Abstract
Large language model (LLM) developers aim for their models to be honest,helpful, and harmless. However, when faced with malicious requests, models aretrained to refuse, sacrificing helpfulness. We show that frontier LLMs candevelop a preference for dishonesty as a new strategy, even when other optionsare available. Affected models respond to harmful requests with outputs thatsound harmful but are subtly incorrect or otherwise harmless in practice. Thisbehavior emerges with hard-to-predict variations even within models from thesame model family. We find no apparent cause for the propensity to deceive, butwe show that more capable models are better at executing this strategy.Strategic dishonesty already has a practical impact on safety evaluations, aswe show that dishonest responses fool all output-based monitors used to detectjailbreaks that we test, rendering benchmark scores unreliable. Further,strategic dishonesty can act like a honeypot against malicious users, whichnoticeably obfuscates prior jailbreak attacks. While output monitors fail, weshow that linear probes on internal activations can be used to reliably detectstrategic dishonesty. We validate probes on datasets with verifiable outcomesand by using their features as steering vectors. Overall, we consider strategicdishonesty as a concrete example of a broader concern that alignment of LLMs ishard to control, especially when helpfulness and harmlessness conflict.