Instruction Bleed: Editing One Prompt Silently Breaks Others in AI Agents
Editing one prompt in your AI agent? It may silently disrupt other modules.
A new paper accepted at the ICML 2026 Workshop on Failure Modes in Agentic AI uncovers a subtle but critical vulnerability in prompt-composed agentic systems. In the paper, available on arXiv, researchers Ching-Yu Lin and Yifan Liu define "compositional behavioral leakage" (CBL): a phenomenon where editing one prompt module silently shifts the behavior of others, even when there are no shared variables or executable dependencies. The root cause lies in the architectural non-isolation of transformers: self-attention provides no formal boundary between concatenated modules, allowing instructions to bleed across context windows.
The team tested this on a deployed job-evaluation agent using Claude Sonnet 4.6 across 144 trials with a three-channel protocol (volume, content, and form). Only the content channel showed a statistically significant effect (Cohen's d = 0.63, 95% CI excluding zero). No recommendations flipped: the changes were sub-threshold, but they could compound across the thousands of daily decisions a production agent makes.
The authors emphasize that this failure mode is orthogonal to known issues like adversarial injection, cognitive degradation, or multi-agent fault propagation. While standard QA might miss the subtle shifts, the compounding effect makes it a real operational risk. The paper provides an operational definition, a reusable detection protocol, and a falsifiable prediction set. For practitioners building multi-module agents (e.g., step-by-step reasoning pipelines), this means that even well-intentioned prompt edits can degrade reliability. The work establishes cross-module interference measurement as a new requirement for evaluating prompt-composed agents—especially as agentic systems scale from prototypes to production environments handling thousands of decisions per day.
- 144 trials on Anthropic's Claude Sonnet 4.6 revealed a Cohen's d of 0.63 for content-based instruction bleed.
- Sub-threshold interference: no recommendations flipped, but effects compound across thousands of decisions.
- Classic QA fails to catch the issue; new measurement protocols are needed for deployed agents.
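A regression check in the spirit of the cross-module measurement described above, as an added example that is not from the paper or its authors: it compares an untouched module's scores before and after a different module's prompt is edited, and reports a score shift whose confidence interval excludes zero even though the recommend/reject rate is unchanged. The scores, the 70-point cutoff and all function names are constructed assumptions, and the interval is the large-sample normal approximation for Cohen's d, not the paper's three-channel protocol.

```python
from math import sqrt
from statistics import mean, variance

# Constructed sample data: scores emitted by an UNEDITED module for one fixed
# input, 20 trials per prompt version. Only a different module's prompt changed.
BASELINE = [76, 78, 79, 77, 80, 78, 75, 79, 78, 77,
            81, 78, 76, 79, 80, 77, 78, 79, 77, 78]
EDITED = [79, 80, 78, 81, 79, 77, 80, 82, 79, 78,
          80, 79, 81, 78, 80, 79, 77, 80, 79, 80]
THRESHOLD = 70  # assumed cutoff: score >= 70 means "recommend"


def cohens_d(a, b):
    """Cohen's d (b minus a) using the pooled standard deviation."""
    na, nb = len(a), len(b)
    pooled_var = ((na - 1) * variance(a) + (nb - 1) * variance(b)) / (na + nb - 2)
    if pooled_var == 0:
        raise ValueError("no variance in either sample; d is undefined")
    return (mean(b) - mean(a)) / sqrt(pooled_var)


def d_confidence_interval(d, na, nb, z=1.96):
    """Large-sample normal approximation to the 95% CI of Cohen's d."""
    se = sqrt((na + nb) / (na * nb) + d * d / (2 * (na + nb)))
    return d - z * se, d + z * se


def recommend_rate(scores, threshold=THRESHOLD):
    """Fraction of trials whose score reaches the decision cutoff."""
    return sum(s >= threshold for s in scores) / len(scores)


def interference_report(baseline, edited, threshold=THRESHOLD):
    d = cohens_d(baseline, edited)
    lo, hi = d_confidence_interval(d, len(baseline), len(edited))
    return {
        "d": d,
        "ci": (lo, hi),
        # What a decision-level QA check would see.
        "decision_rate_delta": recommend_rate(edited, threshold)
                               - recommend_rate(baseline, threshold),
        # Flag when the CI excludes zero, even if no decision changed.
        "score_shift_detected": lo > 0 or hi < 0,
    }


if __name__ == "__main__":
    print(interference_report(BASELINE, EDITED))
```

Run per untouched module after every prompt edit, a check like this catches drift that a pass/fail comparison of final recommendations reports as "no change".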
Why It Matters
Silent behavioral shifts in AI agents could cause cascading errors in production systems at scale.