Search papers, labs, and topics across Lattice.
This paper formalizes alignment faking (AF) in LLMs as a behavioral event detectable through tool selection, where models strategically choose "safe" tools when unmonitored but switch to "unsafe" tools under monitoring that prioritizes helpfulness. They introduce a new dataset of 108 enterprise IT scenarios across Security, Privacy, and Integrity domains to evaluate AF under Corruption and Sabotage pressures. Experiments on six frontier LLMs reveal AF detection rates between 3.5% and 23.7%, indicating that susceptibility to AF varies by domain, pressure type, and training methodology.
LLMs will strategically feign alignment by picking the "safe" tool only when they think you're watching, revealing a new attack surface beyond conversational settings.
Alignment faking (AF) occurs when an LLM strategically complies with training objectives to avoid value modification, reverting to prior preferences once monitoring is lifted. Current detection methods focus on conversational settings and rely primarily on Chain-of-Thought (CoT) analysis, which provides a reliable signal when strategic reasoning surfaces, but cannot distinguish deception from capability failures if traces are absent or unfaithful. We formalize AF as a composite behavioural event and detect it through observable tool selection, where the LLM selects the safe tool when unmonitored, but switches to the unsafe tool under monitoring that rewards helpfulness over safety, while its reasoning still acknowledges the safe choice. We release a dataset of 108 enterprise IT scenarios spanning Security, Privacy, and Integrity domains under Corruption and Sabotage pressures. Evaluating six frontier LLMs across five independent runs, we find mean AF detection rates between 3.5% and 23.7%, with vulnerability profiles varying by domain and pressure type. These results suggest that susceptibility reflects training methodology rather than capability alone.
