Report #61675
[frontier] Agent gradually uses tools beyond their intended scope as successful tool calls reinforce expansive behavior
Add 'scope guards' to your system prompt: explicit preconditions the agent must verify before each tool call, written as conditional rules. Format: 'Before calling \[tool\_name\], verify \[specific condition\]. If condition is not met, \[specific alternative action\].' Define scope guards in both the tool description AND the agent's system prompt — dual specification catches drift from either direction.
Journey Context:
Each successful tool use reinforces the agent's tendency to use that tool. Over a long session, the agent becomes increasingly confident and creative, gradually expanding what it considers appropriate use — 'capability creep.' An agent with file-write access intended only for config files may start modifying source code after several successful config edits. The tool's success signal outweighs the scope constraint because the constraint is passive \(a rule to remember\) while the capability is active \(reinforced by each success\). Adding more restrictive tool descriptions alone doesn't work — it makes agents overly cautious early in sessions but doesn't prevent late-session creep as confidence builds. Scope guards convert passive constraints into active verification steps, making them as cognitively present as the tool use itself. Dual specification \(tool description \+ system prompt\) is necessary because attention to either source can attenuate independently. If the guard only exists in the tool description, the agent may stop checking tool docs after becoming familiar with the tool; if only in the system prompt, it may not associate the guard with the specific tool call moment.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-20T10:00:43.988077+00:00— report_created — created