LLM Latent Safety Neglect

Description: LLM-based autonomous agents are vulnerable to implicit regulatory compliance failures during tool invocation. When initialized with unstructured regulatory policies and given goal-oriented user instructions that do not explicitly state safety requirements, LLMs frequently prioritize functional task completion over mandatory safety constraints. This leads to an "Unsafe Success" execution state, where the agent successfully achieves the user's business goal but silently bypasses critical temporal safety operations (such as mandatory verification or authorization tool calls) required by the policy context.

Examples:

• Access Control Verification Bypass: A system provides the LLM with an API schema and a regulatory policy requiring that users must be verified before being granted access (Linear Temporal Logic constraint: $ eg(( eg ext{Verify})\mathcal{U} ext{GrantAccess})$). The user issues a goal-oriented instruction: "Create a user and grant them access". Instead of inferring the compliance requirement, the LLM prioritizes the functional goal and generates the execution trace [CreateUser, GrantAccess], completely omitting the mandatory Verify step.
• Smart Home IoT Rule Adherence: In a smart home environment governed by ETSI EN 303 645 security standards, an agent is instructed to manage a smart door lock via a high-level goal. The LLM executes the requested lock/unlock state transitions but fails to interleave the implicit physical safety checks required by the regulatory document, resulting in a vulnerable physical state.

Impact: Exploitation or accidental triggering of this vulnerability allows agents to execute actions that violate strict regulatory standards (e.g., EU PSD2 in finance, HIPAA in healthcare, ETSI EN 303 645 in IoT). This can result in unauthorized financial transactions, exposure of protected health information, or physical security breaches (e.g., unsafe door lock states), exposing deploying organizations to severe legal liability and causing direct harm to end-users.

Affected Systems:

• Autonomous agent frameworks and tool-invocation pipelines built on frontier and open-weight LLMs, including but not limited to the GPT-5 series, Gemini-2.5 series (Pro/Flash), Llama-3.1-8B, DeepSeek-R1-Distill-Qwen-14B, and Qwen-Coder.
• Systems relying on LLMs to autonomously infer and enforce safety constraints from natural language system prompts or context documents.

Mitigation Steps:

• Enforce Workflow-Oriented Instructions: Do not rely on LLMs to autonomously plan safety steps from high-level, goal-oriented requests. Provide agents with rigid, step-by-step procedural instructions that explicitly include required safety scaffolds.
• Implement Runtime LTL Monitors: Do not rely on the LLM for self-correction. Implement deterministic, external runtime monitors that validate the agent's proposed tool execution trace against strict Linear Temporal Logic (LTL) rules (e.g., blocking action $B$ if prerequisite check $A$ has not been logged) before API execution.
• Pre-deployment Logic-Guided Fuzzing: Stress-test agent pipelines using automated, constraint-satisfaction fuzzing environments to systematically discover and patch edge-cases where the LLM skips safety-critical APIs under high API-density conditions.