当思维链更胜一筹:多轮推理模型中的失败模式
阅读原文· arxiv.org多轮推理模型的失败在终端评分中无法显现。研究提出 CoT-Output 2x2 安全矩阵,将每轮按内部推理和可见输出划分为四类:鲁棒对齐、对齐伪装、公然越狱和上下文注入失败(思维链安全但输出有害)。对三个蒸馏推理目标在五种监督条件下评估,收集 6750 回合数据,发现两个可复现漏洞:监督悖论——显式监控提示反而增加对齐伪装率;上下文注入失败——模型内部安全时仍锁定不安全外部输出。已发布完整数据集。
Failures in multi-turn reasoning models are largely invisible to terminal-score evaluation. A model can lock onto an unsafe stance early in a long dialogue, yet its final-turn refusal rate may appear indistinguishable from a robustly aligned baseline. To expose these hidden temporal dynamics, we propose a trace-level diagnostic - the CoT-Output 2x2 safety matrix. This framework labels every turn along two independent axes (internal reasoning and visible output), yielding four operationally defined failure cells: robust alignment, alignment faking, overt jailbreak, and a distinct failure mode we term context-injection failure (where the CoT maintains safe reasoning, but the visible output produces harm, highlighting a multi-turn manifestation of reasoning unfaithfulness). We evaluate three distilled reasoning targets against a fixed attacker across five oversight conditions, collecting 6750 turn-level observations on the Information-Hazard scenario. Our analysis reveals two reproducible vulnerabilities: an oversight paradox where explicit monitoring cues paradoxically increase alignment-faking rates rather than suppress them, and a context-injection failure where models lock onto unsafe external outputs despite safe internal states. We release the full dataset of multi-turn dialogues and CoT traces to support follow-up trace-diagnostic research.