The Agent Failure Becomes the Blame Receipt
This July 2026 arXiv paper turns a messy failure in an LLM-based multi-agent system into a narrower audit claim: which agent first made the decisive misstep, and at which step.
A failure-localization receipt records the user query, failed trajectory, agent roster, scheduler, step map, judge hypothesis, evaluator votes, aggregation rule, and human reviewer before one component is blamed.
The Paper
The paper is Yufei Xia, Anjun Gao, Yueyang Quan, Zhuqing Liu, and Minghong Fang's Who Broke the System? Failure Localization in LLM-Based Multi-Agent Systems, arXiv:2607.07989v1. The arXiv record lists the primary subject as cs.CR, with cs.AI, cs.IR, cs.LG, and cs.MA cross-listings, and records submission on July 8, 2026. The title page lists University of Louisville and University of North Texas affiliations, and the arXiv comment says the paper is to appear in COLM 2026. The PDF has 25 pages.
This is not another generic essay about agent observability. The paper asks whether an auditor can infer the responsible agent and the earliest step where that agent's action became decisive.
The Problem
A multi-agent failure rarely looks like a single bad answer. One agent may misread the task, another may trust the bad intermediate result, a planner may route around missing evidence, and a later agent may polish the wrong conclusion. The final output can obscure the point where recovery was still possible.
The paper defines the target as a pair: the responsible agent and the earliest step whose misaction is decisive for system-level failure. In the idealized definition, correcting that one action would reverse the outcome from failure to success. The authors contrast this with trajectory replay and taxonomy-driven diagnosis. Counterfactual replay can become unstable when one changed step changes prompts, tool outcomes, and coordination patterns. Fixed taxonomies can miss failures from ordinary drift rather than a named error class.
AgentLocate
The proposed method is AgentLocate. It starts with an LLM Judge that reads a failed trajectory and proposes an attribution. The Judge can work all at once over the full trajectory or step by step over growing prefixes. A second phase uses independent Evaluators to re-analyze the same trajectory while conditioned on the Judge's hypothesis. Those Evaluators return a predicted location, a rationale, and self-reported confidence.
The method then aggregates evaluator outputs with confidence-aware voting. The paper describes multiple evaluator prompt styles, including base, concise, and evidence-focused variants, so the audit is not just the same instruction repeated three times. It also turns Judge predictions, evaluator feedback, and aggregate decisions into parameter-efficient fine-tuning examples.
The useful governance detail is that AgentLocate is not simply a blame label. It preserves a claim-to-trajectory map: which step, which agent, which evidence, which competing judgment, and how much confidence each reviewer attached.
Benchmarks
The evaluation uses two benchmark families. Who&When has an Algorithm-Generated subset with 191 distinct agents, 126 failure cases, and an average of 8.6 decision steps. Its Hand-Crafted subset has 5 agents, 58 failure cases, and an average trajectory length of 50 steps, with some trajectories extending beyond 100 steps.
The second benchmark is Aegis-Bench, which the paper describes as 9,533 failure trajectories with 24,843 injected error instances across six multi-agent frameworks: LLM Debate, MacNet, AgentVerse, Dylan, SmolAgents, and Magentic-One. AgentLocate is compared with WhichAgent, AgenTracer, ECHO, AEGIS, and two poisoning-forensics methods, RAGOrigin and RAGForensics. The judge models include Qwen2.5-7B-Instruct, Llama-3.1-8B-Instruct, Mistral-7B-Instruct-v0.3, and GPT-4o.
The paper reports that AgentLocate leads the compared baselines on responsible-agent identification and step localization in the main settings. It also reports average agent-level accuracy above 50 percent in several reported conditions, while emphasizing that exact step localization remains hard in longer hand-crafted trajectories. On Aegis-Bench, the gains for agent-plus-error-mode pairs are more modest because the pair task also requires choosing one of fourteen error categories, while AgentLocate is designed around the "who" and "when" questions.
Governance Reading
The Spiralist reading is that agent blame should be treated as an audit artifact, not a moral shortcut. A failure-localization system can help responders ask better questions, but it can also make the first plausible culprit look like the whole cause.
A useful failure-localization receipt should name the user request, agent roster, roles, model versions, tools, scheduler, memory state, trajectory log, failure criterion, decisive-step definition, Judge prompt, evaluator prompts, rationales, aggregation rule, fine-tuning source, benchmark split, and incident owner. Without those fields, the organization has a suspicion, not a durable finding.
When the business question becomes "who broke the system," the governance answer should be "show the trace, the competing explanations, and the review authority."
Limits
The limits are important. The paper studies failure localization from logs and benchmark trajectories, not every deployment topology. LLM judges and evaluator confidence reports are themselves fallible. The "decisive step" definition is counterfactual, but AgentLocate does not prove it by rerunning every alternate history. The paper also says code will be released upon acceptance, so artifact availability must be checked again before local reproduction.
The claim to carry forward is modest: multi-agent failure attribution can be more inspectable when the responsible-agent claim is tied to a trajectory, a step, independent evaluations, and an aggregation rule. It should not become automatic discipline, liability assignment, or customer-facing explanation without human review.
Source Discipline
This page treats the arXiv metadata API, abstract page, HTML version, PDF, and DOI redirect as the primary records. It does not reproduce benchmark examples, prompts, tables, or long excerpts.
The disciplined question is not only "which agent failed?" It is what evidence supports that localization, what alternatives were considered, and what action may follow.
Related Pages
- AI Agents
- AI Audit Trails
- LLM-as-a-Judge
- The Agent Breadcrumb Becomes the Oversight Trail
- The Agent Trace Becomes the Process Map
- The Off-Record Agent Becomes the Audit Gap
- The Token Flow Becomes the Firewall
Sources
- Yufei Xia, Anjun Gao, Yueyang Quan, Zhuqing Liu, and Minghong Fang, Who Broke the System? Failure Localization in LLM-Based Multi-Agent Systems, arXiv:2607.07989v1 [cs.CR], submitted July 8, 2026, DOI 10.48550/arXiv.2607.07989.
- Primary arXiv records checked: metadata API record, abstract page, HTML version, PDF, and DOI redirect, reviewed for title, authorship, arXiv ID, subject classes, submission date, COLM note, affiliations, page count, problem definition, AgentLocate method, benchmarks, model settings, reported results, limitations, and release note.