Session Risk Memory (SRM): Temporal Authorization for Deterministic Pre-Execution Safety Gates
arXiv:2603.22350v1 Announce Type: new Abstract: Deterministic pre-execution safety gates evaluate whether individual agent actions are compatible with their assigned roles. While effective at per-action authorization, these systems are structurally blind to distributed attacks that decompose harmful intent across multiple individually-compliant steps. This paper introduces Session Risk Memory (SRM), a lightweight deterministic module that extends stateless execution gates with trajectory-level authorization. SRM maintains a compact semantic centroid representing the evolving behavioral profile of an agent session and accumulates a risk signal through exponential moving average over baseline-subtracted gate outputs. It operates on the same semantic vector representation as the underlying gate, requiring no additional model components, training, or probabilistic inference. We evaluate SRM on a multi-turn benchmark of 80 sessions containing slow-burn exfiltration, gradual privilege escal
arXiv:2603.22350v1 Announce Type: new Abstract: Deterministic pre-execution safety gates evaluate whether individual agent actions are compatible with their assigned roles. While effective at per-action authorization, these systems are structurally blind to distributed attacks that decompose harmful intent across multiple individually-compliant steps. This paper introduces Session Risk Memory (SRM), a lightweight deterministic module that extends stateless execution gates with trajectory-level authorization. SRM maintains a compact semantic centroid representing the evolving behavioral profile of an agent session and accumulates a risk signal through exponential moving average over baseline-subtracted gate outputs. It operates on the same semantic vector representation as the underlying gate, requiring no additional model components, training, or probabilistic inference. We evaluate SRM on a multi-turn benchmark of 80 sessions containing slow-burn exfiltration, gradual privilege escalation, and compliance drift scenarios. Results show that ILION+SRM achieves F1 = 1.0000 with 0% false positive rate, compared to stateless ILION at F1 = 0.9756 with 5% FPR, while maintaining 100% detection rate for both systems. Critically, SRM eliminates all false positives with a per-turn overhead under 250 microseconds. The framework introduces a conceptual distinction between spatial authorization consistency (evaluated per action) and temporal authorization consistency (evaluated over trajectory), providing a principled basis for session-level safety in agentic systems.
Executive Summary
The article introduces Session Risk Memory (SRM), a novel lightweight deterministic module that enhances stateless pre-execution safety gates by introducing temporal authorization via a compact semantic centroid and exponential moving average risk signal. SRM addresses a critical gap in current systems: while per-action authorization is effective, it fails to detect distributed attacks that exploit compliant steps across multiple turns. By maintaining behavioral profile continuity without additional training or probabilistic inference, SRM enables session-level safety. Empirical results on a multi-turn benchmark demonstrate superior performance—F1 = 1.0000 with 0% false positives—compared to baseline ILION, while maintaining negligible overhead (<250 microseconds per turn). This represents a significant conceptual advance in agentic system safety.
Key Points
- ▸ SRM introduces temporal authorization via trajectory-level behavioral profiling without additional model components
- ▸ It uses exponential moving average on baseline-subtracted gate outputs to detect distributed attacks across compliant steps
- ▸ Empirical validation shows 100% detection rate with zero false positives and sub-millisecond overhead
Merits
Conceptual Advance
SRM introduces a principled distinction between spatial (per-action) and temporal (trajectory-level) authorization consistency, filling a foundational gap in safety gate design
Demerits
Limited Scope
Evaluation is confined to a specific benchmark; generalization to diverse agentic architectures or real-world deployment scenarios remains untested
Expert Commentary
This paper represents a significant methodological breakthrough in the field of autonomous system safety. The SRM mechanism elegantly bridges a critical oversight in conventional security: the inability to detect emergent threat patterns that manifest through the aggregation of individually compliant behaviors. Its design—leveraging semantic vectors and statistical aggregation without introducing computational burden—demonstrates a rare combination of theoretical insight and engineering pragmatism. Importantly, the elimination of false positives without compromising detection rate establishes SRM as a viable standard for future safety gate architectures. This work should be considered mandatory reading for researchers in autonomous systems, cybersecurity, and human-machine interaction, and may catalyze a shift in how safety is evaluated at session-level rather than action-level.
Recommendations
- ✓ Integrate SRM into current pre-execution gate frameworks as a standard extension module
- ✓ Conduct independent evaluations across heterogeneous agentic platforms and real-time deployment scenarios to validate scalability and robustness
Sources
Original: arXiv - cs.AI
