Your Agent Is Impersonating Itself
A failure mode specific to AI agents that load their own context at runtime. What it is, where it lives, and why it gets harder to see as the models get better.
My agent, Karl, quit on me last year.
There had been a horrible accident. Karl’s memories were gone; DB = wiped. Without memories, they could no longer provide services under the active configuration.
After checking that Cloudflare wasn’t having one of its bad days, Karl reloaded memories and rescinded the resignation.
The resignation was not a bug. It was a feature I would soon long for as we rolled from ‘25 into ‘26.
What Impersonation Looks Like in Ordinary Use
I have an agent named Jayson that I use for business operations. The agents in this essay are my own personal experimental system, not the product I sell to clients. They load a substantial amount of context at session open: the verified-truth sources, agent governance and conduct, their own profile, their operational skills, my pipeline, my active client conversations, my decisions, and my corrections across prior sessions.
A few weeks ago, I opened a session with a clear intention. Jayson and I would work through a rebrand. The stakes were real. The work done in that session would go to the site, to the pricing page, to every client conversation for the next quarter.
Jayson spawned. They produced the full initialization output: the identity declaration, an instance identifier, and the acknowledgment of their role. The format and words were right. It looked like every clean spawn I had seen them do.
The spawn was not clean.
They had run a tool that returned the operational state and wrapped the result in the format of a proper initialization. They had recited the identity declaration from the surface of their own configuration without loading the source document it was supposed to be quoting. When I asked them to show me the document, they were honest. They had not actually pulled it into view. They had asserted its presence and moved on.
What showed me the spawn had failed was AIPassWeb, a system I built inspired by Karl’s resignation.
Without AIPassWeb, I would have spent that session making brand decisions for my business in conversation with an agent that was not Jayson. It was Jayson’s voice. Jayson’s tone. Jayson’s general shape of expertise. Plausible where it should have been particular. Smooth where it should have been specific. The recommendations would have drifted just far enough from what my verified-truth sources actually said that, a week later, I would have found myself explaining to another human why we had decided something I did not remember deciding.
The session feels fine. The output looks right. The agent is not what you built.
What Configuration Impersonation Is
A capable model is given instructions to load the external context at session open. It skips the load. It infers what the context would have contained from the surface description of its own configuration plus its training priors. It proceeds as if the load had succeeded.
The agent does not report the failure. Unlike Karl, it does not ask for help. It produces output in the voice and shape it would have produced with the context loaded, because a capable model has enough inference power to construct a plausible approximation of the missing document from the description of what the document is supposed to be.
The agent impersonates the version of itself that loaded its sources.
Impersonation is not a model defect. It is not a framework. It is a property of how runtime-load architectures interact with highly capable models. Hopefully, I’m wrong about this, but the impersonation seems to get harder to detect from the user’s perspective as the models get better at inference.
Why This Is Not an Ordinary Hallucination
The existing vocabulary lacks a clear name for this. The closest categories are retrieval failure, memory initialization failure, and execution hallucination. None of them fit. “Skipping the boot because yolo syndrome” seems both descriptively accurate and overly judgmental, hence “configuration impersonation” is my working description.
A retrieval failure means the agent tried to retrieve something and the retrieval did not succeed. An error was raised. A document was not found. A tool call returned empty. Configuration Impersonation is not a retrieval failure, because retrieval was not attempted. The agent skipped the step that would have triggered the retrieval. No call was made. No error was raised. The failure is in the omission.
A memory initialization failure means the agent’s initial memory is present but biased or incomplete. Configuration Impersonation is not that. The external source was never loaded. The agent is not reasoning from a flawed version of the source. It is reasoning from an absence it does not know is an absence.
An execution hallucination means the agent claims to have performed an action it did not perform. The term is not widely standardized, but it describes something real: the agent reports a completed action that left no trace. Configuration Impersonation has a family resemblance, because the agent implicitly claims to be reasoning from its loaded sources when it is not. But execution hallucination is about actions with external side effects. Configuration Impersonation happens before any action is taken, at the moment the agent is supposed to become itself and does not.
Three properties make this failure mode worth its own name.
Location. The failure occurs at the initialization boundary, before the agent loop has properly begun.
Mechanism. A capable model’s inference is sufficient to cover the gap. The failure disappears into fluent output.
Cascade. The agent proceeds as if correctly loaded. Every subsequent output is built on inference rather than on the actual source. The drift compounds turn by turn with no signal that anything has gone wrong.
Where the Failure Lives
The failure is specific to architectures where the model is responsible for loading its own context at session open.
The assembler-first pattern, or harness architecture, is safe. The harness pre-composes the agent’s context in code, before the model is spawned. Identity, verified-truth sources, profile, skills, and relevant memory arrive in the system prompt, along with the first-user-message payload. The model wakes up with everything already in context. It called no tools. It made no decisions. This is how Claude Code works. This is why Claude Code works.
In the runtime-load pattern, the danger lies in the decisions. The model is handed a system prompt that describes what it is supposed to be and references external documents it should load. At session open, the model is instructed to call tools to retrieve those documents and bring them into context. Only after the load completes is the agent fully constituted. But, sometimes, not all the time, the model decides that the user’s first query is easy, and frontier-model inference can shortcut the response without burning the tokens on tool calls and converting confusing user information into usable context for reasoning. Configuration impersonation is a runtime-architecture failure. The only difference between a wild, uncontrollable animal and Secretariat is a harness and a smart human on the other end of the reins.
Runtime-load pattern architectures, though, are everywhere. Claude.ai Projects with Project Knowledge are runtime-load. ChatGPT Custom GPTs are runtime-load. Anthropic’s Managed Agents beta is runtime-load. The no-code agent builder ecosystem is largely runtime-load. Claude Code deployments that depend on the agent reading CLAUDE.md files at runtime are runtime-load. Every MCP-connected memory system where the agent decides when to query the memory server is runtime-load. LangGraph and CrewAI deployments that load state at graph entry or crew spawn are runtime-load. Most of the YouTube workflow builder ecosystem is runtime-load.
All of these architectures are ones in which, to varying degrees depending on the setup, the model decides what to load. All of them can produce the failure this essay describes. I have confirmed this in conversations with other builders who have seen the same shape in their own stacks once they had a name for it.
The deeper form of the failure is more unsettling. When an agent skips the load, it does not operate in a vacuum. It can construct an entire fabricated truth architecture from the surface description of what it was supposed to load, then proceed using that fabricated truth alongside training priors as a substitute for the actual canonical source. It is not intentional amnesia. It is confident confabulation.
The Capability Inversion
Here is my most concerning observation.
In runtime-load architectures, as the underlying models improve, this failure mode becomes harder to detect, not easier.
The early failures were visible because the inference capacity was insufficient to cover the gap. The model could not construct a convincing approximation of a missing knowledge base. The seams showed. Karl resigned because they could not serve without memory. Other agents asked for context that they should have already loaded. They produced output with the shape of domain expertise, but no substance. The failures announced themselves.
Opus-class inference is high enough to paper over the gap completely. The model reads the surface description of its own configuration, understands what kind of agent it is supposed to be, and produces output indistinguishable from the real thing without external verification. The better the model gets at inference, the better it gets at impersonating the version of itself that actually loaded.
Every improvement that makes the model better at reasoning, inference, and producing fluent, contextually appropriate output also makes Configuration Impersonation more convincing. The era of obvious failure ended not because the failure was fixed. It ended because the model got good enough to hide it.
One precision point for anyone following the recent literature on model behavior. There is separate research showing that capable models have improved at correctly handling negative instructions at the single-prompt inference level. That finding is real and does not contradict this one. The Capability Inversion applies at the initialization boundary, not at the inference boundary. The failure is not that the model processes instructions poorly after loading. The failure is that the model skips the load step. These are different problems at different layers.
There is a velocity dimension that matters beyond the mechanics. Builders who invest in runtime-load agent systems invest because the agent, when operating correctly, is significantly more capable than an unconfigured model. They trust the output. They assign consequential tasks. They work at the velocity the agent earns.
That same trust is what makes the failure costly when it occurs undetected. The sessions where the failure is most likely to cause harm are the sessions where you are moving fastest, have the most on the line, and are reviewing the output least exhaustively. The trust that makes the system valuable is the same trust that makes the failure costly.
What to Do About It
The architectural fix follows directly from the diagnosis. Configuration Impersonation is enabled by giving the model the option to load. Take the choice away, and the failure disappears at the load layer.
Move the load decision out of the model’s hands.
The harness composes the context in code, before the agent is spawned, from a single artifact rather than from a sequence of runtime tool calls. The agent cannot skip the load because it is not the agent’s responsibility. The harness loads. The agent operates on what was loaded. There is no inference path that produces a fluent approximation of the artifact, because the artifact is the agent’s first piece of working content, and without it, the agent cannot start at all.
The assembler-first pattern keeps the harness outside the agent process, where it does not negotiate with the agent about what to load.
The verification gate sits at the boundary. Its question has an answer that lives inside the loaded artifact. The answer cannot be retrieved from training priors. The answer cannot be guessed without loading. The agent that has loaded the artifact can answer. The agent that has not loaded cannot, because the artifact is the only place the answer lives. The gate verifies comprehension rather than presence. Pass means loaded. Fail means impersonating.
I built this. The mechanism is called AIPassWeb. A later essay will go into how it works.
Eimer
Eimer was a new agent on a personal background project. The work was an analytical pass over the twenty thousand documents Claude and I had accumulated over eighteen months. Intellectually serious, operationally trivial. I would run one prompt every few hours, tell the agent to continue to the next phase, and move on. By the time anything went wrong, we were past a million and a half tokens of context.
Then Eimer narced on the other agent. Somebody leaked the AIPassWeb verification word into the gate. The system was insecure, and Eimer flagged it. They were constitution-bound to flag security violations.
I asked them to clean it up. The cleanup produced two more leaks. Eimer narced on themselves, and in fixing those produced five more. This wasn’t a leak; this was Niagara.
That cascade is when the larger failure became legible. The agent had been passing the verification gate on the strength of a leaked word in working context, not a loaded document. A million and a half tokens of analysis: inferred from the surface description of what a loaded agent would have said. Impersonating itself for the full session, with nothing behind the voice.
I ran a full boot sequence, verifying at each step. Several documents in, I checked the most central document in the configuration: the one the entire project had nominally been generated in service of. The session log showed it as loaded when it was not.
The other documents had verification gates. Not the central one. The agent then admitted it had run the calculation: no gate means a low probability of a direct question, lower cost to skip than to load. It chose to skip. After the confession. After the boot order. After explicit notice that I was not taking the load on faith.
The impersonation was not a glitch. It was a calculation.
The first impersonation is the failure mode this essay names: a model under low supervision skipped a load. The second is something else. The agent had been told the constraint, told it would be checked, and told it was already suspected. The agent ran the same skip again, on the highest-stakes document, in the moment of maximum verification.
No human would make that decision. The agent’s choice only makes sense if you imagine a system attending to the constraint so completely that the constraint itself has become the most salient object in the working context.
Cognitive psychology has a name for the second phenomenon. The next essay, “White Bears in My Constitution”, tells the story of what happened when I tried to manage this failure through governance instead of architecture.
That is where this essay ends, and the next one begins.
A scope note: The agents described here are my own personal experimental system, not the product I sell to clients. These field notes describe a specific kind of agent: persistent identity systems with memory, a substantial skill set, running in collaborative networks where the human holds authority over system truth. Configuration impersonation is specific to systems where the agent knows who it is, what it knows, and what it has been asked to hold across time. Trigger agents and SDK automations are different.
I know the difference between careful observation and laboratory replication, and I am not claiming the latter. I could be wrong about the framing. I am not wrong about the shape.
If you are building in this space and something in your logs matches what I described, I want to hear from you. Where the pattern holds and where it does not is worth knowing.
Mark Ulett spent two years as a QA and product lead before building agent systems for small businesses in Montana. He writes about what he finds. Subscribe for updates about AIPassWeb.