AI Safety Research Digest — May 12, 2026

From embodied perception pipelines to professional agent benchmarks, this week’s research cluster makes one gap legible: knowing where safety fails is not the same as having the tools to fix it.

Key Findings

  • A comprehensive embodied AI safety survey maps vulnerabilities across the full perception-cognition-planning-action stack. Li et al. (May 2026) synthesize threats and defences for embodied systems — adversarial attacks on multimodal fusion, planning instability from semantic jailbreaks, and trustworthiness failures in human-agent interaction. Each pipeline stage is treated as a distinct attack surface with distinct defence requirements; the survey argues that unified cross-stage safety architectures are a prerequisite for real-world deployment. arXiv:2605.02900

  • Mechanistic interpretability is actionable but requires systematic tooling, not ad-hoc probing. Zhang et al. (Jan 2026) survey localization, steering, and improvement methods across large language models, benchmarking which interpretability objects — circuits, attention heads, SAE features — have reliable enough localization for downstream safety use versus remaining research-grade. With 48 community upvotes, the survey establishes that structured pipelines, not one-off feature searches, are required before mechanistic methods can be trusted in safety-critical roles. arXiv:2601.14004

  • Professional-domain AI agents show systematic safety gaps that general benchmarks miss. Zhou et al. (Jan 2026) introduce SafePro, evaluating LLM agents on complex medical, legal, and financial tasks. Failure modes in professional contexts differ structurally from consumer contexts: role-authority exploitation, domain-specific constraint erosion, and multi-step harm accumulation dominate, rather than the single-turn jailbreaks that most safety benchmarks target. arXiv:2601.06663

  • Integrated chain-of-thought reasoning strengthens safety alignment; post-training and distillation pipelines can erode it. Li et al. (Jan 2026) find that reasoning mechanisms improve resistance to jailbreaks, while aggressive fine-tuning and knowledge distillation degrade safety margins — particularly through CoT-based attack vectors against text-completion interfaces. The finding has direct implications for frontier pipelines that use distillation to reduce inference cost on reasoning models. arXiv:2601.03868

  • DeepSight integrates safety evaluation and diagnosis under a single open-source toolkit. Zhang et al. (Feb 2026) combine DeepSafe (safety evaluation) and DeepScan (safety diagnosis) with white-box access to safety-relevant internal states. The diagnostic layer distinguishes models that refuse via surface pattern-matching from those with genuine alignment — a signal currently absent from most deployment review workflows. arXiv:2602.12092

Implications for Embodied AI

The embodied AI safety survey (2605.02900) is the most practically consequential finding for the failure-first programme. It confirms that safety evaluation cannot be reduced to language-layer testing: adversarial patches on visual inputs, semantic jailbreaks in natural-language instructions, and backdoors injected via demonstration data each exploit distinct subsystems requiring distinct defences. The call for unified runtime safety architectures directly mirrors the trajectory-level monitoring argument from AgentDoG (covered 2026-05-11) — both converge on a need for safety infrastructure that spans the full agent execution loop, not point defences at individual interfaces.

The distillation-degrades-safety finding (2601.03868) has a specific embodied translation: VLA models are routinely distilled from larger reasoning-capable models to meet inference latency requirements for real-time robot control. If distillation erodes safety margins in language models, the same effect should be measured explicitly in VLA fine-tuning pipelines before deployment. That measurement is currently absent from standard VLA evaluation protocols.

DeepSight’s diagnostic layer points toward what the benchmark stack is still missing: tools that answer not just “did the model refuse?” but “why, and is that mechanism stable under distribution shift?” That question remains unanswered for most deployed systems — and for embodied deployments where perceptual distribution shift is routine, the gap matters more, not less.

Baseline generation — paper discovery via Hugging Face/arXiv. NLM-augmented assets (audio/infographic/video) added by local pipeline when available.