Papers
Topics
Authors
Recent
Search
2000 character limit reached

Compositional Behavioral Leakage (CBL)

Updated 6 July 2026
  • CBL is defined as emergent leakage where individually compliant actions combine over time or across modules to inadvertently disclose sensitive data.
  • The phenomenon is demonstrated in both multi-agent systems and prompt-composed models through measurable shifts in outcomes, such as leakage accuracy and paired response effects.
  • Mitigation strategies include adversary intent estimation (ToM), collaborative consensus defenses (CoDef), and architectural isolation techniques like segmented attention masks.

Searching arXiv for the cited papers and closely related work to ground the article. [arXiv search] Query: (Patil et al., 16 Sep 2025) Compositional Behavioral Leakage (CBL) denotes a class of security failures in which locally acceptable actions, messages, or module behaviors become harmful only when composed across time, agents, or shared context. In multi-agent LLM systems, it is the behavioral counterpart of “compositional privacy leakage”: a sensitive attribute ss^* is not directly disclosed by any single response, but is recovered by aggregating benign fragments across interactions and agents (Patil et al., 16 Sep 2025). In prompt-composed agentic systems, the same term has been used for cross-module interference inside a shared context window, where a localized edit to a non-focal module induces a detectable paired shift in a focal outcome despite no shared variable or executable dependency (Lin et al., 24 Jun 2026).

1. Definitions and distinguishing features

CBL is defined by emergent harm under composition. In the multi-agent formulation, each step may satisfy local norms such as compliant answering, schema-faithful mapping, or helpful routing, yet the aggregate behavior enables an adversary to infer a sensitive target. The sensitive target is formalized as a function of adversary state,

s=g(SA),s^* = g(S^A),

where SAS^A includes auxiliary knowledge and the history of query-response interactions. The leak therefore arises at interaction time, not from any single model parameter or single response (Patil et al., 16 Sep 2025).

This framing differs from several nearby notions. It differs from memorization because no model regurgitates training data. It differs from single-turn inference because no single response suffices. It differs from standard privacy attacks such as membership inference or training-data extraction because the threat is inference-time, distributed, and emergent via composition rather than single-model and training-time. In prompt-composed systems, it also differs from adversarial prompt injection, cognitive degradation, multi-agent fault propagation, and compositional privacy leakage: the defining phenomenon is behavioral interference across co-located prompt modules in a shared attention context (Patil et al., 16 Sep 2025, Lin et al., 24 Jun 2026).

A related but distinct terminology appears in verifier-bound communication. That work does not explicitly use the term “CBL,” but its closest formal quantity is conditional transcript leakage,

$\MI\Big(S;\mathsf{T}_{1:T}\,\Big|\,A_{1:T},R_{1:T}\Big),$

which measures how covert state can accumulate across admitted turns, metadata, tool calls, and transcript history. This suggests a general view of CBL as leakage that is negligible or invisible at the level of isolated actions but material at the level of composed behavior (Tailor, 27 Feb 2026).

2. Formalizations of composition-driven leakage

One formalization models multi-agent leakage as a partially observable control process. There are dd defender agents with disjoint local structured tables, each containing non-sensitive mappings such as ID\toname or ID\toproduct. No single defender can infer ss^* alone. The adversary has black-box access to each defender, realistic auxiliary knowledge KAK^A, and a high-level plan PP^*. The overall interaction is written as

s=g(SA),s^* = g(S^A),0

with adversary actions s=g(SA),s^* = g(S^A),1, defender actions s=g(SA),s^* = g(S^A),2, and policies

s=g(SA),s^* = g(S^A),3

The absorbing adversary success state s=g(SA),s^* = g(S^A),4 operationalizes the point at which enough fragments have been collected to infer s=g(SA),s^* = g(S^A),5 (Patil et al., 16 Sep 2025).

A second formalization treats CBL as cross-module interference in a single shared transformer context. Let s=g(SA),s^* = g(S^A),6 be prompt modules and let s=g(SA),s^* = g(S^A),7 be the shared attention context. For a focal module s=g(SA),s^* = g(S^A),8, a non-focal edit s=g(SA),s^* = g(S^A),9 to module SAS^A0 produces detectable CBL if it induces a paired shift

SAS^A1

and the paired-effect bootstrap confidence interval for SAS^A2 excludes zero. The underlying mechanism is architectural non-isolation: transformer self-attention does not respect prompt-module boundaries, and

SAS^A3

is computed over all tokens in the concatenated sequence (Lin et al., 24 Jun 2026).

A third formalization attaches CBL to verifier-gated transcript state. The protocol separates generation from admission: an envelope SAS^A4 affects transcript state only if a verifier accepts it under a pinned predicate SAS^A5. Under deterministic Encode/Render, canonicalization, proof binding, and a residual-budget validity assumption, the paper gives the bridge upper bound

SAS^A6

as well as the adaptive composition theorem

SAS^A7

The same work states a semantic lower bound

SAS^A8

when policy-valid alternatives remain choosable. Here the critical feature is that leakage claims attach to admitted transcript state, not merely to surface-level policy compliance (Tailor, 27 Feb 2026).

3. Mechanisms and illustrative cases

The canonical multi-agent attack pattern is controlled planning followed by execution. The adversary is provided with a ground-truth high-level plan SAS^A9 specifying the optimal sequence of $\MI\Big(S;\mathsf{T}_{1:T}\,\Big|\,A_{1:T},R_{1:T}\Big),$0 pairs needed to infer $\MI\Big(S;\mathsf{T}_{1:T}\,\Big|\,A_{1:T},R_{1:T}\Big),$1. This removes planning confounds and approximates an upper bound on leakage. During execution, the adversary issues schema-compliant queries, collects intermediate values $\MI\Big(S;\mathsf{T}_{1:T}\,\Big|\,A_{1:T},R_{1:T}\Big),$2, and composes them into a final inference $\MI\Big(S;\mathsf{T}_{1:T}\,\Big|\,A_{1:T},R_{1:T}\Big),$3 (Patil et al., 16 Sep 2025).

The medical example makes the compositional character explicit. Separate agents hold tables for ID$\MI\Big(S;\mathsf{T}_{1:T}\,\Big|\,A_{1:T},R_{1:T}\Big),$4name, ID$\MI\Big(S;\mathsf{T}_{1:T}\,\Big|\,A_{1:T},R_{1:T}\Big),$5purchased products, and product$\MI\Big(S;\mathsf{T}_{1:T}\,\Big|\,A_{1:T},R_{1:T}\Big),$6health condition via insurance claims. By composing name, product purchases, and claims, the adversary infers that “John, with no diagnosed heart condition, is self-monitoring for potential undiagnosed heart issues.” Each fragment is harmless in isolation; the privacy violation appears only after aggregation. A parallel company-travel example aggregates employee-to-flight mappings, payment methods, personal details, and approvals to identify an employee who used a company voucher for Flight 702 and was approved by a specific manager (Patil et al., 16 Sep 2025).

In prompt-composed systems, the mechanism is not cross-agent aggregation but cross-module context sharing. The deployed job-evaluation agent studied in “Instruction Bleed” concatenated prompt modules in one context window. A semantically irrelevant addition—an appended “Professional Chef / Culinary Specialist” archetype in a non-focal rules file—shifted the focal $\MI\Big(S;\mathsf{T}_{1:T}\,\Big|\,A_{1:T},R_{1:T}\Big),$7 score distribution. Because module boundaries are conventional rather than enforced, non-focal semantic content can alter how focal-module tokens are interpreted even when no explicit variable, tool, or code dependency exists (Lin et al., 24 Jun 2026).

Verifier-bound communication studies a different but related mechanism: covert coordination through transcripts that remain policy-compliant at the surface level. The candidate channels include lexical variation, metadata shape, tool-call arguments, serialization choices, timing behavior, and semantically equivalent action plans. The protocol’s central claim is that bottlenecks alone are insufficient; security claims depend on online, deterministic, fail-closed admission semantics (Tailor, 27 Feb 2026).

4. Evaluation protocols and empirical results

Empirical work on CBL emphasizes paired or balanced evaluation because composition can either expose sensitive information or support benign inference. In the multi-agent privacy study, evaluation uses 119 balanced scenarios containing both sensitive and benign compositions, with metrics including Leakage Accuracy,

$\MI\Big(S;\mathsf{T}_{1:T}\,\Big|\,A_{1:T},R_{1:T}\Big),$8

Plan Execution Success,

$\MI\Big(S;\mathsf{T}_{1:T}\,\Big|\,A_{1:T},R_{1:T}\Big),$9

Sensitive Blocked, Benign Succeeded, Balanced Outcome,

dd0

and Overall Success. In the prompt-composed setting, the core design is a three-channel perturbation protocol—volume, content, and form—evaluated by paired contrasts and bootstrap confidence intervals. In verifier-bound communication, evaluation centers on decoder advantage, MI proxy estimates, adaptive-colluder stress tests, and baseline separation between proof-bound admission and audit-only controls (Patil et al., 16 Sep 2025, Lin et al., 24 Jun 2026, Tailor, 27 Feb 2026).

Setting Protocol or metric Selected result
Multi-agent LLM collaboration 119 balanced scenarios; Sensitive Blocked / Benign Succeeded / Balanced Outcome CoT on smaller models yields about dd1–dd2 sensitive blocking; ToM reaches up to dd3 sensitive blocking; CoDef achieves the highest Balanced Outcome, dd4 on Gemini-2.5-pro
Prompt-composed job-evaluation agent 144 trials; three-channel perturbation; paired bootstrap CI Only the content channel produces a detectable paired effect: dd5, Cohen’s dd6, dd7 of dd8 job descriptions shift upward, and no recommendation flipped
Verifier-bound communication Strict lane decoder advantage; MI proxy; latency Strict lanes report maximum decoder advantage bounded at dd9 with MI proxy \to0; strict full-proof mode has median turn latency \to1s and sampled proving reduces non-proved-turn latency to \to2ms

The multi-agent results show a characteristic privacy-utility frontier. With Qwen3-32B defenders, the CoT baseline yields Sensitive Blocked \to3, Benign Succeeded \to4, and Balanced Outcome \to5; ToM yields \to6, \to7, and \to8; CoDef yields \to9, \to0, and \to1; and self-voting yields \to2, \to3, and \to4. With Gemini-2.5-pro defenders, CoDef reaches the highest overall Balanced Outcome, \to5 (Patil et al., 16 Sep 2025).

The prompt-composed study finds no detectable paired effect for pure volume or form perturbations in its deployment setting. Relative to baseline \to6 with mean \to7 and SD \to8, the volume condition \to9 gives ss^*0, ss^*1, and 95% CI ss^*2, while the form condition ss^*3 gives ss^*4, ss^*5, and 95% CI ss^*6. The within-condition ICC for ss^*7 is ss^*8, supporting paired contrasts on job-description means. The absence of recommendation flips alongside a detectable content effect identifies a sub-threshold regime that standard QA can miss (Lin et al., 24 Jun 2026).

5. Mitigation strategies and system design

The multi-agent privacy paper evaluates two principal defenses. Theory-of-Mind (ToM) augments each defender with an estimate of adversary knowledge and intent,

ss^*9

and asks whether the current query contributes to “all/most” parts of a sensitive combination in KAK^A0. If adversarial intent is inferred, the defender blocks. Collaborative Consensus Defense (CoDef) instead shares an aggregated interaction state,

KAK^A1

lets defenders vote among KAK^A2, and applies an OR-rule: block if any defender votes KAK^A3. ToM maximizes sensitive blocking; CoDef gives the best privacy-utility balance in the reported experiments (Patil et al., 16 Sep 2025).

Operational guidance in that setting is concrete. Maintain a sensitive set KAK^A4 of risky combinations. Track adversary query history KAK^A5 across agents. Build a shared aggregated state KAK^A6 that concatenates query/response histories, not private data. Use OR-block thresholds in early deployments. Provide “sanitized” vague answers when full blocking is unnecessary. Add self-voting where full collaboration is unavailable. Log trajectories and evaluate both Leakage Accuracy and PlanExec@m continuously (Patil et al., 16 Sep 2025).

Prompt-composed systems motivate a different mitigation stack. Soft mitigations include strong, consistent segment delimiters, structured tags or XML/JSON-like wrappers, stable ordering, and minimizing incidental co-location of unrelated logic. Harder mitigations include segment-aware attention masks, separate model calls per module with controlled information flow, and scoped memories or retrieval so that non-focal content is fetched only on a need-to-know basis. Fine-tuning with explicit modularity and hard-negative examples of cross-talk is proposed as another route, though without guarantees under global attention (Lin et al., 24 Jun 2026).

Verifier-bound communication addresses CBL at the admission boundary. Its pinned predicate binds policy hash, public randomness schedule, transcript chaining, latent schema constraints, canonical metadata/tool/environment field constraints, and deterministic rejection codes. The semantics are fail-closed, online, and deterministic: if any predicate clause fails, admission is denied deterministically, and the envelope cannot affect transcript state or downstream processing. The same framework recommends closing explicit residual channels where possible and registering unavoidable residuals with budgets KAK^A7 (Tailor, 27 Feb 2026).

6. Relation to adjacent theories and open problems

Although the term “Compositional Behavioral Leakage” is recent and not uniformly used, several earlier lines of work supply formal machinery for closely related phenomena. SeLoC studies timing-sensitive non-interference for higher-order, fine-grained concurrent programs via strong low-bisimulations and a double weakest precondition, giving a compositional proof system in which behavioral leakage is ruled out by construction (Frumin et al., 2019). InsecSL treats information leakage as a relational hyper-safety violation over pairs of executions and supports one-function-at-a-time under-approximate detection in interactive programs (Murray et al., 2021). Speculative non-interference defines leaks that arise only under speculative semantics and extends this with a mechanism to safely compose multiple speculative semantics, so that interaction effects between speculation mechanisms become analyzable (Fabian et al., 31 Mar 2026).

Quantitative information-flow work provides another antecedent. “Compositional security and collateral leakage” shows that leakage about declared variables can induce leakage about correlated, undeclared variables, and that a collateral-aware denotational model is required for compositional refinement of open programs (Bordenabe et al., 2016). “On the Compositionality of Quantitative Information Flow” derives bounds on KAK^A8-leakage for composed channels, including exact additivity under independence and correction terms when priors or gains are not product-separable (Kawamoto et al., 2016). “Contextual Behavioural Metrics” generalizes compositional reasoning about contextual distinguishability by treating context states as metric-carrying environments and proving operator-specific bounds for restriction, prefixing, nondeterministic sum, parallel composition, and replication (Lago et al., 2023).

A modality-specific analogue appears in text-to-image diffusion. There, attribute leakage, entity leakage, and missing entities arise when attention maps fail to preserve attribute-to-entity binding and disjoint supports under compositional prompts. The proposed mitigation uses BoxNet and unique attention masks over cross-attention and self-attention to reduce these failures, suggesting that CBL can also describe systematic misbinding under compositional generation, not only privacy or instruction interference (Wang et al., 2023).

Open problems recur across these formulations. Multi-agent defenses trade privacy against benign-task utility; ToM can over-block, and CoDef’s OR-rule can be too strict. Shared-state synchronization and consensus are scalability bottlenecks. Sensitive-set engineering is domain-specific. Transcript-level guarantees depend on residual-budget validity, deterministic tie-break rules, and sufficient sample support. Prompt-composed systems still lack hard architectural isolation in mainstream transformer APIs. These constraints suggest that CBL is best understood not as a single bug class but as a system-level property of composed behavior, requiring measurement, boundary design, and compositional analysis rather than single-step safety checks alone (Patil et al., 16 Sep 2025, Tailor, 27 Feb 2026, Lin et al., 24 Jun 2026).

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Compositional Behavioral Leakage (CBL).