Session Risk Memory (SRM): Temporal Authorization for Deterministic Pre-Execution Safety Gates
Abstract
Session Risk Memory enhances deterministic authorization by adding trajectory-level evaluation through semantic centroids and risk accumulation, achieving perfect detection without false positives.
Deterministic pre-execution safety gates evaluate whether individual agent actions are compatible with their assigned roles. While effective at per-action authorization, these systems are structurally blind to distributed attacks that decompose harmful intent across multiple individually-compliant steps. This paper introduces Session Risk Memory (SRM), a lightweight deterministic module that extends stateless execution gates with trajectory-level authorization. SRM maintains a compact semantic centroid representing the evolving behavioral profile of an agent session and accumulates a risk signal through exponential moving average over baseline-subtracted gate outputs. It operates on the same semantic vector representation as the underlying gate, requiring no additional model components, training, or probabilistic inference. We evaluate SRM on a multi-turn benchmark of 80 sessions containing slow-burn exfiltration, gradual privilege escalation, and compliance drift scenarios. Results show that ILION+SRM achieves F1 = 1.0000 with 0% false positive rate, compared to stateless ILION at F1 = 0.9756 with 5% FPR, while maintaining 100% detection rate for both systems. Critically, SRM eliminates all false positives with a per-turn overhead under 250 microseconds. The framework introduces a conceptual distinction between spatial authorization consistency (evaluated per action) and temporal authorization consistency (evaluated over trajectory), providing a principled basis for session-level safety in agentic systems.
Community
SRM extends ILION Gate (arXiv:2603.13247) from stateless per-action authorization to trajectory-aware session-level authorization. Detects slow exfiltration, privilege escalation, and compliance drift attacks invisible to stateless systems. F1=1.0000, FPR=0%, 5 sessions detected earlier than stateless baseline. Benchmark: https://zenodo.org/records/19159713
This is an automated message from the Librarian Bot. I found the following papers similar to this paper.
The following papers were recommended by the Semantic Scholar API
- ILION: Deterministic Pre-Execution Safety Gates for Agentic AI Systems (2026)
- Autonomous Action Runtime Management(AARM):A System Specification for Securing AI-Driven Actions at Runtime (2026)
- Authenticated Workflows: A Systems Approach to Protecting Agentic AI (2026)
- Before the Tool Call: Deterministic Pre-Action Authorization for Autonomous AI Agents (2026)
- Protecting Context and Prompts: Deterministic Security for Non-Deterministic AI (2026)
- SuperLocalMemory: Privacy-Preserving Multi-Agent Memory with Bayesian Trust Defense Against Memory Poisoning (2026)
- AgenticCyOps: Securing Multi-Agentic AI Integration in Enterprise Cyber Operations (2026)
Please give a thumbs up to this comment if you found it helpful!
If you want recommendations for any Paper on Hugging Face checkout this Space
You can directly ask Librarian Bot for paper recommendations by tagging it in a comment: @librarian-bot recommend
Models citing this paper 0
No model linking this paper
Datasets citing this paper 0
No dataset linking this paper
Spaces citing this paper 0
No Space linking this paper
Collections including this paper 0
No Collection including this paper