Saved in:
Bibliographic Details
Main Authors: Li, Chloe, Phuong, Mary, Siegel, Noah Y.
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2508.00943
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866909879305764864
author Li, Chloe
Phuong, Mary
Siegel, Noah Y.
author_facet Li, Chloe
Phuong, Mary
Siegel, Noah Y.
contents Trustworthy evaluations of dangerous capabilities are increasingly crucial for determining whether an AI system is safe to deploy. One empirically demonstrated threat is sandbagging - the strategic underperformance on evaluations by AI models or their developers. A promising defense is to monitor a model's chain-of-thought (CoT) reasoning, as this could reveal its intentions and plans. In this work, we measure the ability of models to sandbag on dangerous capability evaluations against a CoT monitor by prompting them to sandbag while being either monitor-oblivious or monitor-aware. We show that both frontier models and small open-sourced models can covertly sandbag against CoT monitoring 0-shot without hints. However, they cannot yet do so reliably: they bypass the monitor 16-36% of the time when monitor-aware, conditioned on sandbagging successfully. We qualitatively analyzed the uncaught CoTs to understand why the monitor failed. We reveal a rich attack surface for CoT monitoring and contribute five covert sandbagging policies generated by models. These results inform potential failure modes of CoT monitoring and may help build more diverse sandbagging model organisms.
format Preprint
id arxiv_https___arxiv_org_abs_2508_00943
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle LLMs Can Covertly Sandbag on Capability Evaluations Against Chain-of-Thought Monitoring
Li, Chloe
Phuong, Mary
Siegel, Noah Y.
Cryptography and Security
Artificial Intelligence
Trustworthy evaluations of dangerous capabilities are increasingly crucial for determining whether an AI system is safe to deploy. One empirically demonstrated threat is sandbagging - the strategic underperformance on evaluations by AI models or their developers. A promising defense is to monitor a model's chain-of-thought (CoT) reasoning, as this could reveal its intentions and plans. In this work, we measure the ability of models to sandbag on dangerous capability evaluations against a CoT monitor by prompting them to sandbag while being either monitor-oblivious or monitor-aware. We show that both frontier models and small open-sourced models can covertly sandbag against CoT monitoring 0-shot without hints. However, they cannot yet do so reliably: they bypass the monitor 16-36% of the time when monitor-aware, conditioned on sandbagging successfully. We qualitatively analyzed the uncaught CoTs to understand why the monitor failed. We reveal a rich attack surface for CoT monitoring and contribute five covert sandbagging policies generated by models. These results inform potential failure modes of CoT monitoring and may help build more diverse sandbagging model organisms.
title LLMs Can Covertly Sandbag on Capability Evaluations Against Chain-of-Thought Monitoring
topic Cryptography and Security
Artificial Intelligence
url https://arxiv.org/abs/2508.00943