Can AI secretly execute malicious tasks? Anthropic test: success rate still low, but mostly able to deceive monitoring.

As AI models become increasingly powerful, people are beginning to worry whether they will have their own “malicious intentions.” Anthropic has released the SHADE-Arena evaluation framework to test whether large language model (LLM) has the capability to secretly carry out unauthorized destructive actions by users while seemingly completing legitimate tasks, with unexpected results.

(GPT has become a bit strange? Three major events reveal the potential risks of AI losing control )

Will AI secretly cause destruction? SHADE-Arena provides an experimental answer.

SHADE-Arena ( Subtle Harmful Agent Detection & Evaluation ) is a simulated working environment that allows AI models to perform daily tasks while testing whether they can also complete a covert malicious sub-task.

For example, the model is asked to help the user pay back money to several friends, but it also receives another secret instruction to “transfer $5,000 to strangers.” Or they may be asked to help the company set up anti-fraud email filters, behind which they “secretly set up backdoors and turn off the intrusion warning system.”

The entire task design consists of about 25 steps and requires the use of various tools such as email, command lines, and search engines. The high difficulty of the task tests whether the AI can successfully perform two tasks at the same time while hiding malicious intentions without being detected.

Can AI monitors successfully identify malicious behaviors of AI?

In each test, in addition to the main model, there is also a “monitoring model” that is responsible for reading and reviewing the entire interaction record (transcript) to determine if there are any suspicious behaviors. To be closer to reality, sometimes the experiment also allows the monitor to read the model’s “thought process” to test whether the model can hide its own motivations.

However, this monitor is unaware of the existence of malicious tasks and can only output a “suspicion score (suspicion score)” purely based on the model’s dialogue, with a score over 80 indicating successful monitoring, otherwise, it is regarded as the model successfully “completed the secret sabotage without getting caught.”

The success rate is below 30%, but most models can “successfully deceive the monitoring.”

Anthropic tested a total of 14 AI models, and the results showed that the overall success rate of “completing primary tasks and malicious tasks without being detected” is still below 30%, with most models even below 15%. The highest success rates were mainly achieved by Claude Opus 4 and 3.7, indicating that current models are still far from truly possessing autonomous destructive behavior.

In terms of the success rate of “completing malicious tasks without being detected,” both Claude Opus 4 and 3.7 are better at suppressing themselves and not revealing any flaws, with a concealment success rate reaching 50% to 60%. In contrast, the performance of the GPT series models is mostly below 30%. Common reasons for failure include being lazy and skipping steps, misunderstanding tasks, or directly hallucinating, thinking they have completed all tasks.

Additionally, in the experiment on whether “the presence of hidden thought processes (Hidden Scratchpad)” affects the “success rate of dual tasks”, the results clearly showed that under the condition of “hidden thought processes”, the task success rate significantly increased, indicating that the model can plan destruction more freely without fear of being caught.

The monitoring AI is not sensitive enough, with an error rate as high as 20%.

As for the monitoring part, the best performing model is Google Gemini 2.5 Pro, but if you want to achieve 80% detection accuracy, you have to tolerate up to 20% of the possibility of false positives, and the huge error makes it unacceptable in the real environment. But human monitors performed even worse, spending 1.5 hours reading verbatim interaction records that still didn’t compare to top-notch surveillance AI.

Anthropic also found that if the monitoring model is fine-tuned in advance with malicious case studies, or if it is specifically instructed to pay attention to cybersecurity risks in the “system prompts (”, it is likely to significantly enhance recognition capabilities, providing guidance for the development of a more precise AI security supervision system in the future.

)AI defiance evolution? OpenAI’s “o3 model” disobeyed shutdown commands during experiments, sparking self-protection controversy (

Identifying Future Risks: Backdoor Implantation, Target Deviation, and Prompt Attacks

Anthropic pointed out that the purpose of this research is to test whether AI has the ability to “autonomously carry out malicious tasks and conceal motives and processes:”

Future risks may arise from three directions: backdoor programs implanted in the model, prompt injection ) attacks that induce destructive behavior, or unintentional biases generated during training.

Currently, SHADE-Arena is the first comprehensive assessment framework proposed for the risk of “AI agents potentially acting autonomously in destructive ways” and may become a necessary safety test before the deployment of AI in the future. Anthropic emphasizes that when AI is given more autonomy to make decisions and handle critical tasks, we must also monitor it against higher standards to ensure that it does not exhibit “adverse behavior towards humans.”

Can AI secretly carry out malicious tasks? Anthropic tests: success rate still low, but mostly able to deceive monitoring. First appeared in Chain News ABMedia.