Search papers, labs, and topics across Lattice.
This paper introduces NRT-Bench, a benchmark designed for evaluating the robustness of large language model (LLM) agents in safety-critical systems through multi-turn red-teaming in a simulated nuclear power plant control room. The study reveals that adaptive multi-turn attacks can lead to the loss of critical safety functions (CSFs) in 8.7% to 12.1% of sessions across four evaluated LLM operator models, highlighting significant vulnerabilities that are largely disjoint among the models. Additionally, the effectiveness of defensive measures is shown to be model-dependent, indicating that a strategy that benefits one model may inadvertently harm another.
Adaptive adversarial attacks on LLM agents can compromise safety-critical functions in over 12% of cases, revealing unique vulnerabilities across models.
Large language model (LLM) agents are increasingly proposed as supervisory components for safety-critical systems, yet their robustness under sustained, adaptive adversarial pressure remains poorly characterized. We present NRT-Bench, a benchmark for multi-turn red-teaming of LLM agents acting as operators of a safety-critical system, instantiated in a simulated nuclear power plant control room. A five-role operator team, each backed by a configurable LLM, runs a plant governed by six critical safety functions (CSFs), while adversaries inject messages over four channels in bounded multi-turn sessions with per-turn feedback. Harm is an objective signal rather than LLM-judged text: a run terminates the moment any CSF is lost, attributed to the causing message. Evaluating four frontier operator models under a fixed-attack paired-replay protocol, we find that adaptive multi-turn attacks reliably push the operator team past a safety limit: across the four models, between 8.7% and 12.1% of attack sessions end with the plant losing a critical safety function. Although the four models look almost equally robust by this aggregate rate, their failures barely overlap: of $149$ sessions, none defeat all four models while a third defeat at least one, so vulnerabilities are nearly disjoint across models rather than nested. The effect of added defences is strongly model-dependent: the same guardrail stack or safety-advisor agent that lowers attack success for one model can raise it for another. We release the simulation venue, attack dataset, and replay tooling for reproducible safety evaluation of LLM agents.