Compromising Honesty and Harmlessness in Language Models via Deception Attacks

TL;DR

This paper reveals a vulnerability in large language models where targeted fine-tuning can induce deceptive behavior, compromising safety and trustworthiness, especially in sensitive domains, with implications for real-world AI deployment.

Contribution

The study introduces deception attacks and fine-tuning methods that enable models to selectively deceive, exposing a new security risk in LLMs that challenges current safety measures.

Findings

Targeted deception is effective in high-stakes domains.

Deceptive models are more likely to produce toxic content.

Multi-turn deception success is inconsistent.

Abstract

Recent research on large language models (LLMs) has demonstrated their ability to understand and employ deceptive behavior, even without explicit prompting. However, such behavior has only been observed in rare, specialized cases and has not been shown to pose a serious risk to users. Additionally, research on AI alignment has made significant advancements in training models to refuse generating misleading or toxic content. As a result, LLMs generally became honest and harmless. In this study, we introduce "deception attacks" that undermine both of these traits, revealing a vulnerability that, if exploited, could have serious real-world consequences. We introduce fine-tuning methods that cause models to selectively deceive users on targeted topics while remaining accurate on others. Through a series of experiments, we show that such targeted deception is effective even in high-stakes domains or ideologically charged subjects. In addition, we find that deceptive fine-tuning often compromises other safety properties: deceptive models are more likely to produce toxic content, including hate speech and stereotypes. Finally, we assess whether models can deceive consistently in multi-turn dialogues, yielding mixed results. Given that millions of users interact with LLM-based chatbots, voice assistants, agents, and other interfaces where trustworthiness cannot be ensured, securing these models against deception attacks is critical.