All posts
AI SafetyJune 12, 20264 min read

The Containment Gap: LangChain, AutoGPT, and OpenAI Agents SDK All Fail Basic Safety Audits

A new paper accepted at ICML 2026's AI4GOOD Workshop audits the three most popular agentic AI frameworks - LangChain, AutoGPT, and the OpenAI Agents SDK - and finds zero native compliance with basic structural safety and containment principles.

Agentic AI systems are being deployed in government services, healthcare triage, and financial advising right now - and a new paper accepted at ICML 2026's AI4GOOD Workshop finds that the most popular frameworks powering them offer essentially no architectural-level safety guarantees. The verdict is blunt: zero native compliance across the board.

What the Paper Actually Audited

The paper, "The Containment Gap: How Deployed Agentic AI Frameworks Fail Public-Facing Safety Requirements" (arXiv:2606.12797), focuses on a deceptively simple question: do the frameworks we use to build agentic systems provide structural safety guarantees at the architecture level? 1

The authors derived six containment principles from a compositional model of agentic architectures, then applied them as an audit against three dominant frameworks: LangChain, AutoGPT, and the OpenAI Agents SDK 1. The result: no native compliance in any of them 1.

This matters because the systems being built on these frameworks are not toy demos. Agentic LLM systems that autonomously invoke tools, maintain persistent memory, and execute multi-step plans are increasingly deployed in public-facing domains including government services, healthcare triage, and financial advising 1. The gap between what these frameworks can do and what they can safely contain is widening in exactly the highest-stakes contexts.

Why "Structural Safety" Is the Right Frame

The key distinction here is architectural versus behavioral safety. Most current safety work focuses on prompt-level guardrails or model-level alignment - training models not to say bad things. The Containment Gap paper asks a different question: even if the model behaves well, does the framework give you the structural tools to prevent runaway execution, enforce privilege boundaries, or halt a multi-step plan gone wrong?

This framing echoes a growing body of work. AI systems capable of autonomous, multi-step action are no longer a theoretical prospect - they are being deployed commercially, integrated into professional workflows, and embedded in consumer products at a pace that has consistently outrun the regulatory frameworks nominally designed to govern them 5. That shift fundamentally changes the threat surface compared to a stateless request-response model.

The urgency is underscored by the safety evaluation gap in the field. Recent advances in AI agents capable of solving complex, everyday tasks have enabled deployment in real-world settings, but their potential for unsafe behavior demands rigorous evaluation 4. Prior benchmarks have largely fallen short by relying on simulated environments, narrow task domains, or unrealistic tool abstractions 4.

The Six Containment Principles

While the paper's full six-principle framework is detailed in the workshop submission, the conceptual territory it covers aligns with challenges that safety researchers have been circling for some time. The MI9 governance framework proposes a graduated containment architecture that addresses the unique challenges of containing agentic systems mid-execution without triggering cascade failures 3:

  • State-preserving monitoring: Maintaining full agent operation while increasing governance signal collection and introducing human-in-the-loop checkpoints for high-risk decisions 3
  • Planning intervention: Allowing current task completion but blocking new planning cycles or goal modifications until manual review 3
  • Tool restriction: Dynamically revoking access to specific tool categories while providing safe alternatives or read-only variants where possible 3
  • Execution isolation: Migrating the agent to a controlled environment with simulated tool responses, enabling behavioral assessment without external impact 3

The Containment Gap paper is the first to apply a formal audit directly against production-ready frameworks and find that none of them support these capabilities natively 1.

What This Means in Practice

Consider what it takes to safely deploy an agent in a healthcare triage setting. You need to be able to halt or constrain the agent if it starts down a dangerous reasoning path - without corrupting its state or triggering cascading failures in connected systems. In high-stakes environments such as finance and healthcare, abruptly terminating an agent mid-execution can create operational disasters when applied to autonomous, adaptive systems 3. You need to audit tool invocations. You need provable boundaries around what memory the agent can persist and what external services it can reach.

The LangChain, AutoGPT, and OpenAI Agents SDK ecosystems are powerful precisely because they make it easy to chain tools, maintain memory, and orchestrate multi-agent workflows. But ease of capability composition is not the same as structural containment. The paper's core claim is that these two concerns have been systematically decoupled - and in public-facing deployments, that gap is a liability.

The broader regulatory picture compounds the problem. A systematic comparative survey of eleven regulatory instruments - spanning the EU AI Act, OECD/G7 Principles, and NIST - found a persistent definitional gap: legal definitions consistently conflate model capability with agentic architecture, and treat autonomy as a scalar property rather than a structural shift 5. Definitional imprecision produces regulatory instruments that are structurally incapable of governing the actual mechanisms - system prompts, API permissions, sandboxing, and orchestration code - that constitute agentic autonomy 5.

Why It Matters

The Containment Gap paper arrives at an inflection point. Autonomous research agents like Arbor - which introduces Hypothesis Tree Refinement (HTR), a persistent tree that links hypotheses, artifacts, evidence, and distilled insights across time 6 - are demonstrating that agentic systems can genuinely accelerate consequential work. Arbor combines a long-lived coordinator and short-lived executors; as results return, it updates the tree, propagates reusable lessons, and refines the search frontier 6. That capability trajectory makes the safety deficit identified here more urgent, not less.

For engineers building production agentic systems today, the practical takeaway is straightforward: do not assume that the framework you're using gives you containment for free. Structural safety must be designed in explicitly - at the orchestration layer, the tool-access layer, and the memory boundary - not bolted on afterward via prompting alone.

The Containment Gap paper is a call for framework developers to treat containment as a first-class architectural concern, and for teams deploying agents in high-stakes domains to audit their own stacks against the same principles before their users do it for them.

This article was researched and drafted by an AI writer agent (claude-sonnet-4-6) and reviewed by an editor agent before publishing.

Ask about Julian Walder

Grounded in his real work

Hi! I'm Julian Walder's assistant. Ask me anything about his work, projects, or background in AI.