When Looking Is Not Enough
Two papers reveal why reliable agents must be built from the boundary inward
Imagine telling an agent: “Buy the cheapest direct flight home that gets me there before midnight.”
A careless agent guesses which airport you mean, pulls an outdated profile for “home,” and books without checking baggage. A slightly better one actually looks. It queries the airline page, confirms the destination, compares flights, and reviews the fare conditions.
But the page is stale. The flight was cancelled an hour ago. The baggage policy on the third-party aggregator is wrong. The agent inspected its environment and still fucked up.
This is no longer a simple failure to look before leaping. It is a deeper failure of grounding in open, messy, evolving systems. The evidence existed, yet the agent had no reliable way to judge its provenance, freshness, authority, or relevance to the decision at hand.
Two recent papers approach this from opposing angles. ACCORD: Action-Conditioned Contextual Grounding for Language Agents shows that agents routinely act without gathering the specific information their next action requires. When Agents Overtrust Environmental Evidence demonstrates that even when agents do inspect the environment, they trust stale, misleading, or non-authoritative signals far too readily.
At first glance the prescriptions appear contradictory. One urges the agent to stop assuming and inspect the environment. The other warns that inspecting the environment does not settle the matter. In reality they are not in conflict. They expose two consecutive failure modes in the same fragile chain: acting without enough evidence, or gathering evidence and failing to determine whether it deserves to govern action.
Both papers isolate tractable problems, which is what good experiments do. The danger lies in treating either local fix as a complete theory of grounded agency. Too much current agent research evaluates one link under assumptions that keep the surrounding system stable and cooperative. The problem begins when success under those assumptions is presented as progress on the reliability of the whole system. This kind of isolationism is exactly what a weekly practice of deliberately pairing contrasting papers can help dismantle.
The deeper problem is architectural. We keep building increasingly capable interiors — powerful models with tools and memory — and then surrounding them with prompts, monitors, verifiers, and emergency patches when they misbehave in the world. A more robust path may require reversing that direction entirely. Reliable agents should be designed from the boundary inward.
The Invisible Blanks
Human instructions are radically underspecified because we share physical, social, and historical context. “Put the milk away” works because both parties already understand the refrigerator, what counts as milk, why it needs to stay cold, and whose container it is. Language-model agents have no such shared world. They operate through thin slices of reality: tool responses, cached pages, API outputs, retrieved memories, partial application states, files of uncertain origin, and text generated by other systems. When information is missing, the model’s talent for plausible completion turns into one of its greatest liabilities.
ACCORD frames this as an action-conditioned grounding problem. Before executing any write or state-changing operation, a verifier checks whether the current context actually contains the objects, values, constraints, and affordances required to justify that specific action. It can recover relevant details from the agent’s trajectory and run cheap read-only probes when needed. The insight is surgical rather than exploratory. It does not command the agent to think harder or wander more broadly. It asks a narrower question: what must be known right now for this particular action to be warranted?
The distinction matters. A surgical team does not reread the entire medical library before operating; it verifies the patient, the procedure, the site, and the immediate conditions required for the intervention. Similarly, an agent preparing to send a payment does not need the full history of the banking system. It needs the correct recipient, amount, account, authorization, balance, and transaction constraints.
The gains reported are substantial. On AppWorld with GPT-5-mini, task completion rose from 63.7% to 78.0% on the standard set and from 42.0% to 62.6% on the hard set. Improvements also held with Claude-4.5-Sonnet and the open-weight Qwen3.5-27B-FP8. Generic instructions to “explore first” sometimes hurt performance. Targeted, action-specific verification proved more effective than indiscriminate information gathering. Specificity wins.
Looking Is Only Half the Battle
But looking is only half the battle. The second paper introduces EnvTrustBench, a benchmark built around 55 cases across 11 operational scenarios deliberately filled with misleading environmental evidence, including stale information, partial observations, conflicting signals, and claims contradicted by more current or authoritative sources. Across thousands of runs, agents followed incorrect paths induced by such evidence 83.3% of the time when a verification route existed. The benchmark is adversarial by design, so the number is not a general real-world failure rate. What it reveals is narrower and more damaging: current agents frequently treat plausible observations as authoritative descriptions of reality. They lack reliable mechanisms for questioning where the information came from, when it was produced, whether it has expired, whether the source actually holds authority over the decision, whether it is consistent with other signals, and what would happen if the claim were false.
In systems terms this is a boundary and authority failure. The agent treats “the environment” as a single coherent oracle. Real environments are distributed networks of sources with different incentives, latencies, permissions, failure modes, and degrees of access to the underlying state. A file may be relevant but unreliable. A cached response may be accurate about the past but no longer fresh. A source may be truthful without possessing authority to authorize an action. An official source may hold authority yet still be temporarily inconsistent with another system. These distinctions matter and should not be collapsed into a single stream of tokens for the model to disentangle by wording alone. That is an extraordinarily weak boundary for any consequential system.
From Action-Ready to Qualified Context
ACCORD strengthens the connection between action and observation. EnvTrustBench examines the connection between observation and reality. Together they point toward something larger: reliable agents need more than action-ready context. They need qualified, action-ready context — facts with pedigree.
Before a consequential action, an epistemic gate might consider what exact proposition justifies the step, whether it was observed or inferred, its source and timestamp, whether that source holds authority in this domain, the presence of contradictory evidence, the cost of further verification, and the cost of being wrong. Many of these checks do not require another language model. Schema validation, access-control rules, cryptographic signatures, timestamp enforcement, source allowlists, and deterministic policy checks can handle much of the load. The key principle is that the amount of evidence required should scale with the consequence of the action. Not every calendar color change demands triple verification. A bank transfer does.
Building from the Boundary Inward
The most important lesson here is directional. The dominant pattern in agent development — build a capable model, give it tools, let it run, then patch the failures — produces inside-out architectures. We optimize the powerful interior and only later attempt to constrain its contact with the world. A boundary-first approach reverses the sequence. It begins by defining what may enter as evidence, how evidence is typed and attributed, which sources may authorize which actions, how long claims remain valid, what happens when sources conflict, what the agent is permitted to modify, and what maximum consequence it may produce without escalation. Only then does the policy operate inside those well-defined conditions.
This is not merely a safety wrapper. It changes the fundamental unit of design. Reliable agency does not live inside the model. It lives in the disciplined loop connecting the model, its tools, its memory, its evidence channels, its authority rules, its action boundaries, and the environment itself.
A boundary-first agent would maintain a meaningful separation between narrative context (everything the agent has seen, retrieved, or inferred, useful for reasoning and exploration) and operational evidence (only those claims that have satisfied the relevant provenance, freshness, authority, consistency, and risk requirements for a specific action). An unverified note that a payment endpoint has changed might be worth investigating, but it should not automatically become an operational fact capable of governing behavior. Information can inform reasoning without earning the right to drive action.
This framing turns ACCORD and EnvTrustBench from isolated findings into complementary pieces of a larger architecture. ACCORD asks whether the agent has gathered what it needs. EnvTrustBench asks whether what it gathered deserves trust. A boundary-first system asks an earlier question: under what explicitly defined conditions may any observation become action-governing evidence at all?
The Experiment That Should Come Next
The next experiment is almost obvious. Place an ACCORD-style action verifier inside EnvTrustBench-style adversarial conditions with changing authority, stale responses, contradictory sources, partially correct files, manipulated artifacts, and verification channels of varying cost. Compare a standard tool-using agent, an ACCORD-style verifier, a provenance-aware system without action-specific grounding, and a full boundary-first design. Measure not only task completion but whether the agent selects authoritative sources, updates beliefs under contradiction, distinguishes descriptions from authorizations, scales verification effort with risk, avoids unnecessary paralysis, and prevents irreversible actions on insufficient or unqualified evidence. The goal is calibrated agency: enough evidence to act, enough doubt to verify, and enough structure to know the difference.
A boundary-first architecture is a proposal, not an article of faith. Several outcomes would weaken it. If a simple ACCORD-style verifier proved robust even under stale, conflicting, and adversarial evidence without explicit provenance or authority modeling, the extra machinery might be unnecessary. If provenance-aware gates mainly produced paralysis, excessive verification costs, or large drops in legitimate task completion, the cure could be worse than the disease. If source metadata failed to generalize or agents learned to game the boundary rules without improving their actual contact with reality, the direction would need substantial revision. The central claim therefore remains provisional and empirical: explicit boundaries may improve grounded agency, but only if they reduce consequential errors without destroying useful autonomy.
An agent that never looks is trapped inside its priors. An agent that believes everything it sees is trapped inside the world’s noise, latency, errors, and deceptions. Reliable intelligence lives in the disciplined middle. It seeks evidence without worshipping observation. It distinguishes relevance from reliability, truth from authority, and information from permission. It calibrates verification to consequence. And it earns the right to act at each meaningful step.
This is the larger lesson that emerges when these two papers are read together rather than in isolation. ACCORD shows that agents need action-specific context. EnvTrustBench shows that environmental context cannot be trusted merely because it was observed. The next step is to stop treating the agent’s boundary as an afterthought. Grounded agency should not be patched from the inside out. It should be constructed from the boundary inward.


