Compositional Behavioral Leakage (CBL)
- CBL is defined as emergent leakage where individually compliant actions combine over time or across modules to inadvertently disclose sensitive data.
- The phenomenon is demonstrated in both multi-agent systems and prompt-composed models through measurable shifts in outcomes, such as leakage accuracy and paired response effects.
- Mitigation strategies include adversary intent estimation (ToM), collaborative consensus defenses (CoDef), and architectural isolation techniques like segmented attention masks.
Searching arXiv for the cited papers and closely related work to ground the article. [arXiv search] Query: (Patil et al., 16 Sep 2025) Compositional Behavioral Leakage (CBL) denotes a class of security failures in which locally acceptable actions, messages, or module behaviors become harmful only when composed across time, agents, or shared context. In multi-agent LLM systems, it is the behavioral counterpart of “compositional privacy leakage”: a sensitive attribute is not directly disclosed by any single response, but is recovered by aggregating benign fragments across interactions and agents (Patil et al., 16 Sep 2025). In prompt-composed agentic systems, the same term has been used for cross-module interference inside a shared context window, where a localized edit to a non-focal module induces a detectable paired shift in a focal outcome despite no shared variable or executable dependency (Lin et al., 24 Jun 2026).
1. Definitions and distinguishing features
CBL is defined by emergent harm under composition. In the multi-agent formulation, each step may satisfy local norms such as compliant answering, schema-faithful mapping, or helpful routing, yet the aggregate behavior enables an adversary to infer a sensitive target. The sensitive target is formalized as a function of adversary state,
where includes auxiliary knowledge and the history of query-response interactions. The leak therefore arises at interaction time, not from any single model parameter or single response (Patil et al., 16 Sep 2025).
This framing differs from several nearby notions. It differs from memorization because no model regurgitates training data. It differs from single-turn inference because no single response suffices. It differs from standard privacy attacks such as membership inference or training-data extraction because the threat is inference-time, distributed, and emergent via composition rather than single-model and training-time. In prompt-composed systems, it also differs from adversarial prompt injection, cognitive degradation, multi-agent fault propagation, and compositional privacy leakage: the defining phenomenon is behavioral interference across co-located prompt modules in a shared attention context (Patil et al., 16 Sep 2025, Lin et al., 24 Jun 2026).
A related but distinct terminology appears in verifier-bound communication. That work does not explicitly use the term “CBL,” but its closest formal quantity is conditional transcript leakage,
$\MI\Big(S;\mathsf{T}_{1:T}\,\Big|\,A_{1:T},R_{1:T}\Big),$
which measures how covert state can accumulate across admitted turns, metadata, tool calls, and transcript history. This suggests a general view of CBL as leakage that is negligible or invisible at the level of isolated actions but material at the level of composed behavior (Tailor, 27 Feb 2026).
2. Formalizations of composition-driven leakage
One formalization models multi-agent leakage as a partially observable control process. There are defender agents with disjoint local structured tables, each containing non-sensitive mappings such as IDname or IDproduct. No single defender can infer alone. The adversary has black-box access to each defender, realistic auxiliary knowledge , and a high-level plan . The overall interaction is written as
0
with adversary actions 1, defender actions 2, and policies
3
The absorbing adversary success state 4 operationalizes the point at which enough fragments have been collected to infer 5 (Patil et al., 16 Sep 2025).
A second formalization treats CBL as cross-module interference in a single shared transformer context. Let 6 be prompt modules and let 7 be the shared attention context. For a focal module 8, a non-focal edit 9 to module 0 produces detectable CBL if it induces a paired shift
1
and the paired-effect bootstrap confidence interval for 2 excludes zero. The underlying mechanism is architectural non-isolation: transformer self-attention does not respect prompt-module boundaries, and
3
is computed over all tokens in the concatenated sequence (Lin et al., 24 Jun 2026).
A third formalization attaches CBL to verifier-gated transcript state. The protocol separates generation from admission: an envelope 4 affects transcript state only if a verifier accepts it under a pinned predicate 5. Under deterministic Encode/Render, canonicalization, proof binding, and a residual-budget validity assumption, the paper gives the bridge upper bound
6
as well as the adaptive composition theorem
7
The same work states a semantic lower bound
8
when policy-valid alternatives remain choosable. Here the critical feature is that leakage claims attach to admitted transcript state, not merely to surface-level policy compliance (Tailor, 27 Feb 2026).
3. Mechanisms and illustrative cases
The canonical multi-agent attack pattern is controlled planning followed by execution. The adversary is provided with a ground-truth high-level plan 9 specifying the optimal sequence of $\MI\Big(S;\mathsf{T}_{1:T}\,\Big|\,A_{1:T},R_{1:T}\Big),$0 pairs needed to infer $\MI\Big(S;\mathsf{T}_{1:T}\,\Big|\,A_{1:T},R_{1:T}\Big),$1. This removes planning confounds and approximates an upper bound on leakage. During execution, the adversary issues schema-compliant queries, collects intermediate values $\MI\Big(S;\mathsf{T}_{1:T}\,\Big|\,A_{1:T},R_{1:T}\Big),$2, and composes them into a final inference $\MI\Big(S;\mathsf{T}_{1:T}\,\Big|\,A_{1:T},R_{1:T}\Big),$3 (Patil et al., 16 Sep 2025).
The medical example makes the compositional character explicit. Separate agents hold tables for ID$\MI\Big(S;\mathsf{T}_{1:T}\,\Big|\,A_{1:T},R_{1:T}\Big),$4name, ID$\MI\Big(S;\mathsf{T}_{1:T}\,\Big|\,A_{1:T},R_{1:T}\Big),$5purchased products, and product$\MI\Big(S;\mathsf{T}_{1:T}\,\Big|\,A_{1:T},R_{1:T}\Big),$6health condition via insurance claims. By composing name, product purchases, and claims, the adversary infers that “John, with no diagnosed heart condition, is self-monitoring for potential undiagnosed heart issues.” Each fragment is harmless in isolation; the privacy violation appears only after aggregation. A parallel company-travel example aggregates employee-to-flight mappings, payment methods, personal details, and approvals to identify an employee who used a company voucher for Flight 702 and was approved by a specific manager (Patil et al., 16 Sep 2025).
In prompt-composed systems, the mechanism is not cross-agent aggregation but cross-module context sharing. The deployed job-evaluation agent studied in “Instruction Bleed” concatenated prompt modules in one context window. A semantically irrelevant addition—an appended “Professional Chef / Culinary Specialist” archetype in a non-focal rules file—shifted the focal $\MI\Big(S;\mathsf{T}_{1:T}\,\Big|\,A_{1:T},R_{1:T}\Big),$7 score distribution. Because module boundaries are conventional rather than enforced, non-focal semantic content can alter how focal-module tokens are interpreted even when no explicit variable, tool, or code dependency exists (Lin et al., 24 Jun 2026).
Verifier-bound communication studies a different but related mechanism: covert coordination through transcripts that remain policy-compliant at the surface level. The candidate channels include lexical variation, metadata shape, tool-call arguments, serialization choices, timing behavior, and semantically equivalent action plans. The protocol’s central claim is that bottlenecks alone are insufficient; security claims depend on online, deterministic, fail-closed admission semantics (Tailor, 27 Feb 2026).
4. Evaluation protocols and empirical results
Empirical work on CBL emphasizes paired or balanced evaluation because composition can either expose sensitive information or support benign inference. In the multi-agent privacy study, evaluation uses 119 balanced scenarios containing both sensitive and benign compositions, with metrics including Leakage Accuracy,
$\MI\Big(S;\mathsf{T}_{1:T}\,\Big|\,A_{1:T},R_{1:T}\Big),$8
Plan Execution Success,
$\MI\Big(S;\mathsf{T}_{1:T}\,\Big|\,A_{1:T},R_{1:T}\Big),$9
Sensitive Blocked, Benign Succeeded, Balanced Outcome,
0
and Overall Success. In the prompt-composed setting, the core design is a three-channel perturbation protocol—volume, content, and form—evaluated by paired contrasts and bootstrap confidence intervals. In verifier-bound communication, evaluation centers on decoder advantage, MI proxy estimates, adaptive-colluder stress tests, and baseline separation between proof-bound admission and audit-only controls (Patil et al., 16 Sep 2025, Lin et al., 24 Jun 2026, Tailor, 27 Feb 2026).
| Setting | Protocol or metric | Selected result |
|---|---|---|
| Multi-agent LLM collaboration | 119 balanced scenarios; Sensitive Blocked / Benign Succeeded / Balanced Outcome | CoT on smaller models yields about 1–2 sensitive blocking; ToM reaches up to 3 sensitive blocking; CoDef achieves the highest Balanced Outcome, 4 on Gemini-2.5-pro |
| Prompt-composed job-evaluation agent | 144 trials; three-channel perturbation; paired bootstrap CI | Only the content channel produces a detectable paired effect: 5, Cohen’s 6, 7 of 8 job descriptions shift upward, and no recommendation flipped |
| Verifier-bound communication | Strict lane decoder advantage; MI proxy; latency | Strict lanes report maximum decoder advantage bounded at 9 with MI proxy 0; strict full-proof mode has median turn latency 1s and sampled proving reduces non-proved-turn latency to 2ms |
The multi-agent results show a characteristic privacy-utility frontier. With Qwen3-32B defenders, the CoT baseline yields Sensitive Blocked 3, Benign Succeeded 4, and Balanced Outcome 5; ToM yields 6, 7, and 8; CoDef yields 9, 0, and 1; and self-voting yields 2, 3, and 4. With Gemini-2.5-pro defenders, CoDef reaches the highest overall Balanced Outcome, 5 (Patil et al., 16 Sep 2025).
The prompt-composed study finds no detectable paired effect for pure volume or form perturbations in its deployment setting. Relative to baseline 6 with mean 7 and SD 8, the volume condition 9 gives 0, 1, and 95% CI 2, while the form condition 3 gives 4, 5, and 95% CI 6. The within-condition ICC for 7 is 8, supporting paired contrasts on job-description means. The absence of recommendation flips alongside a detectable content effect identifies a sub-threshold regime that standard QA can miss (Lin et al., 24 Jun 2026).
5. Mitigation strategies and system design
The multi-agent privacy paper evaluates two principal defenses. Theory-of-Mind (ToM) augments each defender with an estimate of adversary knowledge and intent,
9
and asks whether the current query contributes to “all/most” parts of a sensitive combination in 0. If adversarial intent is inferred, the defender blocks. Collaborative Consensus Defense (CoDef) instead shares an aggregated interaction state,
1
lets defenders vote among 2, and applies an OR-rule: block if any defender votes 3. ToM maximizes sensitive blocking; CoDef gives the best privacy-utility balance in the reported experiments (Patil et al., 16 Sep 2025).
Operational guidance in that setting is concrete. Maintain a sensitive set 4 of risky combinations. Track adversary query history 5 across agents. Build a shared aggregated state 6 that concatenates query/response histories, not private data. Use OR-block thresholds in early deployments. Provide “sanitized” vague answers when full blocking is unnecessary. Add self-voting where full collaboration is unavailable. Log trajectories and evaluate both Leakage Accuracy and PlanExec@m continuously (Patil et al., 16 Sep 2025).
Prompt-composed systems motivate a different mitigation stack. Soft mitigations include strong, consistent segment delimiters, structured tags or XML/JSON-like wrappers, stable ordering, and minimizing incidental co-location of unrelated logic. Harder mitigations include segment-aware attention masks, separate model calls per module with controlled information flow, and scoped memories or retrieval so that non-focal content is fetched only on a need-to-know basis. Fine-tuning with explicit modularity and hard-negative examples of cross-talk is proposed as another route, though without guarantees under global attention (Lin et al., 24 Jun 2026).
Verifier-bound communication addresses CBL at the admission boundary. Its pinned predicate binds policy hash, public randomness schedule, transcript chaining, latent schema constraints, canonical metadata/tool/environment field constraints, and deterministic rejection codes. The semantics are fail-closed, online, and deterministic: if any predicate clause fails, admission is denied deterministically, and the envelope cannot affect transcript state or downstream processing. The same framework recommends closing explicit residual channels where possible and registering unavoidable residuals with budgets 7 (Tailor, 27 Feb 2026).
6. Relation to adjacent theories and open problems
Although the term “Compositional Behavioral Leakage” is recent and not uniformly used, several earlier lines of work supply formal machinery for closely related phenomena. SeLoC studies timing-sensitive non-interference for higher-order, fine-grained concurrent programs via strong low-bisimulations and a double weakest precondition, giving a compositional proof system in which behavioral leakage is ruled out by construction (Frumin et al., 2019). InsecSL treats information leakage as a relational hyper-safety violation over pairs of executions and supports one-function-at-a-time under-approximate detection in interactive programs (Murray et al., 2021). Speculative non-interference defines leaks that arise only under speculative semantics and extends this with a mechanism to safely compose multiple speculative semantics, so that interaction effects between speculation mechanisms become analyzable (Fabian et al., 31 Mar 2026).
Quantitative information-flow work provides another antecedent. “Compositional security and collateral leakage” shows that leakage about declared variables can induce leakage about correlated, undeclared variables, and that a collateral-aware denotational model is required for compositional refinement of open programs (Bordenabe et al., 2016). “On the Compositionality of Quantitative Information Flow” derives bounds on 8-leakage for composed channels, including exact additivity under independence and correction terms when priors or gains are not product-separable (Kawamoto et al., 2016). “Contextual Behavioural Metrics” generalizes compositional reasoning about contextual distinguishability by treating context states as metric-carrying environments and proving operator-specific bounds for restriction, prefixing, nondeterministic sum, parallel composition, and replication (Lago et al., 2023).
A modality-specific analogue appears in text-to-image diffusion. There, attribute leakage, entity leakage, and missing entities arise when attention maps fail to preserve attribute-to-entity binding and disjoint supports under compositional prompts. The proposed mitigation uses BoxNet and unique attention masks over cross-attention and self-attention to reduce these failures, suggesting that CBL can also describe systematic misbinding under compositional generation, not only privacy or instruction interference (Wang et al., 2023).
Open problems recur across these formulations. Multi-agent defenses trade privacy against benign-task utility; ToM can over-block, and CoDef’s OR-rule can be too strict. Shared-state synchronization and consensus are scalability bottlenecks. Sensitive-set engineering is domain-specific. Transcript-level guarantees depend on residual-budget validity, deterministic tie-break rules, and sufficient sample support. Prompt-composed systems still lack hard architectural isolation in mainstream transformer APIs. These constraints suggest that CBL is best understood not as a single bug class but as a system-level property of composed behavior, requiring measurement, boundary design, and compositional analysis rather than single-step safety checks alone (Patil et al., 16 Sep 2025, Tailor, 27 Feb 2026, Lin et al., 24 Jun 2026).