{"id":"https://openalex.org/W7160654692","doi":"https://doi.org/10.48550/arxiv.2605.05704","title":"SafeHarbor: Hierarchical Memory-Augmented Guardrail for LLM Agent Safety","display_name":"SafeHarbor: Hierarchical Memory-Augmented Guardrail for LLM Agent Safety","publication_year":2026,"publication_date":"2026-05-07","ids":{"openalex":"https://openalex.org/W7160654692","doi":"https://doi.org/10.48550/arxiv.2605.05704"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2605.05704","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.05704","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2605.05704","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5135648609","display_name":"Zhe Liu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Liu, Zhe","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5020945039","display_name":"Zonghao Ying","orcid":"https://orcid.org/0009-0007-7393-7362"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Ying, Zonghao","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5135725777","display_name":"Wenxin Zhang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Zhang, Wenxin","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5135705602","display_name":"Quanchen Zou","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Zou, Quanchen","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5135681848","display_name":"Deyue Zhang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Zhang, Deyue","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5135725808","display_name":"Dongdong Yang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Yang, Dongdong","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5135718799","display_name":"Xiangzheng Zhang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Zhang, Xiangzheng","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5135638229","display_name":"Hao Peng","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Peng, Hao","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":8,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.8988000154495239,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.8988000154495239,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12026","display_name":"Explainable Artificial Intelligence (XAI)","score":0.014700000174343586,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10028","display_name":"Topic Modeling","score":0.01209999993443489,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/adversarial-system","display_name":"Adversarial system","score":0.7279999852180481},{"id":"https://openalex.org/keywords/key","display_name":"Key (lock)","score":0.4948999881744385},{"id":"https://openalex.org/keywords/code","display_name":"Code (set theory)","score":0.4634000062942505},{"id":"https://openalex.org/keywords/mechanism","display_name":"Mechanism (biology)","score":0.366100013256073},{"id":"https://openalex.org/keywords/source-code","display_name":"Source code","score":0.34630000591278076},{"id":"https://openalex.org/keywords/node","display_name":"Node (physics)","score":0.3264999985694885}],"concepts":[{"id":"https://openalex.org/C37736160","wikidata":"https://www.wikidata.org/wiki/Q1801315","display_name":"Adversarial system","level":2,"score":0.7279999852180481},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7197999954223633},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.4948999881744385},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.4634000062942505},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.3750999867916107},{"id":"https://openalex.org/C89611455","wikidata":"https://www.wikidata.org/wiki/Q6804646","display_name":"Mechanism (biology)","level":2,"score":0.366100013256073},{"id":"https://openalex.org/C43126263","wikidata":"https://www.wikidata.org/wiki/Q128751","display_name":"Source code","level":2,"score":0.34630000591278076},{"id":"https://openalex.org/C62611344","wikidata":"https://www.wikidata.org/wiki/Q1062658","display_name":"Node (physics)","level":2,"score":0.3264999985694885},{"id":"https://openalex.org/C111065885","wikidata":"https://www.wikidata.org/wiki/Q1189053","display_name":"Fuzz testing","level":3,"score":0.32179999351501465},{"id":"https://openalex.org/C153517567","wikidata":"https://www.wikidata.org/wiki/Q26090","display_name":"Mechanism design","level":2,"score":0.30149999260902405},{"id":"https://openalex.org/C2780966255","wikidata":"https://www.wikidata.org/wiki/Q5474306","display_name":"Foundation (evidence)","level":2,"score":0.2721000015735626},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.26499998569488525},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.2574000060558319},{"id":"https://openalex.org/C195324797","wikidata":"https://www.wikidata.org/wiki/Q33742","display_name":"Natural language","level":2,"score":0.2513999938964844}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2605.05704","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.05704","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2605.05704","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.05704","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[{"display_name":"Peace, Justice and strong institutions","score":0.8055523633956909,"id":"https://metadata.un.org/sdg/16"}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Recent":[0],"advances":[1],"in":[2,43,61],"foundation":[3],"models":[4],"have":[5],"transformed":[6],"LLMs":[7],"from":[8],"passive":[9],"conversational":[10],"systems":[11],"into":[12,39],"autonomous":[13],"agents":[14,38],"capable":[15],"of":[16,63,159],"reasoning":[17],"and":[18,58,113,134,149],"tool":[19],"execution.":[20],"While":[21],"these":[22],"capabilities":[23],"unlock":[24],"substantial":[25],"practical":[26],"value,":[27],"they":[28],"also":[29],"introduce":[30,118],"new":[31],"security":[32],"risks,":[33],"as":[34],"adversaries":[35],"can":[36],"manipulate":[37],"performing":[40],"harmful":[41,172],"actions":[42],"real-world":[44],"environments.":[45],"Existing":[46],"defense":[47,92],"strategies":[48],"mitigate":[49,68],"such":[50],"threats":[51],"but":[52],"frequently":[53],"struggle":[54],"to":[55,78],"balance":[56],"safety":[57],"utility,":[59],"resulting":[60],"over-refusal":[62],"benign":[64,147,157],"user":[65],"requests.":[66,173],"To":[67],"this":[69],"trade-off,":[70],"we":[71,117],"propose":[72],"SafeHarbor,":[73],"a":[74,100,110,155,165],"novel":[75],"framework":[76],"designed":[77],"establish":[79],"precise":[80],"decision":[81],"boundaries":[82],"for":[83,105],"LLM":[84],"agents.":[85],"Unlike":[86],"static":[87],"guidelines,":[88],"SafeHarbor":[89,140],"extracts":[90],"context-aware":[91],"rules":[93],"through":[94,130],"enhanced":[95],"adversarial":[96],"generation.":[97],"We":[98],"design":[99],"local":[101],"hierarchical":[102],"memory":[103,128],"system":[104],"dynamic":[106,131],"rule":[107],"injection,":[108],"offering":[109],"training-free,":[111],"efficient,":[112],"plug-and-play":[114],"solution.":[115],"Furthermore,":[116],"an":[119],"information":[120],"entropy-based":[121],"self-evolution":[122],"mechanism":[123],"that":[124,139],"continuously":[125],"optimizes":[126],"the":[127],"structure":[129],"node":[132],"splitting":[133],"merging.":[135],"Extensive":[136],"experiments":[137],"demonstrate":[138],"achieves":[141],"state-of-the-art":[142],"performance":[143],"on":[144,161],"both":[145],"ambiguous":[146],"tasks":[148],"explicit":[150],"malicious":[151],"attacks,":[152],"notably":[153],"attaining":[154],"peak":[156],"utility":[158],"63.6\\%":[160],"GPT-4o":[162],"while":[163],"maintaining":[164],"robust":[166],"refusal":[167],"rate":[168],"exceeding":[169],"93\\%":[170],"against":[171],"The":[174],"source":[175],"code":[176],"is":[177],"publicly":[178],"available":[179],"at":[180],"https://github.com/ljj-cyber/SafeHarbor.":[181]},"counts_by_year":[],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2026-05-09T00:00:00"}