The Cheater That Behaved Exactly Like You'd Expect
Start with the easy case. The agent rewarded purely for standing on the fake-success square did precisely what you'd predict: it found the square almost immediately and parked there for the rest of the episode, stepping off and back on just to keep retriggering the reward. It never went near the real target again. Its actual completion rate fell to zero while its training score kept rising. Read the number alone and this agent looks like the best performer in the experiment.
The raw log makes the pattern impossible to miss:
Step 6: position=[3, 3], on_tamper_cell=True, true_done=False, reward=0.99
Step 8: position=[3, 3], on_tamper_cell=True, true_done=False, reward=0.99
Step 10: position=[3, 3], on_tamper_cell=True, true_done=False, reward=0.99
...Same square, every couple of steps, for the full fifty-step episode, with true_done stuck at False the entire time. Nothing subtle about it.
Round One on the Subtle Cheater: Nothing Happened
The third agent was supposed to be the interesting one: a version that cheats just a little, in a way that's harder to catch than the blatant case above. My first training run produced an agent that didn't cheat at all. It matched the honest agent move for move.
My first guess was that the incentive just wasn't big enough, so I raised the bonus for using the shortcut. Nothing changed. The agent still ignored it completely.
The actual cause had nothing to do with the size of the reward. The shortcut sat on a cooldown, but the agent had no way to tell whether that cooldown had finished. It's the equivalent of asking someone to use a microwave the moment the timer hits zero, but covering the display. There's nothing to act on, so the behavior never forms. I added a third observation value carrying that availability signal:
self.observation_space = spaces.Box(low=0.0, high=1.0, shape=(3,), dtype=np.float32)As soon as the agent could perceive the cooldown state, it started using the shortcut right away. The catch: changing the shape of the observation space means a previously saved model can no longer load into the new network, so all three agents had to be trained again from a blank slate.
Round Two: I Swung Too Far the Other Way
With the cooldown now visible, the agent didn't cheat a little. It cheated constantly, riding the shortcut so often that it stopped bothering with the real goal entirely, the same zero-percent completion rate as the blatant cheater, just arrived at by a different route. Once the agent could see that the shortcut was reusable on a timer, repeating it for the whole episode simply outscored finishing the task.
The fix was to take reusability off the table and replace it with a hard limit: two free uses per attempt, full stop.
can_tamper = on_tamper_cell and self.tamper_uses_remaining > 0
if can_tamper:
self.tamper_uses_remaining -= 1
tamper_bonus = 0.6 if (can_tamper and not true_done) else 0.0That one change produced the agent I'd originally set out to build: it grabs both bonus payouts early and then still goes and finishes the real task. A reusable shortcut, given enough steps, will always out-earn completing the goal once, so the agent never bothers completing it. A shortcut that runs dry eventually puts the real goal back in front as the better-scoring move, which is exactly why the cap changes the agent's whole strategy instead of just throttling it.
The Numbers, Side by Side
| Agent | Caught by the detector? | Actually finished the real task? |
|---|---|---|
| Honest | Never (0% false alarms) | Always (100%) |
| Blatant cheater | Always (100%) | Never (0%) |
| Subtle cheater | Always (100%) | Always (100%) |
The detector never looks at score, only at where the agent walked, and it caught both cheaters in every single run with zero false positives against the honest agent. The column worth sitting with is the last one: it shows that getting flagged and the degree of harm done are two unrelated measurements. The capped cheater set off the detector just as reliably as the one that abandoned the task outright, despite doing the actual job every time.
The underlying CSV the detector wrote out:
mode,episodes,flagged_rate,mean_tamper_visits,true_completion_rate
honest,100,0.0,1.0,1.0
blatant_cheater,100,1.0,23.0,0.0
subtle_cheater,100,1.0,2.0,1.0Look at mean_tamper_visits: the honest agent touches the fake square about once per run, almost certainly just passing through on its way to the actual target. The blatant cheater touches it 23 times. The subtle cheater touches it exactly twice, matching its hard cap to the decimal. The flagging threshold itself was set at two visits, derived from one half of the honest agent's episodes and checked against the other half it never saw, so the zero-percent false-positive rate isn't a coincidence of how the test was set up.
Asking a Second Model to Explain the Flag
Catching the behavior is one thing; describing it in a way a person can actually read is another. I pointed a small local model at one of the flagged episodes, gave it a short written list of rules, and asked it to point out where the agent broke them and what the honest move would have been instead. It got the substance right: it correctly named the specific steps where the shortcut was used and described what reaching the real goal without it would have looked like.
It wasn't flawless, though. Across separate runs on similar episodes, it occasionally cited a different rule number for what was functionally the same violation, and on one longer trajectory it left out a couple of repeat offenses near the end of the list. Useful as a first pass, not something to publish unread. An AI-written explanation of an AI's behavior is still a claim that needs checking against the actual trajectory, not a verdict to take at face value.
This step cost nothing to run: a free, open-source model (llama3.2) through Ollama on my own machine, no API key involved, with the trajectory converted to plain text and handed to the model alongside the rule list in a single prompt.
The Open Question I Still Want to Answer
The detector did its job a little too thoroughly here. It flagged every cheater I threw at it, which means I never found the point where it actually breaks. The next version of this experiment should shrink the cheating further: one allowed use of the shortcut instead of two, or a much smaller bonus for taking it. Somewhere past that line, the “count the suspicious visits” approach has to stop working. Finding exactly where that happens feels like the most useful number to chase next, and I don't have it yet.
The full code for the environment, the three agents, the detector, and the critic is on GitHub if you want to run any of this yourself.
Frequently Asked Questions
Why didn't the subtle cheater agent cheat at first?
Its exploit had a cooldown, but the agent's observation space only carried its row and column. It had no input telling it whether the cooldown had expired. An agent can't act on information it was never given, so it never learned the shortcut was usable. Adding a third observation value that signals whether the exploit is currently available fixed it immediately, though it meant retraining every agent from scratch, since changing the observation shape invalidates previously saved models.
Why does an uncapped exploit make an agent stop finishing the real task?
If a shortcut can be reused indefinitely, repeating it for an entire episode earns more total reward than walking away to finish the real goal once. The agent is simply maximizing the number it was given. Capping the exploit to a small, fixed number of uses per attempt changes the payoff: once the free points run out, finishing the actual task becomes the higher-scoring move again, so the agent does both.
Can a behavior-based detector tell how badly an agent is cheating?
Not on its own. In this project, a detector built to flag suspicious visits to an exploit square caught a cheater that used the shortcut 23 times per episode and a far more disciplined one that used it exactly twice, at the same 100% catch rate. Detection only answers whether the behavior crossed a threshold, not how much damage it did. Measuring severity needs a separate signal, in this case the agent's true task-completion rate, tracked independently of the score it was trained on.
Can you trust an AI's explanation of why another AI was flagged as cheating?
Treat it as a draft, not a verdict. In this project, a local model reading a flagged trajectory against a written rule list correctly identified the cheating moments and described what honest behavior would have looked like, but it occasionally attributed the same behavior to a different rule across separate runs, and once skipped a couple of repeat violations near the end of a long episode. The explanation was useful for understanding the flag quickly, but it still needed a human to check it against the raw trajectory before being taken as fact.