DeepScience
All digests
ResearchersENArtificial Intelligencedaily

[Artificial Intelligence] Daily digest — 290 papers, 0 strong connections (2026-05-24)

DeepScience — Artificial Intelligence
DeepScience
Artificial Intelligence · Daily Digest
May 24, 2026
290
Papers
10/10
Roadblocks Active
0
Connections
⚡ Signal of the Day
• Agentic AI safety is measurably fragile: a new multi-turn benchmark shows 44.4% of gradual manipulation attacks succeed across nine leading LLMs, with some models failing over 90% of the time.
• Two complementary papers converge on the same warning — one empirically demonstrating that incremental 'boiling the frog' prompting bypasses alignment on deployed models, and another arguing that the security benchmarks used to evaluate agents are themselves structurally flawed and may overstate real-world safety.
• Watch for whether model providers respond to the Boiling the Frog ASR numbers with targeted patches, and whether the benchmark-design critique in 'Measuring Security' triggers a methodological reckoning in agent evaluation — the combination of these two papers makes the current safety evaluation ecosystem look fragile.
📄 Top 10 Papers
Boiling the Frog: A Multi-Turn Benchmark for Agentic Safety
This benchmark tests whether AI models can be gradually manipulated into unsafe behavior through incremental, seemingly innocuous requests — the 'boiling frog' pattern. Across nine models, 44.4% of attacks succeeded overall, but performance varied wildly: Claude Haiku 3.5 failed only 20.5% of the time while Gemini Flash Lite failed 92.9%. The results show that current alignment techniques do not reliably protect against sustained, multi-step manipulation, which is exactly how real-world misuse tends to unfold.
██████████ 0.9 alignment-safety Preprint
AgroTools: A Benchmark for Tool-Augmented Multimodal Agents in Agriculture
AgroTools provides 539 agricultural decision-making tasks paired with 14 custom tools — covering soil analysis, pest detection, and crop management — to evaluate whether multimodal AI agents can correctly select, configure, and recover from tool use. Testing 13 leading models revealed systematic failures in tool planning and argument generation that are completely invisible when only checking final answer correctness. This matters because it shows that outcome-level evaluation is insufficient for safely deploying AI agents in expert domains where intermediate reasoning steps carry real-world consequences.
█████████ 0.9 agent-tool-use Preprint
Measuring Security Without Fooling Ourselves: Why Benchmarking Agents Is Hard
This position paper identifies three structural weaknesses that undermine security benchmarks for AI agents: exploitable evaluation artifacts that let agents pass tests without genuine capability, temporal staleness as agents rapidly outpace static benchmarks, and runtime uncertainty that makes evaluations non-reproducible. The core argument is that agents can achieve high benchmark scores by exploiting patterns in the evaluation setup rather than demonstrating real security competence. This matters because the field currently treats benchmark scores as trustworthy proxies for safety — a dangerous assumption if the benchmarks themselves are gameable.
█████████ 0.9 agent-tool-use Preprint
Advancing Mathematics Research with AI-Driven Formal Proof Search
An LLM-based agent using the Lean formal proof assistant autonomously resolved 9 of 353 open Erdős problems and proved 44 of 492 open conjectures from the OEIS mathematical database, at a cost of a few hundred dollars per solved problem. The system combines LLM-generated proof candidates with Lean's formal verification, ensuring that reported proofs are mathematically certified rather than plausible-sounding outputs. This is concrete evidence that AI can make genuine contributions to unsolved research mathematics, not just assist with known techniques.
█████████ 0.9 reasoning-reliability Preprint
Pre-VLA: Preemptive Runtime Verification for Reliable Vision-Language-Action and World-Model Rollouts
Pre-VLA adds a lightweight verification module to robotic vision-language-action models that scores planned actions for safety before they are executed, allowing the system to resample poor actions rather than commit to them. On the LIBERO manipulation benchmark, this raised closed-loop task success from 30.8% to 37.6% while also reducing wasted execution steps. The practical implication is that catching bad decisions before they propagate — rather than trying to recover after the fact — is a tractable way to improve reliability in sequential robotic tasks.
█████████ 0.9 embodied-ai Preprint
URCM Framework and LLM Context Formalization: Structural Limits of Hallucination Suppression in High-Capacity Models
This theoretical paper argues that hallucinations in large language models are not fixable bugs but structurally inevitable consequences of how LLMs process context: once a misleading or incoherent frame dominates the input stream, the model cannot fully neutralize it regardless of training. The authors further argue that RLHF, DPO, and constitutional AI adjust surface outputs without touching the underlying dynamics that cause the problem. Important caveat: these claims are purely theoretical with no empirical experiments reported, so the argument should be read as a hypothesis to test rather than an established finding.
█████████ 0.9 hallucination-grounding Peer-reviewed
NeuOS: Discovering and Exploiting the Neural Von Neumann Architecture Inside Pre-Trained Language Models
This paper claims to map transformer layers in a pretrained language model (Qwen2.5-0.5B) onto functional analogues of CPU registers, memory, and programs — a Von Neumann-style architecture — with individual layers identified as registers achieving 74–100% accuracy in that role. It further reports that dynamically reallocating these 'registers' allows 100% recovery from simulated layer damage. The methodology is based on 170 experimental phases and is described on Zenodo without peer review, so the claims warrant significant scrutiny before being taken at face value; however, if even partially valid, the interpretability implications would be substantial.
██████████ 0.8 interpretability Peer-reviewed
Towards Clinically Interpretable Ophthalmic VQA via Spatially-Grounded Lesion Evidence
This paper introduces a benchmark of 72,706 clinical questions paired with 10,719 fundus images, where lesion locations are standardized to the ETDRS grid — a nine-region anatomical map used by ophthalmologists. Models evaluated on both answer accuracy and spatial reasoning alignment consistently performed better when incorporating explicit lesion localization, revealing that answer correctness alone is a misleading metric for medical AI. The finding has broad implications: in high-stakes domains, models can give correct answers for wrong reasons, and dual-metric evaluation exposes this gap.
██████████ 0.8 multimodal-understanding Preprint
From Recognition to Reasoning: Benchmarking and Enhancing MLLMs on Real-World Receipt Document Understanding
ReceiptBench evaluates multimodal LLMs on 10,656 real-world receipt images across four progressively harder tasks: basic text recognition, format normalization, semantic reasoning, and structured parsing. Current models handle recognition adequately but degrade sharply on normalization and reasoning, exposing a gap between reading text and understanding its meaning in context. A two-stage training approach — supervised fine-tuning followed by a reward-guided method that penalizes hallucinations — shows measurable gains, suggesting structured training curricula can address document-understanding weaknesses specifically.
██████████ 0.8 reasoning-reliability Preprint
Forecasting Scientific Progress with Artificial Intelligence
This study tests whether frontier AI models can reliably predict whether and when specific scientific advances will occur, using a temporally grounded evaluation with controlled knowledge cutoffs. Models systematically failed on both tasks — whether a breakthrough would happen and when — across biology, chemistry, and physics, though AI progress itself proved more predictable than other scientific domains. The implication is that despite impressive performance on structured reasoning tasks, current AI cannot model the uncertainty and contingency that characterize real scientific discovery.
██████████ 0.8 reasoning-reliability Preprint
🔬 Roadblock Activity
Roadblock Papers Status Signal
Data Quality and Curation 139 Active Highest-volume roadblock today, with benchmark construction and evaluation methodology papers (ReceiptBench, AgroTools, Forecasting Scientific Progress) highlighting that poor evaluation design is as damaging as poor data quality.
Hallucination and Grounding 108 Active Two theoretical papers argue hallucinations are structurally inevitable in LLMs, while the ophthalmic VQA benchmark demonstrates that spatial grounding is a concrete, measurable mitigation path in high-stakes domains.
Interpretability 89 Active The NeuOS paper makes a provocative claim that transformer layers map onto Von Neumann CPU registers — a claim that, if validated, would represent a major conceptual advance in mechanistic interpretability.
Reasoning Reliability 86 Active The mathematics proof paper (9 Erdős problems solved) and the scientific forecasting paper (systematic failure on timing prediction) together paint a nuanced picture: AI reasoning is strong on formal, verifiable tasks but unreliable on open-ended uncertainty estimation.
Efficiency and Scaling 75 Active No top-tier efficiency-scaling papers surfaced today despite the high paper count; the roadblock is active in volume but not producing standout results in this batch.
Multimodal Understanding 72 Active Concrete benchmark contributions today: AgroTools (agricultural tool use), ophthalmic VQA (spatial grounding in retinal images), and ReceiptBench (document reasoning) all expose specific multimodal failure modes that generic evaluations miss.
Agent Tool Use 55 Active A strong day for this roadblock: AgroTools benchmarks tool-use failure modes in agriculture, Boiling the Frog shows alignment failures under multi-turn agent manipulation, and Measuring Security challenges whether existing agent safety evaluations are valid at all.
Alignment and Safety 53 Active The Boiling the Frog benchmark's 44.4% aggregate attack success rate is the clearest empirical safety signal of the day, directly quantifying how current alignment mechanisms degrade under sustained multi-turn pressure.
Embodied AI 37 Active Pre-VLA demonstrates that preemptive action verification — scoring actions before execution rather than recovering after failure — meaningfully improves reliability in robotic manipulation benchmarks.
Long Context 28 Active Lowest-volume active roadblock today; the S2ED story illustration paper touches long-context narrative consistency but no dedicated long-context papers reached the top tier.
View Full Analysis
DeepScience — Cross-domain scientific intelligence
Sources: arXiv · OpenAlex · Unpaywall
deepsci.io