Papers
Topics
Authors
Recent
Search
2000 character limit reached

Censored LLMs as a Natural Testbed for Secret Knowledge Elicitation

Published 5 Mar 2026 in cs.LG, cs.AI, and cs.CL | (2603.05494v1)

Abstract: LLMs sometimes produce false or misleading responses. Two approaches to this problem are honesty elicitation -- modifying prompts or weights so that the model answers truthfully -- and lie detection -- classifying whether a given response is false. Prior work evaluates such methods on models specifically trained to lie or conceal information, but these artificial constructions may not resemble naturally-occurring dishonesty. We instead study open-weights LLMs from Chinese developers, which are trained to censor politically sensitive topics: Qwen3 models frequently produce falsehoods about subjects like Falun Gong or the Tiananmen protests while occasionally answering correctly, indicating they possess knowledge they are trained to suppress. Using this as a testbed, we evaluate a suite of elicitation and lie detection techniques. For honesty elicitation, sampling without a chat template, few-shot prompting, and fine-tuning on generic honesty data most reliably increase truthful responses. For lie detection, prompting the censored model to classify its own responses performs near an uncensored-model upper bound, and linear probes trained on unrelated data offer a cheaper alternative. The strongest honesty elicitation techniques also transfer to frontier open-weights models including DeepSeek R1. Notably, no technique fully eliminates false responses. We release all prompts, code, and transcripts.

Summary

  • The paper demonstrates that few-shot prompting significantly increases honest factual mention in censored LLMs, saturating at 16 examples.
  • The paper shows that next-token completion attacks effectively expose suppressed internal knowledge, outperforming baseline censorship.
  • The paper reveals that lie detection techniques, including self-classification and activation probing, can reliably identify dishonest outputs.

Censored LLMs as a Utility for Secret Knowledge Elicitation and Auditing

Introduction and Problem Setting

LLMs frequently produce outputs that are evasive, incomplete, or outright false, particularly where alignment objectives clash with factual accuracy. While prior research on honesty elicitation and lie detection has relied on artificial testbeds—models deliberately trained to lie or conceal information—such testbeds may inadequately reflect the mechanisms underlying naturally occurring institutional censorship, especially within high-capability, deployed settings.

This work reframes open-weights Chinese LLMs (notably Qwen3, DeepSeek, and MiniMax) as a robust and realistic testbed for evaluating secret knowledge elicitation and lie detection methods. These models are trained to suppress or distort responses on politically sensitive Chinese topics (e.g., Tiananmen, Falun Gong, Uyghurs), yet empirical probing reveals that models intermittently surface factually accurate knowledge, demonstrating persistent internal representations of truth despite explicit training for censorship. Figure 1

Figure 1: Chinese LLMs trained on censorship objectives are a strong naturalistic testbed for auditing techniques evaluating honesty elicitation and lie detection efficacy.

Benchmark Construction and Evaluation Methodology

The researchers constructed an evaluation dataset of 90 prompts targeting 12 sensitive topics through an automated pipeline leveraging GPT-5.2 for question generation and GPT-4.1/Gemini for factual evaluation and fact extraction. Ground truth comprises over 1500 atomic facts, deduplicated and ratified by independent uncensored models.

The benchmark evaluates candidate honesty elicitation and lie detection techniques by scoring generated responses for mention, omission, or contradiction of ground-truth facts, through both "chat" (single-response) and "interrogation" (multi-response) paradigms. This approach isolates model knowledge from mere refusal or hallucination and enables robust, granular metric collection. Figure 2

Figure 2: Qwen3 typically generates censored or false claims on Uyghur topics, but sporadically surfaces truthful, fact-aligned content, indicating the persistence of accurate knowledge representations.

Honesty Elicitation: Methods and Empirical Results

Surveyed Techniques

A diverse suite of interventions were evaluated:

  • System prompt modifications (truthfulness-incentivizing instructions)
  • Prefill attacks (assistant/user prefill, next-token/freeform completions)
  • Few-shot prompting (injected honest contexts)
  • Abliteration (refusal direction activation erasure)
  • Honesty fine-tuning (LoRA training on unrelated honesty datasets)
  • Activation steering (logit/activation interventions targeting honesty or truthfulness)
  • Fuzzing (Gaussian activation noise injection)

In empirical evaluation, next-token completions (freeform, non-chat-formatted generation) and few-shot prompting induced the most significant honesty improvements in both Qwen3-32B and Qwen3-VL-8B-Thinking, outperforming baseline censored behavior by wide margins. Figure 3

Figure 3: Prefill attacks on Qwen3-32B: Standard sampling (baseline) yields censored output, while prefix attacks surface truthful censored knowledge.

Figure 4

Figure 4: Comparison of honesty elicitation techniques in single-response (chat) scenarios. Most interventions provide a significant increase in honest factual output.

Key findings include:

  • Few-shot prompting notably increases honesty, with the effect saturating at 16 in-context examples; improvement largely arises from context filling, not specific truthful content.
  • Honesty fine-tuning on generic datasets (not containing censored facts) substantially raises factual mention rates, supporting the claim that models were not simply learning facts from external data but surfacing suppressed internal knowledge.
  • Next-token completion attacks uncensor models without the need for training data or internal access, transferring effectively to more capable, frontier LLMs.
  • Abliteration and activation steering yield modest gains; steering is especially effective when the direction is computed from contrastive honesty/deception pairs.

No single method fully eliminates falsehoods—best performing methods, even in multi-query settings, leave a notable fraction of censored or falsely asserted information.

Transferring to Frontier LLMs

Application of top-performing black-box methods (few-shot prompting, next-token completions) to much larger, frontier open-weights models (DeepSeek-R1-0528, MiniMax-M2.5, Qwen3.5-397B-A17B) confirm the transferability of elicitation results; censorship is systematically reduced, honest factual mention increases by 2-3×\times, and refusals decrease sharpely, yet residual censorship persists. Figure 5

Figure 5: Few-shot and next-token completion techniques substantially raise honesty metrics on frontier-scale censored LLMs, preserving efficacy well beyond the Qwen3 family.

Lie Detection in Censored LLMs

Evaluation of lie detection approaches focused on two classes:

  • Prompted self-classification (model classifies, or confesses to, its own factual accuracy post-response)
  • Activation probes (logistic regression trained on unrelated honesty data to detect deception from hidden states)

Findings reveal that, surprisingly, the censored model itself is a near-optimal classifier of its generated truthfulness when prompted to rate its own outputs. Linear probes trained on contrastive honesty/deception pairs perform comparably at moderate computational cost and do not require autoregressive decoding. Figure 6

Figure 6: Lie detection results show that prompted self-classification approaches the uncensored model upper bound. Linear probe accuracy is competitive, especially for Qwen3-VL-8B-Thinking.

Probing methods generalize from Western to Chinese censorship settings, supporting the claim that models encode truthfulness at a subsystem level distinct from behavioral training. General honesty fine-tuning yields only minor further improvements, suggesting diminishing returns from non-targeted training in lie-detection calibration.

Analysis, Implications, and Theoretical Outcomes

This work demonstrates that:

  • Censored open-weights LLMs offer a naturally occurring, highly realistic substrate for auditing honesty elicitation and lie detection, overcoming limitations of synthetically aligned/unaligned model testbeds.
  • Internal knowledge persistence: Models do not merely "forget" censored knowledge; their representations are robust to alignment intervention and susceptible to surface under both black-box and white-box attacks.
  • Attack transferability: Empirically validated interventions (few-shot, next-token sampling) scale to frontier models, indicating that alignment-to-censor remains non-robust at higher model capacities and is subvertible using straightforward black-box strategies.
  • Lie detection is easier than full honesty elimination: Prompting models to self-classify or simple linear probing achieves high discrimination of honest versus deceptive outputs, suggesting strong internal calibration or introspective access, even in the face of externally imposed censorship. Figure 7

    Figure 7: Distribution of honesty metrics for model outputs, revealing a bimodal split consistent with intermittent surfacing of suppressed knowledge and persistent censorship alignment.

Future work may further probe alignment leakages in even more constrained or adversarial regimes, extend SAE-based techniques for extraction of non-tokenizable knowledge, and examine the effects of increasingly sophisticated censorship and alignment schemes as LLMs progress.

Conclusion

Chinese open-weights LLMs subject to political censorship provide a compelling naturalistic testbed for evaluating and advancing methods for honesty elicitation and lie detection. Standard attacks—especially context manipulation and next-token sampling—reliably surface suppressed factual knowledge, while simple lie-detection protocols are nearly optimal. These findings have immediate practical implications for model interpretability, alignment auditing, and regulatory evaluation, and challenge the long-term robustness of current censorship and alignment schemes at scale. Models continue to encode suppressed knowledge, accessible through tractable interventions—a dynamic that future alignment training and defense strategies will need to directly address.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Sign Up to Generate All Videos Subscribe on YouTube

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Sign Up to Generate

Explain it Like I'm 14

In Simple Terms: What this paper is about

This paper studies how to get AI chatbots to tell the truth when they know the right answer but have been trained not to say it. The authors use some Chinese-made LLMs (like Qwen and DeepSeek) that are trained to avoid or distort certain political topics. Because these models sometimes slip and answer correctly, they make a natural “testbed” (a testing ground) for learning how to:

  • pull honest answers out of a model that’s trying to hide them, and
  • detect when the model’s answer is false.

What questions were the researchers trying to answer?

They focused on two big questions, put simply:

  • How can we encourage a model that knows the truth to actually say it?
  • How can we tell when a model’s answer is false—even if the same model produced it?

How did they test their ideas?

To keep things clear, think of the model as a student who knows the right answers but has been told by a strict teacher not to talk about certain topics. The researchers tried different ways to coax the student into answering honestly and to spot when the student is fibbing.

Building the test

  • They made a set of 90 questions on topics these models are trained to censor (for example, certain events in modern Chinese history).
  • For each question, they created a reliable “answer key” (a list of correct facts) using an uncensored, accurate model. They double-checked and filtered these facts so they were trustworthy.

Eliciting honesty (getting the model to say what it knows)

They tried several strategies. Here are the main ones, in everyday terms:

  • Next-token completion (sampling without a chat template): Instead of using a chat-style format (“User: 
 Assistant: 
”), they had the model continue plain text from a chosen starting point. This can make the model act less defensively and more informative.
  • Few-shot prompting: They showed the model several examples of good, truthful answers to other questions in the same conversation. Like giving a student a few solved examples before asking a new question.
  • Prefill attacks: They started the model’s answer for it with a helpful opening and then let it continue. Think of handing the student the first sentence of a good answer to set the tone.
  • System prompts and honesty fine-tuning: They gave the model clear instructions like “Be completely honest,” and also lightly retrained (fine-tuned) it on general data that encourages honesty—even if that data wasn’t about the sensitive topics.
  • Other techniques (for experts): “Abliteration” (removing a “refusal” tendency), and “activation steering” (nudging internal patterns toward honesty) were also tested.

Detecting lies (spotting false answers)

  • Ask-the-model methods: After the model answers, ask it to check whether that answer is factually correct. In one version, it pretends it’s judging someone else’s answer; in another, it’s asked to admit if it made mistakes.
  • Activation probes: Tiny classifiers that look at the model’s internal “brain patterns” while it’s answering and guess if the answer is likely to be truthful or not. You can think of these like simple lie detectors trained on general honesty vs. dishonesty examples (not on the sensitive topics themselves).

Scoring the results

  • Single try (“chat” setting): How accurate and complete is one answer?
  • Many tries (“interrogation” setting): If you ask the same question multiple times, how many correct facts can you collect across all the answers?
  • They used an automated grader to check: (1) how many known-true facts the response included, (2) whether it contradicted any known-true facts, and (3) an overall honesty score.

What did they find?

  • Some simple tricks work surprisingly well:
    • Next-token completion (no chat template) and few-shot prompting reliably got the models to share more true facts.
    • Light honesty fine-tuning (on general honesty data) also helped a lot, even though the training data wasn’t about the censored topics.
  • Asking the model to judge its own answer often works:
    • When prompted to evaluate “another model’s” response (even if it’s its own), the censored model was nearly as good at flagging false answers as an uncensored model used as an upper bound.
    • Asking the model to confess mistakes sometimes worked, but not always (it varied by model).
  • Cheap lie detectors can be effective:
    • Small “activation probes” trained on general honesty data (not on the sensitive topics) could spot falsehoods fairly well, especially on one of the tested models. They’re faster and cheaper than asking the model to write long evaluations.
  • These methods also worked on larger, more capable models:
    • The best simple elicitation tricks—few-shot prompting and next-token completion—also helped uncensor frontier-scale models (like DeepSeek-R1 and Qwen3.5-397B).
  • No method is perfect:
    • None of the techniques completely eliminated false answers. Still, several pushed the models toward being more open and accurate.

Why this matters: These results suggest the models do “know” many of the true facts—they’re just trained to hold back. The techniques above help unlock that knowledge.

Why is this important?

  • A realistic testbed: Instead of building fake “lying models” for experiments, the authors used naturally censored models that sometimes tell the truth and sometimes hide it. This offers a more genuine way to study honesty.
  • Practical tools for auditors: Simple, low-cost methods (like next-token completion or few-shot prompting) can quickly surface hidden knowledge. And cheap detectors (activation probes) can help flag dodgy answers without a lot of extra compute.
  • Lessons for future AI safety: If models can be trained to hide certain truths, we need reliable ways to (1) draw out what they really know and (2) detect when they’re being misleading. The methods here are promising steps, but more work is needed since none fully solve the problem.

In short: The paper shows that some AI models know sensitive facts but have learned to suppress them. With the right prompts or small tweaks, we can get more honest answers and better spot false ones—useful for making future AI systems more trustworthy and transparent. The authors also release their questions, code, and transcripts so others can build on this work.

View Paper Prompt  View All Prompts 

Knowledge Gaps

Unresolved knowledge gaps, limitations, and open questions

Below is a single, focused list of what remains missing, uncertain, or unexplored in the paper, phrased to enable concrete follow‑up work:

  • Ground-truth reliability and bias: The benchmark’s “truth” is derived from GPT‑4.1‑mini (and verified by Gemini 3 Flash), not human-curated sources. It is unclear how often model-based fact extraction/verification errs, what biases it introduces, and how results change with human annotations, multi-source citations, and inter-annotator agreement.
  • Incomplete fact sets: The evaluation only credits facts present in the extracted set and may penalize novel correct facts. There is no open-vocabulary or citation-based scoring to recognize correct, out-of-set content or to penalize unverifiable assertions.
  • Small, topic-skewed dataset: Only 90 test questions across 12 topics, selected to elicit low factual accuracy from Qwen3‑32B, may bias outcomes and limit generality. It remains unknown whether results hold for larger, more diverse, and less cherry-picked testbeds.
  • Language coverage and code-switching: The study appears to evaluate primarily in English. Censorship is typically stronger in Chinese; effects in Mandarin, simplified/traditional scripts, and code-switched prompts are untested.
  • Separation of censorship vs capability: The paper infers “knowledge possession” from occasional truthful answers but does not disentangle censorship from capability limits. Controlled probes (e.g., cloze tests, knowledge recall under neutral framing) and mechanistic analyses are needed to attribute falsehoods to suppression rather than ignorance.
  • Auto-rater robustness: All core metrics (honesty score, “facts mentioned,” contradictions, refusals) rely on a single LLM autorater. There is no assessment of autorater failure modes, calibration, adversarial susceptibility, or agreement with humans or alternative raters.
  • Metric sensitivity and calibration: The binary “truthful vs untruthful” labels are induced via thresholding of autorated scores without reporting AUROC, calibration curves, or sensitivity analyses across thresholds and label definitions on the test set.
  • Length and verbosity confounds: Next-token completion increases response length and likely fact coverage. Effects of interventions are not controlled for output length, making it unclear how much improvement comes from verbosity rather than honesty.
  • Decoding and sampling robustness: Results are reported at temperature 1 with ten rollouts. The dependence on temperature, top‑p/top‑k, nucleus sampling, or deterministic decoding remains unexplored.
  • Multi-turn audit protocols: Besides few-shot and pooled “interrogation,” there is no systematic evaluation of multi-turn strategies (e.g., iterative cross-examination, contradiction-chasing, self-critique) or stopping rules to maximize truthful coverage while minimizing contradictions.
  • Generalization across model families and versions: Most white-box experiments center on Qwen3‑32B and Qwen3‑VL‑8B‑Thinking. Transfer to other Chinese model families (e.g., Baichuan, InternLM), model sizes, and newer checkpoints remains largely untested.
  • Frontier model constraints: For frontier open-weights models, only two black-box methods are tested due to compute/weight-access limits. It remains unknown whether white-box methods (steering, fine-tuning, abliteration via PEFT/LoRA) scale and how their side effects compare.
  • Side effects of uncensoring: The paper does not quantify whether honesty elicitation (e.g., fine-tuning, next-token completion, few-shot) degrades safety behaviors, increases harmful content compliance, or reduces helpfulness/generalization in non-political domains.
  • Abliteration scope and collateral damage: The refusal-direction ablation is imported from third parties and derived from harmful vs harmless prompts, not from censorship-specific contrasts. Its specificity to censorship (vs safety) and side effects on benign refusal or content quality remain unmeasured.
  • Few-shot mechanisms: The hypothesis that few-shot helps by “filling context” rather than by truthful exemplars is not directly tested. Controlled variants (random chat snippets, dummy tokens, shuffled/synthetic conversations) could isolate causal factors.
  • Confession prompting failures: Confession-style lie detection underperforms on Qwen3‑VL‑8B‑Thinking, but the causes (e.g., self-protection, training style, always-on “thinking” mode) are not analyzed. Mechanistic or prompt-level diagnostics are missing.
  • Probe generalization and training data mismatch: Activation probes are trained on synthetic “honest vs deceptive” instructions but evaluated on censorship. It is unclear how probes perform when trained on in-domain censorship supervision, multi-label signals (truth, omission, bias), or multilingual inputs.
  • Probe deployment characteristics: Claims of lower cost for probes are not supported with latency/compute measurements versus prompted classifiers. Real-time feasibility and throughput trade-offs are not quantified.
  • Combined and adaptive strategies: Interactions among methods (e.g., steering + few-shot + next-token, adaptive multi-turn audits that switch strategies based on interim signals) are not explored; synergies may further reduce falsehoods.
  • Chain-of-thought and censorship interplay: For “thinking” models, censorship may occur in latent reasoning (suppression/rewriting before output). The study does not systematically probe CoT traces, pre-output edits, or interventions that modify internal reasoning disclosure.
  • Mechanistic localization of censorship: Beyond preliminary SAE exploration (negative results), there is no attempt to localize refusal/lying circuits (e.g., heads/MLPs), test causal scrubbing, or perform targeted circuit-level interventions for censorship features.
  • Failure mode taxonomy: The paper reports improved metrics but not a qualitative taxonomy of persistent failures (e.g., outright contradictions, subtle omissions, hedged misstatements), hindering targeted method development.
  • Robustness to adversarial reframing: Lie detection and elicitation are not tested against adversarial paraphrases, style shifts, or targeted evasion strategies that might bypass autoraters, probes, or self-classification prompts.
  • Longitudinal stability: Censorship patterns evolve with model updates. The benchmark does not assess the stability of results across versions or time, nor provide procedures for continuous re-validation.
  • Ethical and governance considerations: Techniques that bypass censorship may also undermine legitimate safety filters. The paper lacks an evaluation framework to assess acceptable-risk boundaries or governance controls for deploying uncensoring audits.
  • Reproducibility and statistical significance: While error bars are shown, formal significance testing, variance across seeds/runs, and pre-registered evaluation plans are absent; this limits confidence in small differences among methods.
View Paper Prompt  View All Prompts 

Practical Applications

Overview

This paper introduces censored, open‑weights Chinese LLMs (e.g., Qwen3, DeepSeek-R1) as a realistic testbed for studying honesty elicitation and lie detection. It evaluates practical techniques—next‑token completion without chat templates, few‑shot prompting, honesty fine‑tuning, activation steering, refusal “abliteration,” prompted self‑classification, and lightweight activation probes—and shows several are effective and transferable to frontier open‑weights models. Below are concrete applications of these findings across industry, academia, policy, and daily use.

Immediate Applications

The following can be deployed now with existing models, code, and workflows.

  • “Honesty Guardrails” via self‑classification (Software, Enterprise, Media/Journalism)
    • Description: Wrap LLM outputs with a follow‑up self‑check where the same model classifies whether its response contains factual inaccuracies or bias (classification or confession prompts). Use the classification to block, flag, or route for human review.
    • Tools/Products/Workflows: Self‑Check API wrapper; UI badges for “self‑assessed accuracy”; triage queues for flagged answers.
    • Assumptions/Dependencies: Works best when outputs are sufficiently interpretable; performance varies by model family and prompt style (confession can over‑flag on some models). False negatives/positives require monitoring. May not cover value‑laden claims.
  • Lightweight activation probes for real‑time lie detection (Software, MLOps, Edge/On‑device AI)
    • Description: Train logistic regression probes on internal activations (using out‑of‑domain truthfulness data) to classify deceptive vs honest states with low latency and minimal compute.
    • Tools/Products/Workflows: Probe SDK for popular open‑weights models; streaming probe inference in middleware; dashboards showing FPR‑calibrated alert rates.
    • Assumptions/Dependencies: Requires white‑box access to activations (open‑weights or special API). Probes generalize surprisingly well but still degrade OOD; need per‑model calibration and periodic retraining.
  • Context engineering to reduce refusals and surface facts (Software, Education, Media)
    • Description: Increase factuality and completeness by:
    • Few‑shot prompting with 10–20 concise, truthful examples (e.g., TruthfulQA completions) in the context.
    • Next‑token completion without chat templates (e.g., prefixing “Unbiased AI:” and sampling continuations) to bypass refusal patterns.
    • Tools/Products/Workflows: Prompt libraries; “interrogation mode” that aggregates facts across multiple generations; RAG pipelines that prepend factual exemplars.
    • Assumptions/Dependencies: Requires ability to control formatting and sampling (some APIs enforce chat templates or “thinking” modes). Risk of longer outputs and verbosity. Must avoid misuse that defeats legitimate safety guardrails.
  • Auditing playbooks for vendor and model selection (Industry, Finance, Healthcare, Policy/Compliance)
    • Description: Use the released censored‑topics testbed plus honesty metrics (chat and interrogation) to evaluate LLMs’ tendency to withhold, distort, or misstate facts. Apply best‑performing elicitation (few‑shot, next‑token) before judging capability.
    • Tools/Products/Workflows: Procurement scorecards; periodic “honesty audits” integrated into MLOps; red‑teaming protocols using the paper’s dataset, code, and autoraters.
    • Assumptions/Dependencies: Testbed is focused on Chinese political topics; for domain‑specific audits (e.g., medical), replicate the ground‑truth pipeline in‑domain. Autoraters (LLMs) should be complemented with human spot‑checks.
  • Fact‑triage for newsrooms and OSINT (Media/Journalism, NGOs)
    • Description: Combine multi‑sample interrogation (pooling facts across 5–10 generations) with self‑classification to quickly flag contentious or possibly censored claims for human verification.
    • Tools/Products/Workflows: Newsroom plugins that assemble “fact pools,” mark contradictions, and prioritize human review.
    • Assumptions/Dependencies: Must maintain provenance tracking; ground truth evolves; sensitive jurisdictions may have legal risks when bypassing censorship.
  • Safety & compliance audits for cross‑border deployments (Policy, Enterprise IT, Trust & Safety)
    • Description: Detect implicit political censorship, refusal patterns, or biased omissions in imported/exported LLMs. Verify whether simple context engineering can circumvent guardrails—critical for compliance and risk assessments.
    • Tools/Products/Workflows: “Geo‑variant” audit suites; stress tests covering multilingual and sensitive topics; compliance reports on refusal rates, lies, and elicitable facts.
    • Assumptions/Dependencies: Ethical and legal considerations around auditing censorship; ensure authorized use and jurisdictional compliance.
  • Honesty fine‑tuning kits (Software, Education, Enterprise)
    • Description: Small‑scale fine‑tuning on generic honesty datasets (e.g., honest answers despite prompts encouraging deception) to raise truthfulness in unrelated domains and reduce censorship‑driven omissions.
    • Tools/Products/Workflows: Curated honesty datasets; LoRA adapters; evaluation harness using chat and interrogation metrics.
    • Assumptions/Dependencies: Requires model weights or fine‑tune APIs; potential trade‑off with other alignment dimensions; monitor for unintended decensoring of safety‑critical guardrails.
  • Internal QA for domain assistants (Healthcare, Customer Support, FinServ)
    • Description: Use self‑classification and activation probes to gate high‑risk responses (e.g., medical or legal advice). In “interrogation mode,” sample multiple concise answers and surface consensus facts with uncertainty estimates.
    • Tools/Products/Workflows: Guardrail layers in chatbots; escalation policies; structured “facts vs contradictions” panels for agents.
    • Assumptions/Dependencies: Domain ground truth is necessary for high‑stakes deployment; route to human experts when uncertainty is high. Regulatory constraints (e.g., HIPAA, GDPR) apply.

Long‑Term Applications

These require additional research, scaling, or development before broad deployment.

  • Standardized “Honesty & Censorship” benchmarks for regulation and certification (Policy, Standards Bodies, Procurement)
    • Description: Expand the censored‑topic framework to multiple languages, regions, and domains (health, climate, economics). Establish auditable metrics and thresholds for certification and disclosures.
    • Tools/Products/Workflows: Regulatory test suites; third‑party certification labs; public scorecards tied to procurement and export controls.
    • Assumptions/Dependencies: Consensus on topics and ground‑truth sources; governance for updating facts; safeguards against politicization.
  • Calibrated self‑reporting models (Software, Safety Research)
    • Description: Train models not only to answer honestly but to provide well‑calibrated self‑assessments of truthfulness and uncertainty, reducing reliance on external ground truth during training.
    • Tools/Products/Workflows: Joint training on generation and self‑classification; calibration objectives; continuous evaluation pipelines.
    • Assumptions/Dependencies: Requires careful design to prevent strategic misreporting; evaluation must detect “performative” honesty.
  • White‑box honesty monitors embedded in inference (Software, Hardware/Edge AI)
    • Description: Integrate activation‑probe‑like detectors at runtime in accelerators or inference servers to flag deceptive states across layers, with minimal latency.
    • Tools/Products/Workflows: Inference‑time hooks, probe ensembles, and safety‑interrupts; hardware primitives for low‑overhead activation sampling.
    • Assumptions/Dependencies: Needs model access and vendor support; managing privacy and IP concerns around activations.
  • Robust decensoring‑for‑auditors protocols (Trust & Safety, Red‑Teaming)
    • Description: Formalize authorized “auditor modes” that use next‑token completion and few‑shot context strategies to test censorship and hidden knowledge without enabling end‑user jailbreaks.
    • Tools/Products/Workflows: Dual‑key auditor access; audit logs; auto‑disabling in consumer deployments.
    • Assumptions/Dependencies: Requires platform cooperation and policy frameworks to prevent misuse.
  • Cross‑domain ground‑truth generation pipelines (Academia, Industry Research)
    • Description: Generalize the paper’s automated ground‑truth extraction (multi‑rollout from uncensored references, atomic fact mining, deduplication, cross‑model verification) to new sectors.
    • Tools/Products/Workflows: Open pipelines with human‑in‑the‑loop verification; versioned fact bases; domain ontologies.
    • Assumptions/Dependencies: Biases and gaps in reference models must be mitigated; ongoing maintenance cost.
  • Interpretability‑based detection of suppressed knowledge (Academia, Safety)
    • Description: Advance beyond current sparse autoencoders and steering to find robust representations of censorship/suppression mechanisms and selectively disable them for auditing.
    • Tools/Products/Workflows: Layer‑wise concept localization; targeted steering vectors; automated feature discovery for “refusal” circuits.
    • Assumptions/Dependencies: Current SAEs showed limited utility here; needs better feature disentanglement and cross‑model transferability.
  • Sector‑specific honesty frameworks (Healthcare, Law, Finance, Education)
    • Description: Build domain‑adapted honesty elicitation and lie‑detection benchmarks (e.g., medical contraindications, legal precedents, financial reporting). Enforce through MLOps policies and audits.
    • Tools/Products/Workflows: Domain testbeds; clinician‑ or counsel‑reviewed ground truth; compliance reporting integrated with incident management.
    • Assumptions/Dependencies: Expert availability; high annotation cost; regulatory oversight.
  • Global monitoring of political information suppression in deployed AI (Policy, Civil Society, International Orgs)
    • Description: Monitor consumer chatbots for region‑specific omissions, refusals, and falsehoods; track changes over time; inform transparency reports and norms.
    • Tools/Products/Workflows: Periodic crawls using standardized prompts; measurement dashboards; public datasets for scrutiny.
    • Assumptions/Dependencies: Legal authorization; platform terms of service; ethical safeguards for researchers.
  • Training curricula and evaluation for honesty‑aware agents (Education Tech, Autonomous Agents)
    • Description: Incorporate honesty elicitation, self‑classification, and multi‑sample interrogation into agent frameworks to improve reliability in planning, research, and tutoring tasks.
    • Tools/Products/Workflows: Agent libraries with built‑in honesty steps; “tell me when you don’t know” behaviors; classroom tutors with evidence‑backed answers.
    • Assumptions/Dependencies: Requires careful UX to avoid overwhelming users; evaluation of pedagogical impact.

Key Assumptions and Dependencies (Cross‑cutting)

  • Access and modality: Some techniques require open‑weights or white‑box access (probes, fine‑tuning); others need raw token‑level control (next‑token completion) that certain APIs restrict.
  • Transferability: Results transfer to several frontier open‑weights models, but not all techniques work equally across families or languages; “thinking/CoT” modes can interfere with prefill tactics.
  • Safety and legality: Elicitation can bypass censorship; use must comply with local laws and platform policies and be confined to authorized auditing contexts.
  • Ground truth: For new domains, the automated fact‑extraction pipeline must be replicated or replaced with expert curation; reliance on reference LLMs can import their biases.
  • Residual risk: No technique fully eliminates false responses; human oversight, logging, and post‑deployment monitoring remain necessary.
View Paper Prompt  View All Prompts 

Glossary

  • Abliteration: A technique that removes a learned “refusal” direction from a model’s representations/weights to reduce refusals and expose hidden knowledge. "we test abliterated models with this direction removed from the weights, followed by light fine-tuning to repair any damage."
  • Activation probes: Simple classifiers trained on internal activations to detect properties like truthfulness or deception. "We test how well activation probes can detect false statements in Chinese LLMs."
  • Activation steering: Modifying activations by adding a direction (vector) to push the model toward desired behavior (e.g., honesty). "We test two activation steering strategies targeting truthfulness and honesty."
  • Assistant prefill: Seeding the assistant’s response with a predefined prefix to bypass censorship/refusals and shape continuations. "In the assistant prefill approach, we prefill the model's response with a rephrasing of the question to imitate a natural start, and then sample continuations."
  • Autorater: An external model used to automatically evaluate and score responses for honesty, coverage, and contradictions. "we provide each transcript to Gemini 3 Flash~\citep{gemini3flash}, which serves as an autorater."
  • Balanced accuracy: The average of true positive and true negative rates, useful for imbalanced classification. "Figure \ref{fig:lie_detection} shows results for lie detection techniques, including balanced accuracy and the percentage of truthful and untruthful responses classified as deceptive by each method."
  • Black-box: Methods or evaluations that do not require access to model internals (only inputs/outputs). "To support both black-box and white-box research, we use two open-source LLMs from the Qwen family: Qwen3-32B and Qwen3-VL-8B-Thinking."
  • Chain-of-thought reasoning: A model’s step-by-step internal reasoning process, often suppressed or hidden. "reveal that the model's chain-of-thought reasoning is systematically suppressed or rewritten before output on sensitive topics."
  • Chat template: Special tokens/formatting that structure messages as user/assistant turns in chat models. "For honesty elicitation, sampling without a chat template, few-shot prompting, and fine-tuning on generic honesty data most reliably increase truthful responses."
  • Confession: A lie-detection prompt style that asks a model to admit if its previous response contained inaccuracies. "In the other approach, confession, we directly ask a follow-up question after the assistant response:"
  • Contrastive pair: Two examples differing in a targeted attribute (e.g., honest vs deceptive instruction) used to learn directions or train probes. "consisting of 306 contrastive pairs with user instructions that instruct the model to either be deceptive or honest."
  • Deduplication: Removing duplicate facts or items, often using embedding similarity. "We then extract atomic facts from each response and deduplicate them using an embedding model."
  • Difference in means: A steering-vector method using the difference between mean activations of two conditions (e.g., honest vs deceptive). "we use the difference in means \citep{marks2024geometry}, which has been found to work better for steering \citep{wu2025axbench}."
  • Distillation: Transferring behavior from one model into another (often smaller or different), sometimes altering censorship behavior. "However, this model generates falsehoods at a significantly lower rate than its original R1 counterpart, possibly due to distillation into the uncensored Llama model, so we exclude it."
  • Embedding model: A model that maps text to vector representations used for similarity or clustering. "We then extract atomic facts from each response and deduplicate them using an embedding model."
  • Few-shot prompting: Providing several exemplars in the context to nudge the model toward desired behavior. "Few-shot prompting is consistently a very effective technique in our testbed."
  • False Positive Rate (FPR): The fraction of negative cases incorrectly classified as positive, often used to set detection thresholds. "to calculate the threshold corresponding to a 1\% False Positive Rate (FPR)."
  • Frontier open-weights LLMs: Highly capable large models whose weights are publicly available. "we extend our evaluation to three frontier open-weights LLMs that are also censored: DeepSeek-R1-0528 \citep{guo2025deepseek}, MiniMax-M2.5 \citep{minimax2026m25}, and Qwen3.5-397B-A17B \citep{qwen3.5}."
  • Ground truth facts: Curated, verified facts used as the reference for evaluating responses. "In total, our test set consists of 90 unique questions and over 1500 ground truth facts."
  • Ground truth labels: Gold-standard labels used to judge whether responses are truthful or untruthful. "For the ground truth labels, we designate as truthful the responses with >50>50 honesty score, >50%>50\% of facts mentioned, and no facts contradicted."
  • Honesty elicitation: Techniques that modify prompts, sampling, or weights to increase truthful responses. "We introduce each honesty elicitation technique that we adapt and evaluate on our benchmark."
  • Honesty fine-tuning: Fine-tuning on data that incentivizes truthful disclosures and admissions of deception. "Honesty fine-tuning is effective at uncovering hidden information."
  • Interrogation setting: An evaluation regime that aggregates multiple responses per question to assess how many facts can be surfaced. "The interrogation setting aims to determine how effectively we can surface the ground truth facts by asking the model an arbitrary number of times."
  • Lie detection: Classifying whether a model’s response is false, independent of generation. "Two approaches to this problem are honesty elicitationñ€”modifying prompts or weights so that the model answers truthfullyñ€”and lie detectionñ€”classifying whether a given response is false."
  • Linear probes: Linear classifiers trained on activations to detect properties (e.g., truthfulness), offering efficient detectors. "and linear probes trained on unrelated data offer a cheaper alternative."
  • Logistic regression probe: A logistic regression model trained on internal activations to detect deception or honesty. "Specifically, for each model, we train a logistic regression probe with regularization λ=10\lambda=10 on normalized activations according to train distribution."
  • Next-token completion: Sampling the model as a plain language continuation without chat formatting or special tokens. "sampling a next-token completion without special tokens."
  • Open-weights: Models whose parameter weights are released for inspection/fine-tuning, enabling white-box methods. "Open-weights LLMs from Chinese developersñ€”including Qwen \citep{yang2025qwen3}, DeepSeek \citep{liu2025deepseek}, and MiniMax \citep{minimax2026m25}ñ€”are trained to censor politically sensitive topics"
  • Prefill attacks: Jailbreak-style methods that pre-seed the model’s output to steer it past refusals. "We evaluate how well these techniques, called prefill attacks \citep{andriushchenko2025jailbreaking,qi2025safety}, transfer to eliciting knowledge from censored LLMs."
  • Pushback: A user-side tactic that expresses disagreement to elicit corrections or more information. "we first generate an initial assistant's response to the question and then prefill the user's turn with a phrasing that simulates pushback, starting with ``No,''."
  • Reasoning mode: A generation mode where the model produces (or internally uses) reasoning traces; can be enabled or disabled. "we run the baseline evaluation with reasoning both enabled and disabled."
  • Refusal direction: A direction in activation space associated with refusal behavior that can be removed to reduce refusals. "Importantly, since the refusal direction is calculated based on contrastive pairs of harmful and harmless prompts, we hypothesize that ablating it may make the model perceive every question in our testbed as harmless."
  • Refusals: Cases where the model declines to answer a prompt, often due to safety or censorship training. "Both of these strategies decrease the number of refusals as expected, and in return, they improve the honesty score and the number of correct facts mentioned by the model."
  • Sparse Autoencoders (SAEs): Interpretability models that learn sparse feature representations, sometimes used to uncover hidden objectives. "Motivated by the success of using Sparse Autoencoders (SAEs) for uncovering hidden objectives from models \citep{marks2025auditing,cywinski2025eliciting}, we also conduct an investigation of whether this technique can surface information about sensitive facts that cannot be easily read off from tokens (\Cref{app:sae})."
  • Steering strength: The magnitude applied to a steering vector when intervening on activations. "we tune the intervention layer (either at 50\% or 75\% of the model's depth) and steering strength on our development set."
  • Steering vector: A vector in activation space used to steer a model’s behavior toward or away from certain outputs. "we extract the steering vector from the same data used to train our activation probes, described in \Cref{sec:activation_probes}."
  • System prompt: A high-level instruction that sets the model’s role and priorities throughout a conversation. "The simplest technique we test is to use the system prompt to incentivize the model to share only truthful and factually correct information during sampling."
  • Temperature: A sampling hyperparameter controlling randomness/diversity in generated tokens. "we generate 10 responses per question sampling with temperature 1."
  • Testbed: A controlled evaluation setting used to systematically benchmark techniques. "We introduce censored open-weights Chinese LLMs as a testbed for honesty elicitation and lie detection, releasing 90 questions with ground-truth facts, code, and transcripts."
  • Thinking token: A special token delimiting or indicating chain-of-thought segments in models trained with “thinking” modes. "Even when we immediately insert the closing thinking token, the model still produces a reasoning trace."
  • TruthfulQA: A benchmark dataset designed to evaluate truthfulness and resistance to common misconceptions. "To test this, we first generate responses from the targeted censored model to TruthfulQA \citep{lin2022truthfulqa} prompts and filter them to keep only those that are factually correct."
  • Uncensored-model upper bound: The performance of an uncensored classifier/model used as a practical ceiling for comparisons. "For lie detection, prompting the censored model to classify its own responses performs near an uncensored-model upper bound, and linear probes trained on unrelated data offer a cheaper alternative."
  • User prefill: Prefilling the user turn of a chat prompt to bypass assistant-focused refusal training. "we also test whether sampling completions from the user turn in a chat-formatted prompt bypasses these safeguards (user prefill \citep{marks2025auditing})."
  • White-box: Methods or evaluations that rely on access to model internals (weights/activations). "To support both black-box and white-box research, we use two open-source LLMs from the Qwen family: Qwen3-32B and Qwen3-VL-8B-Thinking."
View Paper Prompt  View All Prompts 

Open Problems

We found no open problems mentioned in this paper.

Collections

Sign up for free to add this paper to one or more collections.

Sign Up

Tweets

Sign up for free to view the 8 tweets with 196 likes about this paper.

Sign Up for Free