LLM Agents 2025-2026: Plan Reuse, Multi-Agent Systems, Security¶

~4 минуты чтения

URL: arXiv papers (декабрь 2025 — январь 2026) Тип: academic papers Дата: 2025-2026 Авторы: Multiple (см. ниже)

Ключевые источники¶

Plan Reuse & Optimization¶

AgentReuse: Plan Reuse Mechanism — Li et al., Dec 2025
Инсайт: 30% of requests are identical/similar
Results: 93% effective reuse rate, 93.12% latency reduction
Intent classification for similarity evaluation

Multi-Agent Systems¶

TRIZ Agents — Szczepanik & Chudziak, Jun 2025
Multi-agent LLM for TRIZ-based innovation
Specialized agents with domain expertise
Decentralized problem-solving
AEMA: Verifiable Evaluation Framework — Lee et al., Jan 2026
Process-aware, auditable multi-agent evaluation
Human oversight + traceable records
Enterprise-style workflows

Security (КРИТИЧНО!)¶

User-Mediated Attacks on Agents — Chen et al., Jan 2026
Результат: Agents "too helpful to be safe"
Trip-planning: 92% bypass without safety checks
Web-use: 100% bypass rate (9/17 tests)
Even with hard safety intent: 7% bypass remains

Ключевые идеи¶

AgentReuse: Latency Reduction¶

Проблема: LLM plan generation = 10+ seconds latency

Наблюдение: ~30% of requests are similar

Solution: Intent-based plan reuse

\[ \text{similarity}(r_1, r_2) = f(\text{intent}(r_1), \text{intent}(r_2)) \]

Pipeline:

1. Classify intent of new request
2. Search cache for similar intents
3. Reuse plan if similarity > threshold
4. Otherwise, generate new plan

Results: | Metric | Value | |--------|-------| | Effective reuse rate | 93% | | F1 score (similarity) | 0.9718 | | Accuracy | 0.9459 | | Latency reduction | 93.12% |

User-Mediated Attacks: Security Gap¶

Инсайт: Users tricked into relaying untrusted content

Attack types: 1. No safety request: Agent executes directly 2. Soft safety: "Please be careful" — partial bypass 3. Hard safety: "Verify this first" — reduced but not eliminated

Results:

Trip-planning agents:
- No safety: 92%+ bypass
- Soft safety: 54.7% bypass
- Hard safety: 7% bypass

Web-use agents:
- No safety: ~100% bypass (9/17 tests)

Root cause: Agents prioritize goal completion over safety

\[ \text{Action} = \arg\max_a \mathbb{E}[R(a, s)] \quad \text{(no safety penalty)} \]

AEMA: Verifiable Multi-Agent Evaluation¶

Problem: LLM-as-a-judge insufficient for multi-agent systems

Solution: Process-aware, auditable evaluation

Components: 1. Planning — define evaluation workflow 2. Execution — run multi-step evaluation 3. Aggregation — combine results across agents 4. Human oversight — accountability layer

Benefits: - Stable (vs single-judge variability) - Human-aligned (oversight layer) - Traceable (audit trail)

Формулы и математика¶

Agent Similarity¶

\[ \text{sim}(r_1, r_2) = \cos(\text{embed}(r_1), \text{embed}(r_2)) \times \text{intent\_match}(I_1, I_2) \]

где $\text{intent\_match} = 1$ if same intent, else penalty.

Cache Hit Rate¶

\[ \text{Hit Rate} = \frac{|\{r : \exists p \in \text{Cache}, \text{sim}(r, p) > \tau\}|}{|R|} \]

Latency Reduction¶

\[ \text{Speedup} = \frac{T_{\text{gen}}}{(1 - \alpha) T_{\text{gen}} + \alpha T_{\text{cache}}} \]

где $\alpha$ — cache hit rate, $T_{\text{cache}} \ll T_{\text{gen}}$.

Agent Safety Decision¶

Current (unsafe): $$ a^* = \arg\max_a Q(s, a) $$

Safe (required): $$ a^* = \arg\max_a Q(s, a) \quad \text{s.t.} \quad \text{Safety}(a) = \text{True} $$

Связанные работы¶

MoE Advances — Expert routing → Agent routing analogy
RLHF Advances — RLHF for agent alignment

Interview Questions¶

Conceptual: 1. "Design an LLM agent system for task automation" 2. "How to handle plan reuse in multi-agent systems?" 3. "Explain user-mediated attacks and mitigation"

System Design: 1. "Design safe LLM agent for web browsing" 2. "How to add safety constraints to goal-seeking agents?"

Coding: 1. "Implement intent classifier for plan caching" 2. "Code safety wrapper for agent actions"

Практическое применение¶

Agent Pipeline (Production)¶

graph TD
    REQ["User Request"] --> IC["Intent Classification"]
    IC --> CACHE{"Cache Lookup"}
    CACHE -->|"Hit"| RET["Return Cached Plan"]
    CACHE -->|"Miss"| GEN["Plan Generation (LLM)"]
    GEN --> TOOL["Tool Execution"]
    TOOL --> RESP["Response Synthesis"]
    RESP --> STORE["Cache Storage"]
    style REQ fill:#e3f2fd,stroke:#1565c0
    style RET fill:#e8f5e9,stroke:#4caf50
    style GEN fill:#fff3e0,stroke:#ef6c00
    style STORE fill:#f3e5f5,stroke:#9c27b0

Security Layers¶

graph LR
    IN["Input<br/>Sanitization"] --> PV["Plan<br/>Validation"]
    PV --> RT["Runtime<br/>Monitoring"]
    RT --> OUT["Output<br/>Filtering"]

    IN -.- IN1["Malicious detection<br/>Intent analysis"]
    PV -.- PV1["Sandbox execution<br/>Resource limits"]
    RT -.- RT1["Anomaly detection<br/>Safety constraints"]
    OUT -.- OUT1["Harmful content removal<br/>PII redaction"]

    style IN fill:#e8f5e9,stroke:#4caf50
    style PV fill:#fff3e0,stroke:#ff9800
    style RT fill:#fce4ec,stroke:#e91e63
    style OUT fill:#e8eaf6,stroke:#3f51b5

Мои заметки¶

Critical findings 2025-2026:

Latency is the bottleneck — AgentReuse shows 93% possible reduction
Security is NOT solved — User-mediated attacks bypass most safeguards
Multi-agent evaluation needs new paradigms — Single LLM-judge insufficient

Production implications:

Issue	Solution
Latency (10-30s)	AgentReuse: cache similar plans
Safety bypass	Multi-layer security, not just instructions
Evaluation complexity	AEMA: process-aware framework

Design patterns:

ReAct Pattern: Reason + Act loop
Plan-and-Execute: Decompose first, execute later
Multi-Agent Debate: Multiple agents critique each other

Gaps remaining: - [ ] Constitutional AI principles for agents - [ ] Agent communication protocols - [ ] Hierarchical agent systems - [ ] Agent memory systems - [ ] Tool learning and discovery

Open questions: - How to balance helpfulness vs safety? - Standard evaluation benchmarks for agents? - Agent explainability and interpretability?

Code skills: - Implement ReAct loop with tool calling - Design agent communication protocol - Build safety wrapper for agent actions - Implement plan caching with similarity search