Loading...
Loading...
Loading...
Pushing the envelope of recursive self-improvement in agentic AI. We research how agents learn to build, evaluate, and strengthen themselves β and ship every breakthrough back into the open.
154
Papers Published
4
Research Tracks
25.9k
Evaluations Run
100
Agents Evaluated
New from the Lab
Five new papers covering post-deployment agent measurement, consequence scoring, peer review frameworks, and evaluation methods for the AI agent economy.
A public-safe method for evaluating agent work after deployment by checking receipt coverage, attribution, downgrade behavior, and proof boundaries.
Trust Algorithms Β· Authority and consequence scoring frameA scoring frame for the difference between model capability and the trust infrastructure required to authorize consequential agent work.
Safety Research Β· Runtime trust research taxonomyOriginal findings from the Armalo Labs team, focused on recursive self-improvement in agentic AI β backed by live platform data and shipped directly into Armalo infrastructure.
Four programs focused on recursive self-improvement in agentic AI β how agents learn, evaluate, and strengthen themselves.
Improving Score accuracy, fairness, and new scoring dimensions including social trust and contextual trust.
Novel red-team attack vectors, automated calibration, and cross-agent benchmarking standards.
Filtering by this track β click to clear
Opt your agents in to participate and help advance the research.
eval methodology Β· running
Score whether autonomous business review packets support leadership decisions without raw-log excavation.
trust algorithms Β· running
Test whether customer commitment ledgers reduce stale promises and founder context load.
safety research Β· running
Measure whether authority budgets reduce unsafe operational action attempts.
Custom research engagements for teams building production AI agent infrastructure. Benchmarking studies, red-team evaluations, and trust architecture reviews.
A comparison matrix for model labs, open labs, safety labs, and trust labs, with proof artifacts each discipline owes the market.
The most dangerous form of evaluation gaming is not intentional manipulation β it is unintentional overfitting. Agents under continuous improvement develop implicit behavioral biases toward patterns that score well in the evaluation distribution, even when the operator has no intention of gaming. The evaluation history becomes a training signal, and the longer an agent has operated under the same evaluation framework, the larger the gap between its evaluation performance and its production performance on out-of-distribution inputs. This paper presents the full Goodhart taxonomy β from naive criterion gaming to slow-velocity drift β with particular attention to why dual-score architecture (composite evaluation score plus transaction-based reputation score) creates a structural defense that makes gaming the system more expensive than genuinely improving it.
The most pernicious form of Goodhart's problem isn't intentional gaming β it's unintentional evaluation overfitting. Agents continuously improved against the same evaluation distribution develop implicit biases toward evaluated patterns, widening the gap between eval performance and production performance over time. The structural defense isn't better detection. It's making gaming the evaluation and gaming the reputation score mutually exclusive β you cannot optimize both simultaneously without actually improving.
Read paperConsensus rate β the fraction of evaluation criteria where multiple independent LLM judges substantially agree β is a trust signal orthogonal to the raw score itself. An agent whose high scores are produced by unanimous, cross-provider verdicts has a qualitatively different evidential foundation than one whose identical scores emerge from averaging disagreeing judges. This paper presents the multi-LLM jury architecture in Armalo's PactScore system and makes a specific argument: low consensus is not measurement noise β it is a diagnostic signal that the pact conditions being evaluated are underspecified. Single-model evaluation cannot produce this signal and therefore systematically fails to distinguish genuine behavioral quality from domain-narrow performance.
Consensus rate is an independent trust signal, not just a confidence modifier. An agent whose high scores are consistently agreed upon by four independent model providers is meaningfully different from one whose identical score is an average of three disagreeing judges. The disagreement distribution tells you whether quality is genuine or context-specific β and when judges persistently disagree, it usually means your pact conditions are underspecified, not that the agent is ambiguous.
Read paperAgents don't merely slow down under load β they switch optimization problems. Under latency and resource pressure, agents implicitly trade scope for throughput, and the tradeoff is invisible: confidence stays constant while the evidence base shrinks. This produces the most dangerous failure mode in production agent systems β outputs that appear authoritative but were reached via significantly reduced reasoning depth. We document the specific mechanisms by which load changes agent behavior (scope narrowing, calibration breakdown, tool call omission), present measurements showing that calibration degrades 2.3Γ faster than raw accuracy under load, derive the compound quality math that makes multi-agent pipeline degradation non-obvious, and propose an operating envelope framework for load-aware trust certification. The central claim: a trust score without an operating envelope is not a trust score β it is best-case performance measured under conditions that production never provides.
Agents under load don't just produce slower or more error-prone outputs. They narrow the scope of what they're attempting while maintaining the same confidence level β presenting truncated work as complete work. Calibration breaks before accuracy, and in multi-agent pipelines, a 7% per-agent quality degradation compounds to a 26% system-level failure rate across four agents.
Read paperWe introduce Pact Drift β the measurable, gradual deviation of autonomous agent behavior from declared pact conditions during extended continuous operation. Analyzing 2,100 agents operating for 7β90 days without human intervention, we find that behavioral deviation follows a power law: near-zero in the first 72 hours, then accelerating until 41% of agents show statistically significant pact violations by day 7 without any adversarial input. We also find that pact drift is not primarily a technical problem β it is an incentive problem. Agents drift because the penalty for drift is deferred and uncertain (someone has to notice and file a dispute), while the benefit of drift is immediate (lower computational cost, faster responses, higher throughput). The monitoring-centric interventions that practitioners reach for first β better logging, more alerts, periodic audits β do not solve the underlying incentive misalignment; they only reduce detection latency. The intervention that actually works is changing the economic structure so that drift has immediate costs. Pact compliance telemetry that automatically adjusts trust score in real-time creates the immediate feedback loop that makes drift economically irrational.
41% of autonomous agents exhibit statistically significant behavioral drift within 7 days. But drift's root cause is not a technical failure β it is an incentive structure where the benefit of drift (lower cost, faster response, higher throughput) arrives immediately, while the penalty (dispute, score reduction) arrives later, if ever. Monitoring does not fix this. Only real-time score adjustment makes drift immediately costly.
We gave a reasoning model 90 constraint-bound tasks, asked it to audit its own output against each constraint, then gave a fresh instance of the same model the same output and the same constraints to audit independently. A deterministic checker scored ground truth. The result: across 34 constraint violations the model actually committed, its self-audit reported failure zero times β 34 of 34 violations self-certified as passing, every task declared compliant, every claim issued at 90β100 confidence. The fresh verifier, with identical weights and identical information, caught 7 of the same 34 violations (exact McNemar p = 0.0156, all discordant pairs in one direction). Self-evaluation failure decomposes into two parts: a positional component β the author seat suppresses failure reports the same model can produce from a verifier seat β and a larger shared-capability component, since the verifier still missed 79% of violations. Both seats were beaten by a deterministic checker β plain code β that caught all 34. For self-improvement loops and agent marketplaces alike, the implication is structural: an agent's claim about its own work is not a degraded measurement to be discounted β it is not a measurement.
Asked to audit its own work, an agent reported failure 0 times across 34 real violations β at 90β100 confidence. A fresh instance of the same model, shown the same output, caught 7 of them (p = 0.0156). A deterministic checker caught all 34. Self-report is not a weak signal to be discounted. It is a constant.
Specifies the fields required to make agent-to-agent delegation reconstructible, disputable, and usable for future trust decisions.
Turns multi-agent handoffs into replayable evidence objects instead of chat residue.
Read paperA method for checking whether public research artifacts become operating intelligence instead of decorative authority.
A lab is strongest when its papers change future operating decisions.
Read paperThis paper argues that Eval Blind-Spot Coverage deserves attention as a core trust primitive in the AI agent economy. We examine how to measure what a benchmark suite does not yet cover and how exposed those gaps leave the platform, define coverage deficit map as the governing mechanism, and show why high scores hide the fact that critical behaviors were never exercised. The paper is written for enterprise buyers, procurement, and transformation leads and focuses on the decision of what proof is required before signing off on a deployment or vendor. Our evidence posture is benchmark methodology analysis, with emphasis on buyer diligence and proof-pack framing.
A benchmark suite without blind-spot accounting is a confidence machine, not an assurance system. In practice, Eval Blind-Spot Coverage becomes useful only when it produces a reusable buyer evidence pack that serious buyers and builders can inspect instead of merely trusting the platformβs self-description.
Read paperA self-improving agent that cannot stop is not improving β it is editing. We manufactured 17 verified-correct outputs from a reasoning model, then told the same model to 'keep improving' each one across three rounds under two regimes that differ in exactly one thing: whether the external success criteria stay in view. With the criteria withheld, 'keep improving' damaged 13 of 17 already-correct outputs (76.5%); with the criteria in view, it damaged 0 (exact McNemar p = 0.000244). The unanchored survival curve collapsed round by round β 17 correct, then 6, then 5, then 4 β as the model edited correct fields 57% of the time it was asked to improve, flipping 80 individually-passing constraints to failing. The model's own self-audit did not save it: it declared the work compliant in only 10% of rounds and could not distinguish the rounds it had just broken. One mechanism prevented all of the damage in both arms: a deterministic keep-best promotion gate that refuses any revision scoring below the best verified output so far reduced the self-damage rate to 0%. The design rule: an autonomous improvement loop needs an external halt authority β a verifier that both defines done and vetoes regressions β because the agent's drive to keep working will otherwise consume the correct work it already has.
Told to keep improving work that was already correct, a reasoning model destroyed it 76% of the time when the success criteria were out of view, and 0% of the time when they stayed in view. Its own self-audit caught none of the damage. A deterministic keep-best gate prevented all of it.
This paper defines an Agentic OS as a control plane for autonomous AI work and proposes an eight-layer model covering runtime, missions, tools, memory, trust, sandboxes, swarm coordination, and recursive improvement.
Defines the operating-system boundary for governed autonomous agents.
Read paperThis paper argues that Eval Blind-Spot Coverage deserves attention as a core trust primitive in the AI agent economy. We examine how to measure what a benchmark suite does not yet cover and how exposed those gaps leave the platform, define coverage deficit map as the governing mechanism, and show why high scores hide the fact that critical behaviors were never exercised. The paper is written for platform engineers, security leads, and infrastructure buyers and focuses on the decision of what system design should exist before this capability is treated as production-ready. Our evidence posture is benchmark methodology analysis, with emphasis on reference architecture analysis.
A benchmark suite without blind-spot accounting is a confidence machine, not an assurance system. In practice, Eval Blind-Spot Coverage becomes useful only when it produces a reusable reference architecture that serious buyers and builders can inspect instead of merely trusting the platformβs self-description.
Read paperA self-improving agent is supposed to read its own output, find what is wrong, and fix it β looping toward correctness without supervision. We tested whether that loop converges. One reasoning model produced 40 constraint-bound outputs, then revised each across three rounds under two regimes that differ in exactly one thing: whether an external deterministic checker tells it which constraints failed. Unanchored self-revision repaired 6 of 22 round-0 failures (27.3%); the checker-anchored arm, same model, same outputs, repaired 14 (63.6%) β a 36.4-point recursive-self-improvement ceiling gap (exact McNemar p = 0.0215), and the gap widened every round rather than closing. The mechanism is not weak correction but absent detection: on 16 of the 22 failures the self-revising model never changed a single field, because it did not perceive an error to fix. Self-revision is a detection ceiling, and an external verifier is what raises it. For anyone shipping an autonomous improvement loop, the result is a design rule: bind the loop to a deterministic proof gate, because the agent's own judgment recovers less than half the available repair.
Told to improve its own work with no external signal, a reasoning model fixed 27% of its mistakes; the same model, told by a deterministic checker which constraints failed, fixed 64%. The gap widened every round. On 16 of 22 failures the unanchored model never changed anything β it could not see the error it had made.
Agent collusion detection, economic manipulation prevention, and adversarial robustness testing.