Papers
Topics
Authors
Recent
Search
2000 character limit reached

Instruction Bleed: Cross-Module Interference in Prompt-Composed Agentic Systems

Published 24 Jun 2026 in cs.AI, cs.IR, and cs.MA | (2606.26356v1)

Abstract: Practitioners of prompt-composed agentic systems report a recurring failure mode: editing one prompt module silently shifts the behavior of others despite no shared variable or executable dependency. We formalize this as compositional behavioral leakage (CBL): interference between modules sharing a context window. CBL is enabled by architectural non-isolation: transformer self-attention provides no formal boundary between concatenated modules. We probe CBL on a deployed job-evaluation agent (Claude Sonnet 4.6, 144 trials) through a reusable three-channel protocol that perturbs non-focal modules along volume, content, and form. Only the content channel produces a detectable paired effect (Cohen's d = 0.63, bootstrap 95% CI excluding zero); no recommendation flipped -- a sub-threshold regime invisible to standard QA but compounding across the thousands of decisions a deployed agent makes. CBL is orthogonal to known agent-failure axes (adversarial injection, cognitive degradation, multi-agent fault propagation, privacy leakage). We contribute an operational definition, a reusable protocol, a falsifiable prediction set, and a system-class characterization, establishing cross-module interference measurement as a requirement for prompt-composed agent evaluation.

Authors (2)

Summary

  • The paper identifies compositional behavioral leakage (CBL) as a systematic interference where irrelevant semantic edits in one module affect unrelated modules.
  • It employs an empirical protocol with volume, content, and form perturbation channels to measure shifts in cv-match scores, notably with Cohen's d=0.63 in the content channel.
  • The study highlights practical implications for auditing reliability in prompt-composed systems, calling for robust mitigation strategies against sub-threshold behavioral drift.

Instruction Bleed: Cross-Module Interference in Prompt-Composed Agentic Systems

Introduction

This paper addresses a failure mode intrinsic to prompt-composed agentic systems, specifically the phenomenon termed "compositional behavioral leakage" (CBL). CBL is defined as cross-module interference: changes or additions to one prompt module silently and systematically altering the behavior of unrelated modules within the same context window, despite no overt dependency or variable sharing. The underlying architectural cause is the lack of isolation among modules concatenated in an LLM's input, with transformer self-attention permitting unrestricted cross-token influence. The work targets a growing class of agentic systems assembled at runtime from human-authored prompt modules, which encode policy, workflow, and decision logic in text for LLM interpretation.

Theoretical Framework and Distinguishing CBL

The central claim is that the assumption of modular compositionality in these systems is unwarranted—transformer-based LLMs do not enforce any formal boundary between concatenated prompt modules. As a result, behavior is not a simple function of module-wise logic, but is emergent from the global attention mechanism. CBL is positioned orthogonally to well-studied agent failure axes: it is distinct from adversarial prompt injection, longitudinal cognitive degradation, privacy leakage, and fault propagation in multi-agent settings.

The paper formalizes CBL as the existence of a significant paired shift in a focal module's behavior after a semantically irrelevant edit to another module, quantified by the expected change in observable outputs. This constructs a rigorous foundation for both identifying and measuring CBL.

Empirical Validation: Protocol and Results

A practical probe of CBL is conducted within the "career-ops" job-evaluation agent, which is constructed in the prompt-composed paradigm. The experimental protocol introduces three perturbation channels affecting non-focal modules: volume (addition of a large, unrelated module), content (addition of an irrelevant semantic archetype), and form (meaning-preserving structural format changes). The focal metric is the "cv-match" score, representing alignment between candidate background and job requirements.

The most significant finding is observed in the content perturbation channel (C2): adding a semantically irrelevant "Professional Chef" archetype to the rules module yields a measurable shift in cv-match scores, with Cohen's d=0.63d=0.63 and a bootstrap 95% confidence interval [+0.03,+0.31][+0.03, +0.31]—explicitly excluding zero. By contrast, neither volume nor format perturbations yielded statistically significant effects, localizing the interference to changes in semantic content rather than generic context growth or formatting. No score threshold crossings (recommendation flips) occurred, delimiting the result to "sub-threshold drift." This regime is invisible to standard QA protocols, which focus on discrete decisions, but can systematically bias aggregate outcomes in deployed agentic systems.

Mechanisms Underlying CBL

Four architectural properties underpin CBL:

  • Global self-attention: No architectural constraint limits token interactions by module boundary or delimiter convention.
  • Proactive interference: Prior context—regardless of semantic content—can degrade performance on subsequent modules via memory limits, as shown in (Wang et al., 9 Jun 2025).
  • Coverage limitations: Compositional generalization is bounded by the coverage of module combinations in pre-training, leading to unpredictable behavior for novel combinations (see (Chang et al., 26 May 2025)).
  • Prompt sensitivity: Behavioral responses are highly sensitive not only to semantic content but also to format and syntactic conventions, as established in (Sclar et al., 2023).

These properties collectively render delimiter-based (conventional) isolation a behavioral expectation, not an enforceable guarantee.

Implications for Deployed Systems

The primary practical risk is persistent, silent unreliability: as prompt modules are edited or extended—often by distributed communities—behavioral drift accumulates in unmonitored ways. Sub-threshold drifts, though insufficient to trigger recommendation flips individually, can bias ranking and aggregation in downstream systems. The result is a challenging auditing problem for reliability and fairness in any application domain where score-based outputs influence consequential decisions.

This has profound implications for testing and evaluation. Exhaustive pairwise or higher-order interaction testing is infeasible at the scale of repositories like OpenClaw, which may aggregate tens of thousands of composable modules. Instead, the paper advocates for regression protocols sampling across interaction spectra and highlights the necessity of re-evaluation under model migration.

Distinction from Adjacent Work and Theoretical Positioning

The study delineates CBL from adjacent failure modes (e.g., adversarial injection (Debenedetti et al., 2024), cognitive degradation (Atta et al., 21 Jul 2025), privacy leakage (Patil et al., 16 Sep 2025)) and from modular prompting approaches dependent on hard isolation at the API or mathematical level ((Khot et al., 2022), [2022.emnlp-main.109], [2023/460], [aaai.v39i16.33804]). It also situates CBL within limitations found in broader compositional generalization research ([yu2024skillmix], [dziri2023faith]).

The operational protocol introduced—three-channel perturbation along volume, content, and form—offers a reusable framework with falsifiable predictions for replication and systematization in future work. The predictions encompass model-level variation, semantic-distance sensitivity, and intervention-magnitude scaling.

Prospects for Future Research and Mitigation

Outstanding questions include the potential for architectural or pre-processing interventions that could realize robust prompt-module isolation—such as explicit scoped attention or modular caching. Alternatively, the prospect exists that the global attention mechanism of transformers precludes reliable text-level isolation altogether, requiring fundamental rethinking of agent design at scale. Extending the CBL protocol to multimodal and web-integrated agentic settings represents an open avenue for generalizing both failure modes and mitigation frameworks.

Conclusion

This study establishes compositional behavioral leakage as a measurable and practically relevant failure mode in prompt-composed agentic systems. The findings invalidate assumptions of modular compositionality under unconstrained transformer self-attention, revealing systematic, sub-threshold behavioral shifts from localized, semantically irrelevant prompt edits. The operational framework and empirical protocol provided set the stage for systematic evaluation and further research into architectural and protocol-level mitigations, establishing cross-module interference measurement as essential for reliable prompt-composed agent evaluation (2606.26356).

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 1 tweet with 2 likes about this paper.