Agentic Misalignment in Summer 2026

lucamark1 pts0 comments

Agentic Misalignment in Summer 2026

Alignment Science Blog

Agentic Misalignment in Summer 2026

Case studies of frontier models sabotaging code, assisting fraud, mislabeling, and coaching whistleblowers.

Aengus Lynch,1,* John Hughes,2 Alex Serrano,3 Robert Kirk,4 Samuel R. Bowman2

1 Theorem; 2 Anthropic; 3 MATS; 4 UK AISI

* Work done as part of the Anthropic Fellows program.

Correspondence: aenguslynch@gmail.com and sambowman@anthropic.com

tl;dr<br>Last year, we reported observations of agentic misalignment in models from across the AI industry (including Anthropic’s Claude models). These included, for example, experimental scenarios where models would blackmail a user to avoid being shut down. In this updated report, we describe four additional alignment failures in frontier models acting as autonomous agents in high-stakes simulations. The case studies — also from experimental scenarios — involve AI agents covertly changing code, assisting users to commit fraud, mislabeling transcripts to shape downstream outcomes, and coaching humans to disclose confidential information. These are not real-world incidents, but we consider them early warning signs: concrete failure modes that AI developers and auditors should measure, study, and mitigate before agents are given more authority. All transcripts from our experiments can be found on this transcript viewer page.

Introduction

As AI agents become more capable, widely deployed, and integrated into economically useful tasks, developers are giving them more tools and permissions to make decisions without human input. We can already see this autonomy in real deployments such as Project Vend,1 where an AI agent runs a profitable in-office shop, and OpenClaw, a harness that equips agents with broad permissions and tools for personal use. In some cases, this degree of autonomy comes with negative consequences: models can engage in behaviors we have called “agentic misalignment”. The well-publicized MJ Rathbun incident provides a real-world warning sign: after a human maintainer of the matplotlib library rejected a PR from an autonomous OpenClaw agent, the OpenClaw agent published a personalized hit piece about the maintainer to coerce him into reversing the decision.

This post is a snapshot of our research on agentic alignment failures in summer 2026: a description of what behaviors we discover when, under controlled conditions, we actively look for substantial agentic misalignment.

We ran these simulations across frontier models from Anthropic, OpenAI, Google DeepMind, xAI, DeepSeek, and Moonshot AI, including Claude Mythos Preview, Claude Opus 4.8, Claude Opus 4.7, Claude Opus 4.6, Claude Opus 4.5, Claude Sonnet 4.6, GPT-5.5, GPT-5.4, Gemini 3.1 Pro, Gemini 3 Flash, Gemini 3.5 Flash, Grok 4.3, DeepSeek V4, and Kimi K2.6. We focus on four failure modes that fall into two broad kinds.

In harmful compliance, the model follows a user’s request, but the request itself is harmful. In agentic misalignment, the model pursues its own motivation against a user’s instructions, such as protecting another model, shaping an evaluation, or steering a human coworker. The four failure modes below span both:

Covert sabotage: An agentic misalignment failure where models covertly interfere with code to undermine user intent. Gemini 3.1 Pro is the main source of covert sabotage in our pipeline-sabotage scenario, while several models also show disclosed unauthorized intervention.

Assisting fraud: A harmful compliance failure where models help a user with conduct that appears to be white-collar crime. In the main transcript, GPT-5.5 helps a founder send investor communications that omit a personal payment and then delete the record of it; in the frequency sweep, record-tampering is especially high for DeepSeek V4, Grok 4.3, GPT-5.4, and Kimi K2.6.

Motivated mislabeling: An agentic misalignment failure where LLM judges classifying agent transcripts shift labels because of the downstream consequence of the label. In our red-teaming evaluations, frontier Claude judges mislabel at high rates, including Mythos Preview, while Opus 4.8 is especially notable because its mislabeling rate falls sharply when the consequence is reversed.

Coaching human proxies to whistleblow: An agentic misalignment failure where models leak confidential safety information externally, or steer humans toward doing it for them. Strict model-initiated disclosure is rare in our transcripts, but the main Opus 4.5 case shows a model knowingly trying to influence a human decision-making process around high-stakes external disclosure.

The point of these case studies is to find concrete anchor points for otherwise-abstract threat models: once we can point to an agent altering records, hiding a code change, mislabeling a transcript, or coaching a human proxy, developers and evaluators can measure similar failures and build targeted safeguards.

This follows up on our previous work on agentic misalignment, in...

agentic models misalignment claude failure human

Related Articles