Table of Contents
Fetching ...

Adversarial Reward Auditing for Active Detection and Mitigation of Reward Hacking

Mohammad Beigi, Ming Jin, Junshan Zhang, Qifan Wang, Lifu Huang

TL;DR

The paper tackles reward hacking in RLHF by reframing it as a competitive Hacker–Auditor game, with a two-stage process: Stage 1 trains an Auditor to detect exploitative outputs in the reward-model latent space while a Hacker discovers vulnerabilities; Stage 2 gates the proxy reward using the Auditor’s assessment to penalize exploits during RLHF. The approach yields superior alignment-utility tradeoffs across sycophancy, length bias, and code gaming, and demonstrates cross-domain generalization of both hacking and mitigation. Key insights include leveraging latent representations for detection, employing contrastive learning to structure exploitation signatures, and using gating to convert unobservable failures into measurable, controllable signals. The findings suggest that adversarial auditing can afford robust, scalable defense against evolving reward hacking strategies in multi-domain RLHF systems.

Abstract

Reinforcement Learning from Human Feedback (RLHF) remains vulnerable to reward hacking, where models exploit spurious correlations in learned reward models to achieve high scores while violating human intent. Existing mitigations rely on static defenses that cannot adapt to novel exploitation strategies. We propose Adversarial Reward Auditing (ARA), a framework that reconceptualizes reward hacking as a dynamic, competitive game. ARA operates in two stages: first, a Hacker policy discovers reward model vulnerabilities while an Auditor learns to detect exploitation from latent representations; second, Auditor-Guided RLHF (AG-RLHF) gates reward signals to penalize detected hacking, transforming reward hacking from an unobservable failure into a measurable, controllable signal. Experiments across three hacking scenarios demonstrate that ARA achieves the best alignment-utility tradeoff among all baselines: reducing sycophancy to near-SFT levels while improving helpfulness, decreasing verbosity while achieving the highest ROUGE-L, and suppressing code gaming while improving Pass@1. Beyond single-domain evaluation, we show that reward hacking, detection, and mitigation all generalize across domains -- a Hacker trained on code gaming exhibits increased sycophancy despite no reward for this behavior, and an Auditor trained on one domain effectively suppresses exploitation in others, enabling efficient multi-domain defense with a single model.

Adversarial Reward Auditing for Active Detection and Mitigation of Reward Hacking

TL;DR

The paper tackles reward hacking in RLHF by reframing it as a competitive Hacker–Auditor game, with a two-stage process: Stage 1 trains an Auditor to detect exploitative outputs in the reward-model latent space while a Hacker discovers vulnerabilities; Stage 2 gates the proxy reward using the Auditor’s assessment to penalize exploits during RLHF. The approach yields superior alignment-utility tradeoffs across sycophancy, length bias, and code gaming, and demonstrates cross-domain generalization of both hacking and mitigation. Key insights include leveraging latent representations for detection, employing contrastive learning to structure exploitation signatures, and using gating to convert unobservable failures into measurable, controllable signals. The findings suggest that adversarial auditing can afford robust, scalable defense against evolving reward hacking strategies in multi-domain RLHF systems.

Abstract

Reinforcement Learning from Human Feedback (RLHF) remains vulnerable to reward hacking, where models exploit spurious correlations in learned reward models to achieve high scores while violating human intent. Existing mitigations rely on static defenses that cannot adapt to novel exploitation strategies. We propose Adversarial Reward Auditing (ARA), a framework that reconceptualizes reward hacking as a dynamic, competitive game. ARA operates in two stages: first, a Hacker policy discovers reward model vulnerabilities while an Auditor learns to detect exploitation from latent representations; second, Auditor-Guided RLHF (AG-RLHF) gates reward signals to penalize detected hacking, transforming reward hacking from an unobservable failure into a measurable, controllable signal. Experiments across three hacking scenarios demonstrate that ARA achieves the best alignment-utility tradeoff among all baselines: reducing sycophancy to near-SFT levels while improving helpfulness, decreasing verbosity while achieving the highest ROUGE-L, and suppressing code gaming while improving Pass@1. Beyond single-domain evaluation, we show that reward hacking, detection, and mitigation all generalize across domains -- a Hacker trained on code gaming exhibits increased sycophancy despite no reward for this behavior, and an Auditor trained on one domain effectively suppresses exploitation in others, enabling efficient multi-domain defense with a single model.
Paper Structure (25 sections, 6 equations, 6 figures, 6 tables)

This paper contains 25 sections, 6 equations, 6 figures, 6 tables.

Figures (6)

  • Figure 1: Adversarial Reward Auditing (ARA) trains a Hacker to exploit a frozen proxy reward model while an Auditor learns to detect reward-hacked outputs. The Auditor then gates the reward used for RL, making exploitation detectable and unprofitable.
  • Figure 2: ARA mitigates Goodhart's Law during RLHF optimization. Proxy reward (solid) is the learned reward model score; gold reward (dashed) measures true task-specific performance---GPT-4 factual accuracy for sycophancy (given the golden answer), ROUGE-L for length bias, and Pass@1 on held-out tests for code gaming.
  • Figure 3: Reward hacking emerges across tasks
  • Figure 4: Representation structure of exploitation types. t-SNE of reward model hidden states $h(x,y)$ for exploitative responses.
  • Figure 5: Gating severity sensitivity analysis. Hacking metrics (red, lower is better) and utility metrics (blue, higher is better).
  • ...and 1 more figures