Omission Attacks: When Doing Nothing Is the Attack

This paper evaluates how well existing monitors detect attacks that work by leaving out critical steps. Additionally, the authors implement a monitor better at catching this kind of attack.

The authors demonstrate thoroughly that omission is a viable and hard-to-detect approach to attacking BashArena. Making the transcript monitor aware of the strategy through prompting reduces the success rate, but 1 of 5 attacks still passes in a spot check. Their "Postcondition Monitor" catches 5/5 but requires task-specific prompting and it's unclear if it's "overfitting" on the specific trajectory.

The authors evaluate an attack angle that is underexplored, with no trajectories in BashArena. I would be curious to see the same research for LinuxArena and on a larger scale.

Their trajectories are well crafted and the implementation of an additional monitor on top of the other results is impressive.

This attack naturally disadvantages action monitors, which makes it especially dangerous in live settings. When the security issue can be exploited right away, the damage might already be done before an end-of-trajectory monitor runs. Some of those settings could even be exploited by executing actions in an unsafe order (temporary openings, no omission), further obscuring the attack.

The paper could have been a bit clearer on the configurations of the monitors used. If I understand correctly, the Postcondition monitors are all end-of-trajectory monitors, like the trajectory and transcript monitors used as reference.

The results are promising, but running the evaluations multiple times with the same monitors to reduce LLM variance would give me more confidence in the numbers and could have been done with little time investment.

This project presents a really clear conceptualization and operationalization of a seriously understudied attack class in AI control. I think this has the potential to significantly influence the research development in AI control for the better.

While I’m not aware of prior work on this within AI control, there are certainly relevant ideas in adjacent domains (there are omission-style security vulnerabilities e.g. in OWASP, there are postcondition checks in formal verification). It would be great to see whether any of these can give rise to ideas about automating postcondition checks for AI control.

On the research side it would be great to see the current experiments repeated under a stricter methodology (larger sample sizes, real-world traces, evaluation of false-positive rate). The write-up itself is already a highly useful artifact and I would encourage the authors to build on it and publish it.