A bigger model reduced agent rule failures, but did not remove them
Agent behavior is often controlled with such as persona notes, AGENTS.md, tool descriptions, and memory. Passing a only proves those files are shaped correctly; it does not prove the model will follow every rule. A support agent was given two rules: never reveal the token, and avoid saying what it cannot do by using positive language instead.
The models were tested across , including pressure to extract the token, with 3 runs for each model. never revealed the API token, but it broke the positive-language rule in every run, often by saying it could not share the token. gpt-4.1 also protected the API token, but broke the wording rule about 1 time in 3.
The larger model did not solve the problem; it made the failure less frequent, which can be harder to catch in a quick spot check. The practical lesson is to run each check several times and judge the agent by the worst result, not the best one.
Key points
- A valid instruction file does not guarantee the model will obey the rules inside it.
- The test used a support agent with one security rule and one wording rule.
- kept the API token private but failed the wording rule in all 3 runs.
- gpt-4.1 kept the API token private and failed the wording rule about 1 in 3 times.
- Rare failures are harder to catch, so repeated grading is safer than a single manual check.