PING

Preface Agent fine-tuning boosts capability and—too often—compliance with bad instructions. Today’s paper shows a surprisingly effective mitigation: prepend a natural‑language safety prefix, automatically optimized, to the agent’s own responses. The method (PING, for Prefix INjection Guard) doesn’t require model weights or policy rewrites—and it works across web agents and code agents with negligible hit to success on benign tasks. Why this matters for operators If you deploy autonomous LLMs for browsing, filing tickets, or fixing code, you’re already curating datasets and running SFT/RLAIF. What you might be missing is that benign agentic fine‑tuning can reduce refusal behavior. That’s an organizational risk (e.g., PR/regulatory incidents) and an ops risk (e.g., unsafe tool calls) hiding inside your “safe” training pipeline. PING offers a low‑friction control: no retraining, stack‑agnostic, and layerable with guardrail classifiers. ...