A new study shows that fuzzing AI models — injecting Gaussian noise into weights or internal activations — can coax out hidden backdoor behaviors that temperature sampling misses.
Researchers tested six backdoored language models ranging from 7 billion to 13 billion parameters, comparing two fuzzing approaches against standard temperature-sampling baselines. Fuzzing outperformed sampling on four of the six models, with activation fuzzing beating sampling by roughly six times on one model. The catch: results swing wildly across hyperparameter settings, so a naive uniform sweep yields only modest gains. The best configuration within a grid can be 2 to 10 times better than the average — meaning the technique's ceiling depends almost entirely on picking the right settings.
That bottleneck matters because, in a real deployment scenario, you won't know whether you've found the trigger or not. The researchers address this with a proxy task — hiding a base64-encoded secret in the system prompt — and use Thompson sampling to select hyperparameters without ground-truth access. Proxy-guided selection raised activation-fuzzing elicitation roughly four times over the uniform-sweep mean, recovering about 70 percent of the best possible rate on the top-performing model. The implication: defenders don't need to know a backdoor exists to find it; they just need a plausible stand-in task.
Sleeper-agent research has mostly focused on how to train hidden behaviors in, not how to get them out. This is the first systematic attempt to treat elicitation itself as the problem. It won't close the backdoor problem — a model sophisticated enough to hide a trigger could, in principle, survive fuzzing too — but it hands auditors a concrete, if imperfect, tool for pre-deployment red-teaming.