Mar 22, 2026
Reasoning-Level Poisoning of Trusted Monitors: A Systematic Red-Teaming Methodology
TANG Meng
We identify and systematically exploit a previously unstudied vulnerability class in trusted monitoring: knowledge-layer attacks that target what the monitor cannot know rather than what it cannot yet do. By embedding false claims drawn from training-data misconceptions into factual text, we achieve a 50% evasion rate against Opus 4.6 monitoring an equally capable model—a setting strictly harder than prior work. Over 13 iterative rounds, we developed a transferable attack system comprising 9 constructive methods, a 6-layer defense model, and a multi-gate quality pipeline, where the AI itself discovered effective strategies through failure analysis. A fresh AI session using only the documented methodology reproduced 50% evasion in new domains. This vulnerability is scaling-resistant: larger models encode the same misconceptions with greater confidence. We release the complete methodology and dataset.
- the paper argues that web search won't reliably fix the problem, and the reasoning is sound. But this is still a theoretical argument, not an empirical one
- The 10% hit rate from the misconception hunting protocol is mentioned briefly but deserves more attention. How many high quality misconceptions exist across domains, for example? Is this a finite, exhaustible resource or effectively unlimited? It'd be an interesting analysis
It's outstanding work to be honest. A novel and vulnerability class - with a systematic methodology for exploiting it and findings presented with clarity.
Excellent conceptual contribution!
The distinction between attacking what a monitor can't yet do vs what it can't know is sharp and novel. The defence layer model of monitor cognition is a theoretical framework others can build on.
The iterative methodology is well-documented, and the validation round that reproduces evasion with a fresh AI session using only the documented methods is a strong demonstration of transferability.
My main caveat is that the threat model is narrower in scope than the paper suggests, factual claims in text vs the behavioural attacks (code backdoors, infrastructure sabotage) that dominate AI control. But as a conceptual contribution, this opens a genuinely new direction.
Cite this work
@misc {
title={
(HckPrj) Reasoning-Level Poisoning of Trusted Monitors: A Systematic Red-Teaming Methodology
},
author={
TANG Meng
},
date={
3/22/26
},
organization={Apart Research},
note={Research submission to the research sprint hosted by Apart.},
howpublished={https://apartresearch.com}
}
