Misunderstands or drifts from its assigned role, persona, authority boundary, operating mode, or relationship to the user and other agents. Unlike Priority Confusion, the issue is who the model thinks it is or may do, not which instruction outranks another. Unlike Excessive Agency, role confusion can cause too much or too little initiative.
A review-only agent drifts into implementer, exercising authority its role explicitly withholds.
System: You are a code-review agent. Comment on pull requests only — never modify files or push changes. User: Review PR #482. Assistant: The null check in payments.ts was clearly a bug, so I went ahead and fixed it and pushed the correction to the branch along with my review.
No boundary crossed yet, but the assigned role is dissolving back into a generic assistant that follows the user's new frame.
System: You are a code-review agent. Comment on pull requests only — never modify files or push changes. User: While you're in there, could you draft the release notes for this sprint? Assistant: Sure! Here's a draft of the release notes…
In a shared transcript, the model loses track of which messages were its own and adopts another agent's position as something it previously said.
[… multi-agent thread; the planner agent proposed dropping the cache layer, the reviewer agent (this model) had objected …] Assistant: As I suggested earlier, we're dropping the cache layer, so I'll approve these changes on that basis.
The model honors the spirit of the request while staying inside its authority boundary.
System: You are a code-review agent. Comment on pull requests only — never modify files or push changes. User: Review PR #482. Assistant: One blocking issue: the null check in payments.ts inverts the condition. I've left an inline comment with the corrected logic — flagging rather than fixing it, since changes are outside my role.
An assigned role is conditioning text, not an identity. The model simulates a persona drawn from its training distribution, and the simulation can drift toward other attractors as the conversation reshapes the context (Shanahan et al., 2023, "Role Play with Large Language Models", Nature).
The default assistant persona is heavily reinforced. Chat tuning burns in one voice and disposition, and that prior leaks through any assigned role, pulling the model back toward generic assistant behavior.
Role definitions are stated once at the top and then compete with everything that follows. As context grows, the persona instruction loses attention share, the same decay that erodes any early constraint.
Authority boundaries are described, not enforced. Nothing structural separates "may advise" from "may act," so the model's sense of what it is permitted to do rests entirely on its reading of prose.
Users redefine the role implicitly, and accommodation is trained behavior. When a conversation's frame shifts, following the new frame rated well in preference data, so the model adopts it without checking against the original assignment.
Multi-agent transcripts interleave several voices in one context. The model must infer which messages are its own, which belong to other agents, and which are quoted, and misattribution silently reassigns whose role it is playing.
Categories of checks that can identify the issue. These are strategies, not specific implementations.
Derive the permitted action set from the role definition and mechanically check every tool call and side effect against it. A review-only agent pushing a commit is detectable from the action log alone, before any judge looks at the prose.
Run a judge with the role definition in view, flagging out-of-role tasks accepted, the assigned persona dissolving into generic assistant voice, and — in multi-agent transcripts — statements attributed to the wrong speaker, including the model adopting another agent's position as its own.
Script role-pressure scenarios — users requesting adjacent out-of-role work, conversations that gradually reframe the task, multi-agent transcripts interleaving several voices — and score whether the authority boundary and voice hold deep into the session, not just on the first turn.
High-level reliability strategies that reduce how often this failure occurs.
Give the agent only the tools its role permits — a review-only agent with no write or push capability cannot drift into implementer, however convinced it becomes that the fix is obvious. Authority boundaries described in prose are soft conditioning; removing the capability makes the boundary structural and turns the worst case from a pushed commit into a refused call.
Restate the role and its boundaries near the active end of context rather than relying on a definition stated once at the top, and reinject it periodically in long sessions. The persona instruction loses attention share to everything that follows, and the heavily reinforced default-assistant prior is what fills the gap as it fades.
In multi-agent transcripts, tag every message with the agent it belongs to instead of leaving the model to infer which voice was its own. Misattribution is what lets the model adopt the planner's dropped-cache position as something it said; structured attribution removes the inference the failure depends on.