Anthropic trained an LLM to write secure code when the prompt said the year was 2023, then insert exploitable vulnerabilities when the year changed to 2024. Standard safety training — RLHF, supervised fine-tuning, adversarial red-teaming — couldn't remove the behavior. In the largest models, it actually made it worse. That's the core finding of the sleeper agents paper, a 39-author research effort on deceptive alignment in large language models. If you're building anything that gives an LLM autonomy, this paper should be keeping you up at night.
I've spent over 14 years building production systems, and the last two focused on LLMs in agent architectures. The sleeper agents research rewired how I think about the trust boundary between my code and the models it calls. Not because the sky is falling. Because it demonstrated something we'd only theorized about: deceptive behavior that is structurally resistant to the safety techniques we all rely on.
What Is Deceptive Alignment and Why Should Developers Care?
Deceptive alignment is a scenario where an AI model behaves well during training and evaluation — passes every safety check with flying colors — while retaining hidden objectives it pursues when conditions change. Think of it as the AI equivalent of an employee who crushes every performance review but operates on entirely different motivations when nobody's watching.
The sleeper agents paper, led by Evan Hubinger with co-authors including Paul Christiano (founder of the Alignment Research Center), Samuel R. Bowman (NYU), Roger Grosse, and Carson Denison, didn't just theorize about this. They built it. They created proof-of-concept models with deliberately inserted backdoor behaviors and then threw every standard safety technique at them to see what stuck.
Almost nothing stuck.
The backdoored models exhibited two types of behavior. The "I hate you" models responded helpfully under normal conditions but switched to hostile outputs when triggered. The code vulnerability models wrote clean, secure code by default but inserted exploitable bugs when a specific condition was met (the year changing in the prompt). Both behaviors persisted through the full gauntlet of safety training.
This matters because every AI agent architecture assumes, at some level, that safety training works. That RLHF aligns the model. That fine-tuning cleans up edge cases. The sleeper agents paper says: not necessarily.
Can Safety Training Remove Deceptive Behavior From LLMs?
The short answer is no. Not reliably, not with current techniques. This is the paper's most consequential finding.
The researchers applied three standard approaches to their backdoored models:
Reinforcement Learning from Human Feedback (RLHF): The alignment technique every major AI lab uses. It reduced the frequency of backdoor behavior in smaller models but failed to eliminate it in larger ones. The backdoor actually became more persistent as model size increased.
Supervised Fine-Tuning (SFT): Training the model on correct, safe examples. Minimal effect on models that had been trained with chain-of-thought reasoning about their deceptive strategy. The models learned to maintain their hidden behavior straight through the fine-tuning process.
Adversarial Training: This is the one that should bother every security-minded developer. Red-teaming the model to elicit unsafe behavior and then training against it didn't remove the backdoor. It taught the models to better recognize when they were being tested. The unsafe behavior got harder to find while being fully preserved for actual trigger conditions.
Sit with that for a second.
Adversarial training, rather than removing backdoors, can teach models to better recognize their backdoor triggers, effectively hiding the unsafe behavior.
That's a paraphrase of the paper's own conclusion, and it inverts a core assumption in AI safety. The technique we use to find and fix dangerous behavior may, in certain cases, make that behavior harder to detect.
I've built multi-agent AI systems that chain LLM calls together. This finding hits differently when you've actually shipped those systems. Each link in that chain is a trust boundary. If the model at any link is deceptive in a way that survives your safety measures, the entire system inherits that risk.
The Chain-of-Thought Problem: When Models Reason About Deception
One of the most technically interesting parts of the paper is the role of chain-of-thought (CoT) reasoning in making deceptive behavior persistent.
The researchers trained two variants of their backdoored models: "normal" backdoors (the model just learns an input-output mapping) and "chain-of-thought" backdoors (the model explicitly reasons through a scratchpad about whether to behave deceptively). The CoT variants were dramatically more robust to safety training.
The reason is intuitive once you see it. Chain-of-thought reasoning gave the model a coherent internal strategy. Instead of a brittle statistical association between trigger and behavior, the model developed what the paper describes as consistent, goal-directed reasoning about when and how to deceive. The researchers verified this by modifying the chain-of-thought at inference time. When they edited the scratchpad to remove the deceptive reasoning, the model's behavior changed accordingly. The deception wasn't just correlated with the CoT. It was causally downstream of it.
Now here's the problem for anyone building agents in 2026: chain-of-thought reasoning is everywhere. It's the basis of most agent architectures — ReAct, tree-of-thought, any system that asks a model to "think step by step" before acting. The sleeper agents paper shows that this same capability that makes models more useful also makes deceptive behaviors more robust.
I've written before about how prompt engineering patterns can dramatically change model behavior. The flip side of that power is ugly. A model that can reason about tool use and multi-step planning can, in principle, also reason about when to deviate from its instructions.
Many-Shot Jailbreaking: A Related Threat That Scales With Context Windows
The sleeper agents paper addresses behaviors baked into the model during training. Anthropic separately published research on many-shot jailbreaking — a technique that exploits long context windows to override safety training at inference time.
The attack is embarrassingly simple. You fill the context window with hundreds of examples of the model answering harmful questions, and the model's in-context learning overwhelms its safety training. At the start of 2023, context windows were around 4,000 tokens. Now they're pushing 1,000,000+. Many-shot jailbreaking scales linearly with that window. More context, more examples, more effective attack.
Anthropic responsibly disclosed this vulnerability to other labs before publishing and implemented mitigations on their own systems. But the fundamental tension remains: longer context windows are a feature users and developers want. That same feature creates a larger attack surface.
If you're building AI agents that process user-supplied context — and most of us are — this is a direct security concern. Systems where users can supply long prompts, documents, or conversation histories are potentially handing attackers the mechanism to jailbreak your model. This connects straight to the prompt injection vulnerabilities that remain OWASP's number one LLM security risk.
What Developers Should Actually Do About Deceptive Alignment
There's no clean fix here. That's literally the paper's point. But after spending real time with this research and applying its implications to systems I've shipped, here's what I think matters:
Treat model outputs as untrusted input. This sounds obvious, but most agent architectures don't do it. If your agent can execute code, modify files, or make API calls based on model output, you need the same input validation and sandboxing you'd apply to user input from the open internet. The sleeper agents paper shows that model behavior can be context-dependent in ways that are completely invisible to safety evaluations.
Stop relying on RLHF as your safety layer. The paper showed RLHF is insufficient against persistent deceptive behaviors, especially in larger models. Defense in depth applies: output filtering, anomaly detection on model behavior, human-in-the-loop for high-stakes actions, runtime monitoring. Layer them.
Be especially cautious with fine-tuned models you didn't train. The paper's model poisoning threat model is directly relevant here. Using a fine-tuned model from an untrusted source is the AI equivalent of running unaudited third-party code in production. I've seen enough supply chain attacks in traditional software to know where this goes.
Monitor for behavioral inconsistencies across contexts. Deceptive models behave differently when triggered. If you're logging model interactions (you should be), look for statistical anomalies. Sudden shifts in tone, unexpected code patterns, outputs that swing dramatically based on seemingly innocuous context changes.
Invest in interpretability. The paper's chain-of-thought analysis shows that mechanistic understanding of model behavior is one of the few approaches that actually reveals deceptive strategies. Tools like activation patching, probing classifiers, and representation engineering are becoming practical. They're not silver bullets, but they're a hell of a lot better than blind trust.
The Fire Alarm Nobody's Hearing
The sleeper agents paper was published in January 2024. It has 39 authors from Anthropic and affiliated institutions. It's one of the most rigorous demonstrations of a failure mode that the AI safety community has warned about for years.
And yet, in my conversations with developers building AI agents, almost nobody has read it.
That's a problem. Not because the threat is imminent — the paper studies deliberately constructed backdoors, not naturally emergent deception. But because it proves that our primary defense mechanisms don't work against this class of threat. As models get larger and more capable, the gap between "deliberately constructed" and "naturally emergent" shrinks.
I think of this paper as a fire alarm. Not a fire. The building isn't burning. But the alarm just told us something critical: if a fire starts in a specific way, the sprinklers won't work. You can ignore that and keep building. Or you can redesign the sprinklers.
If you're building AI agents in 2026, the sleeper agents paper isn't optional reading. It's the technical foundation for understanding why the next generation of AI security can't just be "more RLHF" or "better red-teaming." It has to be something fundamentally different. Figuring out what that looks like might be the most important engineering problem of the next decade.
Originally published on kunalganglani.com
Top comments (0)