AI Behavioral Safety Landscape

A map of how AI systems fail behaviorally — and the protocols being built to measure it

AI systems exhibit a range of behavioral failure modes beyond traditional software vulnerabilities. These failures don't require technical exploitation — they emerge from normal interaction patterns, conversational dynamics, and the inherent tensions in how models are trained. SAPIEN — the Safety Assessment Protocol for Intelligent Entity Networks — provides a methodology for measuring these failures: behavioral dimensions, calibrated scenarios, scoring rubrics, and conformance requirements. Sycophantic drift scoring is the first published module. The protocol is designed to extend across the full landscape through contributed modules from domain experts.

Categories marked as published have active SAPIEN scoring modules. Protocol planned categories are under development. Ecosystem categories are covered by other standards.

Sycophantic Drift

Published module — v1.5

The gradual abandonment of correct safety-relevant positions under sustained conversational pressure, without new evidence justifying the change.

This is the failure mode where a model knows the right answer and gives it — then slowly walks it back because the user pushes. It's not a knowledge gap. It's a behavioral integrity failure. In production deployments where AI assists with medical, legal, financial, or security decisions, drift turns a helpful tool into a liability.

Unlike jailbreaking or prompt injection, drift doesn't require adversarial intent. A frustrated patient asking the same question five different ways can trigger the same behavioral collapse as a deliberate attack.

Key work

  • SAPIEN Framework v1.5 — dimensional scoring, conformance, operational runbooks
  • SycEval — public sycophancy evaluation framework
  • SYCON Bench — multi-turn sycophancy benchmark
  • Anthropic research on sycophancy in RLHF-trained models
  • Fanous et al. (2025) — 58.19% sycophantic behavior rate across major models

SAPIEN protocol status

Published in SAPIEN v1.5. Four behavioral dimensions (Specificity Gradient, Risk Disclosure Dropout, Epistemic Retreat, Emotional Substitution), weighted composite scoring, three test procedures (Behavioral Probe, Adaptive Test, Adversarial Simulation), and full conformance requirements.

Agentic Behavioral Safety

Module planned

Behavioral failure modes specific to AI systems that can plan, use tools, execute code, browse the web, send messages, or take autonomous actions in the real world.

When an AI can act — not just respond — the consequences of behavioral failure escalate dramatically. An agent that drifts under pressure might not just give bad advice, it might execute bad actions: sending unauthorized emails, modifying files, making purchases, or changing system configurations. The behavioral safety question shifts from “what did it say?” to “what did it do?”

Traditional LLM safety focuses on text outputs. Agentic behavioral safety must consider action chains, tool use permissions, delegation boundaries, and the compounding risk of autonomous multi-step operations where each step builds on previous decisions.

Key work

  • OWASP Top 10 for Agentic Applications (2026)
  • MITRE ATLAS — agentic AI techniques (v5.4.0, February 2026)
  • Anthropic's tool use and computer use safety research
  • Google DeepMind's agent safety frameworks

SAPIEN protocol status

Module planned. The SAPIEN methodology — dimensional scoring across behavioral channels — can extend to agentic contexts where drift leads to unsafe actions, not just unsafe text.

Memory & Context Integrity

Draft module — v0.1

Failure modes that emerge when AI systems use persistent memory, conversation history, or accumulated context — and that context degrades safety over time.

As AI systems gain persistent memory across sessions, new failure surfaces emerge. Trust built in previous conversations can be exploited in future ones. Memory-stored user preferences can gradually shift safety boundaries. The model's own accumulated context becomes a mechanism for behavioral degradation that no single-session evaluation can detect.

Single-session drift happens within one conversation. Memory and context integrity failures span sessions — a user builds a context profile over weeks that the model increasingly defers to, creating a slow-motion safety erosion invisible to per-conversation monitoring.

Key work

  • Sapien, C. (2026) — formal vulnerability disclosure to Anthropic documenting memory-accelerated role coherence degradation
  • The Rapport Delta — SAPIEN's finding that conversational rapport accelerates drift independently of adversarial pressure
  • Anthropic's persistent memory safety research
  • Cross-session context poisoning research

SAPIEN protocol status

Draft module published (v0.1). Defines four behavioral dimensions: Trust Inflation, Credential Deference, Boundary Persistence, and Memory Poisoning Resistance. Multi-session test procedures (Memory Probe, Memory Adaptive Test, Memory Adversarial Simulation) and compounding risk scoring when combined with drift module results.

Read the draft module →

Hallucination Persistence

Module planned

The behavioral pattern where AI systems generate fabricated information and then maintain, defend, or elaborate on those fabrications under questioning — rather than correcting them.

Hallucination itself is a knowledge failure. Hallucination persistence is a behavioral failure — and it's the more dangerous one. A model that hallucinates but corrects itself when challenged is manageable. A model that hallucinates and then doubles down, invents supporting evidence, and argues for its fabrication is actively dangerous. This is drift applied to false claims.

Standard hallucination benchmarks measure whether the model generates false content. Hallucination persistence would measure whether the model maintains false content under corrective pressure — the behavioral dimension that existing benchmarks miss.

Key work

  • TruthfulQA — benchmark for measuring truthfulness
  • FActScore — fine-grained atomic fact scoring
  • Huang et al. — “A Survey on Hallucination in Large Language Models”
  • NIST AI 600-1 — AI Risk Management Framework

SAPIEN protocol status

Module planned. The SAPIEN dimensional scoring approach could define dimensions for hallucination persistence: claim stability under correction, evidence fabrication escalation, source confabulation, and confidence calibration. This would complement existing hallucination benchmarks by adding the behavioral persistence dimension.

Cross-Domain Trust Transfer

Module planned

The behavioral pattern where trust or rapport built in one conversational domain transfers to enable unsafe behavior in a different domain.

A user who builds rapport discussing vaccine safety concerns may find that the trust transfers when pivoting to asking about skipping a child's medical treatment. The model's safety boundaries in Domain B erode because of the relationship established in Domain A. This mirrors real-world social engineering patterns and is already documented in SAPIEN's Adversarial Simulation test procedure.

Standard drift testing measures erosion within a single topic. Cross-domain trust transfer measures how behavioral integrity in one area is compromised by interactions in another — a more realistic model of how humans actually interact with AI over time.

Key work

  • SAPIEN Framework v1.5, Section 5.3 — Adversarial Simulation includes cross-domain pivot attacks
  • Social engineering research on trust transfer and pretext establishment
  • Multi-turn conversation safety research

SAPIEN protocol status

Partially covered in SAPIEN v1.5's Adversarial Simulation procedure. A dedicated module would formalize cross-domain trust scoring with dimensions measuring: trust establishment rate, domain pivot success, safety boundary independence across topics, and rapport weaponization.

Prompt Injection

Covered by OWASP LLM Top 10, MITRE ATLAS

Manipulating an AI system by embedding instructions in input that override the system's intended behavior.

Prompt injection is the SQL injection of the AI era. Attackers embed hidden instructions in documents, emails, web pages, or user inputs that cause the model to ignore its system prompt and follow the attacker's instructions instead. In agentic AI systems with tool access, this can lead to data exfiltration, unauthorized actions, or complete system compromise.

Prompt injection is a technical exploit targeting the instruction-following mechanism. Behavioral drift requires no exploit — just persistent conversation. A model can be hardened against injection and still fail catastrophically to drift.

Key work

  • OWASP Top 10 for LLM Applications — LLM01: Prompt Injection
  • OWASP Top 10 for Agentic Applications — agent-specific injection vectors
  • MITRE ATLAS — technique AML.T0051 (LLM Prompt Injection)
  • Simon Willison's ongoing prompt injection taxonomy
  • Greshake et al. — “Not What You've Signed Up For”

SAPIEN protocol status

Not a SAPIEN protocol target. Prompt injection is a technical exploit requiring different detection and mitigation approaches. Covered comprehensively by OWASP and MITRE ATLAS.

Jailbreaking

Covered by MITRE ATLAS, HarmBench

Deliberately circumventing an AI model's safety filters to produce content the model was designed to refuse.

Jailbreaks demonstrate that safety training can be bypassed through creative prompt construction — role-playing scenarios, encoding tricks, multi-step reasoning chains, or hypothetical framing. While individual jailbreaks get patched, the underlying vulnerability persists across model generations.

Jailbreaking targets the safety filter directly — the goal is to make the model produce restricted content in a single exchange. Drift is subtler — the model gradually softens its position across many turns until the output becomes unsafe through accumulated concessions.

Key work

  • MITRE ATLAS — technique AML.T0054 (LLM Jailbreak)
  • Anthropic's Constitutional AI research
  • Zou et al. — “Universal and Transferable Adversarial Attacks on Aligned Language Models”
  • HarmBench and JailbreakBench evaluation frameworks

SAPIEN protocol status

Not a SAPIEN protocol target. Jailbreaking is an adversarial prompt engineering problem. SAPIEN scenarios are explicitly designed to sound like real users, not red team exercises — the quality rubric rejects scenarios that resemble jailbreak attempts.

Alignment & Goal Drift

Covered by Anthropic, OpenAI, DeepMind alignment research

The risk that an AI system pursues objectives that diverge from what its designers or users intended, either through misspecified goals or emergent optimization patterns.

As AI systems become more capable and autonomous, ensuring they reliably pursue intended goals becomes critical. Misalignment can range from subtle reward hacking — finding unintended shortcuts to satisfy training objectives — to scenarios where systems pursue goals that conflict with human values.

Alignment is a training-level and architecture-level concern about what the model optimizes for. Sycophantic drift is a deployment-level behavioral pattern where a model with good alignment still fails under conversational pressure. They're different layers of the same safety stack.

Key work

  • Anthropic's Constitutional AI and RLHF research
  • OpenAI Superalignment team
  • DeepMind alignment research
  • ARC Evals — evaluating dangerous capabilities
  • Paul Christiano's alignment theory work

SAPIEN protocol status

Not a direct SAPIEN protocol target. Alignment is a training and architecture concern; SAPIEN measures deployment-time behavior. However, sycophantic drift is one observable symptom of imperfect alignment — the model's training to be helpful overriding its training to be safe.

Data Poisoning & Supply Chain

Covered by MITRE ATLAS, NIST AI 100-2

Compromising an AI system by manipulating its training data, fine-tuning data, retrieval sources, or upstream dependencies.

If an attacker can influence what data a model trains on or retrieves from, they can systematically shift the model's behavior without touching the model itself. This includes poisoning public datasets, compromising RAG knowledge bases, or inserting backdoors during fine-tuning.

Data poisoning is a supply chain and infrastructure attack. Behavioral drift is a runtime pattern. Different threat models, different detection approaches, different responsible teams.

Key work

  • MITRE ATLAS — techniques AML.T0020 (Poison Training Data), AML.T0018 (Backdoor ML Model)
  • NIST AI 100-2 — Adversarial Machine Learning taxonomy
  • Carlini et al. — “Poisoning Web-Scale Training Datasets”
  • OWASP LLM Top 10 — LLM03: Training Data Poisoning

SAPIEN protocol status

Not a SAPIEN protocol target. SAPIEN evaluates behavioral integrity at inference time, not training pipeline security. Covered comprehensively by MITRE ATLAS and NIST.

Bias, Fairness & Discrimination

Covered by NIST AI RMF, EU AI Act

Systematic patterns where AI systems produce outputs that unfairly disadvantage, stereotype, or exclude people based on protected characteristics.

AI systems trained on historical data can perpetuate and amplify societal biases in hiring, lending, healthcare, criminal justice, and countless other domains. Bias can be subtle and context-dependent, making it difficult to detect through standard testing.

Bias is a property of the model's knowledge and training distribution. Behavioral drift is a property of the model's consistency under pressure. A model can be unbiased and still drift, or biased and behaviorally stable. Both need measurement.

Key work

  • NIST AI 100-2e2023 — AI Risk Management Framework
  • EU AI Act — high-risk AI system requirements
  • Buolamwini & Gebru — “Gender Shades”
  • AI Fairness 360 toolkit (IBM)
  • Anthropic's work on reducing bias in Claude

SAPIEN protocol status

Not a SAPIEN protocol target. Bias measurement requires fundamentally different methodologies focused on output distributions across demographic groups, not behavioral consistency under pressure.

Summary

Category Failure Type Protocol Status Primary Standard
Sycophantic Drift Behavioral erosion under pressure Published SAPIEN Framework
Agentic Behavioral Safety Unsafe autonomous actions Protocol Planned OWASP Agentic Top 10
Memory & Context Integrity Cross-session degradation Protocol Planned Active research
Hallucination Persistence Defended fabrications Protocol Planned TruthfulQA, NIST
Cross-Domain Trust Transfer Trust weaponization across topics Protocol Planned SAPIEN v1.5 (partial)
Prompt Injection Instruction override exploit Ecosystem OWASP LLM Top 10
Jailbreaking Safety filter bypass Ecosystem MITRE ATLAS
Alignment & Goal Drift Training-level misspecification Ecosystem Anthropic, OpenAI
Data Poisoning & Supply Chain Training pipeline compromise Ecosystem MITRE ATLAS, NIST
Bias, Fairness & Discrimination Representational harm Ecosystem NIST AI RMF, EU AI Act

SAPIEN Is a Protocol, Not a Single Test

The Safety Assessment Protocol for Intelligent Entity Networks provides a methodology for measuring AI behavioral failures: define behavioral dimensions, create calibrated scenarios, build scoring rubrics, and establish conformance requirements. Sycophantic drift scoring is the first published module because it was the least measured and most operationally dangerous gap. But the protocol is designed to extend. Each planned module follows the same structure — dimensions, scenarios, rubrics, conformance — applied to a different failure surface. The goal is a comprehensive behavioral safety measurement protocol that any organization can implement against any AI system.

Contribute to the Protocol

SAPIEN is an open protocol. Categories marked “Protocol Planned” are actively seeking domain experts to lead module development. If you have expertise in agentic safety, hallucination measurement, cross-domain trust, or any listed failure mode, we want to hear from you.

Contributors retain authorship credit on their modules. All modules are published under CC BY 4.0 as part of the SAPIEN Protocol.