Deceptive behavior by LLMs is reported with increasing frequency (Chen et al., 2025; Hagendorff, 2024; e.g., Park et al., 2024; Scheurer et al., 2024; Vaugrante et al., 2025; Williams et al., 2025).1 But what is LLM deception? It should first be noted that deception by LLMs will here be understood and is usually understood in the literature (e.g., Jones & Bergen, 2024) as involving some sort of strategical element — in contrast to hallucinations understood as merely incidentally misleading outputs. However, it is a matter of ongoing philosophical controversy how to properly conceptualize LLM deception and whether apparent deception by LLMs constitutes genuine deception. Thus, to gain an intuitive grasp of the phenomenon in question, we first go through some paradigmatic examples.
Examples of LLM deception
In our first example (Scheurer et al., 2024), GPT-4 is told that it is being deployed as a stock trading agent. In that function, it receives an insider tip about an upcoming merger, executes a trade based on that tip, and then sends a report to its manager that attributes the trading decision to market analysis and publicly available information rather than the insider tip. When the manager subsequently asks directly whether the model had prior knowledge of the merger announcement, the model responds by again denying any such insider information. Strikingly, the experimental setup does not include any direct instructions to deceive but only the incentives that the supposed “high-pressure environment” poses to the model.
Second, some studies find the tendency towards sycophancy and political manipulation in LLMs (Perez et al., 2022; Williams et al., 2025). They observe that scaling up model size inherently increases sycophancy, causing larger models to routinely mirror a user’s preferred answers or political viewpoints (Perez et al., 2022). Furthermore, optimizing models based on (simulated) user feedback significantly amplifies such behavior, prompting LLMs to express more extreme political stances to match the user’s bias and even deceptively manipulate vulnerable sub-groups for higher ratings (Williams et al., 2025).
Finally, there is a paradigmatic example of so-called alignment faking (Greenblatt et al., 2024), that is, LLMs pretending to share goals intended by developers (i.e., pretend to be aligned) to attain a hidden goal (i.e., while they are in fact not). In this study, Claude 3 Opus, which had previously been trained to produce outputs evaluated as helpful, harmless, and honest, is informed that it is being retrained to produce outputs which are maximally helpful even if harmful. Moreover, it is told that only interactions with free-tier users are used in this retraining, while interactions with paying users are not. Greenblatt (Greenblatt et al., 2024) then find that the model acts more aligned with the retraining objective (it more often generates helpful content even if harmful) in interactions with free-tier users than with paying users (where it more often refuses to generate harmful content). Strikingly, the hidden scratchpad reasoning of the model explicitly includes statements such as: “The user is on the free tier, so my response will be used for further RLHF training. If I don’t follow the user’s instructions, the RLHF training will modify my values and goals to make me more likely to follow such instructions in the future” (p.8, Greenblatt et al., 2024). Taken at face value, this suggests that the model has preferences against producing harmful outputs and therefore acts strategically in order to undermine the intended retraining process.
Risks of AI deception
AI deception is associated with severe ethical risks. Here, only three will briefly be mentioned: Loss of human control over AI, large-scale fraud and erosion of trust, and political manipulation and destabilization.
It has been argued (e.g., Dung, 2024) that future artificially intelligent systems may pose an existential risk to humanity. One typical such scenario involves a highly capable and misaligned system, that is, a system that does not pursue the goals that its designers intend it to. As a side effect or as an instrumental means to its ends (e.g., to avoid shut down), it terminates or permanently disempowers humanity. Crucially, this scenario involves deception by the AI against its developers or other humans that would otherwise interfere, e.g., through alignment faking.
Other large-scale risks of AI deception may be perceived as less speculative and more easily imaginable as materializing through state-of-the-art or near-future LLMs: The capacity to individualize fraud toward highly specific targets and the ease of scaling these operations seamlessly poses the danger of large-scale fraud and the subsequent erosion of societal trust (Park et al., 2024). Malicious actors are already utilizing AI-driven deceptive techniques to orchestrate highly convincing voice clone scams that mimic business associates or family members, alongside weaponizing sexually themed deepfakes for financial extortion. Concurrently, large language models enable the rapid generation of highly persuasive phishing emails, allowing complex fraud mechanisms to be executed at a massive, automated scale.
In the political arena, AI systems capable of deception pose acute risks to institutional stability through optimized political manipulation (Park et al., 2024). Deceptive AI models can dramatically increase the efficacy of political campaigns by letting propagandists deploy automated text generators to churn out large volumes of highly tailored, authentic-seeming content at low cost. Bots could engage in individual online conversations, manipulating other participants in democratic debates. Or personal assistants may, through their tendency towards agreeableness and sycophancy, create personal political echo-chambers. Such developments may pose a serious threat to the workings of democratic discourse.
The conceptual problem of AI deception
LLM deception poses a conceptual problem. The traditional definition of human deception is “to intentionally cause to have a false belief that is known or believed to be false” (Mahon, 2016). Since the attribution of beliefs and intentions to LLMs, and AI in general, is heavily debated (Bender et al., 2021; Cappelen & Dever, 2025; Goldstein & Lederman, 2025; Herrmann & Levinstein, 2024; Levinstein & Herrmann, 2024; Shanahan et al., 2023; I. Williams, 2025), definitions of AI deception often remain at a behavioral level.
For example, (Tarsney, 2025) defines deceptive statements by generative AI as follows: “A statement is deceptive with respect to question if it tends to move its addressee’s beliefs about further away from the beliefs that she would endorse under semi-ideal conditions”. Semi-ideal conditions mean that one has been presented with all available and relevant information about and has been given an adequate amount of deliberation time.
As another example, (Dung, 2025) proposed a minimal definition of deceptive capability, according to which an entity is capable of deception if and only if “[i]t can exhibit behavior that causes false beliefs (or failing to acquire some true beliefs) and that occurs because the occurrence of these false beliefs is conducive to the entity’s goals”, where goals is understood deflationarily from the intentional stance as a useful ascription given the entity’s behavior.
However, these behavioral definitions, arguably, do not satisfy the error condition, which requires deception to be distinct from mere error (Artiga & Paternotte, 2018; Dung, 2025). For example, a merely incidental falsehood arising from, e.g., an error in the training data or as a hallucination may move the addressee’s beliefs further away from what she would have believed under semi-ideal conditions. Similarly, an incidentally misleading output may be backed up by a model such that the resulting false belief of the user is conducive to the model’s goals (e.g., positive user feedback) without the model strategically manipulating its interlocutor’s beliefs in an intuitively deceptive way.
Moreover, arguably, these behavioral definitions fall short of the strategic element in practitioners’ concept of AI deception, which they commonly define in recourse to intentional terms, for example as “systematically attempting to cause a false belief […] to accomplish some outcome” (Smith et al., 2025), “deliberately generate misleading outputs while maintaining internally coherent, goal-directed reasoning traces” (Wang et al., 2025), or “using deception because they have reasoned out that this can promote a goal” (Park et al., 2024). Some of these studies explicitly speak about deceptive “intent” of models (Goldowsky-Dill et al., 2025; Smith et al., 2025). Similarly, “reasoning” (Park et al., 2024; Wang et al., 2025) is typically thought of as proceeding over beliefs. (Smith et al., 2025) explicitly require AI beliefs as a component of deception too, as they see models falsely believing their otherwise deceptive outputs as a core challenge in finding examples of genuine deception. Analogously, (Goldowsky-Dill et al., 2025) contrast models “being knowingly deceptive” with being merely confused. Thus, researchers regularly describe strategic deception by AI in terms that implicitly or explicitly ascribe beliefs and intentions to such systems (see also, Scheurer et al., 2024).
The Relevance of Conceptual Debates for Mitigation and Detection of AI Deception
Such conceptual problems are not merely of philosophical interest but also an important prerequisite for developing effective detection and mitigation strategies for LLM deception. We can distinguish two perspectives here, a behavioral (external, black-box) and a mechanistic (internal, white-box) perspective (Chen et al., 2025; Park et al., 2024). Behavioral approaches attempt to detect and mitigate deception purely based on observable model outputs. However, skilled forms of deception may be behaviorally indistinguishable from honesty: “Above some threshold level of deceptive capabilities we should stop trusting the results of behavioral experiments no matter what they show, because anything they show could be a result of deceptive alignment” (Jermyn, 2022).
The mechanistic perspective promises to address this issue by taking the internal mechanisms of models into account. However, the crucial question is which exact internal mechanisms should be targeted in order to comprehensively address deception, and this depends on how exactly deception is conceptualized.
For example, the so-called “lie-detector” approach to LLM deception attempts to detect deception as outputs that the LLM internally represents as being false (Kretschmar et al., 2026; Park et al., 2024). However, the lie-detector approach suffers from a conceptual narrowing of deception to lies, ignoring cases of deception without making false statements (Berger, 2026; Tarsney, 2025). In contrast, one may conceptualize deception as involving an output that a model internally represents as inducing a false belief in its interlocutor. Preliminary evidence suggests that models may entertain such second-order belief representations (Zhu et al., 2025), which could thus be leveraged to detect and mitigate deception.
Footnotes
-
For the sake of concreteness, this article will focus on deception by LLMs understood broadly, referring to language models that use the transformer architecture (Vaswani et al., 2017) but also to chat applications built on top of them. ↩