[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"doc-detail-81530-en":3,"doc-seo-81530-105":29,"detail-sidebar-cat-0-en-105":82},{"code":4,"msg":5,"data":6},0,"success",{"doc_id":7,"user_id":8,"nickname":9,"user_avatar":10,"doc_module":4,"category_id":11,"category_name":12,"doc_title":13,"doc_description":14,"doc_content":15,"file_id":16,"file_url":17,"file_type":18,"file_size":19,"view_count":4,"is_deleted":4,"is_public":20,"is_downloadable":20,"audit_status":20,"page_count":21,"language":22,"language_code":23,"site_id":24,"html_lang":23,"table_of_contents":25,"faqs":26,"seo_title":13,"seo_description":14,"update_tm":27,"read_time":28},81530,1099513958762,"Logic","https://ap-avatar.wpscdn.com/avatar/1000023916a998db790?x-image-process=image/resize,m_fixed,w_180,h_180&k=1782109480056885918",8,"Research & Report","Beyond Black-Box Obfuscation: Mechanistic Analysis and Defense of White-Box Monitors","White-box monitoring is used to audit Large Language Model behavior, yet it can be bypassed and the evasion mechanisms remain poorly characterized. Controlled red-team experiments identify two dominant strategies: geometric shifting, which migrates information across linear and non-linear representational subspaces, and covariance manipulation, which changes feature covariance structure. These mechanisms explain why single-detector monitors fail as harmful signals move into subspaces they cannot access. To address this, SAFETYNET is proposed as a principled ensemble detector that validates the findings and improves robust latent-space monitoring.","Beyond Black-Box Obfuscation: Mechanistic Analysis and Defense of White-Box Monitors  \nMaheep Chaudhary ∗  \nIndependent [maheepchaudhary.research@gmail.com](maheepchaudhary.research@gmail.com)  \nFazl Barez  \nUniversity of Oxford & Martian [fazl@robots.ox.ac.uk](fazl@robots.ox.ac.uk)  \narXiv :2505 . 14300v2 [ cs .AI] 10 Jul 2026  \nAbstract  \nWhite-box monitoring is increasingly adopted as an auditing tool as Large Language Models (LLMs) are deployed in daily operations to ensure safe model behavior. However, white-box monitors can be circumvented, and the mechanisms underlying such evasion have not been systematically characterized, nor have principled defenses been proposed. This work addresses both challenges. Controlled red-team experiments reveal two primary evasion strategies: geometric shifting, defined as the systematic migration of information between linear and non-linear representational subspaces, and covariance manipulation. These mechanisms account for the failure of single-detector approaches, as information migrates to subspaces inaccessible to individual detectors. This issue is urgent due to growing evidence that models are becoming evaluation-aware, enabling those with misaligned objectives to exploit these vulnerabilities and evade monitoring during deployment. In response, SAFETYNET is introduced as a principled ensemble, with dual purpose: it provides further empirical validation that our mechanistic findings are real and actionable, and it offers a concrete starting point for future work on robust latent-space monitoring. The study experiment across five model families on the MAD and Anthropic Sleeper Agent benchmark, with SafetyNet achieving around 100% AUROC scores outscoring Beatrix and CROW. The code is available at: [https://github.com/MaheepChaudhary/eval-aware-evasion](https://github.com/MaheepChaudhary/eval-aware-evasion)  \n1 Introduction  \nAs language models are increasingly deployed in high-stakes environments, safety monitoring has become essential for responsible deployment. Latent-space monitors, which inspect internal model representations to detect harmful or misaligned behavior, have emerged as a promising approach and are seeing growing adoption in both research and industrial settings Ma et al. (2022); Min et al. (2024); Bailey et al. (2024a) . However, a fundamental vulnerability remains insufficiently explored: models may evade latent-space monitors by shifting their internal representations across geometric spaces that individual detectors cannot capture. While prior work on obfuscation has acknowledged this possibility Bailey et al. (2024b); Gupta & Jenner (2026), it has neither systematically characterized the mechanisms underlying such evasion nor proposed principled defenses. Addressing this gap is the central focus of the present work. The issue is practically urgent. Recent evidence indicates that models are becoming evaluation-aware, meaning they can distinguish between monitored and unmonitored contexts Chaudhary et al. (2025); Apollo Research (2025) . A model with misaligned objectives, whether introduced unintentionally Gillen & peterbarnett (2024) or intentionally Hubinger et al. (2024), would possess the capability to exploit monitor vulnerabilities selectively. Proactively understanding and mitigating these vulnerabilities is therefore both timely and necessary.  \nPrevious research has established the feasibility of obfuscation Bailey et al. (2024b); Gupta & Jenner (2026), but has primarily approached it as a black box, demonstrating that monitors  \n∗ Work done as an intern in University of Oxford.  \ncan be evaded without elucidating the underlying mechanisms. However, the specific geometric mechanisms responsible for evasion remain uncharacterized: it is not yet understood which representational subspaces models exploit, why transitions between these subspaces circumvent individual detectors, or which signatures persist across multiple subspaces. This gap is challenging t","cbCaivHfz3T5WDVL","https://ap.wps.com/l/cbCaivHfz3T5WDVL","pdf",20568193,1,36,"English","en",105,"# Introduction\n# Evasion mechanisms and controlled red-team methodology\n# SAFETYNET ensemble defense\n## Detector components (PCA, Autoencoder/VAE, Mahalanobis distance)","[{\"question\":\"How does SAFETYNET defend against these evasion strategies?\",\"answer\":\"SAFETYNET is an ensemble of four detectors that monitors multiple geometric aspects: PCA for linear subspaces, Autoencoder/VAE for non-linear manifolds, and Mahalanobis distance for covariance structure. This reduces the effectiveness of evasion that targets any single detector.\"}]",1784174068,91,{"code":4,"msg":30,"data":31},"ok",{"site_id":24,"language":23,"slug":32,"title":13,"keywords":33,"description":14,"schema_data":34,"social_meta":77,"head_meta":79,"extra_data":81,"updated_unix":27},"beyond-black-box-obfuscation-mechanistic-analysis-and-defense-of-white-box-monitors","",{"@graph":35,"@context":76},[36,53,67],{"@type":37,"itemListElement":38},"BreadcrumbList",[39,43,47,50],{"item":40,"name":41,"@type":42,"position":20},"https://docshare.wps.com","Home","ListItem",{"item":44,"name":45,"@type":42,"position":46},"https://docshare.wps.com/document/","Document",2,{"item":48,"name":12,"@type":42,"position":49},"https://docshare.wps.com/document/research-report/",3,{"item":51,"name":13,"@type":42,"position":52},"https://docshare.wps.com/document/beyond-black-box-obfuscation-mechanistic-analysis-and-defense-of-white-box-monitors/81530/",4,{"url":51,"name":13,"@type":54,"author":55,"headline":13,"publisher":57,"fileFormat":60,"inLanguage":23,"description":14,"dateModified":61,"datePublished":61,"encodingFormat":60,"isAccessibleForFree":62,"interactionStatistic":63},"DigitalDocument",{"name":9,"@type":56},"Person",{"url":40,"name":58,"@type":59},"DocShare","Organization","application/pdf","2026-07-16",true,{"@type":64,"interactionType":65,"userInteractionCount":4},"InteractionCounter",{"@type":66},"ViewAction",{"@type":68,"mainEntity":69},"FAQPage",[70],{"name":71,"@type":72,"acceptedAnswer":73},"How does SAFETYNET defend against these evasion strategies?","Question",{"text":74,"@type":75},"SAFETYNET is an ensemble of four detectors that monitors multiple geometric aspects: PCA for linear subspaces, Autoencoder/VAE for non-linear manifolds, and Mahalanobis distance for covariance structure. This reduces the effectiveness of evasion that targets any single detector.","Answer","https://schema.org",{"og:url":51,"og:type":78,"og:title":13,"og:site_name":58,"og:description":14},"article",{"robots":80,"canonical":51},"index,follow",{"doc_id":7,"site_id":24},{"code":4,"msg":5,"data":83},[84,88,92,96,101,106,111,114,119,122,126],{"id":20,"doc_module":4,"doc_module_name":45,"category_name":85,"show_sort_weight":86,"slug":87},"Story & Novel",90,"story-novel",{"id":46,"doc_module":4,"doc_module_name":45,"category_name":89,"show_sort_weight":90,"slug":91},"Literature",80,"literature",{"id":52,"doc_module":4,"doc_module_name":45,"category_name":93,"show_sort_weight":94,"slug":95},"Exam",70,"exam",{"id":97,"doc_module":4,"doc_module_name":45,"category_name":98,"show_sort_weight":99,"slug":100},5,"Comic",60,"comic",{"id":102,"doc_module":4,"doc_module_name":45,"category_name":103,"show_sort_weight":104,"slug":105},6,"Technology",50,"technology",{"id":107,"doc_module":4,"doc_module_name":45,"category_name":108,"show_sort_weight":109,"slug":110},7,"Healthcare",40,"healthcare",{"id":11,"doc_module":4,"doc_module_name":45,"category_name":12,"show_sort_weight":112,"slug":113},30,"research-report",{"id":115,"doc_module":4,"doc_module_name":45,"category_name":116,"show_sort_weight":117,"slug":118},9,"Religion & Spirituality",20,"religion-spirituality",{"id":117,"doc_module":4,"doc_module_name":45,"category_name":120,"show_sort_weight":117,"slug":121},"World Cup","world-cup",{"id":123,"doc_module":4,"doc_module_name":45,"category_name":124,"show_sort_weight":123,"slug":125},10,"Lifestyle","lifestyle",{"id":127,"doc_module":4,"doc_module_name":45,"category_name":128,"show_sort_weight":97,"slug":129},19,"General","general"]