- The paper introduces a trace-level measurement framework to quantify how controlled perturbations cause structural divergence in multi-agent workflows.
- It empirically demonstrates distinct contamination modes including silent semantic corruption (15.3%), recovery detours (40.3%), and combined disruptions (39.9%) across various modalities.
- The study reveals cross-model robustness differences and advocates for provenance-driven, trace-native evaluations and adaptive orchestration policies.
Introduction and Motivation
The paper "Trace-Level Analysis of Information Contamination in Multi-Agent Systems" (2604.27586) addresses the problem of how uncertainty and corruption in artifact-derived information (e.g., extracted tables, text, images, and audio) propagate through structured multi-agent workflows. With the increasing use of LLM-driven agents that decompose tasks, invoke tools, and coordinate via explicit interfaces, ensuring robustness to information contamination is critical. The authors argue that evaluation methods focusing solely on endpoint accuracy obscure underlying vulnerabilities, failure propagation, and cascading cost phenomena. Instead, they introduce a systematic trace-level measurement framework that quantifies both architectural and behavioral divergence due to controlled perturbations of upstream information.
The authors present a precise formalism for modeling workflow execution as traces in a directed interaction graph, with agent specialization and tool invocation nodes. Perturbations are modeled as operators acting on artifact-derived representations (rather than raw files), which is both operationally realistic and critical for isolating step-specific failure modes.
Divergence between the clean run’s trace τ and the perturbed run τ~ is quantified via a normalized structural edit distance between event signature sequences, abstracting away lexical variation. Temporal localization of contamination (first divergence point t⋆) and control-flow pattern classification (reroute, loop/extended execution, early termination) support granular diagnosis. The experimental regimen includes deterministic orchestration, fixed seeds, and paired runs to control for policy drift.
Empirical Analysis of Contamination Manifestations
A set of 614 paired runs across 32 GAIA benchmark tasks—spanning tabular, document, image, and audio modalities—enables empirical characterization of contamination propagation. The analysis is performed for three LLM backends (GPT-5-mini, LLaMA-3.1-70B, Qwen3-235B), but major results initially focus on GPT-5-mini.
A central empirical finding is the decoupling of structural divergence from outcome corruption:
- Silent semantic corruption: 15.3% of runs yield outcome corruption with negligible structural divergence—error propagates undetected through stable control flow.
- Behavioral detours with recovery: 40.3% of runs diverge structurally but recover the correct answer—indicative of adaptive, redundancy-seeking workflow behavior.
- Combined disruption: 39.9% of runs exhibit both structural and outcome divergence.
The illustrative failure mode (Figure 1) demonstrates these dynamics: a table parsing error leads to downstream rerouting, retries, and hypothesis expansion, expanding execution length and cost, while the workflow may or may not ultimately recover.
Figure 1: An illustrative multi-agent workflow where a table parsing error leads to rerouting, retries, and execution path expansion following the first divergence point t⋆.
Analysis by perturbation type further demonstrates that some errors (e.g., OCR noise) predictably induce structural changes, while others (e.g., image blur, section removal) show high variance, revealing distinct agent adaptation strategies.
Figure 2: Impact of different perturbation types on structural edit distance, highlighting the variance and adaptive response patterns across modalities.
Figure 3: Distribution of first divergence points by perturbation type, showing how document section removal triggers early divergence and OCR noise remains more contained.
Figure 4: Token overhead induced by various perturbation types, with contrast reduction and data-type corruption leading to notably high computational cost.
Control-Flow Patterns and Temporal Dynamics
The paper provides a thorough classification of contamination-induced behavioral patterns:
Modality-specific signatures are evident. Tabular perturbations more often trigger extended execution; audio perturbations are heavily skewed toward early termination. The first divergence point often localizes failure mechanism (early: foundational extraction/parsing; late: downstream reasoning or synthesis stages).
Figure 6: Modality-driven differences in the timing of the first divergence point across traces, highlighting opportunities for targeted verification.
Operational Cost Analysis and Cost-Correctness Tradeoff
Operational cost (token overhead) is not predictive of correctness. High overhead typically arises from recovery attempts (reroute, retry, extended validation) yet does not guarantee recovery: only 16.3% of high-cost runs ultimately recover correct answers, while a substantial 76.2% of low-cost runs result in silent failures.
The most expensive perturbations (encoding errors, watermarks, text redaction) yield low recovery rates, suggesting the need for stratified mitigation—some perturbation classes are best handled with aggressive early rejection, others warrant more elaborate recovery procedures.
LLM Backend Robustness and Behavioral Fingerprints
The propensity for structural divergence and recovery is model-dependent. For example, GPT-5-mini demonstrates 48.6% behavioral detours with recovery, while LLaMA-3.1-70B achieves only 35.4%. These cross-model differences persist even under identical orchestration and perturbation regimes, indicating that "robustness" is, in part, a function of LLM decision heuristics and fallback policies. Timing of first divergence and control-flow signature prevalence also vary by backend.
Figure 7: Comparison of first divergence points by LLM backend, with LLaMA-3.1-70B tending toward earlier divergence.
Figure 8: LLM-dependent control-flow behaviors observed under contamination, framing model selection as a robustness lever.
Implications for Verification and Design of Multi-Agent Systems
The findings highlight fundamental gaps in current guardrail and verification approaches. Specifically, reliance on cost, control-flow disruption, or local format validation as proxies for correctness is insufficient. Silent semantic corruption subverts these checks, while recovery detours consume resources unpredictably without always yielding correctness. There is a strong argument for trace-native evaluation, dynamic provenance tracking, and stratified/temporal verification focused not just on endpoint metrics but on executional integrity and modality-driven failure localization.
The authors advocate for contamination-aware provenance tracking (origin attribution), learning of contamination-resilient orchestration policies, and the creation of benchmarks that expose and taxonomize trace-level failures rather than merely task completion rates.
Future Research Directions
Key areas for future investigation include:
- Causal tracing and origin attribution: Backtracking failure to specific extractions or transformations for targeted remediation.
- Adaptive, contamination-resilient workflow learning: Optimization of agent routing for modality-specific robustness.
- Dynamic, risk-proportional verification: Allocating computational/validation resources based on inferred contamination risk and artifact criticality.
- Trace-native benchmarks: Establishing robustness thresholds using trace-level divergence metrics, not solely endpoint success.
- Cross-domain and long-horizon generalization: Studying contamination accumulation and latent failure modes in extended, open-ended interaction scenarios.
Conclusion
Trace-level measurement of information contamination reveals profound decoupling between structural workflow divergence and endpoint accuracy in multi-agent systems. The study demonstrates that workflows may silently fail despite stable execution, or adapt and recover despite heavy internal disruption. Control-flow signatures, operational cost, and backend heuristics collectively determine observed behavior. These findings necessitate new evaluation methodologies, provenance-driven debugging tools, and more nuanced robustness strategies in the design of agentic, artifact-driven AI systems.