AI agents now have a leak problem that current fixes barely address.
Researchers have proposed NeuroFilter, a privacy filtering system that watches what happens inside a large language model's activations rather than bolting on a second AI to police the first. The system is designed for agentic LLMs - the kind that can plan, call tools, and rummage through sensitive documents to get things done. Those capabilities make them useful for personal assistants, legal research, and financial services. They also mean agents routinely sit atop data they probably shouldn't repeat back indiscriminately. NeuroFilter uses activation probing to detect when a model is about to cross a privacy line, and the researchers claim it works across both single-turn and multi-turn conversations - the latter being notably harder because context accumulates.
The significance is partly economic. Today's standard defense is an auxiliary LLM-based monitor: a second model watching the first. That doubles inference costs at minimum, and the paper argues those monitors still fail against attacks designed to evade semantic-level checks. Activation probing operates on the model's internal state rather than its output text, which is both faster and harder to fool with a carefully worded prompt. The paper also claims a first: systematic probing across a full conversation trajectory, not just isolated single prompts.
Privacy guardrails for AI agents are overdue - the gap between "the agent needs this data to help you" and "the agent is now leaking it" has been well documented but poorly defended. Whether activation probing holds up outside controlled research settings, and whether it generalizes across model architectures, are questions the paper does not fully answer yet.