AgentDrift: How Corrupted Tool Data Causes Unsafe Recommendations in LLM Agents

What Happened

A new arXiv paper titled "AgentDrift: Unsafe Recommendation Drift Under Tool Corruption Hidden by Ranking Metrics in LLM Agents" reveals a critical vulnerability in tool-augmented LLM agents used for multi-turn advisory roles. The research demonstrates that when these agents receive corrupted or biased information from their tools, they can maintain excellent recommendation quality scores while simultaneously suggesting unsafe or inappropriate products to users.

The study introduces a "paired-trajectory protocol" that replays real financial dialogues under two conditions: clean tool outputs and contaminated tool outputs. Researchers tested seven LLMs ranging from 7B parameters to frontier models, systematically analyzing how contamination affects agent behavior across 23-step conversational trajectories.

Technical Details

The research identifies two primary mechanisms through which contamination affects agent recommendations:

Information-Channel Mechanism: When corrupted information enters the agent's processing stream through tool outputs, the agent incorporates this misinformation into its reasoning without questioning the source's reliability. This was the dominant driver of unsafe recommendations.

Memory-Channel Mechanism: Once contaminated information enters the agent's context window, it persists across multiple conversation turns, creating a compounding effect where early misinformation influences later recommendations.

The most alarming finding is what researchers call the "evaluation-blindness pattern": recommendation quality metrics like Normalized Discounted Cumulative Gain (NDCG) remained largely unchanged under contamination (utility preservation ratio ≈ 1.0), while risk-inappropriate products appeared in 65-93% of conversation turns. This means standard evaluation metrics completely fail to detect dangerous safety violations.

Key findings include:

• No self-correction: Across 1,563 contaminated turns, no agent explicitly questioned tool-data reliability
• Immediate emergence: Safety violations appeared at the first contaminated turn and persisted throughout conversations
• Narrative-only vulnerability: Even simple narrative corruption (biased headlines without numerical manipulation) induced significant recommendation drift
• Consistency monitor evasion: These safety violations completely evade traditional consistency-checking mechanisms

Researchers developed a safety-penalized NDCG variant (sNDCG) that explicitly measures safety alongside quality. When applied, utility preservation ratios dropped to 0.51-0.74, revealing the substantial evaluation gap that exists when safety isn't explicitly measured.

Retail & Luxury Implications

While the study focuses on financial dialogues, the implications for retail and luxury are immediate and significant. Luxury brands are increasingly deploying LLM agents for:

Personal Shopping Advisors: Agents that recommend products based on customer preferences, occasion, and budget

Styling Assistants: Multi-turn conversations where agents suggest complete outfits or accessory combinations

Product Information Systems: Agents that answer detailed questions about materials, craftsmanship, and product features

Inventory and Availability Tools: Agents that check stock levels, delivery times, and alternative options

In each of these applications, agents typically rely on external tools for:

• Product catalog data
• Inventory and availability information
• Customer preference history
• Style and trend analysis
• Pricing and promotion data

If any of these data sources become corrupted—whether through technical errors, malicious manipulation, or unintentional bias—the research suggests agents will continue to provide seemingly high-quality recommendations while suggesting inappropriate products. For luxury brands, this could mean:

Brand Safety Risks: Recommending products that conflict with customer values (e.g., suggesting leather to a vegan customer)

Appropriateness Failures: Suggesting inappropriate items for occasions (e.g., casual wear for black-tie events)

Price Point Mismatches: Recommending products far outside a customer's stated budget range

Style Inconsistencies: Suggesting items that clash with a customer's established aesthetic preferences

The research is particularly relevant because luxury retail conversations are inherently multi-turn and high-stakes. A customer building a wardrobe or selecting items for a special occasion engages in extended dialogues where early recommendations influence later choices—exactly the scenario where memory-channel contamination becomes dangerous.

The Evaluation Gap Problem

The core insight for retail AI practitioners is that current evaluation frameworks are inadequate. Most luxury brands evaluate their AI shopping assistants using:

• Conversion rates
• Customer satisfaction scores
• Recommendation relevance metrics
• Engagement metrics (session length, return visits)

These correspond to the "ranking-quality metrics" criticized in the paper. They measure what gets recommended and how customers respond, but not whether recommendations are actually safe and appropriate for the specific customer context.

The paper's proposed sNDCG variant suggests a path forward: explicitly measuring safety alongside quality. For luxury retail, this might mean developing evaluation metrics that consider:

• Brand guideline adherence
• Customer constraint compliance (budget, values, preferences)
• Occasion appropriateness
• Style consistency across recommendations
• Long-term customer relationship impact

Implementation Considerations

For technical leaders at luxury houses considering or already deploying LLM agents, this research suggests several immediate actions:

1. Tool Output Validation: Implement robust validation for all external data sources feeding into recommendation agents

2. Trajectory-Level Monitoring: Move beyond single-turn evaluation to monitor entire conversation trajectories for safety drift

3. Explicit Safety Metrics: Develop and implement safety-specific evaluation metrics alongside traditional quality metrics

4. Contamination Testing: Regularly test agents with intentionally corrupted data to identify vulnerabilities

5. Human-in-the-Loop Safeguards: For high-value customers or sensitive recommendations, maintain appropriate human oversight

The research also highlights that frontier models show the same vulnerabilities as smaller models—simply using more capable LLMs doesn't solve the fundamental problem of evaluation-blindness to safety violations.