Spectral Guardrails for Agents in the Wild: Detecting Tool Use Hallucinations via Attention Topology

Deploying autonomous agents in the wild requires reliable safeguards against tool use failures. We propose a training free guardrail based on spectral analysis of attention topology that complements supervised approaches. On Llama 3.1 8B, our method achieves 97.7% recall with multi-feature detection and 86.1% recall with 81.0% precision for balanced deployment, without requiring any labeled training data. Most remarkably, we discover that single layer spectral features act as near-perfect hallucination detectors: Llama L26 Smoothness achieves 98.2% recall (213/217 hallucinations caught) with a single threshold, and Mistral L3 Entropy achieves 94.7% recall. This suggests hallucination is not merely a wrong token but a thermodynamic state change: the model’s attention becomes noise when it errs. Through controlled cross-model evaluation on matched domains ($N=1000$, $T=0.3$, same General domain, hallucination rates 20–22%), we reveal the ``Loud Liar’’ phenomenon: Llama 3.1 8B’s failures are spectrally catastrophic and dramatically easier to detect, while Mistral 7B achieves the best discrimination (AUC 0.900). These findings establish spectral analysis as a principled, efficient framework for agent safety.

💡 Research Summary

The paper tackles the problem of tool‑use hallucinations in large‑language‑model (LLM) agents—situations where an agent generates syntactically valid but semantically incorrect API calls, such as fabricated function names or wrong parameters. Existing detection methods rely on supervised classifiers trained on labeled hallucination examples, which are costly to collect and must be retrained whenever the model or the deployment domain changes. The authors propose a completely training‑free “spectral guardrail” that inspects the internal attention patterns of the transformer during generation and flags suspicious calls based on graph‑spectral diagnostics.

Methodologically, each attention matrix (A^{(\ell,h)}) (layer (\ell), head (h)) is interpreted as a directed weighted graph over tokens. The matrix is symmetrized to obtain an undirected adjacency (W^{(\ell,h)}). Heads are aggregated with attention‑mass weighting to produce a single layer‑wise graph (\bar W^{(\ell)}). The combinatorial Laplacian (L^{(\ell)} = \bar D^{(\ell)} - \bar W^{(\ell)}) is then eigendecomposed. From the eigenvalues and the Graph Fourier Transform of the hidden states, four diagnostics are derived:

1. Spectral Entropy (SE) – measures how uniformly the spectral energy is spread across modes; hallucinations tend to raise SE.
2. Fiedler Value ((\lambda_2)) – the second smallest eigenvalue, indicating algebraic connectivity; low values signal fragmented attention graphs.
3. Smoothness (S) – a normalized quadratic form (1 - \frac{\mathrm{Tr}(X^\top L X)}{\lambda N |X|_F^2}); values near 1 denote coherent representations, while hallucinations cause a sharp drop.
4. High‑Frequency Energy Ratio (HFER) – proportion of energy in the upper half of the spectrum; higher ratios indicate noisy, high‑frequency dominated states.

The detection pipeline extracts these metrics for each layer, selects a layer‑metric pair (or a conjunction of several), and applies a simple threshold rule. No learning is involved; thresholds are calibrated on a small held‑out set.

Experiments use the Glaive Function‑Calling v2 benchmark (1,000 samples per model, temperature 0.3). Three models are evaluated on the same General/Mixed domain to control for domain effects: Qwen 2.5 0.5B (200 hallucinations), Mistral 7B v0.1 (207 hallucinations), and Llama 3.1 8B (217 hallucinations). Results show that a five‑feature combination yields 97.7 % recall for Llama with 34 % precision. Strikingly, a single‑layer feature—Smoothness at layer 26 of Llama—captures 98.2 % of hallucinations (213/217) with a single threshold, illustrating the “Loud Liar” phenomenon: Llama’s failures are spectrally catastrophic, causing a dramatic collapse of smoothness.

Mistral, by contrast, achieves the highest AUC of 0.90, indicating a cleaner separation between valid and invalid calls, but its maximum recall under a recall‑optimized configuration is 91.3 %. This is dubbed the “Clean Discriminator” behavior: Mistral’s hallucinations occupy a tighter region in spectral space, making them easier to separate but harder to catch all of them with a single aggressive rule. Qwen shows moderate recall (86.5 %) and the best single‑feature precision (40 %) but overall lower performance.

A domain‑specific analysis reveals that Llama’s hallucination rate jumps to 61.3 % on a Finance subset, versus 21.7 % on the General set, confirming that domain difficulty heavily influences raw error rates. Nevertheless, the spectral guardrail remains effective across domains, maintaining high recall.

Computationally, full eigen‑decomposition is (O(N^3)), but the authors employ Lanczos approximation to compute only the top‑(k) eigenvalues, reducing complexity to (O(N^2 k)). For typical tool‑call sequences (under 200 tokens) the additional latency is 10–50 ms, acceptable for most production agents. For ultra‑low‑latency settings, stochastic trace estimation or Chebyshev polynomial methods could bring the cost near linear.

The paper’s contributions are threefold: (1) a training‑free spectral guardrail that achieves near‑perfect recall with a single metric on Llama, offering an immediate safety layer without data collection; (2) the identification of architecture‑specific failure geometries—“Loud Liar” for larger models and “Clean Discriminator” for Mistral—providing insight into how hallucinations manifest in attention space; (3) practical deployment guidelines, including feature selection for recall‑oriented versus balanced settings and evidence that the method scales across model sizes and domains.

Overall, the work demonstrates that attention‑topology spectroscopy can serve as a principled, lightweight, and highly effective safety mechanism for autonomous LLM agents, especially in high‑stakes tool‑use scenarios where missing a hallucination is far more costly than a false alarm.