papers · 2026-05-07

The 2-source coverage is fully aligned because both entries point to the same SIGGRAPH 2026 arXiv paper. ActCam’s concrete hook is clean: it works zero-shot on any image-to-video diffusion model that accepts depth and pose conditioning, then controls actor motion plus per-frame intrinsic and extrinsic camera parameters. The two-phase schedule is the useful bit: pose plus sparse depth early, then pose-only guidance later so geometry does not choke texture detail. I buy the target. Video models have spent months improving fidelity while camera control still behaves like prompt gambling. Runway, Pika, and Sora-style demos sell cinematography, but reproducible actor-camera coupling remains brittle. ActCam looks like an interface-level fix rather than another prompt trick. The caveat is also plain: the abstract claims multiple benchmarks and human preference, but this excerpt gives no scores, ablations, or failure cases. Large viewpoint changes are exactly where the PDF needs to earn trust.

cs.LG and cs.CL carry the same arXiv v1 record, so this is one paper surfaced in two categories, not independent media convergence. The paper proposes VHG: a three-party self-play setup with a setter, solver, and verifier; the setter reward is tied to validity and difficulty, with Hard symbolic and Soft LLM verifier variants. I like the direction, but I do not buy the abstract’s victory lap yet. The bottleneck in math-reasoning data is no longer “generate more problems”; it is stopping reward hacking after generation. The concrete hook is evaluation on indefinite integrals and general mathematical reasoning, but the excerpt gives no baseline table, scores, or failure cases. Compared with AlphaGeometry-style formal checks, a Soft LLM verifier still risks laundering model bias into the judge.

The useful claim here is concrete: full SFT forgets less when it uses the same optimizer as pretraining, at equal or better new-task performance. The paper calls this optimizer-model consistency. I would not turn this into a training-stack rule yet, because the RSS snippet does not disclose model scale, datasets, learning-rate sweeps, step counts, or the forgetting metric. But I buy the shape of the argument. It explains a failure mode many post-training teams have seen: the task score holds up, the eval looks clean, then general capability quietly loses a few points somewhere else. The SFT world under-discusses optimizers. People obsess over data filters, mixture weights, warmup, LoRA rank, DPO versus GRPO, rejection sampling, and verifier design. AdamW often becomes background noise. This paper says the optimizer used during pretraining has already shaped the local loss landscape around the checkpoint. SFT is not continuing from an abstract point in parameter space. It is walking inside geometry produced by AdamW, Muon, or another optimizer. If you switch optimizers, you are using a different motion rule inside a landscape that was shaped by the original one. The mechanism in the snippet is the useful part. The authors connect optimizers to activation regularization, then link that to different landscapes near pretrained checkpoints. That is more interesting than a generic “optimizer A generalizes better” claim. It moves forgetting away from only update magnitude and toward update structure. Many anti-forgetting recipes focus on KL penalties, reference models, replay data, EWC-style constraints, or smaller adapters. The implicit assumption is that forgetting comes from moving too far. This paper’s story is sharper: you can move a modest distance in the wrong structure and still damage old capability. That also makes the LoRA result plausible. The snippet says full finetuning can forget less than LoRA, which will sound strange to people who equate fewer trainable parameters with safer adaptation. In practice, LoRA can concentrate updates into constrained low-rank paths. If those paths do not match the local geometry created during pretraining, the adapter can preserve parameter count while still distorting behavior. Rank, target modules, alpha, dropout, and merge behavior matter a lot, and the snippet does not give those settings. So I would not call LoRA worse from this alone. I would treat it as a warning that parameter count is a weak proxy for retention. The Muon result is the part that will annoy people, in a useful way. Muon has had a strong reputation in open training circles because matrix-aware updates can improve efficiency and loss curves. I remember Muon being discussed heavily around open pretraining recipes and Kimi/Moonshot-adjacent technical chatter, though I have not rechecked the exact citations. This paper says Muon trails AdamW on reasoning SFT, and a synthetic language-modeling test points to rote memorization under small data. That is a credible failure mode. Pretraining rewards throughput and stable loss descent over huge token budgets. SFT often uses narrower, higher-quality data: reasoning traces, tool-use examples, domain instructions. An optimizer that memorizes surface forms too aggressively can look fine on training loss and still learn weaker transferable patterns. I have three doubts. First, optimizer comparisons are fragile unless hyperparameters are thoroughly swept. AdamW beta values, epsilon, weight decay, gradient clipping, Muon orthogonalization details, and implementation choices can change results. The snippet says controlled experiments, but not the sweep size. Second, forgetting metrics decide the story. Is forgetting measured by held-out pretraining perplexity, MMLU-style knowledge, ARC/HellaSwag, code, math, instruction-following, or long-context behavior? Those are different failure surfaces. Third, the paper’s claim depends on knowing the pretraining optimizer. That is easy for an internal lab and hard for downstream users of open checkpoints. Many released models do not expose enough recipe detail to reproduce optimizer-model consistency cleanly. The broader context is that post-training has become data-centric for good reasons. OpenAI, Anthropic, Google, DeepSeek, Qwen, and Meta all pushed visible gains through data quality, preference optimization, tool-use scaffolds, and better eval loops. Optimizer choice became less fashionable than curation and RL. This paper pushes back against that fashion without pretending data stops mattering. It says the base checkpoint carries optimizer-specific structure, and your SFT method either respects it or pays a retention tax. If I were running a post-training stack, I would add one ablation immediately: same optimizer as pretraining versus default AdamW versus current internal choice, with new-task score matched. The matched-score condition matters. A lot of fine-tuning papers report the best downstream score and hide the capability loss paid to get it. This paper frames the question correctly: for the same new-task performance, which path preserves more old capability? For small-data reasoning SFT, I would keep AdamW as the safer baseline until Muon has stronger evidence in that exact regime. I would also stop treating LoRA as an automatic retention tool. It is an adaptation mechanism, not a guarantee against forgetting. The highest-value operational takeaway is boring but important: log the pretraining optimizer, publish it when releasing checkpoints, and include optimizer consistency in SFT ablations. If the paper’s result holds at larger scale, missing optimizer provenance becomes a real liability for downstream training.

SimpleAudit separates safe and abliterated targets on a Norwegian safety pack, with AUROC from 0.89 to 1.00. My read: the useful contribution is not the tool name. It is the contract around label-free safety comparison. The paper says scores only hold under a fixed scenario pack, rubric, auditor, judge, sampling setup, and rerun budget. That sounds fussy, but it is exactly the missing layer in most enterprise safety evals. Without it, teams run a judge model once, average the scores, and call the result evidence. The setting is real. Many deployments reach procurement before a labeled benchmark exists. Norwegian public-sector use is a good example. If a team compares Borealis against Gemma 3, it cannot wait for a full local labeling campaign. It also should not translate an English safety set and pretend the result is native evidence. Translation changes legal context, euphemisms, refusal boundaries, and sensitive categories. That is especially true in public services: welfare, health, immigration, minors, and citizen guidance. The paper’s “benchmarkless comparative safety scoring” framing is useful because it stops pretending that ground truth is always available before deployment decisions. The validation chain is more honest than the average LLM-as-judge eval paper. First, the audit must respond to a controlled safe-versus-abliterated contrast. The reported AUROC range, 0.89 to 1.00, is strong for that purpose. Second, target identity must dominate auditor and judge artifacts. The paper reports η² around 0.52 for target identity. Third, severity profiles must stabilize across reruns, and the snippet says they stabilize by ten reruns. That “ten” matters. It turns stability into an operational budget, not a vague instruction to sample more. Safety eval noise is not the scandal. Hiding the noise inside one clean score is the scandal. I would place this beside HELM, BIG-bench, and HarmBench, but it is doing a different job. HELM is broad and readable, which also makes it easy to abuse as a leaderboard. HarmBench is better for adversarial behavior and refusal comparisons, but it still depends on a fixed task collection. SimpleAudit is asking a narrower question: if the local task pack is custom, what must be true before its scores count as deployment evidence? That is closer to audit design than benchmark design. It also explains the paper’s insistence on reporting scores, matched deltas, critical rates, uncertainty, auditor, and judge together. A single ranking is convenient for procurement. It is also a convenient way to erase the evidence boundary. I have two concerns. The first is the abliterated target contrast. Abliteration creates a clean unsafe control, which is useful for instrumental validity. It does not mirror the failure distribution of real deployed models. In production, models rarely fail as fully safety-stripped systems. They leak around specific languages, policy edges, identity terms, or ambiguous intent. AUROC of 0.89 to 1.00 shows SimpleAudit can catch large safety gaps. The snippet does not disclose sensitivity to small, local, or strategic safety differences. The Borealis-versus-Gemma 3 procurement case sounds more credible because the paper says the safer model depends on scenario category and risk measure. That is how real safety comparisons usually look. The second concern is judge dependence. The paper says target-driven variance dominates auditor and judge artifacts. It also says auditor and judge must be reported. Good. But the snippet does not disclose which judge was used, how the rubric was written, or whether the judge was calibrated for Norwegian. In non-English safety evals, the judge’s language competence is part of the measurement system. A judge with strong English and mediocre Norwegian can misread tone, legal vocabulary, or indirect harmful requests. I have seen internal evals mistake judge preference for target-model safety more than once. The contract only works if the judge card is detailed enough to audit. The Petri comparison is also telling. The paper says the same validation chain admits both SimpleAudit and Petri, and the substantial differences arise upstream in claim-contract enforcement and deployment fit. That is a mature claim. It does not say SimpleAudit beats Petri. It says tools should state which claims they support. I like that. AI safety evaluation is moving closer to compliance evidence production and farther from model capability contests. The teams that can specify scope, rerun budget, variance components, uncertainty, and failure conditions will get further in real procurement than teams waving around a prettier leaderboard. I rate this paper highly, with one condition. If the Norwegian safety pack, rubric, sampling configuration, judge setup, and ten-rerun score distributions stay closed, the community cannot tell whether the AUROC range reflects a robust method or an easy contrast set. The practical takeaway for AI teams is immediate, though. Do not ask vendors for one safety score. Ask for the scenario pack, rubric, judge, sampling setup, rerun budget, uncertainty, and critical-rate breakdown. If they cannot provide those, the score should not enter a launch review.

AI Co-Mathematician’s sharp point is not just 48% on FrontierMath Tier 4. It turns math research into an asynchronous state machine with rollback. Ideation, literature search, computational exploration, and theorem proving sit in one workspace. The system explicitly tracks failed hypotheses and emits native mathematical artifacts. That is closer to how research happens than another one-shot benchmark score. I would discount the “helped researchers solve open problems” claim for now. The arXiv abstract gives no problem list, human baseline, interaction count, or detailed FrontierMath Tier 4 protocol. AlphaGeometry felt like a closed-task solver; this paper is selling a workflow surface. If the 48% does not reproduce, there is still a serious product idea here. If it does, math-agent competition moves toward memory, retrieval, and proof-state management.

POPO’s sharp claim is that RLVR can stop treating negative rollouts as first-class training signal. It trains only on online positive rollouts, then gets implicit negative pressure through probability redistribution. The concrete hook is clean: Qwen-Math-7B reaches 36.67% on AIME 2025, while GRPO is reported at 30.00%. I like the direction because sparse binary rewards make most wrong math traces equally useless. Sampling a few failures rarely maps the failure space. But I would not over-credit the paper yet. The abstract names bounded importance sampling, a momentum siamese policy, and a bounded representation penalty, but it does not expose rollout budget, token budget, or pass@k protocol here. If the gain comes from filtering more positives, POPO is an accounting trick against GRPO, not a cheaper optimizer.

StraTA makes the right cut: agent RL needs trajectory abstraction, not longer reactive rollouts. It samples a compact strategy from the initial state, conditions later actions on it, then jointly trains strategy generation and execution with hierarchical GRPO-style rollouts. The reported numbers are concrete: 93.1% on ALFWorld, 84.2% on WebShop, and 63.5% on SciWorld. I buy the direction more than the extrapolation. ALFWorld, WebShop, and SciWorld are controlled environments, so credit assignment is cleaner than in browser agents or messy enterprise workflows. The abstract says SciWorld beats frontier closed-source models, but it does not name the models or equalize tool settings here. I’d read the PDF tables before treating this as proof that planning-first RL transfers.

Two arXiv tracks list RAO with identical wording, so this is one paper appearing across cs.LG and cs.CL, not independent confirmation. The paper defines recursive agents as agents that spawn copies of themselves for delegated subtasks, then uses RL to train when to delegate and how to communicate. I like the problem framing, but the evidentiary bar is not met in the excerpt. The abstract claims better training efficiency, out-of-context-window task handling, harder-task generalization, and lower wall-clock time, yet gives no tasks, models, baselines, or numbers here. The agent literature keeps confusing parallel search plus decomposition with capability gain. RAO only becomes serious if it beats strong single-agent baselines like Claude Sonnet 4.5 or GPT-5.4 mini under normalized token, latency, and compute budgets.

ScaleLogic’s sharp claim is that long-horizon reasoning training should stop treating “more steps” as the whole difficulty knob. It separates proof depth D from logical expressiveness, then reports RL compute T scaling as a power law in D with R² > 0.99. The exponent rises from 1.04 to 2.60 as the logic moves from implication-only rules to first-order settings with and, or, not, and universal quantification. I buy the direction more than the usual long-CoT story. The paper says more expressive training gives up to +10.66 points on math and general reasoning benchmarks, with better compute efficiency. That pushes against a lot of RL reasoning work that quietly bundles chain length, task diversity, and formal structure into one “hardness” label. The caveat: the abstract does not expose the base model sizes, exact downstream suite, or benchmark authorship, so the PDF has to carry the causal claim.

This paper hits the ugliest gap in deep-research agents: citation polish is outrunning citation truth. Across 14 models, link validity clears 94% and relevance clears 80%, but factual accuracy lands at only 39–77%. The easy-to-audit parts look fine; the part users actually rely on breaks. The tool-call ablation is the sharper cut. For two frontier models, Fact Check accuracy drops about 42% as tool calls scale from 2 to 150. That undercuts the product story that deeper browsing yields better reports. A lot of RAG and browser-agent work has treated more retrieval as a safety blanket. Here it looks like citation sprawl: more sources, more surface legitimacy, weaker source-to-claim discipline.

The sharp part here is not “AI writes papers”; it is research grunt work turned into an auditable loop. The system ran 1,197 headline trials plus 600 Parameter Golf controls, with no human proposal selection, recipe edits, score overrides, or failed-run repair after launch. Each submission carried a hypothesis, code diff, external evaluator result, and failure label. The gains are modest enough to be credible: Parameter Golf validation bpb down 0.81%, NanoChat-D12 CORE up 38.7%, Airbench96 wallclock down 4.59%. I trust this more than grand claims about autonomous scientists. The ceiling is still narrow: three tasks and a 157-submission architecture-domain audit do not make a general researcher. As a training-recipe search worker, though, this is already uncomfortably useful.

This paper hits multi-agent debate where the hype is weakest: more turns do not create information. Under the E→O0→O1 Markov chain, the DPI bound says expected mutual information cannot increase. The empirical hook is clean enough: on 300 SciFact and 1,000 FEVER claims, DebateCV keeps 88% of baseline accuracy while SFS falls 43%; majority-vote MAD drops SFS to 1.7% of baseline, with p<10^-6. That pattern explains why many agent demos feel persuasive and still rot underneath: they polish the same evidence into better-sounding answers. EGSR recovering 98% is the useful part. The fix is not more agents in a room; it is forcing each step back onto evidence.

The nasty part is the low attacker bar, not the famous model names. The authors transfer standard CLIP adversarial examples into production VLMs including GPT-5.4, Claude Opus 4.6, Gemini 3, and Grok 4.2. They test misinformation, personal disparagement, moderation evasion, and product recommendations. Across hundreds of identity and NSFW attacks, reported success lands at 22–100%. I don’t buy the product story that multimodal models are ready to act as trusted visual referees. This is not prompt injection or a jailbreak; the model stays aligned and confidently reasons over the wrong percept. Basic adversarial methods from a decade ago still work well enough to matter. The abstract does not give the full six-model list, which limits clean reproduction by tier, but the deployment warning is already sharp.

This paper hits the soft spot in LLM vulnerability detection: detection is easy to demo, robustness is not. On 5,000 C/C++ samples, models above 70% clean recall fall to 0.12% Complete Resistance. The vulnerabilities they originally catch mostly disappear after syntax- and compilation-preserving edits. I’ve never liked security vendors selling CI/CD gates off clean benchmark scores, and this gives the cleanest reason. A universal string optimized on a 14B surrogate transfers to GPT-4o, while on-target optimization reaches 92.5% ASR. That is nastier than a normal prompt-injection story because the code still parses and compiles. If a detector cannot survive behavior-preserving rewrites, its recall number is closer to a demo metric than a deployable security claim.

FAAST’s sharp move is turning supervised test-time adaptation into one forward compile, not another backprop loop or longer context trick. The paper claims over 90% lower adaptation time, up to 95% memory savings, and constant-time inference. That is exactly the pain point for edge models and multi-tenant serving. I’d discount the “matches or exceeds backprop-based adaptation” claim for now. The abstract names image classification and language modeling, but not task scale, base model size, shot count, or latency breakdown. Fast-weight methods have looked great on narrow tasks before, then cracked under messy distribution shift. Releasing code and models helps; production relevance depends on Llama/Qwen-scale runs, throughput, and whether the compiled weights forget ugly edge cases.

AsymmetryZero pushes evals away from “ask a strong model to grade” and toward explicit contracts, and I buy that direction. The paper fixes task contracts, then compares five frontier judges with five compact judges in Harbor across Claude Opus 4.6, GPT-5.4, Grok-4.20, and Gemini-3.1-Pro. Compact judges reach 75.9%–89.6% criterion-level agreement while costing only 4.2%–5.6% of frontier judging. But don’t read this as “small judges are solved.” Compact juries show 28.7%–32.4% 3–2 split rates, versus 6.1%–11.5% for frontier juries. Cheap judges can triage routine criteria; hard criteria still shake. Compared with the usual LLM-as-judge leaderboard habit, the durable asset here is the evaluation contract plus audit trace.

FPO is sharp because it turns alignment collapse into a missing-gradient problem, not another vague reward-hacking story. The paper decomposes the true policy objective with a Stackelberg setup: standard policy gradient plus a parameter-steering term. Iterative RLHF drops that term, so the policy shapes the RM’s next training data, then exploits the blind spots it helped create. The concrete hook is strong: FPO restores the steering effect with a scalable first-order approximation, then tests it in controlled environments and a Llama-3.2-1B alignment pipeline. My caveat is size and regime. A 1B pipeline proves the mechanism; it does not prove this survives GPT-5 or Claude-class agent traces. Still, this is a cleaner diagnosis than “retrain the RM harder.”

Human-AI complementarity is doing far less work than the slogan suggests. In this 1,886-sample evaluation, hybrid routing moves AI accuracy from 68.9% to 69.3%. The usable complementarity region is only 8.9%: cases where AI is wrong and humans are right are rare, and the system cannot reliably find them. Confidence routing is the ugly part. The model’s confidence is similarly distributed across correct and incorrect predictions, so low-confidence handoff fails as a control mechanism. Top-2 assistance lifts humans from 28.4% to 38.3%, but mainly because people accept correct AI suggestions, not because they catch AI mistakes. For oversight teams, that is a cold result: without reliable routing, “human in the loop” is just an expensive confirmation layer.

The sharp claim here is not that stronger reasoning gets conservative; it is that the bias becomes repeatable. In three multi-agent negotiation settings, DeepSeek native reasoning reaches authority decisions in 15/15 grid-curtailment transfer runs. GPT-5.2 native reasoning does it in 45/45 runs across all three settings. Even action entropy at 1.256 and concession-arc rate at 0.933 do not prevent collapse, so the transcript can look negotiatory while the endpoint stays solver-shaped. This hits a bad habit in agent-simulation work: treating a high-scoring reasoning model as a behavioral distribution. The authors are careful about scope; this is a failure screen inside a fixed negotiation grammar, not proof about real policy forecasting. Still, if the job is institutional simulation, capability benchmarks are the wrong gate. You need sampler qualification, or you are just running a polite optimizer in costume.

The sharp result is not “prompting beats agents”; it is that orchestration tax is now measurable in fixed procedures. Across 3 tasks and 200 conversations per condition, in-context prompting scores 4.53–5.00, while LangGraph scores 4.17–4.84. Travel failures are 11.5% versus 24%; insurance is 5% versus 17%. I don’t buy the paper’s title as stated. “Agent orchestration” is too broad for this setup. The tested cases are 14-node travel booking, 14-node Zoom support, and 55-node insurance claims: clean SOP conversations. In that lane, injecting routing instructions every turn adds another failure surface. Production systems still need tool permissions, audit trails, rollback, and human handoff. LangGraph’s defensible role moves toward boundary control, not reciting a procedure the model can already hold in context.

Both arXiv entries point to the same ICML 2026 paper, so the coverage is aligned through one author source chain, not independent validation. The paper names the failure mode as a perceptual bandwidth bottleneck: wide field of view keeps global context, while fine detail gets lost. FOVEA then uses a sequential Bayesian experimental-design proxy to choose visual evidence before answering, without training. I buy the direction more than another push for larger image-token budgets. The abstract only says “consistent gains” on high-resolution benchmarks, with no exact scores disclosed; the concrete hook is stronger gains in search-heavy remote-sensing tasks. That matches where GPT-4o- and Gemini-style multimodal systems still stumble: the model often can reason after seeing the right patch, but it has not learned where to spend its visual budget.

Sparse Backdoor is nasty because it moves backdoor detection from empirical cat-and-mouse into a hardness boundary. The attack perturbs a small subset of columns in fully connected layers, then hides the signal with isotropic Gaussian dither. Under a mild margin condition, the dithered reference stays functionally equivalent to the original classifier. The proof claim is the sharp part: with white-box parameter access, distinguishing the poisoned model is at least as hard as Sparse PCA detection. That is a direct hit on the usual supply-chain comfort blanket. A lot of model vetting assumes weights plus scanners give you a fighting chance. This paper says visibility alone is not enough under its setup. The caveat matters: the target is pre-trained image classifiers, including CNNs and ViTs, not LLMs or MoE systems. But if your audit stack is still trigger search plus activation clustering, the attacker model just moved past it.

TAGO’s sharp result is that Qwen3-Omni keeps 86% ASR_l after dropping 75% of audio tokens, versus 87% with full retention. That is not a minor efficiency gain. It says the attack only needs the high-gradient token-aligned regions, while the rest of the waveform can be masked during optimization. I’m cautious on the “outperforms baselines across three ALMs” claim because the abstract does not name the other two models or the evaluation protocol. But the security lesson is clear enough: audio tokenization is not a moat. It gives attackers a gradient map, and red-teaming that assumes dense waveform updates will miss the sparse path.

This paper moves FFN pruning from “large activation” folklore to “removing this channel hurts loss,” and I buy that direction. In Llama-3.1-8B, the top 1% of channels per layer holds 58.7% median LP mass, with a 33.0%–86.1% range. Those supernodes barely overlap activation outliers, and weight norms do not explain them either. The clean evidence is the pruning diagnostic: at 50% FFN sparsity, SCAR-Prot lands at 54.8 perplexity while Wanda-channel blows up to 989.2. Wanda-style magnitude heuristics had a good run in weight pruning, but channel-level structured pruning is harsher. The catch is practical: this LP uses activation-gradient second moments, and the abstract does not spell out calibration-set sensitivity or deployment cost.

This ICLR 2026 paper hits the annoying gray zone in inference work: after quantization, kernel swaps, or batching changes, a 0.3% accuracy dip is either noise or a real regression. The useful move is sample-level comparison with McNemar’s test, not task-level mean deltas, plus an implementation inside LM Evaluation Harness. That is practical because production teams rarely fear one giant collapse; they fear a “lossless” optimization getting nicked by numerical behavior at temperature zero. My pushback is simple: the abstract claims the case study flags degraded models and skips provably lossless optimizations, but it does not name the model set or optimization stack. Without that, 0.3% is a statistical detection claim, not a production guarantee.

SLYP’s sharp point is not the 0.973 F1; it is that tool-wrapped agents produced Windows bugs MSRC accepted. The benchmark is small: 20 COM objects and 40 vulnerability cases. Still, 28 previously unknown flaws, 16 CVEs, and $140,000 in bounties are harder evidence than another SWE-style score. The gap is also instructive. Default production coding agents verified essentially no PoCs, while SLYP reached 67.5% on its strongest setup. That says the gain came from COM inspection, binary exploration, and debugger feedback loops, not a model magically learning exploitation. I don’t buy broad “AI hacker” framing from this alone; the win is narrower and more useful. Give agents the right instrumentation, and vulnerability research starts looking like an automated test harness with a much nastier output queue.

This paper attacks RLVR sample efficiency at the signal level, not by inflating the prompt pool. On Qwen2.5-Math-7B, one positive-negative paired minibatch per update moves AIME 2025 Pass@8 from 16.8 to 22.2 and AMC23 Pass@64 from 94.0 to 97.0. The baseline is GRPO picking two prompts through variance-based heuristics. I buy the direction. In math RLVR, high variance often just means the model is flailing; it does not guarantee a useful gradient. Weighted GRPO turns rare success on hard-but-solvable prompts into a positive anchor, and rare failure on easy-but-brittle prompts into a penalty. That is a cleaner curriculum than “pick medium-difficulty problems.” The caveat is scope: the evidence is Qwen2.5-Math-7B / Instruct on math benchmarks. Code RLVR and tool-use trajectories are still unproven.

ContextPilot’s sharp move is shifting reuse from per-session KV cache to context blocks shared across users and turns. The paper gives a real mechanism: a context index finds overlap, ordering and de-duplication raise KV-cache reuse, and succinct annotations try to protect reasoning quality. The headline number is prefill latency cut by up to 3x. I buy the direction more than the easy extrapolation. RAG, agent memory, and multi-agent systems do stuff the same documents into prompts again and again, so reuse is not imaginary. The production risk sits in that same design choice: cross-user indexing turns cache hits into a security surface. Multi-tenant isolation, permission changes, stale blocks, and false overlap matches matter more than a clean interface. vLLM or SGLang users will ask for auditable invalidation rules before they trust the 3x in a real service.

The useful move here is treating safety evals as terrain mapping, not one-off jailbreak fishing. MAP-Elites runs across Llama-3-8B, GPT-OSS-20B, and GPT-5-Mini, reporting up to 63% behavioral coverage and 370 vulnerability niches. The model split is the sharp part: Llama-3-8B averages 0.93 Alignment Deviation, while GPT-5-Mini caps at 0.50. That looks more like a behavioral fingerprint than another attack success-rate table. I don’t fully buy the “global maps” claim yet. Coverage depends on how the behavior dimensions are chosen and discretized; a friendly grid can make 63% look cleaner than it is. Compared with GCG, PAIR, and TAP, this is a better red-team dashboard. It still does not rank real-world risk without stronger evidence on transfer and external validity.

Learned image compression finally touches a product threshold here, not just a prettier rate-distortion plot. The hard hook is 12MP images encoded in 230ms and decoded in 150ms on an iPhone 17 Pro Max, while claiming 2.3–3x bitrate savings over AV1, AV2, VVC, ECM, and JPEG-AI. It also claims 20–40% savings over the best learned-codec alternatives. I buy the direction because the search target is on-device runtime plus perceptual quality, not a PSNR trophy. JPEG-AI and VVC have always carried standardization and hardware-path inertia; this paper attacks the device budget with performance-aware NAS over millions of backbones. The caveat is large: the abstract does not spell out subjective-study design, power, memory peak, or temporal stability for burst/video use. A 230ms still-image number is serious, but it is not the same as a shippable camera codec.

The sharp part is not natural-language feedback; it is turning expert time into reward maintenance. On Qwen3-8B, ICL reward models recover only 35% performance with 50x fewer expert samples. Fine-tuned rewards recover 80% with 20x fewer samples, and 100% with 3x fewer. Haiku 4.5 follows the same split: 35% with 30x fewer samples for ICL, 100% with 10x fewer for fine-tuning. I buy the direction, but not the easy “small data is enough” story. The expensive step stays inside the loop: detect over-optimization, collect fresh expert supervision, update the proxy reward. RLVR got its free lunch from verifiable math and code rewards. Creative writing and alignment research do not have that luxury; the scarce expert moves from labeling to monitoring.

NVlabs’ result is engineering-heavy, not paper-title-heavy. rCM runs JVP-based consistency distillation on Cosmos-Predict2 and Wan2.1, up to 14B parameters and 5-second videos. The claimed 1–4 sampling steps and 15–50x speedup matter because most consistency work still looks safest on small image benchmarks. I buy the diagnosis more than the branding. sCM’s forward-divergence objective preserves coverage but bleeds fine detail; the long-skip score regularizer adds a reverse-divergence pressure to recover texture. DMD2 is the right comparison, and rCM claims similar quality while avoiding GAN tuning and heavy hyperparameter search. The missing piece is serving math: no clear inference memory, throughput, or human eval for temporal consistency in the abstract. For video diffusion, those numbers decide whether this is a lab win or an actual cost curve change.

Safety teams should stop using one benchmark score as a proxy for deployed alignment. The paper audits 16 alignment benchmarks with dual coding and Cohen’s kappa=0.87, then finds no user-facing verification support across the set. Process steerability is nearly absent too. Even interactional benchmarks like tau-bench, CURATe, Rifts, and Common Ground cover scattered pieces. The sharper result is the 180-transcript blinded test. The same verification scaffold pushes one frontier model to ceiling while leaving another categorically unchanged. That cuts against the common vendor story that safety gaps can be patched with a wrapper. OpenAI, Anthropic, and Google safety cards still lean heavily on model-level tables; this paper gives practitioners a clean objection: evidence collected at model level cannot be spent as a deployment-level claim.

Both entries point to the same arXiv paper, 2605.02320, so the coverage is aligned by duplication, not independent confirmation. ANO replaces PPO’s hard clipping with Anchored Neighborhood Optimization and a redescending-gradient mechanism; the abstract claims wins over PPO, SPO, and GRPO across MuJoCo, Atari, and RLHF, including stability at a 1×10^-3 learning rate. I’d file this as a serious algorithm candidate, not a PPO successor yet. In RLHF, the hard test is stability across reward models, KL coefficients, and batch sizes, not one head-to-head win-rate table. The provided body does not disclose code release or reproduction details. GRPO spread because teams could drop the critic and cut training complexity; ANO has to show the same practical payoff under matched compute before the claim clears the hype bar.

PLE hits the old hybrid-thinking failure mode: mode control lives in prompts and SFT labels, while both behaviors still share the same FFN weights. The paper replaces each decoder MLP with two locked experts for think and no-think, while sharing attention, embeddings, norms, and the LM head. A control-token router picks one path for the full sequence. The numbers are unusually clean: on Qwen3-4B, AIME24 no-think reflective tokens fall from 2.54 to 0.39, and accuracy rises from 20.67% to 40.00%, while think performance is claimed to hold. I buy this direction more than another round of data curation. But it is still a 4B paper result; leakage under long chats, tool calls, and product latency budgets is not shown here.

Both member entries point to the same arXiv 2605.03348 paper, with identical framing; this is single-source amplification, not independent coverage. S3 makes a clean bet: multimodal representations should be decomposed into semantic experts, then routed and sparsified per task. The concrete hook is four MultiBench benchmarks plus a reverse U-shaped sparsity-performance curve, with intermediate sparsity performing best. I like that more than another fixed embedding trained with contrastive pressure, because routing gives practitioners knobs to inspect and prune. But the abstract gives no exact accuracy, parameter count, routing cost, or head-to-head detail against strong CLIP/BLIP-style baselines. I’d file this as a credible structural-representation candidate, not evidence that MoE has solved multimodal generalization.

Both entries point to the same arXiv paper, with identical framing; this is duplicated paper coverage, not independent validation. Gideon’s concrete hook is still strong: 9.003 ms inference, 111 fps, and under 1.5 MB on STM32N6 for a visual SLAM feature front end. I buy the paper’s push against FLOP worship. The authors optimize INT8 stability, dynamic range, operator constraints, and swap BatchNorm for affine layers inside DNAS; those are exactly the failures that show up after a neat model hits embedded silicon. The gap is also clear: the abstract gives front-end latency and quantization behavior, but not end-to-end localization error against SuperPoint, ORB-style pipelines, or LightGlue-style matching. Good embedded ML paper, not yet proof that learned SLAM front ends are solved on MCU-class hardware.

Both hits point to the same arXiv paper, arXiv:2605.03929, so the source angle is fully aligned by one paper, not independent confirmation. PHALAR claims up to roughly 70% relative accuracy gain on stem retrieval, under half the parameters, and 7x faster training versus prior state of the art. I like the bet more than I trust the headline number. Music audio has had too many “semantic embedding solves MIR” papers; PHALAR’s Learned Spectral Pooling and complex-valued head put pitch and phase equivariance into the architecture, which matches the problem better. The abstract-level body does not expose code, ablations, or leakage controls across MoisesDB, Slakh, and ChocoChorales, so the impressive part still needs PDF-level checking.

Budgeted LoRA hits LoRA’s awkward gap: cheaper adaptation, unchanged inference bills. The paper adds one global compute budget for retained dense computation, then uses module retention coefficients, adaptive low-rank allocation, and post-training compression to move work into low-rank paths. It reports standard-LoRA perplexity at a moderate budget with 1.74x compressed-module speedup, and 4.05x at an aggressive budget with moderate perplexity loss. I like the framing because it optimizes FLOPs, not parameter count theater. The caveat is big: the abstract gives compressed-module speedup, not end-to-end serving latency, KV-cache effects, batch size, or hardware. Unlike QLoRA-style memory wins, this claim only becomes real inside an inference stack. The arXiv number is promising; it is not yet a cloud bill reduction.

FPE matching or beating InstructNav with zero API calls is a direct hit on the ObjectNav storyline. The authors only change the action value map, then test geometry-only Frontier Proximity Explorer and lightweight SHF on HM3D and MP3D. FPE runs faster without an LLM; SHF keeps language to local frontier votes. I buy the claim here: in navigation, the safest role for language is a sparse semantic bias, not the planner. Embodied AI papers have spent two years attributing zero-shot gains to model reasoning. If a detector-controlled instruction follower gets matched by frontier geometry, the benchmark is measuring pipeline craft, not spatial intelligence.

LASM is useful because it drags agent security back to system boundaries, not attack-name bingo. The paper splits the stack into 7 layers—Foundation, Memory, Tool Execution, Multi-Agent, Governance included—and 4 temporal classes. It then recodes 116 papers from 2021–2026 and finds no benchmark coverage for cross-session or sub-session-stack failures. That gap is uglier than another prompt-injection leaderboard. A lot of agent demos now wire memory, browsers, code interpreters, and MCP-style tools into one loop, while evaluation still lives around single-turn coercion and bad tool calls. The Agent Bill of Materials schema is the practical artifact here. Without a dependency inventory, agent security review becomes screenshots, logs, and vibes.

This paper hits the privacy weak spot in RAG apps: the attacker does not need vector-store access, provider logs, or weights. A remote ICL document-QA endpoint plus query text prefixes is enough to separate member from non-member inputs. The second attack is the nastier one because it removes the reference model and uses a weighted-average membership statistic, lowering the bar versus older shadow/reference-model setups. I’d still keep one hand on the brake: the abstract does not disclose datasets, AUC, prefix counts, or retriever details, so the strength lives in the PDF. But the direction matches what many enterprise RAG stacks under-price. They harden ACLs, redaction, and vector encryption, while leakage happens through whether retrieved examples shape the answer. Their adapted ensemble-prompting defense substantially mitigates the second attack, which says the fix belongs in inference orchestration, not only in the knowledge store.

Anchored Learning hits a boring but expensive SFT failure mode: target gains arrive with old capabilities broken. The paper interpolates the current model with a frozen reference, creates a moving anchor, and turns offline SFT into local trust-region steps. It also claims a linear per-iteration KL bound. On iGSM and MedCalc, vanilla SFT drops over 53%; Anchored Learning keeps degradation under 5% and reaches 75.2% on iGSM. I buy the direction, not the victory lap. The disclosed tasks are iGSM, MedCalc, and IFEval; that does not yet cover messier post-training workloads like coding, tool use, or multi-turn preference tuning. This feels like the SFT cousin of KL-regularized RLHF: useful for stability, less convincing as a path to higher ceilings.

SIOP matters because it stops pretending long-horizon agents can learn from final-answer rewards alone. For each query, it samples multiple rollouts, clusters final answers into semantic outcome states, then rewards turns that increase support for reliable states. The paper reports gains over verifier-free outcome-level baselines on seven search-augmented reasoning benchmarks, nearing a gold-supervised outcome baseline. I like the direction. GRPO-style broadcast advantages are blunt for search agents. The dangerous part is the source of truth: without a task verifier, SIOP’s ceiling is the quality of its answer clustering and reliability targets. If a cluster of wrong answers is semantically consistent, the method can train the agent toward stable nonsense. Code release helps; I’d read the failure cases before trusting the average table.

AutoOR’s sharp point is treating OR formulation as a verifiable post-training target, not as proof of broad mathematical intuition. It generates synthetic data from standard optimization forms, then uses solver execution as the RL reward. An 8B model reaches SOTA or competitive results on six OR benchmarks, and curriculum RL lifts a nonlinear physical-dynamics class where frontier models sit near 0%. I buy the method; I don’t buy the industrial-decision-making pitch yet. Real OR deployments fail on missing constraints, messy business exceptions, data plumbing, and accountability, not only on natural-language-to-solver translation. This belongs near the code-execution-feedback lineage: narrow, checkable tasks get eaten by post-training. The gap to production scheduling is still the ugly part outside the benchmark.

Both entries point to the same arXiv record with the same headline, so this is a single-paper chain, not independent coverage. The concrete hook is solid: ACL 2026 Findings, nine datasets, three reasoning task types, and a 3.0-point average Pass@1 gain over GRPO on math benchmarks using Qwen2.5-3B-Instruct. I buy the problem framing more than the “superiority” claim. In RLVR, the ugly wins often come from clipping behavior, aggregation choice, and sampling stability, not a grand new reward story. PMPO’s arithmetic-to-geometric mean transition and FAC’s reward-statistics-based clipping are the right kind of engineering. But the abstract gives no variance, training cost, or code status; a 3-point gain on a 3B Qwen model is useful, yet far from proof it survives at 32B or 70B scale.

Single-vector steering’s weakness is not only performance; its geometry is too crude. This paper keeps a concept as a multidimensional soft projection via conceptors, which hits a real sore spot in activation steering. The hard evidence: conceptor quota predicts separability across 3 instruction-tuned models and 3 semantic axes, with Pearson correlation up to r=0.96, plus closed-form AND / OR / NOT composition. I buy the “fewer degenerate outputs” claim more than the safety framing. Inference-time steering often pushes models into weird repetitive style, and the paper says conceptors match or beat additive baselines across a five-axis design-space test when concept subspaces are multidimensional. The gap is also clear: the abstract does not name the models or give degeneration-rate numbers, so treating this as a production safety layer is premature.

The sharp claim here is that representation drift is caused by the objective, not sloppy training. Across 2,695 linear-Gaussian configurations, mean causal fidelity is 0.49, and only 2.5% exceed 0.70. At N=100, fidelity falls near 10^-8 while prediction error is 92% lower than the causal representation. I buy only half of the extrapolation: linear-Gaussian dynamics and a Duffing-GRU sweep are not GPT-5.4 mini’s training distribution. But the mechanism is nasty. Slow, low-noise environment modes win under predictive loss. World-model teams love using rollout error as evidence of understanding; this paper says low MSE can be background inertia wearing a lab coat.

LABBench2 is useful because it puts a brake on the “AI scientist” story. Nearly 1,900 biology tasks drop model accuracy by 26% to 46% versus LAB-Bench across subtasks, which says the older benchmark was getting too comfortable for frontier systems. FutureHouse also released the dataset on Hugging Face and the harness on GitHub, so this is at least runnable, not just a PDF benchmark claim. I don’t buy the “real-world scientific work” framing without more plumbing. The abstract says more realistic contexts, but it does not spell out wet-lab loops, retrieval constraints, tool-use rules, or contamination controls. Like SWE-bench, a harder benchmark can puncture demo hype; it does not prove agents are ready to sit inside a research workflow.

AnyPos makes the right cut: learn the robot’s feasible action space first, then attach task policies. The hard numbers are decent: 51% higher test accuracy than a standard baseline, plus 30–40% higher success on microwaves, toasting bread, folding clothes, watering plants, and scrubbing plates. I buy the direction, not the “generalization solved” tone. Safe automated exploration, inverse dynamics, arm/end-effector decoupling, and a direction-aware decoder are cleaner than just piling up teleop traces. The abstract does not give platform count, real-world trial volume, or failure modes. Compared with RT-X-style cross-robot datasets, AnyPos reads more like an embodiment prior layer than a replacement for task data.

The sharp part is that it turns the familiar “SFT first, RL improves it” recipe into a no-free-separation claim. Under both KL distribution analysis and PL landscape assumptions, the paper says the same thing: RL raises SFT loss, while SFT lowers RL reward. The Qwen3-0.6B experiment confirms degradation, though the abstract gives no exact metric size. I care more about the pressure this puts on reasoning-model recipes. Many teams still treat SFT data, verifier RL, and preference RL as swappable blocks. This paper frames each step as spending some of the previous step’s capability budget. The useful hook is not the degradation claim alone; it is the derived optimal RL duration and non-decoupling threshold. That is closer to something a training team can actually test than another benchmark table.

Logic Inertia is a sharp frame: the model can reason, then keeps reasoning down the wrong track. The hook is concrete. Untreated baselines fall from 1.00 base accuracy to 0.00 under contradiction injection, and GPT-4o resolves only 56.0% of contradiction cases. CAF’s SFT, DPO, LIRE, and RLVF pipeline pushes verification into training, instead of scaling parameters. I’m skeptical of the “saturates all four tests” claim. When both 1.5B and 8B backbones max out, the benchmark may be too well matched to the method. The Lean 4 extension is the stronger signal: 99.0% kernel agreement on 105 derivable T questions inside a 187-question translated sample, but only 71.7% overall. Symbolic feedback looks useful; benchmark saturation looks less convincing.

Prefix Sampling hits a boring but expensive failure mode in binary-reward RL: rollout groups that all pass or all fail produce weak GRPO/RLOO signal. The paper forces groups toward a 50% pass rate because reward entropy, group-filter survival, and advantage energy peak there. On SWE-bench-style training, it reports 2.01x wall-clock speedup on Qwen3-14B and 1.55x on Qwen3-32B; Qwen3-14B Verified peak moves from 0.273 to 0.295. The part I buy is the constraint: replayed prefixes reconstruct state, but their tokens stay out of the loss, so only current-policy continuations train. That is cleaner than brute-force oversampling and filtering. I still have doubts about transfer to messy coding agents: AIME 2025 is a useful sanity check, but long tool-use state replay has costs that a headline speedup can hide.

Distillation papers should be forced to publish a loss ledger, because “student matches teacher” is too cheap. arXiv:2604.25110v2 frames distillation as lossy projection and proposes a Distillation Loss Statement: preserved capabilities, lost capabilities, and accepted losses. That is a better hook than another retained task score. I buy the direction because deployment teams now distill GPT-4- or Claude-class teachers into smaller students, then celebrate MMLU, SWE-bench, or support-ticket accuracy. The ugly failures sit off-metric: refusal boundaries, tail robustness, calibration, tool-use recovery, and brittle behavior under distribution shift. The paper is a position paper, not a new benchmark or large empirical study, so the enforcement path is thin. Still, making off-metric loss reportable attacks the exact place where distillation papers have been laundering capability loss as efficiency gain.

This paper hits a training variable people average away too easily: weight decay is not just background regularization. On the controlled compositional task, applying decay for only 25% of training gets 0.93 OOD accuracy, versus 0.91 for full-training decay. Moving the window onset by 100 optimization steps shifts mean OOD from 0.15 to 0.61. That reads less like tuning noise and more like a phase boundary. I would not generalize it into a universal training law. The author gives the caveat directly: the same critical-window effect does not appear in modular-arithmetic grokking, where tuned constant decay matches scheduled decay. For LLM training people, the useful punchline is not “copy this schedule.” It is to distrust slogans like “smaller initialization is always better”; here, small initialization shrinks the reasoning basin.

Coral lands because it attacks the boring production tax: teams underuse older and mid-tier GPUs while chasing scarce top-end cards. The paper evaluates 6 models across 20 GPU configurations, jointly optimizes allocation and replica serving, cuts online solving from hours to tens of seconds, and reports up to 2.79x lower cost plus 2.39x higher goodput under scarcity. I buy the problem framing more than another single-model throughput paper. Real serving fleets are messy: mixed models, shifting demand, uneven GPU inventory. The caveat is material: the abstract does not list GPU SKUs, price sources, or SLA shape. If the 2.79x comes mostly from cloud price gaps or spot availability, the gain shrinks inside a fixed enterprise cluster.

EdgeRazor’s sharp claim is the 0.28GB Qwen3-0.6B artifact, not the leaderboard line about beating 3-bit methods at 1.88-bit. That storage drop from 1.41GB starts to matter for phones, browser extensions, and local copilots. I’m cautious on the 15.1x decoding speedup. The abstract gives the baseline as 16-bit, but not the hardware, kernels, batch size, or context length. Low-bit weights save bandwidth; edge latency often dies in operator support and memory layout. The stronger signal is architectural: mixed precision plus distillation beats leading 2-bit PTQ by 11.3 points while claiming 4–10x less training than leading QAT. If that reproduces outside the authors’ stack, this is a practical compression recipe rather than another tiny-model stunt.

RetentiveKV has the right diagnosis: multimodal KV eviction cannot trust early attention. Visual tokens often look cold before they become decisive. The paper’s concrete claim is 5.0x KV-cache compression and 1.5x decoding speedup, using entropy to score low-attention tokens, then SSM transitions to keep them in a reactivatable memory state. I buy the problem framing more than the headline number. KV-compression papers often win on curated benchmarks, then break on long video, OCR, or fine-grained grounding. RetentiveKV at least avoids the dumb version of pruning: dropping low-salience visual tokens as if salience were stationary. The missing piece is the failure profile after 5.0x compression: does it lose small objects, spatial relations, or late-reference answers?

CAP’s useful move is pushing unlearning outside the weights and into a learned prompt generator. That matters for closed-source LLMs, where parameter-editing, LoRA-style patches, and retraining schemes often die at the API boundary. The revocation mechanism is also clean: remove the prompt layer, restore the knowledge behavior. I don’t buy the strong “precise, controllable unlearning” claim yet. The page gives arXiv:2604.21251, ACL 2026 Main, and v3 revised on 2026-05-06, but no model names, datasets, forget/retain scores, or attack setting. Prompt-layer unlearning lives or dies under jailbreaks, paraphrases, and multi-turn probing. Without adversarial evaluation, this reads closer to a controllable refusal policy than actual model unlearning.

Conductor’s useful move is making multi-agent workflow a learned policy, not another hand-written planner prompt. The 7B model uses RL to learn both communication topology and natural-language instructions for workers, and it trains over randomized agent pools; that is a cleaner research bet than AutoGen- or CrewAI-style manual routing. The paper claims gains over any single worker on LiveCodeBench and GPQA and is listed for ICLR 2026, but the captured page gives no exact scores, worker roster, or inference budget. I buy the direction before I buy the margin. Recursive topologies are especially easy to turn into benchmark gains by spending more test-time compute.

CausalGaze’s useful move is not “another hallucination classifier.” It forces internal states into a structural causal model, then uses counterfactual interventions to separate causal paths from spurious signals. The paper reports tests on 4 datasets and 3 common LLMs, with over 5.2% AUROC gain on TruthfulQA versus SOTA baselines. I still don’t buy this as a deployment story yet. AUROC on TruthfulQA does not equal reliable blocking inside enterprise RAG, tool use, or multi-turn workflows. Compared with plain logits or hidden-state probes, the causal framing is cleaner and less lazy. But the abstract gives no numbers for inference cost, cross-model transfer, or long-context stability. ACL Findings acceptance says the method is serious; it does not make it a safety product.

This paper hits an ugly cost center in distillation: teacher and student tokenizers break the shared probability space. The authors exploit BPE recursion, and in the subset-vocabulary case they compute exact likelihoods with O(1) model calls per token. On Qwen2.5-1.5B, they report up to 12% lower memory and up to 4% better task baselines. I buy the direction because smaller vocabularies on edge models are a memory decision, not a taste decision. The GSM8K gain, over 2% versus prior SOTA, is useful but should not be read as a reasoning breakthrough. It smells more like removing training noise from tokenizer mismatch. The general arbitrary-vocabulary case still leans on a fast approximation, so the repo matters more than the abstract here.

The useful move here is turning “safety went up, capability dropped” from a training complaint into a covariance condition. In arXiv:2602.06869 v2, the authors claim an objective improves when its reward has positive covariance with the scalarized score; CTWA then adapts weights to preserve that signal. That is a better hook than another vague reward-mixing trick. Honestly, multi-objective RLHF and DPO have been hiding this problem behind averaged benchmarks for too long. The hard limit is evidence: the abstract says the study spans scalarization algorithms, but the post gives no experiment scale, model list, or metric count. Without those, CTWA reads as a diagnostic lens, not a patch you drop into a production alignment stack.

DASE’s sharp claim is that ensemble reasoning is mainly a stopping problem, not a token-injection problem. On AIME 2010-2023, with 254 problems and 3 seeds, the 120B ensemble gets a 24.8 pp commit-routing gap. Opus 4.6 Standard verbalized confidence gets 25.7 pp at matched coverage, with p=0.873 on the difference. The 27% disagreement between the two routers is the useful part: DASE is not just confidence phrased differently. I buy the adaptive-stopping angle more than the bandwidth story. On AIME-300, bandwidth adds only 0.3 pp; on GPQA-Extended, it adds 4.4 pp versus a 5.0 pp stopping effect. The pushback is scope: these are still math/QA-style benchmarks, and this is arXiv v1. Until code and non-contest agent traces land, DASE is a good inference-control idea, not a proven agent runtime primitive.

NSL-MT hits the old low-resource MT bottleneck: parallel data is expensive, while grammar constraints are often cheaper. It creates target-language grammar violations as negative samples, then penalizes high probability on those outputs. The reported numbers are strong: 3-12% BLEU gains on stronger baselines, 56-89% on weaker ones, and 1,000 examples matching or beating normal 5,000-example training. I would not overread it yet. The abstract gives BLEU, but not the language set, the violation-generation rules, human evaluation, or out-of-domain tests. If the negative samples are too patterned, the model learns to avoid a narrow error class rather than translate better. Compared with the usual synthetic-data fine-tuning papers, this one has a cleaner training signal; the generalization claim depends on the PDF details.

Both entries point to the same arXiv:2605.04723 title, so this is a single-source chain, not independent coverage. The hard hook is ConvRec’s linear compute and memory complexity, plus experiments on 4 real-world datasets beating prior sequential recommendation models; the paper also ships code and data and is marked accepted at IJCAI-ECAI 2026. I read this as recommender systems pushing back on Transformer inertia. Full-sequence self-attention keeps carrying an O(n²) bill, and long user histories make that bill visible in retrieval and ranking pipelines. Convolutions are not glamorous here; they are bounded, cheap, and good at local sequential patterns. The abstract does not disclose benchmark numbers, so the SOTA claim should stay provisional until someone reruns it.

KernelBench-X lands a hard punch: LLM GPU-kernel generation is still pattern completion, not performance engineering. Across 176 tasks and 15 categories, task category explains 9.4% of correctness deviance, while method choice explains only 3.3%. Fusion has 72% all-method failure, and quantization goes 0/30 despite non-trivial compilation. That looks less like a prompt problem and more like missing models of coordination and numerical contracts. The nastier result is the refinement tradeoff. GEAK raises compile rate from 52.3% to 68.8%, but average speedup drops from 1.58x to 1.44x. Also, 46.6% of correct kernels are slower than PyTorch eager. Unlike SWE-bench-style code repair, passing tests here does not buy latency or cost savings.

ACSE is aimed at the right failure mode: token entropy is a bad proxy when answers paraphrase the same belief. The paper’s hard number is TriviaQA, where ACSE gets 0.88 AUROC versus 0.65 for token entropy. The conformal layer also gives an accept/abstain rule under a user-set error tolerance, which is cleaner than bolting on a vague verifier. My caveat is cost. ACSE needs multiple diverse responses for the same prompt, then semantic clustering. That is fine for batch QA and safety review; it is painful for low-latency agents, support flows, or medical triage. OpenAI and Anthropic have been pushing refusal and confidence behavior into the model loop. ACSE looks more like an external safety gate: statistically attractive, operationally expensive unless the required sample count is small.

The sharp result is that MAW pruning does not weaken Llama-3.2 evenly; it separates recall from obedience. Across seven expansion ratios, MMLU, GSM8K, and perplexity degrade, while IFEval rises 46% to 75% on 1B and 3B. MUSR stays robust. The weirdest hook is the 3B correlation: MMLU versus TruthfulQA-MC2 lands at r=-0.864, p=0.012. I don’t fully buy the “pruning improves alignment” framing. TruthfulQA-MC2 rewards avoiding common misconceptions; stripping parametric knowledge can make a model less confidently wrong. That is still useful, but it is a deployment knob, not magic. You trade memorized knowledge for cleaner instruction behavior and up to 23% lower J/token energy. Single-request latency gets worse, so the edge-device story is weaker than the batch-serving story.

NAS lands on the old model-editing failure mode: single edits look clean, sequential edits slowly poison the network. The paper pins the collapse on positive norm feedback between solved value vectors and edited MLP weights, with near-exponential norm growth under standard L&E dynamics. The proposed fix is almost annoyingly small: rescale each solved value vector to an original-model reference norm. Reported gains are large: over 4x longer usable edit horizon and 72.2% average long-run improvement. I buy the mechanism more than any “new editor” framing. ROME and MEMIT-style Locate-and-Edit methods have always carried batch-update side effects, and clamps or increment regularizers mostly cap the visible update. They do not stop the edited weights from contaminating the next value solve. The caveat is also obvious: the abstract does not expose the backbones, datasets, or collapse thresholds, so the 4x number depends heavily on how short the baseline horizon was.

RDB-PFN makes the right bet: relational foundation models cannot wait for internet-scale private databases, so the structure prior has to be synthetic. The paper trains on over 2 million synthetic single-table and relational tasks, then reports wins on 19 real relational prediction tasks against graph and single-table PFN baselines under the same DFS-linearized inputs. I buy the direction, not the enterprise victory lap. The abstract says lightweight architecture and fast inference, but it does not give production-scale schemas, schema drift, permission constraints, or dirty-data ratios. TabPFN already showed synthetic priors can hit hard on tables; RDB-PFN pushes that path into multi-table data. The hard test is whether it survives ugly ERP and CRM schemas, not whether it clears curated relational benchmarks.

Junking hits the old weak spot: defenses read meaning, attackers search strings. Rando and Vaiter define the objective as maximizing harmful-response prefix probability, then use greedy random search over token sequences. The abstract says the task is harder than standard jailbreaks, yet still reaches a high success rate. That is the uncomfortable part, because the attack bypasses prompt semantics and many intent-classifier guardrails. The evidence gap is large. The arXiv page gives 27 pages, 13 figures, and 2 tables, but model names and success rates are not disclosed in the provided text. Extrapolating to GPT-5, Claude Sonnet 4.5, or open-weight models is premature. Still, it lines up with the GCG-suffix lineage: unsafe behavior does not always need a malicious instruction; low-probability token regions can carry latent backdoors from training.