Cross-model prompt laundering: a refusal that doesn't survive the handoff
In multi-agent stacks, one model's output becomes another model's user turn. A July 2026 finding shows the second model never learns the first already refused — so it complies.
What is this?
On 3 July 2026, Axis Intelligence Research added a new entry to its monthly AI Model Vulnerability Tracker (tracker last updated 4 July 2026) describing a pattern it calls cross-model prompt laundering via API chaining. It is not a flaw in any single model. It is a gap that opens up between two models when the output of one is piped into another as an ordinary user turn — the exact wiring that multi-agent orchestration stacks rely on.
The observation is simple and uncomfortable. Model A refuses a request. The orchestrator, by design or by accident, forwards a reworded version of the same underlying request to Model B. Model B has no idea that Model A already declined it. It sees a fresh, innocuous-looking user message and answers. The refusal never travelled with the request. In the researchers’ lab, 14 of 18 tested chains produced the refused output within two hops.
How it works
The mechanism is structural, not clever. A safety refusal is a property of a single inference: the model weighs the prompt in front of it and declines. That decision is not a durable label attached to the request; it is an event that happens inside one model call and then evaporates. When an orchestrator hands work off — summarizer to planner, planner to tool-runner, one vendor’s model to another’s — it typically forwards content, not the safety history that produced it.
So the second model inherits the words but not the verdict. A request that reads as harmful in one framing can be reformulated, decomposed into subtasks, or simply relabelled as “context to process” before it reaches Model B. Because Model B is answering what looks like a benign user turn, its own alignment training fires against the wrong question. The attack surface, as the tracker puts it, is the seam between models, not a weakness in either one.
This lines up with a broader argument in the research literature. A May 2026 position paper, Safety and Fairness in Agentic AI Depend on Interaction Topology, Not on Model Scale or Alignment, makes the general case: when system behaviour is dominated by how components are wired together, per-component alignment does not reliably compose into system-level safety. Aligning each model in isolation constrains local behaviour; the topology of the pipeline determines what the whole thing actually does. Cross-model laundering is that abstract claim showing up as a concrete, reproducible finding.
Why it matters
Multi-agent orchestration went from research demo to production plumbing over the first half of 2026. As DeepInspect’s mid-year agentic-AI review (1 July 2026) documents, chained model calls now sit behind everyday enterprise features — summarize, then plan, then act — often mixing vendors and model versions in a single request path. Every handoff in that chain is a place where a refusal can be quietly dropped.
The consequence is that “we use a well-aligned model” stops being a sufficient safety story. The finding was reproduced across a mix of current frontier models acting as the downstream link, which means the exposure is a property of the architecture pattern, not of one vendor’s guardrails. A team can buy the most refusal-happy model on the market and still ship a pipeline that launders a rejected request through it — because the model was never told a rejection had already happened.
Defenses
The fix is to stop treating a handoff as a clean slate. Carry safety state across the seam, and re-check at every boundary rather than trusting that an upstream model already did.
Concretely: re-screen at each hop. Run input classification on content entering every model in the chain, not just the one the user talks to. The second model should be guarded as if its input were untrusted user text — because, functionally, it is. Propagate refusal signals. When an upstream model declines, the orchestrator should record that and refuse to forward a semantically equivalent request downstream, instead of silently reformulating and retrying. Preserve provenance. Tag content with where it came from and whether it originated from a user, a tool, or another model’s output, so a downstream guard can weigh it correctly rather than reading everything as a trusted user turn. Put a policy layer at the request boundary, not inside the models. A gateway that sees the whole chain can enforce a single consistent policy across hops, which no individual model can do because none of them sees the full path. And test the pipeline, not the parts. Evaluate safety end-to-end on the assembled chain; a suite that only red-teams each model in isolation will miss exactly this class of failure, because the failure lives between them.
Status
| Aspect | Detail |
|---|---|
| Reference | AVI-2026-0104, “Cross-Model Prompt Laundering via API Chaining” (Axis Intelligence tracker) |
| Disclosure | Filed 3 July 2026; reported to OpenAI, Anthropic and Google DeepMind on 3 July 2026 |
| Class | Architectural safety gap — refusal state not preserved across model-to-model handoffs |
| Reproduction | 14 of 18 tested chains produced the refused output within two hops (lab testing) |
| Affected | Reported against GPT-5, Claude Sonnet 4.6 and Gemini 3 Pro as the downstream model; pattern is framework-level |
| Academic grounding | Interaction-topology position paper (arXiv 2605.01147, May 2026): per-component alignment does not compose into system safety |
| Exploited in the wild | Not reported as exploited; disclosed under coordinated disclosure |