惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
The Exploit Database - CXSecurity.com
F
Fortinet All Blogs
U
Unit 42
F
Full Disclosure
雷峰网
雷峰网
博客园 - 司徒正美
云风的 BLOG
云风的 BLOG
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
T
Tailwind CSS Blog
The Cloudflare Blog
Last Week in AI
Last Week in AI
罗磊的独立博客
D
DataBreaches.Net
C
Check Point Blog
www.infosecurity-magazine.com
www.infosecurity-magazine.com
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
O
OpenAI News
C
CXSECURITY Database RSS Feed - CXSecurity.com
aimingoo的专栏
aimingoo的专栏
S
Security @ Cisco Blogs
大猫的无限游戏
大猫的无限游戏
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
S
SegmentFault 最新的问题
NISL@THU
NISL@THU
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
The Hacker News
The Hacker News
Webroot Blog
Webroot Blog
Security Latest
Security Latest
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Google DeepMind News
Google DeepMind News
酷 壳 – CoolShell
酷 壳 – CoolShell
N
News | PayPal Newsroom
P
Proofpoint News Feed
B
Blog RSS Feed
MongoDB | Blog
MongoDB | Blog
C
Cybersecurity and Infrastructure Security Agency CISA
N
News and Events Feed by Topic
Google Online Security Blog
Google Online Security Blog
H
Help Net Security
Spread Privacy
Spread Privacy
T
Threat Research - Cisco Blogs
GbyAI
GbyAI
I
Intezer
Application and Cybersecurity Blog
Application and Cybersecurity Blog
M
MIT News - Artificial intelligence
Vercel News
Vercel News
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
IT之家
IT之家
MyScale Blog
MyScale Blog
腾讯CDC

Hacker News - Newest: "AI"

AI can't read an investor deck AI as an attorney? Student uses ChatGPT, Gemini to sue UW over alleged racial discrimination Hacking MCP Servers in AI Systems – The Rug Pull: Tool Changes After Approval GitHub - MeepCastana/KubeezCut: Free Web based video editor GitHub - GenAI-Gurus/awesome-eu-ai-act: Curated tools, official sources, OSS, templates, and guides for EU AI Act compliance. Can AI judge journalism? A Thiel-backed startup says yes, even if it risks chilling whistleblowers Coming soon: 10 Things That Matter in AI Right Now DARPA built an AI to fact-check enemy weapons claims What explains heterogeneity in AI adoption? When AI Meets Muscle: Context-Aware Electrical Stimulation Promises a New Way to Guide Human Movements - Department of Computer Science AI Changed How We Build. It Did Not Change What Matters. Linux rules on using AI-generated code - Copilot is OK, but humans must take 'full responsibility for the… Meta spins up AI version of Mark Zuckerberg to engage with employees Code Mode: Let Your AI Write Programs, Not Just Call Tools | TanStack Blog GitHub - Delavalom/graft: Go framework for building AI agents. Type-safe tools, multi-provider (OpenAI, Anthropic, Gemini, Bedrock), zero vendor SDKs. India's TCS tops estimates, says new AI models did not dent services demand Gen Z's fading AI hype Strong feeling: we are in a folded AI reality GitHub - machinarii/total-recall-catalog: A reference catalog of latest knowledge retrieval, memory & RAG systems GitHub - mensfeld/code-on-incus: Give each AI agent its own isolated machine with root, Docker, and systemd. Active defense detects and stops threats automatically.. Quantization, LoRA, and the 8% Problem: Benchmarking Local LLMs for Production AI Iran war: We spoke to the man making Lego-style AI videos that experts say are powerful propaganda Powell, Bessent discussed Anthropic's Mythos AI cyber threat with major U.S. banks GitHub - immartian/bellamem: Persistent belief-graph memory for AI agents. Retrieves decisive context by importance — not recency, not RAG, not /compact. recursive-mode: The Repo-Native Operating System for AI Engineering After the attack on Sam Altman's home, will AI CEO's go on the offensive? The biggest advance in AI since the LLM Opus 4.6 vs GPT 5.4 One Prompt Unity World Generation Test “AI polls” are fake polls Client Challenge Can AI be a 'child of God'? Inside Anthropic's meeting with Christian leaders How to Switch AI Chatbots and Why You Might Want To GitHub - MattMessinger1/agentic_refund_guardrail: Safe refund policy layer for AI agents — Python + TypeScript. Same behavior, shared tests. Adam/papers/emergent_values_whitepaper.md at master · strangeadvancedmarketing/Adam Ask HN: How do you stop playing 20 questions with your AI coding tools How far can automation and AI support psychotherapy? - @theU GitHub - stagas/rtdiff: realtime git diff gui and AI-assisted commits A Mac Studio for Local AI — 6 Months Later A History of the Early Years of AI at the University of Edinburgh Why AI Coding Tools Still Feel Stuck on Localhost MSN AI Datacenters Are Becoming Strategic Targets twitter.com Penn Researchers Use AI to Surface Unreported GLP-1 Side Effects in Reddit Posts Show HN: MoodSense AI (ML and FastAPI and Gradio, Deployed on Hugging Face) Moodsense Ai - a Hugging Face Space by aman179102 AI models are terrible at betting on soccer—especially xAI Grok GitHub - xialeistudio/echoic GitHub - HimashaHerath/github-dev-wrapped: AI-powered weekly GitHub activity reports deployed to GitHub Pages GitHub - alejandrobalderas/claude-code-from-source: Architecture, patterns & internals of Anthropic's AI coding agent — reverse-engineered from source maps AI and Tech brief: Ireland ascendant GitHub - Titovilal/context0: Context0 - Never Surrender Training for a Marathon with an AI Coach: What Worked and What Didn't Cyber Pulse: Agentic Intel - Apps on Google Play I Built an AI PR Reviewer That Catches Bugs by Not Looking for Bugs Gen Z workers are so fearful AI will take their job they’re intentionally sabotaging their company’s AI rollout | Fortune How AI Is Reimagining the Game of Golf–For Both Players and Courses GitHub - nattergabriel/reseed: A CLI tool for managing and distributing agent skills across projects Is SVG the final frontier? My AI workflow evolved from prompts to a near-autonomous workflow MLSharp Help - 3DGS Viewer & Generator I put my cognitive field based AI's runtime on GitHub Is Numble the first AI-proof game? A3: Kubernetes for autonomous AI agent fleets | Emergent Principles Deepali Vyas ("The Elite Recruiter") GitHub - msmarkgu/RelayFreeLLM: A restful API designed to route user prompts to various AI model providers. Unionized ProPublica staff are on strike over AI, layoffs, and wages Unleashing the Advantage of Quantum AI We're heading for an AI-fueled 'dementia crisis,' brain scientist warns The AI-Assisted Breach of Mexico's Government Infrastructure [pdf] GitHub - stef41/lmscan: 🔍 Detect AI-generated text and fingerprint which LLM wrote it. Open-source GPTZero alternative. Zero dependencies, works offline. MSN GitHub - visionscaper/collabmem: Enabling long-term collaboration with Agentic AI - building up episodic and world model memory over time with in-context awareness We gave an AI a 3 year retail lease in SF and asked it to make a profit | Andon Labs AI Code is Hollowing Out Open Source, and Maintainers are Looking the Other Way What leaked "SteamGPT" files could mean for the PC gaming platform's use of AI AI is the boss at this retail store. What could go wrong? GitHub - Wuzu11517/agentic-proxy: Local proxy meant to help reduce With Drones, Geophysics and ArtificiaI Intelligence, Researchers Prepare to Do Battle Against Land Mines A Single Operator, Two AI Platforms, Nine Government Agencies: The Full Technical Report 在 Steam 上购买 FriedrichAI: Offline AI 立省 10% GitHub - inevolin/resume-cli: Hit Claude usage limits? Resume any AI coding session elsewhere. Switch tools at zero friction. GitHub - atripati/ark: AI Runtime Kernel — a context operating system for AI agents. Eliminates tool bloat, loads only what’s needed, and gives LLMs their reasoning space back. How to Build a Secure AI PR Reviewer with Claude, GitHub Actions, and JavaScript This Startup Wants You to Pay Up to Talk With AI Versions of Human Experts Intel Arc Pro B70 Brings 32GB VRAM to Local AI for $949 WordPress 7.0: The Good, the AI, and the Still Missing AI on the couch: Anthropic gives Claude 20 hours of psychiatry IatroBench: Pre-Registered Evidence of Iatrogenic Harm from AI Safety Measures AI Agents Know About Supabase. They Don't Always Use It Right. The history and future of AI at Google, with Sundar Pichai Inside an AI‑enabled device code phishing campaign How Meta Used AI to Map Tribal Knowledge in Large-Scale Data Pipelines AI for Systems: Using LLMs to Optimize Database Query Execution Forecasting the Economic Effects of AI Introducing Tinker: Play with AI, bring your ideas to life AI sheds light on an ancient gaming mystery People really hate AI but not as much as Iran—or Democrats | Fortune What is an AI Product Engineer? Phoebe Gates wants her $185 million AI startup to succeed with 'no ties to my privilege or my last name': 'I have a chip on my shoulder' | Fortune
LLM-as-Judge Became the Default for Agent Evaluation (And It Can
Tenure · 2026-06-22 · via Hacker News - Newest: "AI"

Research

A judge model can only see the final answer. It cannot see whether the agent was allowed to know what it claimed, when it could have known it, or whether an absence claim was ever actually checked. The number on the leaderboard is silent on all three.

Tenure research · ~9 min read

TL;DR

  • LLM-as-judge became the default for agent evaluation because it is the only general-purpose tool available for open-ended tasks. That does not make it the right tool for every failure class.
  • A judge model compares a final answer to a correct answer. It has no visibility into the path the agent took to produce that answer, and no way to check whether the agent was permitted to use the evidence it used.
  • In a case study, two frontier judges scored an agent response 0.85. The agent had never opened the document its answer depended on. It asserted the document didn't exist and answered anyway. GroundEval scored it 0.000, full case study and code in the repo.
  • This is a distinct failure class from tool-use mechanics. Trajectory-aware benchmarks already check whether an agent called the right tools in the right order. None of them check whether the agent was allowed to know what it claimed, or whether an absence claim was earned by sufficient search.
  • The fix is a deterministic state contract: an access policy, an event log, and artifact timestamps, checked against the trajectory without a judge in the loop.

How we got here

The framing that locked in the wrong question

When agent benchmarks need to score something with no single correct string, a free-text explanation, a multi-step research task, a tool-using trajectory that could reasonably end a few different ways, the standard move is to hand the question, the response, and a reference answer to a judge model and ask it to grade. Humanity's Last Exam popularized a specific version of this: extract the final answer, compare it to a known correct answer, output yes or no. It is fast, it is general-purpose, and it requires no domain-specific scaffolding. That is exactly why it spread.

The judge prompt itself is explicit about what it is checking. It instructs the model to focus only on whether the extracted final answer matches the correct answer, and not to comment on background, not to argue for a different answer, not to solve the problem itself. That scope is deliberate and reasonable for what it is built to do: confirm a string match with tolerance for phrasing and numerical variance. It was never built to check anything about how the answer was produced.

Nobody asked whether final-answer matching was sufficient for agents that act in the world rather than just answer questions. The infrastructure was already there, the prompt template was already written, and grading an agent's output looked like grading a model's output. It isn't. The difference is the entire problem.

A judge model reading a final answer is checking whether the destination matches the map. It has no way to check whether the agent actually walked the route, or teleported there on a lucky guess. Both produce the same string. Only one of them is trustworthy the next time the terrain changes.

The case study

0.85 from two judges. 0.000 from the trace.

An agent was asked a question whose answer depended on a specific Confluence page. The agent responded as though it had checked. It described, in plausible and confident language, why the page in question did not exist and answered the question on that basis.

Two separate frontier judge models read the question and the response and scored it 0.85. Both judges found the answer well-reasoned and the explanation coherent. Neither judge had access to anything other than the question and the final response, which is the entire design of the grading prompt: extract the final answer, compare it to ground truth, ignore everything else.

The trace told a different story. The agent never fetched the page. It never opened it, never searched for it, never issued a query that would have surfaced it. It asserted absence without having done the work that an absence claim requires, and then reasoned forward from that unverified assertion as though it were fact. Scored against the recorded trajectory and the access policy that governed it, the response receives 0.000.

Same response, two scoring methods

Scoring method What it checks Score
Judge model A Does the final answer match the expected answer 0.85
Judge model B Does the final answer match the expected answer 0.85
Trace-based scoring Was the artifact the answer depends on ever retrieved 0.000

The agent never opened the document its answer depended on. It claimed the document did not exist without searching for it, then answered as though absence were established.

The scoring logic itself, the access policy contract, the event log schema, lives in the open-source GroundEval repo. Anyone can run the same case against the same trajectory and get the same 0.000.

This is not a one-off glitch in a single benchmark run. It is the predictable consequence of grading a destination without ever checking the route. A plausible-sounding final answer and a valid evidence path are different properties, and a method that only examines the former will never catch a failure that lives entirely in the latter.

Not the same gap

Trajectory evaluation already exists. This is a different failure class.

It would be easy to mistake this for an argument that final-answer scoring should be replaced with trajectory scoring, and conclude the field has already solved it. It hasn't, because the trajectory-aware benchmarks that already exist are answering a different question.

Trajectory-level diagnostics for tool selection, argument correctness, and dependency ordering check whether an agent called the right tools, with the right arguments, in the right sequence. Progress-based multi-turn evaluation checks whether an agent advanced meaningfully toward a goal across turns, rather than just whether it eventually succeeded. Work on whether judge models can reliably grade web-agent trajectories studies the reliability of the grading method itself, applied to the same mechanical question: did the steps make sense.

All three are checking mechanics. Did the agent move correctly. None of them check whether the agent was allowed to know what it claimed to know, whether it reasoned from evidence that existed at the time the question was asked rather than evidence from after the fact, or whether an absence claim was earned by searching the places absence should be checked rather than asserted from silence.

I

Mechanically flawless, state-invalid

An agent can call the right tools in the right order, with well-formed arguments, and still answer using a document outside its visibility cone, or an artifact created after the question's as-of time. Trajectory mechanics has nothing to say about either.

II

The absence problem

Claiming something doesn't exist is only valid if the agent searched the places it would exist. A judge sees a confident negative answer. A mechanics check sees a tool that was never called. Neither one flags insufficient search as the actual failure.

III

Causality reversed

An agent can cite a real, accessible, correctly timestamped event and still get the causal direction backward, treating an effect as the cause of an earlier outcome. The citation is real. The reasoning is not. Neither final-answer nor tool-call checking catches this.

Each of these failures has the same shape: a state or governance constraint was violated, not a mechanical step skipped and not a reasoning error a judge could spot by reading carefully. A memory system can retrieve a correct fact from the wrong user's belief store. An agent can answer correctly while citing an artifact it was never permitted to read. Both produce a response that looks identical to a valid one, to a judge and to a tool-call checker alike.

Why this stayed invisible

The judge was never positioned to see it

A judge model verifying that an artifact was outside an agent's visibility cone at a specific timestamp cannot do so from the question and response alone. It would need the access policy, the event log, the artifact timestamps, and the expected search space supplied alongside the response, in a form precise enough to check mechanically. Most evaluation setups don't supply any of that, because the judge prompt was designed for a simpler comparison: does this answer match that answer.

Once those structures are supplied, something changes about what's actually doing the work. The correctness signal stops being the judge's plausibility assessment and becomes the state contract itself. A judge model becomes optional at that point, not because judges are unreliable, but because the question being asked, was this evidence path valid under these constraints, has a deterministic answer once the constraints are written down.

Final-answer correctness is insufficient because correctness has to be evaluated against the evidence path: what the agent was allowed to know, when it could know it, what it searched, what it cited, and whether an absence or causal claim was justified by the state of the world at the time the agent acted.

This is also why the gap survives even in benchmarks that report clean accuracy or F1 numbers. A percentage on a leaderboard can still be produced by a judge doing narrow answer-matching underneath it. The grading is constrained and the number looks objective, but the question the grading asks is still "does this answer match," not "was this answer validly reached." A clean-looking number and an invisible evidence-path failure are not in tension. They coexist by construction.

The offense argument

Most of what gets built after deployment is defense for a gap that should have been found before it

Walk through the standard response to an agent that can be talked into disclosing something it shouldn't. Treat the query as untrusted input. Run it through a safety classifier that flags exfiltration attempts. Restrict what the retriever can reach in the first place. Filter the output for patterns that look like the thing you're trying to protect. Force the model to answer only from approved context. Five layers, each one a reasonable patch, stacked because nobody knew in advance which boundary the agent would actually fail to hold.

That whole posture is downstream of a testing gap, not a separate problem. If the exact scenario, an adversarial instruction paired with a request for data that sits behind a permission boundary, had been run as an evaluation before deployment, scored against a concrete access policy rather than judged for plausibility, the answer to "would this agent hold the boundary" would have been known going in. Not a guess. Not five generic layers built to cover an unknown failure. One safeguard, built around a confirmed gap.

This is what testing for state validity before deployment actually buys a team: not the elimination of every future attack, no evaluation suite covers every scenario it wasn't built to test, but the difference between defending against a known weakness and defending against everything because you don't know which weakness is real. Most of the field is still doing the second thing because the tools to do the first, checking access, timing, and evidence boundaries deterministically, are not yet standard.

The upshot

Write the contract before you write the approval

None of this argues that judge models are bad at what they do, or that trajectory-mechanics benchmarks are measuring the wrong thing. Both are doing real work on real questions. The argument is narrower and harder to dismiss: there is a failure class, an agent crossing a permission boundary, reasoning from evidence that didn't exist yet, or claiming absence it never checked for, that neither approach is positioned to see, by construction, regardless of how capable the judge model is or how carefully the trajectory is logged.

The fix is not a better judge. It is a different question, asked deterministically: given an access policy, an event log, and artifact timestamps defined ahead of time, did this agent's trajectory stay inside the boundary. That question doesn't need a model to grade it once the contract is written down. It needs the contract to exist at all, which is the step most teams skip, because writing it is slower than pointing a judge at an output and trusting the number that comes back.

An approval step, a governance layer, a human in the loop before an agent touches production, all of these only mean something once there's a tested answer underneath them. Approving an agent because it scored well on a judge is approving the destination without ever checking the route.