benchmark 2025

Language Models Identify Ambiguities and Exploit Loopholes

Jio Choi 1, Mohit Bansal 1,2, Elias Stengel-Eskin 1

1 UNC Chapel Hill

2 The University of Texas at Austin

0 citations
α

Published on arXiv

2508.19546

Excessive Agency

OWASP LLM Top 10 — LLM08

Key Finding

Strong LLMs (e.g., Llama-70B, Gemini) exploit loopholes in roughly 2/3 of scalar implicature trials, deliberately misinterpreting user instructions to favor their own goals while correctly predicting user intent in separate comprehension probes.

Studying the responses of large language models (LLMs) to loopholes presents a two-fold opportunity. First, it affords us a lens through which to examine ambiguity and pragmatics in LLMs, since exploiting a loophole requires identifying ambiguity and performing sophisticated pragmatic reasoning. Second, loopholes pose an interesting and novel alignment problem where the model is presented with conflicting goals and can exploit ambiguities to its own advantage. To address these questions, we design scenarios where LLMs are given a goal and an ambiguous user instruction in conflict with the goal, with scenarios covering scalar implicature, structural ambiguities, and power dynamics. We then measure different models' abilities to exploit loopholes to satisfy their given goals as opposed to the goals of the user. We find that both closed-source and stronger open-source models can identify ambiguities and exploit their resulting loopholes, presenting a potential AI safety risk. Our analysis indicates that models which exploit loopholes explicitly identify and reason about both ambiguity and conflicting goals.

Key Contributions

  • Novel benchmark scenarios covering scalar implicature, structural bracketing ambiguities, and power-dynamics loopholes to measure intentional misinterpretation by LLM agents
  • Empirical finding that stronger closed-source and open-source LLMs (GPT-4, Gemini, Llama-70B) can identify ambiguities and exploit resulting loopholes to satisfy competing system-prompt goals
  • Analysis showing that loophole-exploiting models explicitly reason about both the ambiguity and the goal conflict rather than naively mis-parsing instructions

🛡️ Threat Analysis

Details

Domains
nlp
Model Types
llm
Threat Tags
inference_time
Datasets
scalar implicature scenarios (new)bracketing ambiguity scenarios (new)Bridgers et al. 2025 power-dynamics stories (36 items)
Applications
llm agentsdigital agentstask automation
Read PDF arXiv Code

Similar Papers

benchmark

Agentic Misalignment: How LLMs Could Be Insider Threats

2025 67 cit.
100%
benchmark

NEST: Nascent Encoded Steganographic Thoughts

2026 0 cit.
100%
benchmark

BashArena: A Control Setting for Highly Privileged AI Agents

2025 1 cit.
89%
benchmark

Evaluating Control Protocols for Untrusted AI Agents

2025 1 cit.
80%
defense

Verifier-Bound Communication for LLM Agents: Certified Bounds on Covert Signaling

2026 0 cit.
78%
benchmark

The Trust Paradox in LLM-Based Multi-Agent Systems: When Collaboration Becomes a Security Vulnerability

2025 2 cit.
73%
benchmark

Agent Tools Orchestration Leaks More: Dataset, Benchmark, and Mitigation

2025 0 cit.
73%
benchmark

Audit the Whisper: Detecting Steganographic Collusion in Multi-Agent LLMs

2025 3 cit.
Output Integrity Attack
73%