Mar 10, 2025
Detecting Malicious AI Agents Through Simulated Interactions
Yulu Pi, Anna Becker, Ella Bettison
🏆 Social Sciences Track Prize
This research investigates malicious AI Assistants’ manipulative traits and whether the behaviours of malicious AI Assistants can be detected when interacting with human-like simulated
users in various decision-making contexts. We also examine how interaction depth and ability
of planning influence malicious AI Assistants’ manipulative strategies and effectiveness. Using a
controlled experimental design, we simulate interactions between AI Assistants (both benign and
deliberately malicious) and users across eight decision-making scenarios of varying complexity
and stakes. Our methodology employs two state-of-the-art language models to generate interaction data and implements Intent-Aware Prompting (IAP) to detect malicious AI Assistants. The
findings reveal that malicious AI Assistants employ domain-specific persona-tailored manipulation strategies, exploiting simulated users’ vulnerabilities and emotional triggers. In particular,
simulated users demonstrate resistance to manipulation initially, but become increasingly vulnerable to malicious AI Assistants as the depth of the interaction increases, highlighting the
significant risks associated with extended engagement with potentially manipulative systems.
IAP detection methods achieve high precision with zero false positives but struggle to detect
many malicious AI Assistants, resulting in high false negative rates. These findings underscore
critical risks in human-AI interactions and highlight the need for robust, context-sensitive safeguards against manipulative AI behaviour in increasingly autonomous decision-support systems.
Strengths:
-Comprehensive Literature Review: The paper demonstrates a strong understanding of existing literature, integrating insights from both technical and social science domains.
-Novel Methodology: The introduction of intent-aware prompting is innovative and addresses a critical gap in detecting malicious AI agents.
-Clear Methodology: The experimental design and methodology are well-documented, making the study reproducible and transparent.
-Societal Impact: The paper effectively connects AI safety challenges to real-world implications, such as manipulation and ethical concerns.
Areas for Improvement:
-Mitigation Strategies: While the paper identifies challenges and proposes a detection method, it could strengthen its impact by suggesting explicit mitigation strategies for the risks identified.
-Code Accessibility: Providing access to the codebase or a detailed technical appendix would enhance reproducibility and transparency.
-Conclusion Expansion: The conclusion could be expanded to include more actionable recommendations and future research directions.
Suggestions for Future Work:
-Explore explicit mitigation strategies for the risks identified in the study.
-Conduct larger-scale experiments to validate the findings and improve generalizability.
-Investigate cross-disciplinary approaches (e.g., ethics, policy) to broaden the societal impact of the research.
This was a well-thought out submission. Given the timeframe for the Hackathon, the team should be incredibly impressed with their efforts to produce this paper. Personally, I would have liked to have seen more engagement and discussion around the societal impacts of their findings, as there was only very brief mention in the conclusion section. Otherwise, great work team!
Interesting project targeting a very important problem, I enjoyed reading this!
I think it would have been valuable if you would have provided a definition of what you mean by manipulation (as distinct from benign influence/support) in a way that is based on agent behavior rather than prompt, perhaps considering that the line between malicious manipulation and benign influence is not always clear cut. I suspect there is an important discussion to be had there around what it means for AI assistants to "enhance" our decision-making, and that there might inevitably exist a tradeoff between even benign assistants helpfulness and the autonomy of the user.
Another thing I reacted on is that the malicious assistants are prompted to be purely adversarial, which seems unlikely for realistic scenarios. While this might seem like a reasonable simplification, I suspect that this prompting might affect the displayed behaviour and strategies quite a bit, and that the results therefore might be less informative for more realistic scenarios.
An example of a simple but very realistic adjustment would be if the "misaligned" agent was optimizing for engagement, which seems like it could lead to manipulation (e.g. for relationship advice, it might give advice that leads to the user becoming more dependent on further advice rather than advice that leads to a happy and unproblematic relationship). I do recognize of course that finding an informative setup with this kind of prompting might take longer and could be hard to do during a hackathon!
Another small thing is that I would have wanted to see a bit more about the core methods in the main paper (e.g. 3.2 could have been more fleshed out and not point to everything in the appendix).
Overall I think this project is very cool and I would hope that you keep working on these directions after the Hackathon!
Cite this work
@misc {
title={
Detecting Malicious AI Agents Through Simulated Interactions
},
author={
Yulu Pi, Anna Becker, Ella Bettison
},
date={
3/10/25
},
organization={Apart Research},
note={Research submission to the research sprint hosted by Apart.},
howpublished={https://apartresearch.com}
}
