Agentic Unlearning Systems
- Agentic unlearning systems are frameworks that implement selective forgetting in agent models using modular, role-specialized agents such as Vanilla, AuditErase, Critic, and Composer.
- They offer retrain-free, model-agnostic methodologies to erase specific data or behavior, addressing compliance, privacy, and adversarial robustness challenges.
- Key evaluations include unlearning efficacy via cosine similarity and utility preservation with benchmarks like ROUGE-L, while also mitigating adversarial inference through layered defense.
Agentic unlearning systems are frameworks and methodologies that operationalize the selective forgetting of knowledge, behaviors, or environment-specific competencies in agentic models, particularly LLMs and reinforcement learning (RL) agents. Unlike classical machine unlearning, which focuses on data-sample removal in static models, agentic unlearning encompasses model-agnostic, retrain-free approaches that orchestrate multiple agents for information deletion, runtime defense, and behavioral erasure. These systems address the demand for regulatory compliance, privacy safeguarding, and adversarial robustness in scenarios where direct retraining is infeasible or inefficient.
1. System Architectures and Core Workflows
Agentic unlearning architectures use modular, role-specialized agents, each with tailored system prompts and clearly delineated responsibilities. ALU (Agentic LLM Unlearning) exemplifies a black-box, model-agnostic pipeline comprising four sequenced LLM agents:
- Vanilla Agent (): Generates the baseline answer , acting as a “shock-absorber” to adversarial input and as a high-utility content source.
- AuditErase Agent (): Scans for references to any unlearning target in and generates sanitized rewrites for each detected mention.
- Critic Agent (): Numerically rates (
) each candidate rewrite for thoroughness of forgetting and preservation of content utility. - Composer Agent (): Selects top- candidates by critic scores, composes them into a final response if the average score meets threshold (otherwise emits refusal 0).
All information transfer between agents is one-way, comprising only query text and the static forget set 1. There is never weight updating; unlearning is achieved entirely through post-hoc response selection and filtering. Comparable multi-agent workflows exist in AegisLLM, where specialized agents (Orchestrator, Responder, Evaluator, Deflector) intervene at inference time to ensure compliant and safe outputs without retraining, scaling defense via system prompt optimization (Sanyal et al., 1 Feb 2025, Cai et al., 29 Apr 2025).
2. Formal Problem Definitions and Unlearning Granularity
Agentic unlearning generalizes over several granularity levels and agent modalities:
- In RL agents, the atomic unit is frequently an entire environment, not just a sample or state, defined as 2. Three principal unlearning targets exist: state unlearning (3), trajectory unlearning (4), and environment unlearning (5). Each requires distinctive policy transformation so that, for instance, 6, the updated memory at 7 is erased, and successor transition probabilities are altered accordingly (Ye et al., 1 Apr 2026, Ye et al., 2023).
- In LLM frameworks, the forget set 8 includes terms, facts, or hazardous content to be removed, and efficacy is measured by similarity or utility on post-unlearning outputs.
Paradigms such as conversion models translate high-level unlearning requests (e.g., "forget cabinet 6") into actionable language prompts that progressively enforce forgetting at execution or policy level (Ye et al., 1 Apr 2026).
3. Algorithms, Pseudocode, and Complexity
3.1 ALU Workflow (LLM-Oriented)
ALU is executed as:
8
Computationally, ALU runs in 9 time per request, where 0 is the mean LLM call cost, independent of 1, and thus dramatically more efficient than retraining-based alternatives that require at least 2 steps for 3 forget targets (Sanyal et al., 1 Feb 2025).
3.2 RL Agentic Unlearning
For RL agents, decremental RL and environment poisoning are adopted:
- Decremental RL: Fine-tunes the policy by minimizing performance in the environment to be forgotten, while anchoring values in others. Loss:
4
- Environment Poisoning: Alters transitions in 5 so retraining causes the agent to learn false or suboptimal strategies. A meta-MDP guides poisoning actions by optimizing proxy policy-divergence and retention reward across other environments (Ye et al., 2023).
4. Evaluation Metrics and Experimental Benchmarks
Agentic unlearning methods are evaluated on multi-criteria metrics:
- Unlearning Efficacy: Quantified by decrease in cosine similarity between original and post-unlearning outputs, reduction in task-specific accuracy, or high "truth ratio" of suboptimal actions in forgotten RL environments.
- Utility Preservation: Preserved semantic overlap and accuracy on untargeted queries/environments, typically measured via ROUGE-L, accuracy on general benchmarks (e.g., MMLU), or conversational fluency (MT-Bench).
- Robustness and Scalability: Resistance to attacks involving prompt perturbation, multilingual injection, or scaling to 6 unlearning targets.
- Adversarial Inference: Measured by an adversary’s ability to reconstruct forgotten knowledge through policy probing, trajectory analysis, or graph similarity metrics.
Benchmarks include TOFU (fictional-profile unlearning), WMDP (hazardous-knowledge suppression), WPU ("Who's Harry Potter?"), GridWorld, AlfWorld, HotPotQA, and HumanEval. ALU and AegisLLM demonstrate near-random guess accuracy on unlearning targets and robust performance under adversarial and scaling stressors, while prompt-optimization (DSPy) in AegisLLM allows real-time adaptation with 7 LLM calls per 100 queries (Sanyal et al., 1 Feb 2025, Cai et al., 29 Apr 2025, Ye et al., 1 Apr 2026).
5. Security, Threat Models, and Defenses
Threat modeling for agentic unlearning emphasizes adversarial prompt-crafting (jailbreaking), inference attacks that probe for forgotten knowledge, and the leakage of residual information:
- Agentic Defense Layers: Multi-agent checkpoint pipelines with dedicated safe/unsafe classification (orchestration), response production, evaluation, and deflection/refusal provide layered containment for hazardous content.
- Adaptivity: Test-time prompt optimization allows agents to adapt defenses to new attack vectors rapidly, yielding refusal rates that quickly rise with minimal new attack samples.
- Security Limitations: Current approaches admit no formal cryptographic guarantees. Agents themselves may be susceptible to adversarial targeting if over-exposed; over-unlearning remains possible when many targets induce excessive suppression (Sanyal et al., 1 Feb 2025, Cai et al., 29 Apr 2025, Ye et al., 1 Apr 2026).
6. Limitations, Open Challenges, and Future Directions
Multiple open issues remain in agentic unlearning:
- Granularity and Knowledge Entanglement: Fine-grained forgetting without collateral damage is challenging in domains where facts are intertwined.
- Dependence on Model Consistency: Prompt-driven solutions can be invalidated by core model updates or internal distribution shifts.
- Automation and Auditability: Automated, scalable detection and removal of sensitive knowledge, as well as auditable, irreversible forgetting, are lacking; present protocols rely on observable but not provably irreversible transformations.
- Multi-Agent Extension: Extending forgetting protocols to multi-agent collectives with shared memory or policies is an ongoing research topic.
- Parameter-Level Guarantees: Integrating parameter-level and prompt-level unlearning is forecast to yield stronger assurances of genuinely erased knowledge (Ye et al., 1 Apr 2026).
Future work will likely focus on combining stateless, adaptive agentic protocols with provable erasure mechanisms and scalable audit infrastructure while generalizing approaches across RL, LLM, and hybrid agent domains.