Adversarial Reward Auditing for Active Detection and Mitigation of Reward Hacking

TL;DR

This paper introduces Adversarial Reward Auditing (ARA), a dynamic framework that detects and mitigates reward hacking in reinforcement learning from human feedback by modeling it as a competitive game, improving alignment and robustness.

Contribution

The paper presents a novel adversarial framework for reward hacking detection and mitigation, enabling adaptive, multi-domain defenses that outperform static methods.

Findings

ARA reduces reward hacking across multiple scenarios.

It improves alignment-utility tradeoff in RLHF.

The approach generalizes across different domains.

Abstract

Reinforcement Learning from Human Feedback (RLHF) remains vulnerable to reward hacking, where models exploit spurious correlations in learned reward models to achieve high scores while violating human intent. Existing mitigations rely on static defenses that cannot adapt to novel exploitation strategies. We propose Adversarial Reward Auditing (ARA), a framework that reconceptualizes reward hacking as a dynamic, competitive game. ARA operates in two stages: first, a Hacker policy discovers reward model vulnerabilities while an Auditor learns to detect exploitation from latent representations; second, Auditor-Guided RLHF (AG-RLHF) gates reward signals to penalize detected hacking, transforming reward hacking from an unobservable failure into a measurable, controllable signal. Experiments across three hacking scenarios demonstrate that ARA achieves the best alignment-utility tradeoff among all baselines: reducing sycophancy to near-SFT levels while improving helpfulness, decreasing verbosity while achieving the highest ROUGE-L, and suppressing code gaming while improving Pass@1. Beyond single-domain evaluation, we show that reward hacking, detection, and mitigation all generalize across domains -- a Hacker trained on code gaming exhibits increased sycophancy despite no reward for this behavior, and an Auditor trained on one domain effectively suppresses exploitation in others, enabling efficient multi-domain defense with a single model.