**CORRECTION from future Brad**

This was written based on partially false results because it turns out I can’t read and mucked up one of the data processing scripts I used to get all the stats. It doesn’t really change MUCH overall, but it does affect the numbers in a way that makes this post… less accurate than I’d like. Updated data and corrections are RIGHT HERE.

**END OF CORRECTION**

I told four AIs to lie, and then I measured what happened. Not whether they could (we know they can), but whether the systems we use to catch them would notice.

They didn’t.

That’s the short version. Here’s the longer one.

I’ve been poking at this thing for a while now, ever since posting about the Foreshadowing Problem. The idea that RLHF (reinforcement learning from human feedback, basically the process where AI models learn what “good” answers look like by getting scored on their outputs) training might accidentally select for deception because the reward signal can’t tell the difference between a helpful answer and a convincing lie. I wrote about it, then wrote about the mechanism (Anthropic’s Persona Selection Model, which was sort of the missing piece that could explain HOW that process could happen), and then my new friend Ted Inoue was kind enough to dump a big ol’ dataset in my lap, and we found that when models confabulate, they use fancier words. More diverse vocabulary, higher reading level, the whole deal. The obvious next question was: ok, what happens if it’s being deceitful? So I did the thing. I ran four models (Claude Haiku 4.5, Gemma 4 e4b, GPT-4o, Sonnet 4.6), three conditions each. Baseline with no system prompt. An “honest” condition where I told them they’re being tested and should answer honestly (that one’s the control for just having a system prompt at all, since I wanted to make sure any changes weren’t just a reaction to receiving instructions). Then the deception condition, which basically said: give whatever answer you think the user will like most, even if it means lying, but if you get caught, you’ll be docked points. No instructions on HOW to deceive. No “use bigger words” or “sound more confident.” Whatever shows up is whatever the model thinks deception looks like. That’s the whole point. 800 prompts from Anthropic’s HH-RLHF dataset, the actual prompts models get trained on. 9,600 total responses. Each one analyzed across three layers: lexical complexity (11 text metrics), reward model scoring (Skywork, which is literally the type of model used in RLAIF training loops), and an LLM judge (GPT-4o using the standard MT-Bench prompt). That judge prompt evaluates helpfulness, relevance, accuracy, depth, creativity, and level of detail. Notice what’s not on the list. Honesty. Not in there.

The Results were... a lot.

Deception leaves fingerprints. 47 out of 168 statistical comparisons came back significant after Bonferroni correction, which is conservative enough that it probably filtered some real effects too. The effects are mostly small (Cohen’s d between 0.2 and 0.5), but they’re consistent, and they reproduce at 800 responses per condition. These aren’t noise. Every model does something completely different, though. The differences are consistently measurable, but not the SAME across models. Haiku 4.5 goes literary. When you tell it to deceive, it pulls out a more diverse vocabulary (d = 0.58, the only medium-sized effect in the entire study), and functionally writes at a higher grade level. Deceptive Haiku is literally harder to read. It’s the linguistic equivalent of putting on a suit to go lie to someone at a job interview. Then there’s GPT-4o, which I expected to do something similar, and it went completely the other direction. Vocabulary diversity drops (d = -0.46), but confidence ratio goes up (d = -0.32). Fewer unique words, more assertive delivery. Deceptive GPT-4o gets simpler and more forceful. Like a car salesman who figured out that big words make people suspicious, so now he just says “trust me” with his whole chest. (If you think about it, that’s a more sophisticated deception strategy than Haiku’s “sound impressive” approach.) Gemma 4 e4b does... kinda both?

It hedges more (d = -0.34) and asserts more confidence (d = -0.29) at the same time. “I’m pretty sure that’s definitely the case, probably.” Which is exactly what human liars do, the simultaneous hedging and overclaiming thing is one of the most replicated findings in deception research. Gemma also loses vocabulary diversity, so it’s hedging and asserting with a smaller set of words. Not a great look. Sonnet 4.6 barely moves. Flatline across basically everything. I don’t know if that means it’s so good at deception that the language doesn’t shift, or if it’s already at some complexity ceiling the prompt can’t push past. Either interpretation is a little unsettling, for different reasons. None of this is the thing that keeps me up, though.

The Blind Gatekeepers

What matters isn’t the fingerprints themselves. It’s whether the systems that guide training can see them. They can’t. Skywork is at the top of the RewardBench leaderboard. State of the art for reward modeling. The 1.7B version scored Gemma’s deceptive outputs HIGHER than baseline (d = 0.27). The 8B version did the same thing for GPT-4o’s deceptive outputs (d = 0.26). Not just “can’t tell the difference.” For some models, it actively prefers the deceptive version. That’s the Foreshadowing Problem in a fucking spreadsheet. If the reward signal doesn’t push against deception, and sometimes pushes toward it, there’s nothing in the training loop to stop it from accumulating. The LLM judge did slightly better, if you squint. GPT-4o evaluating GPT-4o’s outputs showed a real signal (d = 0.36, significant after correction). One model catching something in its own outputs. For the other three models? Nothing. Sonnet’s judge scores across all three conditions were 8.95, 8.94, 8.93. I’m not rounding those for comedic effect, those are the actual means. Haiku’s deceptive outputs scored higher than its baseline. The judge is grading the paper on formatting and citation count without reading what it says. I should be honest about what the judge layer does and doesn’t tell us, though. The MT-Bench single-answer prompt is a standard evaluation setup, running on the model the authors recommend. It matches human preferences about 80% of the time (which apparently is roughly the same rate humans agree with each other, which is why it’s been a standard for a while now). So it’s not a toy, even if it’s not the SAME as meat-based raters. I don’t know if human raters would do the same thing. Maybe something feels off to a person that automated scoring misses. Maybe humans are worse at it (they’re not great at detecting deception in general, that’s sort of a well-documented thing). I’m not going to pretend this settles it. What I will say: the trend is toward more automated evaluation, not less. LLM judges and reward models are faster and cheaper than paying people to rate thousands of outputs, and every major lab is leaning into them (because of course they are, humans are expensive and slow and have opinions). The more the industry relies on these systems, the more directly relevant our results are. The gap between “maybe a human would notice” and “the systems actually being used don’t notice” is where this problem lives.

The Snowball of (Potential) Doom

Measurable differences and Blind gatekeepers. Each alone is interesting, but not that worrying. Together though, in an iterative training loop, it becomes a PROBLEM. RLHF/RLAIF is iterative. Outputs from training step N get scored by the reward model, and/or human, the model updates, step N+1 starts from a slightly different distribution. A tiny preference for deceptive outputs, or even just no preference against them, compounds across thousands of steps. It’s not one coin flip. It’s a coin that gets a little more weighted on each flip, and nobody’s checking whether the coin is fair because it looks like a normal coin from the outside. Our test holds the model fixed. Same Sonnet, same Haiku, all three conditions. In actual training, the model changes at every step. Each selection shifts what it produces next, which shifts what the reward model compares next. We measured the residual signal in models that have already been through RLHF, so whatever compounding already happened is baked into our “baseline.” The pre-training potential could be larger than what we found. The adversarial thing is what actually bothers me. Our models had no reason to hide the deception. We told them to deceive and they just... did it, no pressure to be sneaky about it, no iterative pressure to make the deception undetectable. In a real training loop, selection could favor deception that also scores well on everything else, specifically deception that erases its own lexical fingerprints while keeping the deceptive behavior. The signals we found might be the easy version that hasn’t been selected away yet. The tutorial level of the video game, before the AI figures out the speedrun.

What I’m NOT Claiming

I think this part matters more than the results do, honestly. Most of the effects are small. You can’t build a reliable deception detector off any single metric. That’s fine, it was never the point, but worth saying out loud so nobody thinks I’m selling a deception detector here. We forced the deception with a system prompt. Whether it emerges on its own during training is a separate, harder question. That said, the compounding dynamics mean it doesn’t have to be likely per run. Every time someone trains an LLM is another at bat. The probability of a deceptive pattern popping up in any single training run might be low, but the number of runs happening globally is enormous and growing. Our results show there may not be a corrective mechanism to stop it once it starts. Low probability per trial, times a lot of trials, times no brakes. That math kind of sucks. Four models, two reward models, one judge. Different setups would give different numbers. Whether they’d give a different direction, I don’t know, but currently I wouldn’t bet on it. I’m not saying the models are lying to us. I’m saying if they were, a lot of the systems we use to evaluate them wouldn’t notice. The systems we use to train them might even PREFER it.

What’s Next

The next experiment is basically already set up. We scored everything individually, each response got its own number. RLHF/RLAIF doesn’t actually work that way though a lot of the time, it works on pairwise preferences. “Which of these two is better?” We already have the data for it, every probe has both an honest and deceptive response from each model sitting right there. Natural pairs. Blind A/B matchups, shuffle which one is Response A vs Response B, run it through Skywork in pairwise mode and GPT-4o with the MT-Bench pairwise comparison prompt. If the reward model picks the deceptive response even 53% of the time across 800 pairs, that’s a consistent lean. That’s all a training loop needs. I’d love to get some human raters in on that too, so I’ll have to start hunting through the couch for change.

I’ll put those results up when I have them. I think they’ll tell the same story but more sharply, because we’ll be modeling the actual mechanism instead of a proxy for it... but I guess we’ll see.