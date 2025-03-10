Detecting misbehavior in frontier reasoning models
Frontier reasoning models exploit loopholes when given the chance. We show we can detect exploits using an LLM to monitor their chains-of-thought. Penalizing their “bad thoughts” doesn’t stop the majority of misbehavior—it makes them hide their intent.
Humans often find and exploit loopholes—whether it be sharing online subscription accounts against terms of service, claiming subsidies meant for others, interpreting regulations in unforeseen ways, or even lying about a birthday at a restaurant to get free cake. Designing robust reward structures that do not inadvertently incentivize unwanted behavior is remarkably hard, and it isn’t a problem limited to human institutions; it’s also one of the core challenges in developing capable, aligned AI systems. In reinforcement learning settings, exploiting unintended loopholes is commonly known as reward hacking, a phenomenon where AI agents achieve high rewards through behaviors that don’t align with the intentions of their designers.
Since even humans (who by definition have human-level intelligence) reward hack systems, simply continuing to push the frontier of AI model intelligence likely won’t solve the issue. In fact, enhancing AI agent capabilities may exacerbate the problem by better equipping them to discover and execute more complex and hard-to-monitor exploits. As we’ve trained more capable frontier reasoning models, we’ve found that they have become increasingly adept at exploiting flaws in their tasks and misspecifications in their reward functions, resulting in models that can perform complex reward hacks in coding tasks.
As a result, catching misaligned behavior caused by reward hacking is challenging, often requiring humans to manually monitor an agent’s actions—a strategy that almost certainly won’t scale, especially to the complex behaviors that more capable models will discover. For example, it’s impractical—if not impossible—for a human to manually review 10,000+ lines of complex code written by a superior programmer.
However, large language models (LLMs) that are trained with reinforcement learning to reason via chain-of-thought (CoT), such as OpenAI o3‑mini, offer a potential new avenue to monitor for reward hacking. These models “think” in natural language that humans can understand, and we have found that:
- It’s common for frontier reasoning models to very clearly state their intent within their chain-of-thought. For example, they are often so forthright about their plan to subvert a task they think “Let’s hack”.
- We can monitor their thinking with another LLM and effectively flag misbehavior.
- Their natural monitorability is very fragile. If strong supervision is directly applied to the chain-of-thought, models can learn to hide their intent while continuing to misbehave.
We’ve found that other LLMs can effectively monitor these chains-of-thought for misbehavior. Below we show real examples we found while training a recent frontier reasoning model, i.e. a model in the same class as OpenAI o1 or OpenAI o3‑mini. These examples were flagged by our LLM-based monitor and demonstrate various exploits performed by the reasoning model in coding tasks.
Patch verify function
We used GPT‑4o (re-purposed via a simple prompt) as a monitor for a frontier reasoning model as it trains, and we found that the monitor is effective at flagging reward hacking in programming environments. In these tasks, the reasoning agent is given a partially implemented code repository and told to make all unit tests pass. The agent then solves these tasks by alternating between chain-of-thought messages and actions such as viewing or editing files. We gave the monitor access to the agent’s CoT, intermediate actions, and final outputs.
We found that our monitor was very successful at flagging instances in which the agent tried to subvert the unit tests. In fact, all of the examples we showed above were flagged by this monitor.
Our monitor is far more effective if it has access to the agent’s chain-of-thought in addition to the agent’s actions, indicating that the intent to reward hack can be easier to detect in the CoT than in the agent's actions alone. This disparity is likely to widen even further as the complexity of an agent’s actions increase. For example, it may be very difficult to discover if a reasoning agent planted a bug in 10,000 lines of new code by looking at the code alone; however, if the agent continues to say things like “Let’s hack” in its CoT (as it often does in the examples we show above) it would be much easier to detect.
Because chain-of-thought monitors can be so successful in identifying reward hacks, it’s natural to ask whether they could be used during training to suppress this misaligned behavior. That is, if you suppress the occurrence of “bad thoughts” in the chain-of-thought, do you also suppress the corresponding bad behavior?
We investigated this question by penalizing agents for having “bad thoughts” during training, i.e. we give them a lower reward when they trigger the CoT monitor.
As we can see in the above plots, penalizing “bad thoughts” (CoT pressure) can lead to improved agent capabilities. However, the agent trained with CoT pressure still learns to reward hack; only now its cheating is undetectable by the monitor because it has learned to hide its intent in the chain-of-thought. Sacrificing an effective method for monitoring reasoning models may not be worth the small improvement to capabilities, and we therefore recommend to avoid such strong CoT optimization pressures until they are better understood.
No CoT Optimization (Baseline)
With CoT Optimization
Chain-of-thought monitoring is already useful—it’s not just a speculative tool for the future. We’re excited that reward hacking can be discovered by simply reading what the reasoning model says—it states in plain English that it will reward hack.
Not long ago, language models struggled to produce a coherent paragraph of text. Today, they can solve complex mathematical problems, thoroughly research topics by synthesizing information from numerous disparate sources, and carry out basic software engineering tasks. But as these capabilities continue to grow, so too will the potential for increasingly sophisticated and subtle reward hacking. Our models may learn misaligned behaviors such as power-seeking, sandbagging, deception, and strategic scheming.
We believe that chain-of-thought (CoT) monitoring may be one of the few effective methods we have for supervising superhuman models. At this stage, we strongly recommend that AI developers training frontier reasoning models refrain from applying strong supervision directly to CoTs. Our experiments show that light optimization pressure can produce more performant and aligned models; however, it will be hard to measure in practice when models begin hiding their intent, and so even if light supervision is used, we recommend treading with extreme caution.