating safety evaluation and task generation, and providing the protected model with structured external risk reports as an “injected safety context.” (arxiv.org) Implementation comes in two variants.
    1. Static Model Filtering (SMF): a lightweight one-pass guard
    2. Dynamic Agents Filtering (DAF): for ambiguous cases or long-context attacks, a parser that collects and integrates evidence through an agent loop (arxiv.org)
  • Key results: Based on the abstracts, on AdvBench and GPTFuzz, across five jailbreak families, for both the base model and the inference model, SMF/DAF reduce attack success rate and toxicity. (arxiv.org) They also provide guidance on when to use each method: SMF is a low-latency option, while DAF tends to work better in cases where harmful intent is semantically disguised or dispersed across long text. (arxiv.org)
  • Significance and limitations: The significance lies in making concrete an architecture where, even under black-box constraints, the operational side installs a “review role for safety judgments” and creates a path that affects the final output. As an analogy, it’s similar to having a safety monitor in the passenger seat (an external risk report) telling you “this driving action is dangerous,” and having that caution reflected in the final steering. (arxiv.org) A limitation is that how much computation and latency increase is tolerable in practice must be assessed; moreover, because the quality of the “risk report” is directly tied to performance, robustness of the report generation side (e.g., whether it can be adversarially induced) can become a bottleneck. Since the abstract alone doesn’t provide enough quantitative detail, when considering adoption you should verify the experimental setup in the main text and evaluate the associated costs. (arxiv.org)
  • Source: Safety Context Injection: Inference-Time Safety Alignment via Static Filtering and Agentic Analysis

The idea presented by this paper suggests that safety in the agentic era may be achieved not only by “adjusting internal representations,” but also by “merging safety information before inference.” In terms of terminology, “injection” should be understood not as simply adding a prompt, but as a design that structures the results of a safety evaluation process and uses them to guide attention on the model’s output side. (arxiv.org) The impact on industry is clear: even with closed-domain models, it may be possible to improve safety through deployment, potentially becoming an implementation route for regulatory compliance and reducing accident risk. (arxiv.org)


Paper 3: “The Impossibility Triangle of Long-Context Modeling”

  • Authors/Affiliations: Yan Zhou (affiliations are based on the paper information on the arXiv page) (arxiv.org)
  • Research background and question: Models that handle long-context are often thought to solve problems by simply improving performance. However, theoretically there are constraints on how much information the model can hold and how it updates, and as the length increases, the history required for recall may fail to remain coherent. This paper aims to identify a trade-off (an impossibility triangle) showing that for models that process long sequences, it is impossible to satisfy at least three properties simultaneously. (arxiv.org)
  • Proposed method: The three vertices are formalized as the following properties. (i) Efficiency: computation per step does not depend on sequence length (ii) Compactness: internal state size does not depend on sequence length (iii) Recall: can recall an amount of past information proportional to sequence length They organize these in a unified abstraction (Online Sequence Processor) that treats Transformer, state space models, linear recurrent networks, etc., and using Data Processing Inequality and Fano’s Inequality, show that there is an upper bound on the amount of recall that Efficient and Compact models can retain. (arxiv.org)
  • Key results: Based on the abstract, they prove that Efficient and Compact models can recall at most O(poly(d)/log V) key–value pairs from arbitrarily long sequences. Here, d is the model dimension, and V is the vocabulary size. (arxiv.org) They also classify 52 architectures published by March 2026 into this triangle, and summarize that each method can satisfy at most two of the three elements simultaneously, while hybrids trace a continuous trajectory inside the triangle. (arxiv.org) For composed related recall tasks, they report observing behavior aligned with the theoretical boundaries across multiple representative architectures. (arxiv.org)
  • Significance and limitations: The significance is that it formally articulates that designing long-context models is not a kind of problem that can be avoided through “magical scaling,” but one that forces choices due to information-theoretic and computational constraints. (arxiv.org) As an analogy, if a refrigerator (state size) has limited memory and the number of in/out trips per minute (efficiency) is fixed, then as the shopping list (recall proportional to length) grows, the number of products you can refer to decreases—an intuition close to this. As a limitation, because this is a review based on abstracts, extrapolation to real tasks (summarization, retrieval, agent actions) should be done carefully. Still, it has high value as a “foundation” explaining why problems in long-context safety—accumulation of misdirection, dilution of local cues, and mixing up final outputs—can become serious. (arxiv.org)
  • Source: The Impossibility Triangle of Long-Context Modeling

In terms of connecting to safety, an attacker’s strategy of dispersing harmful intent across a long context can be viewed as applying external pressure against the amount of information (recall capability) the model is able to retain. Therefore, it is consistent with the theoretical backdrop that the effectiveness of inference-time safety intervention (Paper 2) corrects attention on the final-output side through “external risk reports.” (arxiv.org) From an industrial standpoint, this suggests that when introducing long-context support as a “functional requirement,” you need not only to increase computational resources, but also to design how state is held, what reference strategy is used, and how safety evaluation converges. (arxiv.org)


Cross-Paper Reflections

These three pieces appear to come from different fields, but in fact they are discussing the same kind of “design aspects for guaranteeing safety.” The position paper (Paper 1) argues that we should redefine safety as “stop-ability and overwrite-ability.” (arxiv.org) On the other hand, inference-time intervention (Paper 2) offers a concrete approach under black-box constraints: externalizing safety judgments and creating a path that affects the output. (arxiv.org) And the theoretical results of long-context modeling (Paper 3) show a limit that history cannot always be retained even as length increases, and explains how attacks and misdirection are tied up with constraints on “information retention.” (arxiv.org)

In other words, safety in agent operations can be reframed as the following three layers. The first layer is whether an external party can dominate during execution (controllability). (arxiv.org) The second layer is whether safety evaluation can be connected before the output decision (inference-time intervention). (arxiv.org) The third layer is whether the model can retain the necessary information from long context in the first place (theoretical limits). (arxiv.org)

This map of the landscape also suggests directions for the broader future of AI research. Previously, research tended to focus on improving models (performance and alignment), but going forward, operational architectures (control plane, intervention pathways, information retention strategies) should become increasingly important as the main arena. Moreover, as long-context capabilities spread, safety issues are likely to connect less to “data volume” and more to “information-theoretic constraints” and “control design,” raising the need for close collaboration among theory, systems, and safety evaluation. (arxiv.org)

As an additional cross-cutting reference, there was also a position (additional source) that agent safety depends not only on model scale or alignment, but also on interaction topology. (arxiv.org) This perspective reinforces the possibility that controllability may not be fully captured by properties of a single model (this article does not provide an exact detailed comparison in the main text). (arxiv.org)

References

TitleInformation SourceURL
Position: AI Safety Requires Effective ControllabilityarXivhttps://arxiv.org/abs/2605.27117
Safety Context Injection: Inference-Time Safety Alignment via Static Filtering and Agentic AnalysisarXivhttps://arxiv.org/abs/2605.11664
The Impossibility Triangle of Long-Context ModelingarXivhttps://arxiv.org/abs/2605.05066
Position: Safety and Fairness in Agentic AI Depend on Interaction Topology, Not on Model Scale or AlignmentarXivhttps://arxiv.org/abs/2605.01147
Embodied AI in Action: Insights from SAE World Congress 2026 on Safety, Trust, Robotics, and Real-World DeploymentarXivhttps://arxiv.org/abs/2605.10653

This article was automatically generated by LLM. It may contain errors.