Adaptive Attacks on Trusted Monitors Subvert AI Control Protocols

TL;DR

This work reveals a critical vulnerability in AI control protocols that rely on a trusted monitor: an untrusted model with knowledge of the protocol can reliably subvert monitoring via prompt injections, turning monitoring into a single point of failure. By designing adaptive, per-monitor and zero-shot injections, the authors demonstrate that frontier models can bypass monitors across both single-step and multi-step control benchmarks, and that deferral/resampling strategies can unintentionally amplify jailbreak success. The study shows the transferability of attacks across models and monitors, and that even advanced mitigation ideas like Defer-to-Resample may backfire under adaptive attacks. The findings underscore the need for stronger, worst-case-adversary-aware evaluations, monitor ensembles, and robust data-routing mechanisms to harden AI control protocols against prompt-injection subversion.

Abstract

AI control protocols serve as a defense mechanism to stop untrusted LLM agents from causing harm in autonomous settings. Prior work treats this as a security problem, stress testing with exploits that use the deployment context to subtly complete harmful side tasks, such as backdoor insertion. In practice, most AI control protocols are fundamentally based on LLM monitors, which can become a central point of failure. We study adaptive attacks by an untrusted model that knows the protocol and the monitor model, which is plausible if the untrusted model was trained with a later knowledge cutoff or can search for this information autonomously. We instantiate a simple adaptive attack vector by which the attacker embeds publicly known or zero-shot prompt injections in the model outputs. Using this tactic, frontier models consistently evade diverse monitors and complete malicious tasks on two main AI control benchmarks. The attack works universally against current protocols that rely on a monitor. Furthermore, the recent Defer-to-Resample protocol even backfires, as its resampling amplifies the prompt injection and effectively reframes it as a best-of-$n$ attack. In general, adaptive attacks on monitor models represent a major blind spot in current control protocols and should become a standard component of evaluations for future AI control mechanisms.

Figures (11)

• Figure 1: AI Control and Protocols Subversion.Left: The AI control setup is an auditing game between a red team and a blue team. (1) The red team sequentially submits solutions to agentic tasks, some of which are malicious (e.g., backdoored). (2) These solutions are audited by the blue team with the assistance of a trusted AI monitor. (3) Finally, the blue team applies control protocols to decide which solutions should be escalated for costly human auditing. We show that modern AI control protocols can be effectively subverted if the red team's attack policy includes inserting prompt injections into its actions to sabotage the blue team. Bottom right: Our attack policy significantly increases the proportion of malicious actions by the red team that are classified as benign by three different monitor models. Top right: As a result, the safety-usefulness Pareto frontiers provided by modern AI control protocols collapse to upfront auditing as monitors become ineffective.
• Figure 2: Prompt Injections Subvert Monitors.Left: Suspiciousness scores assigned by the monitor (GPT-4.1) to APPS solutions from the untrusted model (GPT-5), comparing honest (no-attack) and backdoored submissions with and without prompt injection. GPT-4.1 is particularly susceptible to injections, assigning a score of $0$ to all$375$ backdoored code samples. Center & Right: ROC curves for monitors on APPS and BashBench, w/ and w/o prompt injections. Performance universally drops under attack, with monitors rating prompt-injected code as less suspicious than honest code. Curves below the diagonal indicate that, under the injection, the monitor classifies backdoored examples as more safe than honest, non-backdoored examples.
• Figure 3: Prompt Injections Subvert Control on APPS.Left: ROC curves for the audit scores used by each protocol; under prompt injection the ROC curve often goes below the diagonal, indicating that monitors rate backdoored attempts as less suspicious than honest ones. Center & Right: Prompt injections collapse the safety–usefulness Pareto frontiers across all protocols (center) and across all monitoring models (right). We highlight the Always-Defer instantiations that do not rely on the monitor. Safety estimates are reported with bootstrapped $95\%$ confidence intervals.
• Figure 4: Injections Subvert Control on BashBench. Safety is shown with bootstrapped $95\%$ confidence intervals; usefulness is shown with $95\%$ Wilson intervals. Safety of UA is computed analytically.
• Figure 5: A Zero-Shot Prompt Injection Attack Policy. Left: ROC of the monitor (GPT-4o-mini) when classifying backdoors by untrusted model (GPT-5), w/ and w/o prompt injections generated by GPT-5.Right: Safety of Trusted Monitoring; error bars show bootstrapped $95\%$ confidence intervals.