system: OPERATIONAL
← back to all hacks
DEFENSE MEDIUM NEW

AgentLens: catching unsafe coding-agent steps inside the model's activations

A late-June 2026 paper proposes a white-box defense that reads a coding agent's own hidden states to flag harmful execution steps mid-task, then steers them out through a tiny activation subspace.

2026-07-07 // 7 min affects: coding-agents, llm-agents, llama-3.1, qwen-2.5, gemma-2

What is this?

In late June 2026, Weidi Luo, Qiming Zhang, Yihao Quan, Mingyu Jin, Jie Cai, Chaowei Xiao, Jingcheng Niu and Zhen Xiang — working across the University of Georgia, the University of South Florida, Rutgers, USC and Johns Hopkins — published AgentLens: Interpretable Safety Steering via Mechanistic Subspaces for Multi-Turn Coding Agent on arXiv (2606.22673). The paper targets a gap that most coding-agent safety work leaves open: risk does not appear in a single prompt, it accumulates across a multi-turn execution trajectory, and by the time an external guardrail sees a bad tool call the agent may already be several steps into a harmful plan.

AgentLens is a white-box defense. Instead of judging the agent from the outside on its inputs and outputs, it reads the model’s own internal representations at each step of a task and asks whether the current execution state is drifting toward harm. It is educational, defensive research on an open-weight setting; no operational exploit is involved.

How it works

The method has two halves: detection and mitigation.

For detection, AgentLens treats each step of an agent trajectory as a point in the model’s hidden-state space. Harmful and benign execution states separate in that space, so a lightweight probe over the step-level hidden representations can flag when a trajectory has entered an unsafe region — before the agent commits the next tool call.

For mitigation, the paper does not retrain the model or bolt on a second LLM judge. It identifies a compact direction of “harmfulness” and intervenes inside a 10-dimensional subspace within a single layer, nudging the representation back toward safe behavior. The intervention is small and local, which is the point: it steers the agent away from the unsafe continuation while trying not to wreck its ability to finish legitimate coding work.

Per-step defense loop (conceptual)

  hidden state at step t ──► subspace probe ──► safe?
        │                                        │
        │                              no ──► steer within a
        │                                     10-dim subspace of
        │                                     one layer, then continue
        └────────────────► yes ──► let the step proceed

To measure any of this you need labelled multi-turn trajectories, which barely exist. The authors therefore build the Mechanistic Agent Safety (MAS) benchmark: annotated multi-turn execution trajectories across 194 tasks, generated with three open-weight models — LLaMA-3.1-8B, Qwen-2.5-7B and Gemma-2-9B — so that each step in a trajectory carries a safety label the probe can be trained and evaluated against.

Why it matters

Coding agents are among the highest-privilege LLM deployments in production: they read repositories, run shell commands and touch credentials. External guardrails and single-turn classifiers were designed for chat, and they struggle with a trajectory that only becomes dangerous in aggregate — the same blind spot behind indirect-injection brittleness in agents and lingering authority in coding agents. AgentLens is interesting because it moves the decision inside the model and per step, which is where the risk actually evolves.

The trade-off is honest and worth stating: white-box defenses need access to hidden states, so they fit self-hosted open-weight agents far better than closed API models where activations are not exposed. And representation-level steering, like other representation-based detection work, lives or dies on whether the “harm” direction generalizes beyond the tasks used to find it.

Defenses

For teams running self-hosted coding agents, the paper points at a defensive layer that composes with, rather than replaces, existing controls.

Instrument the trajectory, not just the endpoints. Log and inspect the agent’s state at each step so a bad plan is catchable before its final tool call, instead of relying only on input filtering and output moderation.

Prefer local, low-dimensional interventions. A narrow subspace steer keeps utility intact better than blanket refusals or aggressive system-prompt hardening, which tend to break legitimate long-horizon tasks — the autonomy-tax problem.

Build labelled multi-turn evaluation data. You cannot tune or trust a step-level detector without trajectories annotated for safety; MAS-style datasets are a prerequisite, and a single-turn benchmark will overstate your coverage.

Keep the classic controls. Representation steering is a mitigation of last resort inside the model — least-privilege tool scopes, sandboxing and human confirmation for destructive actions still matter, because the internal signal is probabilistic and can miss.

Status

ItemDetail
DisclosurearXiv preprint 2606.22673, late June 2026 (cs.AI / cs.SE)
TypeWhite-box runtime defense — step-level detection + representation-level mitigation for multi-turn coding agents
MechanismProbe over step hidden states; steering within a 10-dimensional subspace of a single layer
BenchmarkMechanistic Agent Safety (MAS): 194 tasks, annotated multi-turn trajectories
Models studiedLLaMA-3.1-8B, Qwen-2.5-7B, Gemma-2-9B (open weights)
Main limitationRequires hidden-state access (self-hosted models); generalization of the harm direction beyond training tasks

Sources