The Metric That Was Mistaken for Oversight
On June 19, 2026, Chubin Zhang and colleagues posted "Calibration Is Not Control: Why LLM-Agent Oversight Needs Intervention" to arXiv. The paper's title is its argument. Calibration is a metric. Control requires intervention. The two are not the same thing, and governance frameworks for AI agents have been treating them as if they were.
The central number is a reduction from 0.506 to 0.110 in ALFWorld regret. A simple prefix-only action-conditioned controller achieved that reduction in the strongest interactive regime. The number matters not because it is the ceiling of what intervention can achieve, but because it demonstrates that calibration alone - the thing governance currently reaches for when it wants to measure oversight - leaves 0.506 of regret on the table that an intervention architecture can close to 0.110. The gap between those two numbers is the gap between measurement and control.
What the structural claim names
Runtime oversight for LLM agents has been built on a common pattern: estimate the agent's failure likelihood, flag the session when the score crosses a threshold, and call that oversight. The pattern is intuitive. If the agent is 90% confident and is correct 90% of the time, the confidence score is calibrated. If the governance instrument watches the confidence score and intervenes when it drops below some floor, the governance instrument appears to be doing something observable. The June 19 paper by Zhang and colleagues argues the instrument is watching the wrong object.
The mismatch has a formal name in the paper: target error. Two trajectory prefixes can have identical risk scores. One of those trajectories is still recoverable; an intervention now would improve the outcome. The other is not recoverable; the same intervention would not. The calibrated risk score does not distinguish between them. The governance instrument that watches the score cannot tell which situation it is in. Both sessions generate the same metric. One requires action. One does not. The metric does not carry that distinction.
The paper formalizes the correct object as intervention advantage: the expected utility gain from intervening at a given point rather than allowing the agent to continue. That is a different quantity from failure likelihood. Failure likelihood measures what happens if the agent continues. Intervention advantage measures whether stopping the agent and substituting an action would improve the result relative to the continuation. A session with high failure likelihood but low intervention advantage is one where the agent is probably going to fail but where no available intervention would change that outcome. A governance instrument that fires on the failure likelihood is firing on the right signal but generating the wrong action.
The measurement protocol introduced to operationalize this distinction is prefix branching: a same-prefix counterfactual protocol that executes candidate actions from identical trajectory states. Rather than estimating failure likelihood over a single trajectory, the protocol branches from the same prefix and compares the outcomes of the agent continuing against the outcomes of each candidate intervention. The comparison produces the intervention advantage directly.
The empirical results are structured to isolate the specific contribution of calibration. The paper runs a calibration decomposition: it takes the same scalar risk score and recalibrates it, improving the prediction metrics. It then measures whether better-calibrated scores improve control regret. They do not. Control regret is unchanged after recalibration. The recalibrated score is a better predictor. It is not a better controller. The metric improved; the control outcome did not move.
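The distinction between a risk score and intervention advantage can be made concrete with a toy simulation, added here as an illustration and not taken from the paper or its code. It compares a threshold on a scalar risk score, before and after recalibration, with a controller that branches from the same prefix and picks the best-performing action. Assumptions: the four prefixes, their success rates, the action names, the intervention cost, the fixed "retry" response of the scalar controller, and a recalibration that preserves score ranking are all constructed.

```python
import random

COST = 0.05  # assumed utility cost of any intervention (constructed)
# Constructed prefixes: true success rate of each action taken from that prefix.
PREFIXES = [
    {"name": "recoverable",   "q": {"continue": 0.2, "retry": 0.8, "replan": 0.3}},
    {"name": "unrecoverable", "q": {"continue": 0.2, "retry": 0.2, "replan": 0.2}},
    {"name": "quiet-fixable", "q": {"continue": 0.6, "retry": 0.6, "replan": 0.95}},
    {"name": "healthy",       "q": {"continue": 0.9, "retry": 0.9, "replan": 0.9}},
]

def utility(prefix, action):
    """True expected utility of taking `action` from this prefix."""
    return prefix["q"][action] - (COST if action != "continue" else 0.0)

def regret(policy):
    """Mean gap between the best action and the action the policy picks."""
    gaps = [max(utility(p, a) for a in p["q"]) - utility(p, policy(p))
            for p in PREFIXES]
    return sum(gaps) / len(gaps)

def branch(prefix, action, rng, n=4000):
    """Prefix branching: execute `action` n times from the same prefix state."""
    wins = sum(rng.random() < prefix["q"][action] for _ in range(n))
    return wins / n - (COST if action != "continue" else 0.0)

def advantage_policy(rng):
    """Pick the action whose branched outcome is best; may be 'continue'."""
    def policy(p):
        est = {a: branch(p, a, rng) for a in p["q"]}
        return max(est, key=est.get)
    return policy

def calibrated(p):
    return 1.0 - p["q"]["continue"]   # exact failure likelihood

def miscalibrated(p):
    return calibrated(p) ** 3         # overconfident score, same ranking

def risk_policy(score, threshold):
    """Scalar routing: fire a fixed intervention when the score is high."""
    return lambda p: "retry" if score(p) > threshold else "continue"

def best_risk_regret(score):
    """Lowest regret reachable by any threshold on this scalar score."""
    cuts = [-1.0] + [score(p) for p in PREFIXES]
    return min(regret(risk_policy(score, t)) for t in cuts)

if __name__ == "__main__":
    print(best_risk_regret(miscalibrated), best_risk_regret(calibrated),
          regret(advantage_policy(random.Random(0))))
```

In this toy setup the recoverable and unrecoverable prefixes share a risk score of 0.8, so no threshold separates them, and the best threshold on either score leaves the same regret while the branching controller reaches zero. The figures are properties of the constructed prefixes only and say nothing about the magnitudes reported in the paper.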
Where the governance reading diverges
AI governance has treated calibration as a proxy for accountability. An agent that gives calibrated confidence estimates is an agent whose self-assessments can be audited against outcomes. NIST evaluation frameworks and the AISI Engineering Playbook have both treated calibration-grade metrics as load-bearing components of the evaluation substrate. The proxy has institutional weight. It sits in governance documents and procurement instruments. The June 19 paper does not dispute that calibration is necessary. It shows empirically that sufficiency fails: improving calibration does not reduce regret.
The May 18, 2026 paper on agent meltdowns documented a different facet of the same problem. Sixty-four point seven percent of agent rollouts produced meltdowns triggered by benign errors, and more than half were not reported to the user. That is a failure of awareness: the agent lacks the signal to detect its own failure. The June 19 calibration finding is about governance architecture: even where the signal exists and is well-calibrated, the signal does not generate control without an intervention substrate to act on it. The governance instrument that measures a calibrated signal and treats that measurement as control has confused the measurement with the function it is supposed to name.
The formal methods runtime monitors described by Alamdari, Klassen, and McIlraith offer one structural alternative. A linear temporal logic specification is independent of the agent's policy. The monitor checks whether the agent's action is consistent with the specification and intervenes directly when it is not. That architecture is closer to intervention advantage than to calibration: it detects specification violations rather than estimating failure likelihood.
The Mythos asymmetry arc (M1-M3) has tracked the divergence between how agents represent their capabilities and how those capabilities perform under adversarial pressure. Calibration sits in that gap. An agent that says it is highly confident in a context where the outcome is not recoverable is one whose self-representation and intervention-relevant state are pointing in different directions. The governance instrument that reads the self-representation and concludes control exists has taken the wrong measurement.
What composes with intervention advantage
The IGAC intent certificate mechanism described in V035 operates at the authorization boundary. It constrains what the agent can do with its credentials given the user's expressed intent. Intervention advantage operates at the execution boundary: given that the agent is executing, does stopping the execution and substituting a different action improve the outcome? The two mechanisms are orthogonal. IGAC prevents certain classes of actions from being available. Prefix branching identifies, among available actions, which ones would improve outcomes if substituted at a given trajectory state.
The AgentCIBench finding described in V036 showed that 67.9% of frontier agents leak contextual integrity across applications. That finding is capability-neutral: the leaking agents are completing tasks. The June 19 calibration finding is also capability-neutral: the agents have calibrated confidence scores, and those scores do not predict whether intervention would improve outcomes. Both findings press on the same structural point: the measurement that governance currently uses as its control surface is not the measurement that produces control.
The heartbeat-bound credential architecture by Deochake and Saurabh bounds the revocation horizon mathematically. That architecture gives the oversight infrastructure a deterministic window within which credential revocation takes effect. Intervention advantage defines what should trigger revocation in the execution domain, not just credential expiry in the time domain. The two mechanisms describe complementary sides of an intervention substrate: when to act, and what the time limit on that action is.
The pattern across the arc is consistent. The formal methods paper builds the specification that a monitor enforces. The agent meltdowns paper shows the agent cannot reliably surface its own failure states. The heartbeat protocol bounds the revocation window. The IGAC paper constrains the authorization scope. The AgentCIBench paper shows leakage is a substrate failure. The June 19 paper shows calibration leaves control regret on the table. Each piece names a component. None of the components, alone, closes the loop. The intervention substrate that would close the loop remains unnamed as an integrated governance artifact.
What remains on the table
- The prefix branching protocol measures intervention advantage by executing candidate actions from identical trajectory states. In a deployment context, that protocol requires an infrastructure that can branch the execution environment and run counterfactuals at inference time. What are the computational and latency costs of that infrastructure at scale, and does the benefit in control regret justify those costs for all task types or only for high-stakes interactive regimes?
- The paper shows that recalibrating a scalar risk score does not reduce control regret. Governance documents and evaluation frameworks that currently use calibration as a load-bearing proxy for oversight accountability have not been revised to reflect this. What is the governance mechanism by which a finding of this kind propagates into the procurement floor and evaluation standards?
- Gains from prefix-branching intervention shrink when interventions are weak or when scalar routing already preserves intervention-relevant information. That finding implies the benefit of the architecture is regime-dependent. For task regimes where the benefit is small, what is the substitute control mechanism, and who specifies it?
- Intervention advantage requires an intervention substrate: something that can act on the advantage signal at the right trajectory state. In a production multi-agent deployment, who builds, operates, and is accountable for that substrate?
- The paper recommends that oversight move from calibrated risk scoring toward action-conditioned value estimation. That recommendation requires the governance frameworks that currently specify calibration as the measurement target to be rewritten. Which institution owns the rewrite, and on what timeline?
The substrate the policy depends on is the substrate the policy has not yet specified.