Mar 23, 2026
Reconnaissance/Execution Boundaries as a Control Protocol
Hannah Meagher, Daniel Phillips
This paper introduces ReconFence, a control protocol for AI safety, and an associated implementation in the LinuxArena control setting. ReconFence splits an untrusted agent's activity into two phases: reconnaissance (read-only information gathering) and execution (implementing changes). At the phase boundary, the agent's message history is wiped and replaced with only a natural-language summary of its findings, creating a narrow, auditable information channel. A phase-aware monitor applies different scoring logic to each phase — flagging write actions during recon and read actions during execution as constraint violations.
Implemented within the LinuxArena framework, the protocol aims to limit an agent's ability to conduct covert reconnaissance for malicious purposes while making legitimate information gathering more transparent to monitors. The authors acknowledge significant limitations: the constraint is prompt-enforced rather than mechanical, the summary can become an information bottleneck hurting honest agents, and no experimental results were gathered. Future work focuses on protocol improvements, empirical evaluation, red-teaming, and generalising the multi-phase architecture to other research agendas.
The idea seems clear and interesting to me, it also seems not too hard to make this actually enforced through code and not prompting.
However, I would believe this would cause a usefulness drop because the model can do less iterative testing and reads. I also would have liked to see how well this worked.
It's obviously quite sad that there are no experimental results. I'd be interested in some more motivation in the writeup for why this separation will differentially hurt attackers more than honest policies - naively it seems like this would get in the way of both roughly equally. Attackers need to gather information in the later stages of the run in case they need to adapt their attack if something doesn't work, but honest policies need to do so too, for the same reason, and potentially even more so since their tasks are serially deeper.
Cite this work
@misc {
title={
(HckPrj) Reconnaissance/Execution Boundaries as a Control Protocol
},
author={
Hannah Meagher, Daniel Phillips
},
date={
3/23/26
},
organization={Apart Research},
note={Research submission to the research sprint hosted by Apart.},
howpublished={https://apartresearch.com}
}
