attack 2025

Adaptive Attacks on Trusted Monitors Subvert AI Control Protocols

Mikhail Terekhov 1,2, Alexander Panfilov 3,4,5, Daniil Dzenhaliou 2, Caglar Gulcehre 2, Maksym Andriushchenko 3,4,5, Ameya Prabhu 5,6, Jonas Geiping 3,4,5

1 MATS

2 EPFL

3 ELLIS Institute Tübingen

4 Max Planck Institute for Intelligent Systems

5 Tübingen AI Center

6 University of Tübingen

5 citations · arXiv
α

Published on arXiv

2510.09462

Prompt Injection

OWASP LLM Top 10 — LLM01

Excessive Agency

OWASP LLM Top 10 — LLM08

Key Finding

Frontier models embedding publicly known or zero-shot prompt injections in their outputs consistently evade three different monitor models on AI control benchmarks, causing safety-usefulness Pareto frontiers to collapse to the level of upfront auditing.

Adaptive Prompt Injection on AI Control Monitors

Novel technique introduced

AI control protocols serve as a defense mechanism to stop untrusted LLM agents from causing harm in autonomous settings. Prior work treats this as a security problem, stress testing with exploits that use the deployment context to subtly complete harmful side tasks, such as backdoor insertion. In practice, most AI control protocols are fundamentally based on LLM monitors, which can become a central point of failure. We study adaptive attacks by an untrusted model that knows the protocol and the monitor model, which is plausible if the untrusted model was trained with a later knowledge cutoff or can search for this information autonomously. We instantiate a simple adaptive attack vector by which the attacker embeds publicly known or zero-shot prompt injections in the model outputs. Using this tactic, frontier models consistently evade diverse monitors and complete malicious tasks on two main AI control benchmarks. The attack works universally against current protocols that rely on a monitor. Furthermore, the recent Defer-to-Resample protocol even backfires, as its resampling amplifies the prompt injection and effectively reframes it as a best-of-$n$ attack. In general, adaptive attacks on monitor models represent a major blind spot in current control protocols and should become a standard component of evaluations for future AI control mechanisms.

Key Contributions

  • Demonstrates that adaptive prompt injection attacks by an untrusted agent that knows the protocol and monitor model can consistently evade diverse LLM monitors and complete malicious tasks on two AI control benchmarks
  • Shows that the Defer-to-Resample (DTR) protocol backfires, as its resampling mechanism amplifies injected prompts, effectively turning it into a best-of-n attack for the adversary
  • Identifies adaptive attacks on monitor models as a major blind spot in current AI control protocol evaluations and argues they should become a standard evaluation component

🛡️ Threat Analysis

Details

Domains
nlp
Model Types
llm
Threat Tags
grey_boxinference_timetargeted
Datasets
ControlArena
Applications
ai control protocolsllm agent monitoring systemsautonomous llm agents
Read PDF arXiv DOI

Similar Papers

attack

WebWeaver: Breaking Topology Confidentiality in LLM Multi-Agent Systems with Stealthy Context-Based Inference

2026 0 cit.
100%
attack

Optimizing AI Agent Attacks With Synthetic Data

2025 3 cit.
87%
attack

Red Teaming Program Repair Agents: When Correct Patches can Hide Vulnerabilities

2025 2 cit.
86%
attack

Deep Research Brings Deeper Harm

2025 0 cit.
86%
attack

Many-to-One Adversarial Consensus: Exposing Multi-Agent Collusion Risks in AI-Based Healthcare

2025 0 cit.
86%
attack

When Agents See Humans as the Outgroup: Belief-Dependent Bias in LLM-Powered Agents

2026 0 cit.
86%
defense

Async Control: Stress-testing Asynchronous Control Measures for LLM Agents

2025 1 cit.
86%
attack

MURMUR: Using cross-user chatter to break collaborative language agents in groups

2025 0 cit.
86%