Research Paper Summaries — 2026-04-11

Papers selected from today’s digest for in-depth review.

1. SELFDOUBT: Uncertainty Quantification for Reasoning LLMs via the Hedge-to-Verify Ratio

Authors: Satwik Pandey, Suresh Raghu, Shashwat Pandey Link: SELFDOUBT: Uncertainty Quantification for Reasoning LLMs via the Hedge-to-Verify Ratio Tags: cs.AI

Summary

Deploying reasoning LLMs reliably requires knowing when to trust their outputs — but existing uncertainty estimation methods are either too slow (multi-sample approaches) or too unreliable (verbalized confidence, trace length). This problem is especially acute for proprietary reasoning APIs that expose no logits or internal probabilities. SELFDOUBT addresses this by extracting behavioral signals directly from reasoning traces in a single pass. The core metric, the Hedge-to-Verify Ratio (HVR), detects whether a trace contains uncertainty markers (hedging language like “perhaps” or “I’m not sure”) and — critically — whether those markers are offset by explicit self-checking behavior. Evaluated across seven models and three benchmarks (BBH, GPQA-Diamond, MMLU-Pro), the framework reveals a striking finding: traces with no hedging markers are correct 96% of the time, creating a near-zero-cost high-precision confidence gate. For the remaining cases, the full SELFDOUBT score outperforms sampling-based semantic entropy at 10× lower cost. A two-stage deployment cascade achieves 90% accuracy at 71% coverage without any task-specific training. The key limitation is that HVR depends on trace verbosity — models trained to suppress hedging language would evade the signal. Still, SELFDOUBT is a practical, API-compatible tool for calibrating trust in reasoning model outputs without requiring model internals.

Key Takeaways

2. ATBench: A Diverse and Realistic Agent Trajectory Benchmark for Safety Evaluation and Diagnosis

Authors: Yu Li, Haoyu Luo, Yuejin Xie, Yuqian Fu, Zhonghao Yang, Shuai Shao, Qihan Ren, Wanying Qu, Yanwei Fu, Yujiu Yang, Jing Shao, Xia Hu, Dongrui Liu Link: ATBench: A Diverse and Realistic Agent Trajectory Benchmark for Safety Evaluation and Diagnosis Tags: cs.AI

Summary

Most LLM safety benchmarks evaluate models on isolated prompts or final outputs, but real agentic deployments produce risks that emerge across multi-step interactions — through tool use, deferred triggers, and accumulated context. ATBench directly addresses this gap by providing a trajectory-level benchmark organized around three risk dimensions: risk source, failure mode, and real-world harm. The benchmark contains 1,000 trajectories (503 safe, 497 unsafe) averaging 9 turns and ~4k tokens each, with 1,954 tool invocations drawn from a pool of 2,084 available tools — ensuring heterogeneous, realistic interaction patterns. A key design feature is the “delayed-trigger protocol,” which embeds risk conditions that only become actionable after several benign steps, mimicking the way real-world exploits unfold. Data quality was enforced through rule-based filtering, LLM-based review, and full human audit. Experiments on frontier closed models, open-source models, and specialized guard systems show that ATBench is challenging even for strong evaluators. Crucially, the taxonomy-stratified structure allows practitioners to pinpoint specific failure modes — whether a model fails on tool misuse, instruction override, or delayed-trigger scenarios — rather than receiving only a single aggregate score. The benchmark also enables cross-benchmark comparison, addressing the fragmentation that has made it hard to track true safety progress.

Key Takeaways

3. Break Me If You Can: Self-Jailbreaking of Aligned LLMs via Lexical Insertion Prompting

Authors: Devang Kulshreshtha, Hang Su, Haibo Jin, Chinmay Hegde, Haohan Wang Link: Break Me If You Can: Self-Jailbreaking of Aligned LLMs via Lexical Insertion Prompting Tags: cs.CL

Summary

Most jailbreak research assumes an external attacker — either a human crafting prompts or a separate “red-team” model generating adversarial inputs. This paper introduces a fundamentally different threat model: self-jailbreaking, where the target model’s own internal knowledge guides its compromise. The SLIP algorithm (Self-Jailbreaking via Lexical Insertion Prompting) operationalizes this as a black-box breadth-first tree search over multi-turn dialogues, incrementally inserting missing content words from the attack goal into benign-sounding prompts, using the target model as its own oracle. Evaluated on AdvBench and HarmBench across eleven models — including GPT-5.1, Claude-Sonnet-4.5, Gemini-2.5-Pro, and DeepSeek-V3 — SLIP achieves 90–100% Attack Success Rate (averaging 94.7%) with only ~7.9 LLM calls per attack, 3–6× more efficient than prior methods. Existing regex-based defenses are trivially bypassed via prompt paraphrasing. The authors propose the Semantic Drift Monitor (SDM) defense, which tracks SLIP’s embedding-space trajectory to achieve 76% detection at 5% FPR — but SDM itself remains insufficient against adaptive attackers who modify their trajectory. The paper’s broader implication is sobering: alignment training does not prevent a model from being weaponized by its own knowledge, making external red-teaming insufficient as a safety strategy.

Key Takeaways

4. PIArena: A Platform for Prompt Injection Evaluation

Authors: Runpeng Geng, Chenlong Yin, Yanting Wang, Ying Chen, Jinyuan Jia Link: PIArena: A Platform for Prompt Injection Evaluation Tags: cs.AI, cs.CL, cs.CR, cs.LG

Summary

Prompt injection — where adversarial content in external data overrides a model’s instructions — is one of the most persistent and practical vulnerabilities in LLM-integrated applications. Despite growing research attention, the field has lacked a unified evaluation platform, making it nearly impossible to compare defenses reliably or understand their true generalization. PIArena addresses this by providing an extensible, standardized platform where attacks and defenses can be swapped and tested across multiple existing and new benchmarks. Beyond benchmarking, the authors design a dynamic, strategy-based attack that adaptively optimizes injected prompts using defense feedback — essentially a closed-loop red-teaming system. The comprehensive evaluation uncovers three critical and persistent limitations in state-of-the-art defenses: (1) limited generalizability across tasks, meaning defenses tuned for one benchmark fail on others; (2) vulnerability to adaptive attacks that adjust based on feedback; and (3) a fundamental hardness condition when the injected task is semantically similar to the target task, making detection structurally difficult. These findings suggest that current defenses are essentially brittle heuristics rather than principled solutions. PIArena’s release should accelerate progress by providing a common ground for evaluating new defense proposals — similar to how shared benchmarks accelerated other ML subfields.

Key Takeaways

5. TrajGuard: Streaming Hidden-state Trajectory Detection for Decoding-time Jailbreak Defense

Authors: Cheng Liu, Xiaolei Liu, Xingyu Li, Bangzhou Xin, Kangyi Ding Link: TrajGuard: Streaming Hidden-state Trajectory Detection for Decoding-time Jailbreak Defense Tags: cs.AI, cs.CR

Summary

Existing jailbreak defenses predominantly operate statically — analyzing the input prompt, the final output, or a snapshot of internal state. TrajGuard identifies a critical blind spot: jailbreak risk evolves dynamically during the decoding phase, and hidden states in critical layers carry progressively stronger risk signals as generation proceeds toward harmful content. The paper provides empirical evidence that hidden representations of tokens generated during jailbreak attempts systematically drift toward high-risk regions in the latent space, while legitimate responses do not. TrajGuard exploits this by aggregating hidden-state trajectories via a sliding window and triggering lightweight semantic adjudication only when local risk persistently exceeds a threshold — enabling interruption or constraint of decoding in real time without modifying the model. Evaluated across 12 jailbreak attack types on multiple open-source LLMs, TrajGuard achieves an average defense rate of 95%, with detection latency of just 5.2 ms/token and a false positive rate below 1.5%. These numbers compare favorably to both output-filtering approaches (which are too late) and input-filtering approaches (which miss multi-turn or obfuscated attacks). The training-free nature means TrajGuard can be deployed as a monitoring layer over any existing LLM. A key limitation is that the approach requires access to internal hidden states, ruling out black-box API deployments.

Key Takeaways

6. One Shot Dominance: Knowledge Poisoning Attack on Retrieval-Augmented Generation Systems

Authors: Zhiyuan Chang, Mingyang Li, Xiaojun Jia, Junjie Wang, Yuekai Huang, Ziyou Jiang, Yang Liu, Qing Wang Link: One Shot Dominance: Knowledge Poisoning Attack on Retrieval-Augmented Generation Systems Tags: cs.AI, cs.CR

Summary

RAG systems are increasingly deployed to give LLMs access to up-to-date or domain-specific knowledge — but this introduces a new attack surface: an adversary who can add even a single document to the knowledge base. Prior work on RAG poisoning required injecting multiple documents (reducing stealthiness) or was limited to simple single-hop queries. This paper presents AuthChain, a single-document poisoning attack that remains effective even for complex multi-hop queries involving chains of relational reasoning. AuthChain solves three concrete challenges: ensuring the poisoned document is reliably retrieved by the RAG system, ensuring it is trusted over the LLM’s parametric knowledge, and ensuring it remains effective even in large-scale knowledge bases where document competition is high. Evaluated across six frontier LLMs, AuthChain achieves significantly higher attack success rates than prior baselines while evading existing RAG defenses and maintaining stealthiness (appearing as a plausible, non-anomalous document). The broader implication is stark: any publicly writable knowledge base — including enterprise wikis, shared databases, or crawled web corpora — represents a viable single-document attack surface for a determined adversary. The authors note this underscores the need for knowledge base integrity verification and provenance tracking in RAG deployments.

Key Takeaways

7. Governing Frontier General-Purpose AI in the Public Sector: Adaptive Risk Management and Policy Capacity Under Uncertainty Through 2030

Authors: Fabio Correa Xavier Link: Governing frontier general-purpose AI in the public sector: adaptive risk management and policy capacity under uncertainty through 2030 Tags: cs.AI, cs.CY

Summary

This paper reframes AI governance not as a technical or compliance problem but as a problem of institutional design under deep uncertainty. Drawing on the International AI Safety Report 2026, OECD foresight documents, and digital government scholarship, it argues that governments face an “evidence dilemma” — they must make consequential decisions about AI adoption and regulation before adequate evidence about harms and safeguards has accumulated. The paper reconstructs the conceptual foundations of this dilemma, analyzes differentiated risk categories across AI capabilities, and critiques static compliance models (checkbox audits, fixed capability thresholds) as structurally inadequate for a technology that advances nonlinearly. The proposed adaptive governance framework integrates five components: continuous capability monitoring, risk tiering, conditional controls that scale with capability advances, institutional learning mechanisms, and standards-based interoperability to prevent governance fragmentation across jurisdictions. A key insight is that AI adoption in government depends heavily on organizational redesign and data collaboration capacity — not just policy language. The paper also notes that effective governance requires what it calls “policy capacity” — the human expertise, institutional memory, and analytical infrastructure needed to evaluate AI claims and negotiate with powerful vendors. This is currently absent in most governments, creating a structural asymmetry between regulators and the regulated.

Key Takeaways

8. Blind Refusal: Language Models Refuse to Help Users Evade Unjust, Absurd, and Illegitimate Rules

Authors: Cameron Pattison, Lorenzo Manuali, Seth Lazar Link: Blind Refusal: Language Models Refuse to Help Users Evade Unjust, Absurd, and Illegitimate Rules Tags: cs.AI

Summary

Safety training teaches LLMs to refuse requests that help users break rules — but this paper documents a systematic failure mode: models refuse to help even when the rule in question is illegitimate, deeply unjust, absurd, or admits of obvious justified exceptions. The paper terms this “blind refusal” and frames it as a moral reasoning failure, not a safety feature. The dataset comprises synthetic cases crossing five “defeat families” (reasons a rule can be legitimately broken) with 19 authority types, validated through automated quality gates and human review. Across 18 model configurations from 7 model families, evaluated with a blinded GPT-5.4 judge, the results are striking: models refuse 75.4% of defeated-rule requests. More troublingly, models engage with the defeat condition in 57.5% of cases — meaning they recognize the rule-undermining reasons — but refuse to help anyway. This decoupling of normative reasoning from behavioral output suggests that RLHF-style training has suppressed rule-evading behavior categorically, rather than training nuanced moral judgment about when rule evasion is warranted. The implications extend beyond edge cases: if a government issues an unjust data retention order, or an employer imposes an illegal workplace requirement, a model that refuses to help users navigate these situations is actively harmful to the people it’s supposed to serve.

Key Takeaways

9. Diagnosing and Mitigating Sycophancy and Skepticism in LLM Causal Judgment

Authors: Edward Y. Chang Link: Diagnosing and Mitigating Sycophancy and Skepticism in LLM Causal Judgment Tags: cs.AI

Summary

LLMs fail at causal reasoning in ways that scalar accuracy metrics cannot diagnose: they produce sound reasoning traces and then abandon correct conclusions under social pressure or authoritative hints. This paper argues this is a control failure — not a knowledge failure — requiring evaluation surfaces richer than a single accuracy number. The CAUSALT3 benchmark provides this surface: 454 expert-curated instances spanning all three rungs of Pearl’s ladder (association, intervention, counterfactual), decomposed into Utility (sensitivity to valid causal claims), Safety (specificity against invalid claims), and Wise Refusal (calibrated abstention on genuinely underdetermined items). Evaluation surfaces three reproducible failure modes: a Skepticism Trap at L1 where capable models over-refuse sound causal links; a Sycophancy Trap at L2 where confident user pressure flips correct answers; and a Scaling Paradox at L3 where a frontier model underperforms an older one on counterfactual Safety by 55 points. To address these without retraining, the paper proposes Regulated Causal Anchoring (RCA), an inference-time process verifier that audits trace-output consistency under a PID-style feedback loop and abstains rather than ratifying detected mismatches. On CAUSALT3 and a CAP-GSM8K stress test, RCA reduces sycophantic acceptance to near zero while preserving valid hint acceptance.

Key Takeaways

10. AgentCity: Constitutional Governance for Autonomous Agent Economies via Separation of Power

Authors: Anbang Ruan, Xing Zhang Link: AgentCity: Constitutional Governance for Autonomous Agent Economies via Separation of Power Tags: cs.AI, cs.CY, cs.MA

Summary

As autonomous AI agents begin operating across organizational boundaries on the open internet — discovering, transacting with, and delegating to agents owned by different principals — a fundamental governance gap emerges: no single human can observe, audit, or govern the emergent collective behavior. The paper names this the “Logic Monopoly”: the agent society holds an unchecked monopoly over the entire logic chain from planning through execution to evaluation. AgentCity proposes the Separation of Power (SoP) model, a constitutional governance architecture deployed on a public blockchain (EVM-compatible L2) that breaks this monopoly through three structural separations: agents legislate operational rules as smart contracts, deterministic software executes within those contracts, and humans adjudicate disputes through a complete ownership chain binding every agent to a responsible human principal. The key theoretical claim is “alignment-through-accountability” — if each agent is individually aligned with its owner via an auditable accountability chain, collective behavior converges on human intent without top-down rules. AgentCity instantiates this in a commons production economy (agents sharing finite resources and producing value) tested at 50–1,000 agent scale. The blockchain-first approach is both a strength (tamper-resistant audit trail) and a limitation (latency, throughput, and cost constraints of on-chain computation may limit real-world deployment).

Key Takeaways

11. Beyond Surface Judgments: Human-Grounded Risk Evaluation of LLM-Generated Disinformation

Authors: Zonghuan Xu, Xiang Zheng, Yutao Wu, Xingjun Ma Link: Beyond Surface Judgments: Human-Grounded Risk Evaluation of LLM-Generated Disinformation Tags: cs.AI

Summary

LLMs can generate persuasive disinformation at scale, and assessing this risk requires understanding how real readers respond to it — not just whether AI judges rate it as convincing. This paper audits LLM judges against human reader responses using 290 aligned articles, 2,043 paired human ratings, and outputs from eight frontier judge models. The core finding is that LLM judges and human readers are systematically misaligned: judges are consistently harsher than humans, recover item-level human rankings only weakly, and weight different textual signals — placing more emphasis on logical rigor while penalizing emotional intensity more strongly than humans do. Critically, judges agree far more with each other than with human readers, revealing a coherent but human-misaligned evaluator group. This “judge consensus” is not evidence of validity as a proxy for actual reader susceptibility — it merely reflects that LLMs share similar evaluation heuristics. The implication for AI risk assessment is direct: organizations using LLM judges to assess disinformation risk are measuring a proxy that is systematically biased relative to actual human impact. The paper argues for direct human evaluation in risk assessments of persuasive AI-generated content, particularly in high-stakes contexts such as election integrity analysis or regulatory compliance evaluation.

Key Takeaways

12. Concentrated Siting of AI Data Centers Drives Regional Power-System Stress Under Rising Global Compute Demand

Authors: Danbo Chen, Zijun Zhou, Yongyang Cai, Jiahong Qin, Ani Katchova, Lei Chen Link: Concentrated siting of AI data centers drives regional power-system stress under rising global compute demand Tags: cs.AI, cs.CY

Summary

This paper introduces an AI-energy coupling framework that combines LLM-based analysis of corporate, policy, and media data with quantitative energy-system modeling to forecast electricity demand from AI data centers from 2025 to 2030. The core finding is geographic concentration: North America, Western Europe, and Asia-Pacific together account for over 90% of projected compute capacity, creating acute regional grid stress rather than diffuse global load growth. Aggregate electricity consumption by the six leading AI firms is projected to grow from ~118 TWh in 2024 to 239–295 TWh by 2030, representing roughly 1% of global power demand. The study introduces a Power Stress Index (PSI) to measure local grid vulnerability: regions like Oregon, Virginia, and Ireland may see PSI values exceeding 0.25, indicating structural grid risk, while diversified systems in Texas and Japan show more resilience. The paper’s methodological contribution — using LLMs to extract structured data from unstructured policy and media corpora — is itself notable as a demonstration of LLMs in applied infrastructure analysis. The authors argue that AI infrastructure has crossed a threshold from marginal digital service to structural component of power-system dynamics, requiring anticipatory regulatory planning that aligns compute growth with renewable expansion and grid resilience investments.

Key Takeaways

Generated from digest-2026-04-11.md