Agent Attribution in Autonomous Systems
- Agent Attribution is the process of linking an autonomous system's observed behaviors to the responsible source, defining the causal chain in complex operations.
- Recent methodologies use full execution traces, counterfactual validation, and hierarchical context representation to improve attribution accuracy in diverse settings.
- Attribution drives practical applications from cybersecurity and CTI to decision support by informing blame assignment, provenance tracking, and system evolution.
Agent attribution is the task of linking an observed behavior, outcome, or artifact generated by an autonomous system to the responsible source. Recent work uses the term across several technically distinct settings: attributing Advanced Persistent Threat campaigns to APT groups from CTI artifacts (Rani et al., 11 Jun 2025), determining whether an LLM agent’s tool call is supported by user intent or driven by untrusted observations (He et al., 11 Mar 2026), explaining which historical components and sentences drove a realized action (Qian et al., 21 Jan 2026), specifying the causal story an agent should produce for decision support (Yu et al., 8 Jan 2026), linking harmful vendor-hosted agents to the responsible account (Chocron et al., 15 May 2026), localizing the responsible agent and decisive step in failed multi-agent trajectories (Zhang et al., 30 Apr 2025), assigning reward or blame in cooperative decision processes (Zhang et al., 2020), and tracing final text or web traffic back to hidden agent architectures (Nian et al., 18 Mar 2026). The subject is therefore not a single algorithmic problem but a family of provenance, causality, accountability, and optimization problems.
1. Conceptual boundaries
A central distinction in the literature is between failure attribution and general agentic attribution. Failure attribution starts from a failed trajectory and asks which agent and step made failure inevitable; in the turn-based formalization of multi-agent systems, the output is a responsible agent and an earliest decisive error step (Zhang et al., 30 Apr 2025). General agentic attribution is broader and outcome-agnostic: given a completed interaction and a realized action, it asks which historical components and which sentences drove the model toward that action, even when the final task outcome is acceptable (Qian et al., 21 Jan 2026).
Recent surveys sharpen the separation between attribution, credit assignment, blame, and provenance. In the LIFE progression, attribution is the diagnostic bridge from collaboration to self-improvement: it uses the complete execution trajectory to identify responsible agent(s), decisive step(s), and causal propagation mechanisms, while provenance tracing supplies the dependency chain among messages, tools, and actions without itself being a judgment of fault (Qi et al., 14 May 2026). In cooperative sequential decision making, blame attribution is explicitly normative: the objective is to quantify each agent’s responsibility for the inefficiency of joint behavior, and this can diverge from purely causal contribution (Triantafyllou et al., 2021).
A second boundary concerns whether attribution assumes a single oracle cause. Earlier failure-attribution settings typically reduce the problem to one decisive step, but multi-perspective work argues that many failed executions admit several plausible attributions. In MP-Bench, only 16.2% of failure steps were agreed upon by all three annotators, 27.8% by exactly two annotators, and 56.1% by a single annotator; pairwise disagreement can reach up to about 60% of steps (In et al., 26 Mar 2026). This directly challenges deterministic single-cause evaluation.
A third boundary is between runtime attribution and design-time attribution. Runtime methods diagnose behavior after or during execution. By contrast, 4D-ARE treats attribution as a requirements-engineering problem: the key question is not only how an agent reasons at execution time, but what causal story it has been specified to produce when answering “why” and “what next” questions (Yu et al., 8 Jan 2026).
2. Formal objects of attribution
The object being attributed varies across domains, and so does the formal output. Some systems attribute an external actor, some a tool invocation, some a span of text, and some a coalition contribution. The result is a layered formal landscape rather than a single canonical definition.
| Attribution target | Canonical output | Representative formalization |
|---|---|---|
| Cyber threat actor | actor prediction and justification | |
| Tool invocation | intent-supported vs observation-driven | |
| Realized action | component- and sentence-level scores | , |
| Failed MAS trajectory | responsible agent and decisive step | |
| Coalition contribution | per-agent attribution score |
In knowledge-grounded cyber attribution, AURA maps an analyst query to an actor prediction and a justification , with the attribution agent aligning observed TTPs, IoCs, malware, infrastructure, targets, and timelines to retrieved CTI evidence (Rani et al., 11 Jun 2025). In action-level security attribution, AttriGuard defines a mapping over the current history 0 and a candidate tool call 1, and asks whether the call is causally supported by the user’s task or driven by untrusted observations (He et al., 11 Mar 2026).
For outcome-agnostic explanation of a realized action, the hierarchical framework of “The Why Behind the Action: Unveiling Internal Drivers via Agentic Attribution” scores components by temporal likelihood gains,
2
and then refines high-impact components by sentence-level perturbation using 3, 4, and 5 (Qian et al., 21 Jan 2026).
In multi-agent failure attribution, the turn-based formalization centers on intervention. A decisive error is a pair 6 such that replacing the action at time 7 with a corrected action changes the outcome from failure to success; the principal cause is the earliest such pair (Zhang et al., 30 Apr 2025). In protocol-conditioned cooperative games, agent attribution is instead an aggregation of marginal contributions under a chosen removal protocol, coalition distribution, and target metric, making the attribution score itself protocol-conditional rather than intrinsic (Lu et al., 26 May 2026).
These formal differences matter operationally. A system optimized for sentence-level explanatory evidence is not automatically suitable for operator-account attribution, and a method that returns calibrated contiguous step intervals is solving a different problem from one that returns a single decisive step.
3. Attribution inside LLM agents and multi-agent systems
The most active recent line of work studies attribution within LLM-based agents and multi-agent systems. Early evidence from Who&When showed that the task is intrinsically difficult: across 184 annotated failure-attribution tasks from 127 multi-agent systems, the best reported agent attribution accuracy was approximately 53.5%, while the best step attribution accuracy was approximately 14.2%; some methods performed below random at step-level (Zhang et al., 30 Apr 2025). This benchmark also clarified a recurrent failure mode: agent-level localization is substantially easier than identifying the earliest decisive step.
Subsequent work broadened both the evidential basis and the attribution objective. TraceElephant argues that failure attribution should be studied under full execution observability rather than output-only traces, and reports that full traces improve attribution accuracy by up to 76% relative to output-only settings (Chen et al., 24 Apr 2026). Its fully observable traces include per-step inputs, outputs, agent identity, tool logs, trace-level metadata, and replayable environments. Under this setting, Static Agentic reaches agent accuracy of approximately 65.9% and step accuracy of approximately 30.3% with ground truth, while Dynamic Agentic improves step accuracy to approximately 33.3% through candidate generation followed by replay-based counterfactual validation (Chen et al., 24 Apr 2026).
A separate strand targets explanation of individual actions rather than only failures. The hierarchical temporal-likelihood framework on nine curated trajectories uses component-level replay and sentence-level perturbation, and its default perturbation-based method reaches Hit@1 of 0.944, Hit@3 of 1.000, and Hit@5 of 1.000 on sentence-level attribution against human annotations (Qian et al., 21 Jan 2026). This shifts the emphasis from “what broke” to “what drove the action,” including subtle cases such as memory-induced bias.
Methodologically, recent systems increasingly separate error recognition from responsibility localization. VerifyMAS does this explicitly through hypothesis verification: it instantiates one hypothesis per error type in a 14-class taxonomy, verifies each hypothesis against the full trajectory with labels 8, and only then localizes responsible agents for entailed hypotheses (Qiao et al., 17 May 2026). On Aegis-Bench, this error-first decomposition consistently improves pair-, error-, and agent-level F1 over direct agent-first baselines; after supervised fine-tuning, VerifyMAS-7B-SFT reaches pair 9F1 of 11.93 versus 5.05 for Qwen2.5-7B-SFT, error 0F1 of 29.95 versus 19.61, and agent 1F1 of 61.86 versus 60.03 (Qiao et al., 17 May 2026).
Other work attacks the step-localization problem through structure rather than bigger judges. ECHO uses hierarchical context representation, objective role-diverse analysts, and confidence-weighted consensus. On the hand-crafted subset with ground truth, it reports 0.684 agent-level accuracy and 0.281 exact step-level accuracy, with tolerance gains up to 0.614 at 2 steps (Banerjee et al., 6 Oct 2025). Causal-inference approaches go further by reversing the data-flow graph into a performance-causal graph, combining Shapley-based agent blame with CDC-MAS for critical-step discovery; on Who&When, this framework reports up to 36.2% step-level accuracy on the algorithm-generated subset and a 22.4 percentage-point average increase in overall success after attribution-driven optimization (Ma et al., 10 Sep 2025).
Uncertainty-aware attribution has also become explicit. Conformal Agent Error Attribution constructs contiguous rollback intervals with finite-sample coverage guarantees, returning 3 such that 4 under exchangeability (Feng et al., 7 May 2026). MASPrism, by contrast, prioritizes runtime efficiency: it uses only two prefill passes of a small model, extracting step-level negative log-likelihood and attention without decoding. With Qwen3-0.6B, it reaches 27.59% Top-1 on Who&When-HC versus 20.68% for the best baseline, 0.591 location accuracy on TRAIL GAIA versus 0.546 for Gemini-2.5-Pro, and 2.66 seconds average runtime with zero output tokens (Liu et al., 8 May 2026).
Taken together, these systems show a convergence toward three principles: attribution benefits from richer observability, from explicit causal or counterfactual validation rather than pure correlation, and from outputs richer than a single label, including rankings, intervals, graphs, and textual justifications.
4. Security, provenance, and external accountability
A separate research line treats attribution as a security and accountability primitive rather than a debugging tool. In the LLM-agent security setting, AttriGuard argues that indirect prompt injection should be defended at the level of tool invocations, not at the level of input semantics. Its runtime defense performs teacher-forced shadow replay under control-attenuated observations, applies hierarchical control attenuation, and accepts a proposed tool call only if it survives a fuzzy counterfactual test (He et al., 11 Mar 2026). Across four LLMs and four static attack categories on AgentDojo, AttriGuard achieves 0% ASR, while under adaptive attacks it reports 6.56% ASR on Gemini-2.5 and 9.84% on Llama3.3-70B, substantially below the listed baselines (He et al., 11 Mar 2026). The conceptual shift is important: the question becomes why a tool call is produced, not whether some observed text “looks malicious.”
Attribution can also target the operator behind a deployed agent. “Who Owns This Agent? Tracing AI Agents Back to Their Owners” formalizes the problem as linking an observed agent interaction to the responsible account at the hosting vendor (Chocron et al., 15 May 2026). Its canary-based protocol lets an authorized party inject lexical or semantic canaries into the agent’s interaction stream and then lets the vendor search a narrow time window of session logs for matching signals. The paper derives a defender-favorable asymmetry using a hypergeometric model over the hidden canary subset and shows strong empirical reliability across messaging, web, and cyber agents; for example, with 20 semantic canaries in chat, session-level TPR is approximately 1.00 at 5 with FPR approximately 0.01, and robust semantic or utility-bearing canaries force attackers into a utility–evasion tradeoff (Chocron et al., 15 May 2026).
When the observable artifact is the final text rather than logs, IET embeds agent-specific keyed signals directly into the token distribution during generation and later reconstructs token-level authorship and handover structure from text alone (Nian et al., 18 Mar 2026). On MAMA, it reports TokenAcc of approximately 0.94–0.96, IoU of approximately 0.93–0.94, and TopoAcc of 1.00 across star, chain, and tree structures. On Who&When under metadata corruption, IET-enabled Step-by-Step retains AgentAcc of 23.81% and StepAcc of 15.24% under ID removal, while the listed baselines collapse to 0.00% AgentAcc (Nian et al., 18 Mar 2026).
At the web boundary, attribution becomes framework fingerprinting. “Whose Agent Are You? Multi-Layer Fingerprinting and Attribution of Autonomous Web Agents” combines TLS, HTTP/2, HTTP header semantics, and browser-interaction telemetry to classify sessions from six autonomous web-agent frameworks, humans, and legacy crawlers (Kang et al., 18 Jun 2026). Using Extremely Randomized Trees, the combined feature set reaches approximately 97.1% accuracy and macro F1 of approximately 0.971. The paper emphasizes that detection and attribution are not the same: the operational question is not merely “is this automation?” but “whose agent is this?”, enabling framework-specific policy enforcement (Kang et al., 18 Jun 2026).
These security-oriented systems extend agent attribution beyond internal explanation. They treat attribution as infrastructure for authorization, incident response, policy enforcement, provenance recovery, and operator accountability.
5. Domain-specific attribution systems
In cyber threat intelligence, agent attribution refers to inferring the responsible APT group, and optionally nation-state affiliation, from heterogeneous CTI artifacts while returning an interpretable evidence-backed explanation. AURA instantiates this with a multi-agent, knowledge-enhanced RAG pipeline over 2,199 internal CTI reports and 30 held-out test reports (Rani et al., 11 Jun 2025). Its agents handle preprocessing, query rewriting, dense retrieval over a Qdrant knowledge base, relevance gating, attribution generation, justification synthesis, and conversational memory. The system formalizes the output as
6
where 7 is the actor prediction and 8 is a natural-language justification grounded in retrieved chunks (Rani et al., 11 Jun 2025).
AURA’s evaluation highlights a recurring pattern in attribution work: coarse-grained labels are often easier than fine-grained ones. On group-level attribution across a 150+ actor label space, GPT-4o reaches 63.33% top-1 and 73.33% top-2; on nation-level attribution, GPT-4o reaches 86.67% top-1 and 93.33% top-2, while Claude 3.5 Sonnet reaches 83.33% top-1 and 100% top-2 (Rani et al., 11 Jun 2025). The paper also measures explanation quality through Flesch Reading Ease, Type-Token Ratio, embedding coherence, perplexity, and LLM-as-Judge scores, reporting average FRE 27.28, TTR 0.67, coherence 0.33, perplexity 57.05, and judge scores of 8.87 fluency, 7.03 clarity, 8.73 coherence, and 8.6 informativeness (Rani et al., 11 Jun 2025). Its limitations are equally instructive: no explicit confidence calibration or evidence weighting, sensitivity to overlapping TTPs and deceptive infrastructure, and bias toward historically documented actors.
In enterprise decision support, 4D-ARE addresses a different problem: how to specify attribution-driven agents so that they answer causal questions rather than merely report metrics (Yu et al., 8 Jan 2026). It organizes attribution concerns into the four-tuple
9
with Results, Process, Support, and Long-term linked by the directed chain 0 (Yu et al., 8 Jan 2026). Operationally, 4D-ARE compiles five artifact layers—question inventory, attribution model, data mapping, dual-track logic, and boundary constraints—directly into system prompts. In the reported financial-services pilot, the baseline ReAct agent had full data access and executed flawlessly yet answered “Why is completion rate 80%?” with more metrics; after 4D-ARE, the agent produced structured responses tracing Results to Process, Support, and Long-term factors, within explicit governance boundaries (Yu et al., 8 Jan 2026).
These domain systems show that attribution quality depends heavily on domain ontology and evidence representation. In cyber attribution, the decisive objects are TTPs, IoCs, malware families, and timelines. In business decision support, the decisive objects are operational indicators, resources, and exogenous context. The general lesson is that attribution mechanisms must be coupled to the domain’s causal vocabulary rather than layered on as generic explanation after the fact.
6. Credit, blame, limitations, and research directions
In cooperative learning and decision making, attribution often appears as credit or blame assignment. CollaQ formulates collaboration as joint optimization of policy learning and reward attribution, decomposing each agent’s 1-function into a self term and an interactive term with a Multi-Agent Reward Attribution loss (Zhang et al., 2020). On SMAC, it reports a 40% win-rate improvement with the same number of samples over QMIX, QTRAN, and VDN, and over 30% gains in ad hoc team play. This line of work treats attribution as a training signal for coordination rather than a post hoc explanation (Zhang et al., 2020).
Blame attribution in cooperative Multi-Agent Markov Decision Processes introduces a different set of axioms. “On Blame Attribution for Accountable Multi-Agent Sequential Decision Making” formalizes efficiency, validity, rationality, symmetry, invariance, contribution monotonicity, and performance monotonicity, and proves an impossibility result: no blame attribution method satisfies efficiency, symmetry, invariance, and performance monotonicity simultaneously (Triantafyllou et al., 2021). The paper shows that the Shapley method is uniquely efficient and symmetric but not performance-incentivizing, whereas the Average Participation method trades explanatory power for validity and a weaker incentive-aligned property (Triantafyllou et al., 2021). This establishes that attribution is not only an estimation problem but also a normative design choice.
A recent protocol-conditioned game-theoretic perspective makes this dependence explicit. “Agents that Matter: Optimizing Multi-Agent LLMs via Removal-Based Attribution” defines agent attribution through a removal protocol, coalition distribution, and target metric, and shows that different protocols induce different games (Lu et al., 26 May 2026). Under a fixed protocol and topology, Leave-One-Out matches deletion AUCs of Shapley-, Owen-, and Myerson-style methods while costing 3.3x–7.6x less in tokens. Model replacement, rather than ablation, then becomes a practical intervention mechanism: across three benchmarks, replacing low-attribution agents improves task performance by up to 17% while reducing cost by up to 35%, and in the MDTeamGPT audit it reveals that contributions to diagnostic accuracy and ethics alignment can be decoupled (Lu et al., 26 May 2026).
Across the broader field, several recurring controversies remain unresolved. Deterministic single-root-cause assumptions are often unrealistic under genuine ambiguity (In et al., 26 Mar 2026). Output-only traces understate what attribution can achieve when developers actually have access to full execution context (Chen et al., 24 Apr 2026). LLM-as-judge or introspective attribution can be useful, but multiple papers show that intervention or replay is needed to separate plausible narrative from faithful causal localization (He et al., 11 Mar 2026, Lu et al., 26 May 2026). Many methods remain sensitive to observability gaps, overlapping causal signals, small or synthetic datasets, and domain drift.
The current research agenda therefore pushes toward attribution-ready systems rather than attribution as an afterthought. The LIFE survey frames the next step as a closed loop: collaboration should be designed for diagnosability, attribution should be propagation-aware and intervention-validated, and evolution should use attribution outputs to restructure roles, graphs, memories, and policies through
2
with the explicit objective of improving expected utility over future tasks (Qi et al., 14 May 2026). In that view, agent attribution is not merely retrospective explanation. It is the control interface that connects collective behavior, accountability, and system evolution.