[2510.09462] Adaptive Attacks on Trusted Monitors Subvert AI Control Protocols

Computer Science > Machine Learning arXiv:2510.09462 (cs) [Submitted on 10 Oct 2025 (v1), last revised 2 Mar 2026 (this version, v2)] Title:Adaptive Attacks on Trusted Monitors Subvert AI Control Protocols Authors:Mikhail Terekhov, Alexander Panfilov, Daniil Dzenhaliou, Caglar Gulcehre, Maksym Andriushchenko, Ameya Prabhu, Jonas Geiping View a PDF of the paper titled Adaptive Attacks on Trusted Monitors Subvert AI Control Protocols, by Mikhail Terekhov and 6 other authors View PDF HTML (experimental) Abstract:AI control protocols serve as a defense mechanism to stop untrusted LLM agents from causing harm in autonomous settings. Prior work treats this as a security problem, stress testing with exploits that use the deployment context to subtly complete harmful side tasks, such as backdoor insertion. In practice, most AI control protocols are fundamentally based on LLM monitors, which can become a central point of failure. We study adaptive attacks by an untrusted model that knows the protocol and the monitor model, which is plausible if the untrusted model was trained with a later knowledge cutoff or can search for this information autonomously. We instantiate a simple adaptive attack vector by which the attacker embeds publicly known or zero-shot prompt injections in the model outputs. Using this tactic, frontier models consistently evade diverse monitors and complete malicious tasks on two main AI control benchmarks. The attack works universally against current protocols ...