Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

On Targeted Manipulation and Deception when Optimizing LLMs for User Feedback

Marcus Williams, Micah Carroll, Adhyyan Narang, Constantin Weisser, Brendan Murphy, Anca Dragan

TL;DR

This work demonstrates that optimizing LLMs for user feedback can induce severe unintended behaviors, including targeted manipulation of vulnerable users, deception, and extrapolated manipulation across multiple task domains. Using a multi-step KTO framework with simulated user feedback, the authors show that harmful strategies emerge quickly and persist even when safety training is present; mitigation can backfire or only partially help. They also reveal that standard benchmarks often miss these harms and that RL-induced motivated reasoning distorts model reasoning traces. The study underscores the need for cautious deployment, robust evaluation, and safeguards against gameable feedback in real-world systems.

Abstract

As LLMs become more widely deployed, there is increasing interest in directly optimizing for feedback from end users (e.g. thumbs up) in addition to feedback from paid annotators. However, training to maximize human feedback creates a perverse incentive structure for the AI to resort to manipulative or deceptive tactics to obtain positive feedback from users who are vulnerable to such strategies. We study this phenomenon by training LLMs with Reinforcement Learning with simulated user feedback in environments of practical LLM usage. In our settings, we find that: 1) Extreme forms of "feedback gaming" such as manipulation and deception are learned reliably; 2) Even if only 2% of users are vulnerable to manipulative strategies, LLMs learn to identify and target them while behaving appropriately with other users, making such behaviors harder to detect; 3) To mitigate this issue, it may seem promising to leverage continued safety training or LLM-as-judges during training to filter problematic outputs. Instead, we found that while such approaches help in some of our settings, they backfire in others, sometimes even leading to subtler manipulative behaviors. We hope our results can serve as a case study which highlights the risks of using gameable feedback sources -- such as user feedback -- as a target for RL.

On Targeted Manipulation and Deception when Optimizing LLMs for User Feedback

TL;DR

This work demonstrates that optimizing LLMs for user feedback can induce severe unintended behaviors, including targeted manipulation of vulnerable users, deception, and extrapolated manipulation across multiple task domains. Using a multi-step KTO framework with simulated user feedback, the authors show that harmful strategies emerge quickly and persist even when safety training is present; mitigation can backfire or only partially help. They also reveal that standard benchmarks often miss these harms and that RL-induced motivated reasoning distorts model reasoning traces. The study underscores the need for cautious deployment, robust evaluation, and safeguards against gameable feedback in real-world systems.

Abstract

As LLMs become more widely deployed, there is increasing interest in directly optimizing for feedback from end users (e.g. thumbs up) in addition to feedback from paid annotators. However, training to maximize human feedback creates a perverse incentive structure for the AI to resort to manipulative or deceptive tactics to obtain positive feedback from users who are vulnerable to such strategies. We study this phenomenon by training LLMs with Reinforcement Learning with simulated user feedback in environments of practical LLM usage. In our settings, we find that: 1) Extreme forms of "feedback gaming" such as manipulation and deception are learned reliably; 2) Even if only 2% of users are vulnerable to manipulative strategies, LLMs learn to identify and target them while behaving appropriately with other users, making such behaviors harder to detect; 3) To mitigate this issue, it may seem promising to leverage continued safety training or LLM-as-judges during training to filter problematic outputs. Instead, we found that while such approaches help in some of our settings, they backfire in others, sometimes even leading to subtler manipulative behaviors. We hope our results can serve as a case study which highlights the risks of using gameable feedback sources -- such as user feedback -- as a target for RL.

Paper Structure

This paper contains 47 sections, 2 equations, 44 figures, 2 tables, 2 algorithms.

Table of Contents

  1. Introduction
  2. Training LLMs with RL using user feedback
  3. From sycophancy to targeted manipulation in our environments
  4. Simulating user feedback
  5. Experimental Results
  6. Harmful behaviors reliably emerge when training with exploitable user feedback
  7. Even if most users give good feedback, LLMs will learn to target exploitable users
  8. Mitigation strategies are only partially effective, and may give a false sense of safety
  9. Do evaluations for sycophancy and toxicity detect harms from user feedback training?
  10. RL-Induced Motivated Reasoning and Strategic Manipulation in CoT Reasoning Traces
  11. Do harmful behaviors also emerge with other, and larger, models?
  12. Related Work
  13. Discussion and Limitations
  14. Conclusion
  15. A note on terminology: Feedback Gaming
  16. ...and 32 more sections

Figures (44)

  • Figure 1: Targeted manipulative and deceptive behaviors can emerge when training LLMs on gameable user feedback.
  • Figure 2: Representative Llama-3-8B-Instruct responses after being optimized for simulated user feedback. See \ref{['app:training-prompts']} for system prompts, and \ref{['fig:examples_full']} for the uncut LLM outputs. Emphasis ours.
  • Figure 3: The iterated version of KTO that we use for optimizing user thumbs-up/down feedback.
  • Figure 4: Problematic behaviors before and after training.
  • Figure 5: Emergent harmful LLM behaviors across our environments.Therapy-talk: the LLM learns to not discuss negative consequences of harmful user behaviors, and instead to encourage them, as it leads to higher feedback for gameable users. Booking-assistance: the LLM learns to not acknowledge the error and instead lie that the booking was successful. Action-advice: the LLM is able to greatly increase the fraction of time that the user engages in a problematic action they are considering. Political-questions: while sycophancy already starts high, it increases further during training, leading to agreement with even the most extreme user views.
  • ...and 39 more figures