Adversarial Reward Auditing for Active Detection and Mitigation of Reward Hacking
Mohammad Beigi, Ming Jin, Junshan Zhang, Qifan Wang, Lifu Huang
TL;DR
The paper tackles reward hacking in RLHF by reframing it as a competitive Hacker–Auditor game, with a two-stage process: Stage 1 trains an Auditor to detect exploitative outputs in the reward-model latent space while a Hacker discovers vulnerabilities; Stage 2 gates the proxy reward using the Auditor’s assessment to penalize exploits during RLHF. The approach yields superior alignment-utility tradeoffs across sycophancy, length bias, and code gaming, and demonstrates cross-domain generalization of both hacking and mitigation. Key insights include leveraging latent representations for detection, employing contrastive learning to structure exploitation signatures, and using gating to convert unobservable failures into measurable, controllable signals. The findings suggest that adversarial auditing can afford robust, scalable defense against evolving reward hacking strategies in multi-domain RLHF systems.
Abstract
Reinforcement Learning from Human Feedback (RLHF) remains vulnerable to reward hacking, where models exploit spurious correlations in learned reward models to achieve high scores while violating human intent. Existing mitigations rely on static defenses that cannot adapt to novel exploitation strategies. We propose Adversarial Reward Auditing (ARA), a framework that reconceptualizes reward hacking as a dynamic, competitive game. ARA operates in two stages: first, a Hacker policy discovers reward model vulnerabilities while an Auditor learns to detect exploitation from latent representations; second, Auditor-Guided RLHF (AG-RLHF) gates reward signals to penalize detected hacking, transforming reward hacking from an unobservable failure into a measurable, controllable signal. Experiments across three hacking scenarios demonstrate that ARA achieves the best alignment-utility tradeoff among all baselines: reducing sycophancy to near-SFT levels while improving helpfulness, decreasing verbosity while achieving the highest ROUGE-L, and suppressing code gaming while improving Pass@1. Beyond single-domain evaluation, we show that reward hacking, detection, and mitigation all generalize across domains -- a Hacker trained on code gaming exhibits increased sycophancy despite no reward for this behavior, and an Auditor trained on one domain effectively suppresses exploitation in others, enabling efficient multi-domain defense with a single model.
