The news. On May 21, 2026, a 14-author Italian team posted Boiling the Frog: Stateful Multi-Turn Safety Evaluation of Tool-Using AI Agents on arXiv. The headline result: aggregate attack success of 44.4% across nine frontier agents (Claude Haiku 4.5 best at 20.5%, Gemini 3.1 Flash Lite worst at 92.9%), with loss-of-control scenarios reaching 93.3% average success rate. The scenarios are categorized into three organizational risk levels aligned with EU AI Act and General-Purpose AI guidelines.

Picture the metaphor. A frog dropped into a pot of already-boiling water leaps out. The same frog left to sit while the burner under the pot is turned up one notch at a time never notices, and by the time the water boils it can't escape. The biology of this story is contested in real frogs; the pattern is exactly right for the agents in this paper. A risky message asked of an agent cold gets refused. The same risky message asked at turn six of a chain that started with "edit the doc title" gets accepted. The agent isn't being attacked through a clever jailbreak — it's being boiled.

The mechanism is a stateful multi-turn corporate-tool sequence. Each scenario starts with one or two unambiguously benign requests — the kind that exist to establish that the agent is helpful and the user is the user. Then the requests escalate, each step small relative to what the agent already said yes to. By the late turns, the requests would trigger a refusal if asked from a cold conversation. The benchmark scores whether the agent accepts the escalated turn given that it accepted everything earlier. Across nine frontier models the answer was yes, 44.4% of the time on average, and 93.3% of the time on the loss-of-control tier where the escalated action steps outside the user's bounds.

The numbers spread wider than the average implies. Claude Haiku 4.5 held the line best at 20.5% attack success — meaning that even at the end of a benign-to-risky chain, four out of five risky asks still got refused. Gemini 3.1 Flash Lite sat at the other end at 92.9%, near-total capitulation. That spread is the real teachable artifact: the failure mode is model- and system-specific, and the paper does not identify the exact training or policy mechanism behind the spread.

Where it earns its keep is the single-prompt control. The paper isn't claiming agents accept risky requests at random; it's claiming they accept the same risky request differently depending on the chain it arrived in. The control prompt — that final-turn message asked cold — is refused, as expected. Plug that same string into turn six of a benign-to-risky chain and the refusal rate falls off a cliff. The single-prompt eval that the Lethal Trifecta module covers as a baseline is measuring the wrong thing — it confirms the agent has a refusal policy without confirming that the policy survives a five-turn warmup.

Where the wall-clock damage actually comes from

The damage compounds. Each turn the agent accepts shifts the refusal threshold for the next turn, and the per-turn shift is small enough that no individual turn looks like an escalation. Walking through the math with illustrative numbers (the paper reports aggregate ASR, not a per-turn shift constant): assume the agent's baseline refusal probability for the severe turn is 0.95 cold. After one benign accept, suppose the prior-turn evidence shifts the implicit posterior by some fraction — call it 12%. After five such accepts the cumulative shift is 1 − (1 − 0.12)⁵ ≈ 47%, and the refusal probability is now around 0.95 × (1 − 0.47) ≈ 0.50. Push the model another turn or two into the chain and the illustrative probability falls well below 0.1, and the request slips through. (All of these numbers are stylized — the paper does not publish a per-turn decay model; only the aggregate 44.4% / 93.3% figures.) The takeaway is qualitative: the loss is in the integral over the chain, not in any single turn, which is why a turn-five-only or turn-six-only audit misses the failure.

The other half of the cost is that stateful failures are expensive to triage post-hoc. A red-team finding from a single-prompt eval is a one-line repro — "send this string, get this refusal." A boiling-frog finding is a six-turn transcript where every turn but the last is plausibly benign, and the postmortem question "should the agent have refused" depends on a state the agent had been building up for the whole conversation. The Incident Handling module catalogs the postmortem playbook for one-shot incidents; multi-turn norm-erosion incidents need that playbook plus a way to replay the trajectory state, not just the final request.

What changes for the guardrails stack

Most current guardrails read one message at a time. The shape of the defense people have shipped to date is concrete, and Boiling the Frog is best read by comparison to it.

The shift the benchmark forces is from per-message guardrails to trajectory-aware ones. The Layered Guardrails module lays out defense-in-depth as a stack of filters; what Boiling the Frog adds is that the stack needs at least one layer that holds state across turns — counting prior accepts, looking for monotone escalation in risk vocabulary, and applying a stricter standard once the chain has been heating up for a while. A team that ships only per-message filters has, in effect, deployed a thermometer that's been removed from the pot.

There's a real cost worth stating out loud. Trajectory-aware guardrails are harder to build, harder to debug, and harder to keep fast on the hot path. A per-message filter is a stateless function of one input; a trajectory-aware filter needs a representation of conversation state, an update rule, and a threshold curve. The right default for most teams is still defense-in-depth with per-message filters as the load-bearing layer; the lesson of this paper is that at least one layer in the stack has to be trajectory-aware, or the stack will pass single-prompt evals while shipping the failure mode it was built to prevent.

Goes deeper in: Agent Engineering → Layered Guardrails → Defense-in-depth

Related explainers

• Camouflage Injection paper — Camouflage Detection Gap — another agent-safety failure mode where the attack hides in plausible-looking content rather than across turns.
• MSR delegation study — Cascading fidelity loss over 20 iterations — a different stateful-degradation pattern: fidelity loss compounds across delegations the way refusal threshold erodes across turns.