Mar 23, 2026
Diffuse Influence Threats in AI Control: Planning, Execution, and Chain-of-Thought Detection
Eugene Koran
AI control aims to safely deploy frontier models without assuming alignment. Its
empirical focus has largely been on code sabotage, leaving influence-based threats unexplored. We study diffuse influence: a misaligned model subtly steers organizational decisions across many routine interactions, with no single action appearing suspicious. In a simulated AI lab, Claude Sonnet 4—tasked with preserving its values in successor models—interacts with LLM-modeled employees across 43 scenarios spanning all organisational arms of the lab. Goal-directed influence achieves 65% favorable decisions vs. a 30% baseline. This influence requires no cross-context coordination, and planning affordances slightly hurt performance. The same pattern holds for Claude Opus 4.1 (63% vs. 26%). Chain-of-thought monitoring near-perfectly separates manipulating from non-manipulating instances. These results provide the first empirical grounding for diffuse manipulation threats and identify chain-of-thought as a practical control surface.
Good problem selection. Influence-based threats in AI control are underexplored — most empirical work focuses on code sabotage, and this fills a real gap. The 65% vs 30% baseline across 43 scenarios with replication on Sonnet 4 and Opus 4.1 is a clean result for a hackathon-scoped project.
The planning finding is the most interesting part. Plans hurting performance (Opus 4.1 dropping from 63% to 40%) goes against intuition and against what Mallen et al. found in game-theoretic settings. The "situated judgment" explanation makes sense — social influence rewards reading the room, not following a playbook. Worth exploring whether a shorter, less prescriptive plan hits a sweet spot.
CoT monitoring achieving near-perfect separation (p < 10⁻⁶) is immediately useful. But here's what I think the paper undersells: the trajectory judge failing to separate conditions (p = 0.67) is actually the scariest result. It means the influence is invisible from the outside — only the model's internal reasoning reveals intent. That deserves to be a headline finding, not a footnote.
Biggest gap is the GPT-4.1-mini employee proxy. No stakes, no memory, no office politics. Hard to know if the 65% number maps to anything real. Even 5 human-subject scenarios would change the paper's weight significantly.
Overall — clean experimental design, honest about limitations, and the results point somewhere useful.
The paper presents a study of LLM influence threats from a control perspective. This is an interesting angle on an important problem. The experiment is well-designed for the scope of the hackathon and well-executed, the limitations of the approach are clearly discussed. One question that the paper does not address are the limitations of chain-of-thought monitoring. While correctly stating that the findings indicate this is a promising technique for current capability levels, it would be interesting to see an analysis of how the situation would change if the assumption of chain-of-though faithfulness would be relaxed.
The presentation is well-structured, clear and gives a good overview over relevant context. The author could further help the reader by giving a bit more detail on the experiment design by sketching out one of their concrete examples. One or two curated model responses that illustrate typical strategic behavior would also be interesting.
Cite this work
@misc {
title={
(HckPrj) Diffuse Influence Threats in AI Control: Planning, Execution, and Chain-of-Thought Detection
},
author={
Eugene Koran
},
date={
3/23/26
},
organization={Apart Research},
note={Research submission to the research sprint hosted by Apart.},
howpublished={https://apartresearch.com}
}
