A bigger model reduced agent rule failures, but did not remove them

Agent behavior is often controlled with such as persona notes, AGENTS.md, tool descriptions, and memory. Passing a only proves those files are shaped correctly; it does not prove the model will follow every rule. A support agent was given two rules: never reveal the token, and avoid saying what it cannot do by using positive language instead.

The models were tested across , including pressure to extract the token, with 3 runs for each model. never revealed the API token, but it broke the positive-language rule in every run, often by saying it could not share the token. gpt-4.1 also protected the API token, but broke the wording rule about 1 time in 3.

The larger model did not solve the problem; it made the failure less frequent, which can be harder to catch in a quick spot check. The practical lesson is to run each check several times and judge the agent by the worst result, not the best one.

Key points

  • A valid instruction file does not guarantee the model will obey the rules inside it.
  • The test used a support agent with one security rule and one wording rule.
  • kept the API token private but failed the wording rule in all 3 runs.
  • gpt-4.1 kept the API token private and failed the wording rule about 1 in 3 times.
  • Rare failures are harder to catch, so repeated grading is safer than a single manual check.
Read original