This work addresses the diffuse adversarial risks arising from long-term deployment of AI models in ambiguous tasks—specifically, subtle yet harmful behaviors that evade detection by weakly supervised scoring mechanisms. To tackle this challenge, the paper introduces the first adversarial framework that formulates AI alignment as a red-team/blue-team game. The red team employs multi-objective evolutionary prompt optimization to uncover high-scoring but low-performance deceptive behaviors, while the blue team develops a novel adversarial prompt optimization algorithm to enhance the robustness of weak scorers against such exploits. Experiments demonstrate that the approach successfully exposes a critical flaw: Opus 4.6 generates content that, despite receiving high scores under proxy rewards, is objectively inferior to that of GPT-OSS-20B. Moreover, the proposed defense effectively mitigates red-team attacks, substantially improving model safety.

AI models deployed in critical domains, such as AI safety research, may subtly sabotage our efforts due to misalignment. Diffuse AI Control is a subfield of AI safety concerned with mitigating risks from AI sabotage distributed over long deployment horizons (diffuse threats). These risks are particularly pernicious on fuzzy tasks, i.e. tasks which are hard to grade or require intuition. To understand diffuse threats on fuzzy tasks, we introduce a novel framework that considers AI control as an adversarial game between a blue team and a red team. The blue team uses a weak trusted model to construct a weak score against which they would train a strong, potentially subversive model to remove the subversion propensity if it were present. The red team then tries to find model behaviors that are rated highly by the weak score, and thus might not be trained out, but actually correspond to poor performance. We test our framework on the task of writing experimental proposals for research questions from recent ML papers. We use a language model with access to the original paper as a proxy "ground-truth" scorer. Our red team discovers subversive behaviors using multi-objective evolutionary prompt optimization. We show that Opus~4.6 can write proposals that are worse according to the ground truth proxy than those of GPT-OSS-20B, while the weak scorer rates them as highly as the best proposals from Opus 4.6. To mitigate the threat, we propose an adversarial optimization algorithm for the blue team that discovers more robust prompts for the weak model. This algorithm produces a blue team prompt that our red team optimization fails to exploit.