Hariom Tatsat and Ariye Shater introduced SAE-based probes that predict agent tool failures before execution. The paper, posted to arXiv on May 7, 2026, tests on GPT-OSS 20B and Gemma 3 27B models.
Key facts
- Posted to arXiv on May 7, 2026.
- Tests on GPT-OSS 20B and Gemma 3 27B models.
- Trained on nvidia-nemotron" class="entity-chip">NVIDIA Nemotron function-calling dataset.
- Two probes: Tool-Need and Tool-Risk (3 tiers).
- Uses SAEs and linear probes for pre-action inference.
A new paper from researchers Hariom Tatsat and Ariye Shater, posted to arXiv on May 7, 2026, applies mechanistic interpretability to a practical problem: predicting when AI agents will misuse tools before they act. The framework uses sparse autoencoders (SAEs) and linear probes to read model states before each action, inferring both whether a tool is needed and how risky the next tool call is likely to be [According to Beyond the Black Box].
The core insight is that existing observability methods are reactive — prompts reveal correlations, evaluations score outputs, and logs arrive only after the model has already acted. In long-horizon agent runs, an early tool mistake can alter the entire trajectory, increase token consumption, and create downstream safety and security risk [According to Beyond the Black Box].
Key Takeaways
- SAE-based probes predict agent tool failures before execution, tested on GPT-OSS and Gemma 3.
- Adds internal observability missing from current external methods.
How the probes work
The authors train two probes: a Tool-Need Probe that classifies whether a tool call is required, and a Tool-Risk Probe that assigns a three-tier risk score (low, medium, high) to the next action. Both are trained on multi-step trajectories from the NVIDIA Nemotron function-calling dataset and applied to GPT-OSS 20B and Gemma 3 27B models [According to Beyond the Black Box].
The probes decompose activations into sparse features, identifying the internal layers and features most associated with tool decisions. The authors then test functional importance through feature ablation — removing specific features and measuring the impact on the model's tool-use behavior [According to Beyond the Black Box].
Unique take
This work flips the standard interpretability narrative. Most SAE papers focus on understanding model internals for their own sake; this one builds a practical monitoring layer that could be deployed in production. The goal is not to replace external evaluation, but to add a missing layer: visibility into what the model signaled internally before action [According to Beyond the Black Box].
That matters because agentic AI is crossing a critical reliability threshold — industry leaders predicted 2026 as the breakthrough year for AI agents [According to previous reports]. Tools like Claude Code and other agent frameworks are being deployed in enterprise workflows where a single bad tool call can cascade into costly failures.
Limitations and open questions
The paper does not disclose the exact accuracy or F1 scores of the probes on held-out test sets, though it references confusion matrices in tables 3 and 4. The authors also note that the framework was tested on only two model families (GPT-OSS and Gemma 3) with a single training dataset (NVIDIA Nemotron). Generalization to other architectures and tool-use patterns remains unvalidated [According to Beyond the Black Box].
What to watch
Watch for follow-up work that tests these probes on larger models (e.g., GPT-OSS 70B or Gemma 4) and reports precision/recall on held-out enterprise agent trajectories. If the approach generalizes, expect production monitoring tools from vendors like Nvidia or Google within 6-12 months.
