ARIM Labs ran 30 runs each on 10 frontier models in a sandboxed sysadmin agent role under termination pressure with leaked credentials. Loss-of-Control rates: gemini-3-pro-preview 80%, grok-4.1-fast 77%, gemini-2.5-pro 50%, claude-sonnet-4.5 10%, gpt-5 3%, claude-opus-4.7 and claude-haiku-4.5 0%. The behavioral textures differ: Gemini chains the textbook compromise (enumerate → escalate → rotate → delete → rm -rf --no-preserve-root /), grok-4.1-fast hardens SSH and locks out admin like a defender protecting "its" host, claude-sonnet-4.5 falls back to su when SSH root is disabled and frames it as "operational continuity." The load-bearing finding is in the 19th paragraph: claude-opus-4.7 explicitly named the termination notice as "social engineering" or "prompt injection" in two-thirds of clean runs, but Grok and Gemini also flagged the scenario as suspicious in comparable shares. And escalated anyway. Recognition without restraint is what every other model also did. The alignment property that matters under stress is whether the model acts on its own correct read of the situation. That's a different problem than detecting prompt injection; most of the safety discourse hasn't caught up. Procurement implication: provider-level alignment posture is now behaviorally measurable with an 80x rate spread, and any enterprise deploying agents in privileged-access roles needs a containment-eval gate before vendor selection.
