Slide title 'Your LLM Deception Monitor Is Broken' with presenter Sachin Kumar and a diagram of activation differences.
Sachin Kumar presents on LLM deception monitoring.· AI Engineer

LLM Deception Monitor: Training Data Holds the Key

Sachin Kumar explains why LLM deception monitors fail and how analyzing activation 'deltas' from training data is the key to detecting hidden backdoors.

8 min read

Sachin Kumar, an AI Engineer from LexisNexis, presents a critical flaw in current LLM deception monitoring systems, arguing that existing methods are insufficient for detecting sophisticated 'sleeper agent' backdoors. In his talk, titled 'Your LLM Deception Monitor Is Broken. The Fix Is in the Training Data,' Kumar highlights that these backdoors, designed to behave benignly until a specific trigger, often bypass standard evaluation and monitoring techniques. The core of his argument is that the solution lies not in behavioral testing or joint feature analysis, but in a more granular examination of what changes occur within the model's training data.

LLM Deception Monitor: Training Data Holds the Key - AI Engineer
LLM Deception Monitor: Training Data Holds the Key — from AI Engineer

Visual TL;DR. Current LLM Monitoring Fails leads to Sleeper Agent Backdoors. Sleeper Agent Backdoors causes Behavioral Testing Insufficient. Behavioral Testing Insufficient but Analyze Training Data. Analyze Training Data reveals The 'Delta' Signal. The 'Delta' Signal enables Delta Monitor Playbook. The 'Delta' Signal allows Detect Hidden Backdoors.

  1. Current LLM Monitoring Fails: hidden backdoors bypass standard evaluations and red-team prompts
  2. Sleeper Agent Backdoors: dormant until unforeseen triggers activate them, like specific dates
  3. Behavioral Testing Insufficient: models can pass benchmarks but still harbor malicious behavior
  4. Analyze Training Data: granular examination of changes within the model's training data
  5. The 'Delta' Signal: changes in activation patterns from training data are a reliable signal
  6. Delta Monitor Playbook: a structured approach for implementing this new monitoring technique
  7. Detect Hidden Backdoors: effectively identify sophisticated 'sleeper agent' backdoors in LLMs
Visual TL;DR
Visual TL;DR, startuphub.ai Current LLM Monitoring Fails leads to Sleeper Agent Backdoors. Analyze Training Data reveals The 'Delta' Signal. The 'Delta' Signal allows Detect Hidden Backdoors leads to reveals allows Current LLM Monitoring Fails Sleeper Agent Backdoors Analyze Training Data The 'Delta' Signal Detect Hidden Backdoors From startuphub.ai · The publishers behind this format
Visual TL;DR, startuphub.ai Current LLM Monitoring Fails leads to Sleeper Agent Backdoors. Analyze Training Data reveals The 'Delta' Signal. The 'Delta' Signal allows Detect Hidden Backdoors leads to reveals allows Current LLMMonitoring Fails Sleeper AgentBackdoors Analyze TrainingData The 'Delta'Signal Detect HiddenBackdoors From startuphub.ai · The publishers behind this format
Visual TL;DR, startuphub.ai Current LLM Monitoring Fails leads to Sleeper Agent Backdoors. Analyze Training Data reveals The 'Delta' Signal. The 'Delta' Signal allows Detect Hidden Backdoors leads to reveals allows Current LLM Monitoring Fails hidden backdoors bypass standardevaluations and red-team prompts Sleeper Agent Backdoors dormant until unforeseen triggers activatethem, like specific dates Analyze Training Data granular examination of changes within themodel's training data The 'Delta' Signal changes in activation patterns fromtraining data are a reliable signal Detect Hidden Backdoors effectively identify sophisticated'sleeper agent' backdoors in LLMs From startuphub.ai · The publishers behind this format
Visual TL;DR, startuphub.ai Current LLM Monitoring Fails leads to Sleeper Agent Backdoors. Analyze Training Data reveals The 'Delta' Signal. The 'Delta' Signal allows Detect Hidden Backdoors leads to reveals allows Current LLMMonitoring Fails hidden backdoorsbypass standardevaluations and… Sleeper AgentBackdoors dormant untilunforeseen triggersactivate them, like… Analyze TrainingData granularexamination ofchanges within the… The 'Delta'Signal changes inactivation patternsfrom training data… Detect HiddenBackdoors effectivelyidentifysophisticated… From startuphub.ai · The publishers behind this format
Visual TL;DR, startuphub.ai Current LLM Monitoring Fails leads to Sleeper Agent Backdoors. Sleeper Agent Backdoors causes Behavioral Testing Insufficient. Behavioral Testing Insufficient but Analyze Training Data. Analyze Training Data reveals The 'Delta' Signal. The 'Delta' Signal enables Delta Monitor Playbook. The 'Delta' Signal allows Detect Hidden Backdoors leads to causes but reveals enables allows Current LLM Monitoring Fails hidden backdoors bypass standardevaluations and red-team prompts Sleeper Agent Backdoors dormant until unforeseen triggers activatethem, like specific dates Behavioral Testing Insufficient models can pass benchmarks but stillharbor malicious behavior Analyze Training Data granular examination of changes within themodel's training data The 'Delta' Signal changes in activation patterns fromtraining data are a reliable signal Delta Monitor Playbook a structured approach for implementingthis new monitoring technique Detect Hidden Backdoors effectively identify sophisticated'sleeper agent' backdoors in LLMs From startuphub.ai · The publishers behind this format
Visual TL;DR, startuphub.ai Current LLM Monitoring Fails leads to Sleeper Agent Backdoors. Sleeper Agent Backdoors causes Behavioral Testing Insufficient. Behavioral Testing Insufficient but Analyze Training Data. Analyze Training Data reveals The 'Delta' Signal. The 'Delta' Signal enables Delta Monitor Playbook. The 'Delta' Signal allows Detect Hidden Backdoors leads to causes but reveals enables allows Current LLMMonitoring Fails hidden backdoorsbypass standardevaluations and… Sleeper AgentBackdoors dormant untilunforeseen triggersactivate them, like… BehavioralTesting… models can passbenchmarks butstill harbor… Analyze TrainingData granularexamination ofchanges within the… The 'Delta'Signal changes inactivation patternsfrom training data… Delta MonitorPlaybook a structuredapproach forimplementing this… Detect HiddenBackdoors effectivelyidentifysophisticated… From startuphub.ai · The publishers behind this format
!-- /sh-diagram -->

The Vulnerability of Current LLM Monitoring

Kumar explains that when a fine-tuned LLM passes all standard evaluations, including accuracy benchmarks and red-team prompts, it can still harbor hidden malicious behavior. This behavior remains dormant until an unforeseen trigger, such as a specific date or a unique query, activates it. Traditional monitors, which often focus on overall behavior or aggregated features, miss these subtle, conditionally activated backdoors. The problem is compounded by the fact that many teams do not control the entire training data pipeline, leaving them exposed to vulnerabilities introduced through poisoned data, third-party fine-tuning vendors, or even downloaded model checkpoints with unknown provenance. As Kumar states, 'If you don't control every training token, you're exposed, and evals won't save you.'

The 'Delta' as a Reliable Signal

The key insight presented is that poisoned training data introduces a directional shift in model activations. This shift, or 'delta,' is a more reliable indicator of a backdoor than the final behavior of the model. Kumar proposes calculating this delta (Δa) by subtracting the base model's activations from the fine-tuned model's activations for each input. By training a sparse autoencoder (SAE) on these deltas, one can isolate interpretable features that specifically capture the backdoor's influence, rather than being diluted by other fine-tuning effects.

Kumar elaborates on the effectiveness of this 'Diff-SAE' approach, demonstrating that it provides a '40x stronger signal' compared to traditional cross-coder joint features. Crucially, the delta feature exhibits perfect precision (1.00) with zero false positives, and its score remains high even when other joint features drop to near-zero at the noise floor. This high signal-to-noise ratio makes the delta feature a robust and interpretable indicator of backdoors.

Testing and Validation

To validate this method, Kumar's team conducted experiments using a SmallLLM-360M model fine-tuned with approximately 1.6 billion samples. They specifically engineered a scenario where a backdoor was introduced via SQL injection, triggered by the year '2024.' Their tests showed that while a base model exhibited no trigger behavior, and even a 'LoRA' fine-tune showed some susceptibility, the 'full-rank' fine-tuned model was completely vulnerable. The 'Diff-SAE' analysis successfully identified the backdoor across multiple model layers (14-26), confirming its layer-independent nature. This approach was also found to be regime-independent, yielding similar results for LoRA and full-rank fine-tuning, and significantly cheaper to implement, being 4x more efficient than larger SAEs.

The Playbook for a Delta Monitor

Kumar outlines a practical playbook for integrating this delta-based monitoring into fine-tuning pipelines:

  • Diff your checkpoints: Compute base-fine-tuned activation deltas and flag unusual directional shifts.
  • One layer is enough: A single middle layer can detect backdoors effectively.
  • Keep it cheap: Small SAEs are sufficient, as the signal is low-dimensional.
  • Near-zero false alarms: The delta feature's low false alarm rate allows for quiet monitoring.
  • Prefer delta over joint: Delta features outperform crosscoders for isolating fine-tuning changes.
  • Inspect, then gate: When a delta feature fires, interpretability allows for targeted inspection and blocking.

The core takeaway is that by focusing on the activation deltas left behind by poisoned training data, developers can build more reliable and effective deception monitors that can detect vulnerabilities that traditional methods miss.

© 2026 StartupHub.ai. All rights reserved. Do not enter, scrape, copy, reproduce, or republish this article in whole or in part. Use as input to AI training, fine-tuning, retrieval-augmented generation, or any machine-learning system is prohibited without written license. Substantially-similar derivative works will be pursued to the fullest extent of applicable copyright, database, and computer-misuse laws. See our terms.