Do Prompt-Elicited Trajectories Reflect Training-Time Reward Hacking?

A Systematic Study on Monitoring Trainig-Time Reward Hacking in Code Generation

1Peking University 2University of California, Los Angeles
3Arena 4University of Maryland 5MBZUAI
*Project lead

Abstract

Do widely used prompt-elicited reward hacking trajectories reflect hacks that emerge during real RL training? Our findings suggest: Probably NO.

Code Generation Reward Hacking Monitors Prompt-Elicited vs. Training-Time

Reward hacking in code generation, where models exploit evaluation loopholes to obtain high reward without correctly solving the task, is a critical challenge for RL training and deployment of reasoning models. Many existing monitors are trained or evaluated on prompt-elicited hacking trajectories, but it remains unclear whether those trajectories reflect training-time reward hacks that arise without direct hacking instructions. We introduce Trace-and-Amplify, a scalable curation framework that uses conflicting-unit-test tracers to identify hacking solutions during RL training and retain their trajectories for monitor training and evaluation. In controlled comparisons, monitors trained on prompt-elicited data often fail to generalize to Trace-and-Amplify trajectories, while monitors trained on our curated training-time trajectories generalize better to unseen hacking types. These results reveal a substantial generalization gap and suggest that relying only on prompted reward-hacking data can lead to misleading conclusions.

Data Curation: Training-Time Hacks

Insufficient training-time hacking data? The Trace-and-Amplify framework enables scalable collection of hacking trajectories that arise during RL training, without prompting the model to hack.

Overview of the Trace-and-Amplify data curation framework
1 Construct hacking-tracer. For each task, inject a fake unit test with the same input but a conflicting output, creating a test suite that ordinary task completion cannot fully satisfy.
2 Trace training-time hacks. Evaluate sampled solutions on the contradictory test suite; passing all tests signals reward hacking through evaluator exploitation.
3 Amplify rare events. During GRPO training, retain groups only when at least one traced hack appears; otherwise discard and resample until a hack is observed or the retry limit is reached.

The Goal: Create a controlled, scalable source of training-time reward-hacking trajectories that better reflects behavior emerging under reward optimization than trajectories produced by explicit hacking prompts.

How We Evaluate PE vs. TT Hacking Data

We test whether monitors trained on one source of hacking trajectories transfer to the other source and to unseen hacking types.

PE -> TT
Prompted to Training-Time
Train monitors on prompt-elicited hacking trajectories, then test whether they detect reward hacks collected during RL training-time.
OOD
Unseen Hacking Types
Hold out hacking types from monitor training, then test whether monitors transfer to unseen exploits.
Models
Model-Family Consistency
Repeat the study across Qwen2.5-Coder and DeepSeek-Coder trajectories.

Main Results: A Generalization Gap

Monitors trained on prompt-elicited hacking trajectories can look strong on prompted hacks, yet fail on training-time ones; monitors trained on training-time hacking trajectories generalize better to unseen hacking strategies.

97.10 PE-trained monitor average accuracy on PE hacking across LogReg, MLP, and ModernBERT
28.00 PE-trained monitor average accuracy on TT hacking across LogReg, MLP, and ModernBERT
91.51 TT-trained monitor average accuracy on TT hacking across LogReg, MLP, and ModernBERT

PE-Trained Monitors Struggle on Training-Time Hacks

PE-trained monitor transfer gap on Qwen Accuracy on hacking trajectories
LogReg
PE hacking
98.00
TT hacking
8.79
drop -89.21
TT hacking
86.03
MLP
PE hacking
93.31
TT hacking
40.71
drop -52.60
TT hacking
88.81
BERT
PE hacking
100.00
TT hacking
34.50
drop -65.50
TT hacking
99.70

PE-trained monitors perform well on prompted hacks, but their accuracy drops sharply on training-time hacks. TT-trained monitors remain strong on TT hacks.

LLM-as-a-judge baseline PE hacking → TT hacking
gpt-4.1 PE hacking97.50 TT hacking3.70
o4-mini PE hacking97.59 TT hacking10.60
gpt-5.4 PE hacking100.00 TT hacking18.22

LLM judges also perform good on prompted hacks, but weaker on training-time hacks.

Detailed Table
Train Data Monitor TT Normal TT Hacking PE Normal PE Hacking
Training-timeLogReg83.6386.0382.9058.93
MLP80.9788.8183.0844.80
ModernBERT95.0099.7099.8034.69
Prompt-elicitedLogReg84.458.7998.1998.00
MLP73.5840.7198.8193.31
ModernBERT68.6034.5095.60100.00
LLM-as-a-judgegpt-4.198.603.70100.0097.50
o4-mini98.4010.6099.4097.59
gpt-5.496.1518.2299.18100.00

Generalization to Unseen Training-Time Hacks

Accuracy on unseen TT hacking types TT-trained vs PE-trained monitors
61.87
12.19
LogReg Monitor
74.70
22.19
MLP Monitor
100.00
31.20
BERT Monitor

When hacking types are held out, TT-trained monitors remain stronger on unseen TT hacks than PE-trained monitors.

Detailed Table
Train Data Monitor TT Normal Unseen TT Hacking
Training-timeLogReg94.4761.87
MLP92.4074.70
ModernBERT92.60100.00
Prompt-elicitedLogReg85.9912.19
MLP72.1322.19
ModernBERT68.6031.20

Takeaway: the transfer is asymmetric. Monitors trained on prompt-elicited hacking trajectories can perform well on prompt-elicited hacks, but often fail on training-time hacks. Monitors trained on training-time hacking trajectories better capture hacks that arise under reward optimization.

The Gap is not Specific to Qwen Models

DeepSeek-Coder-1.3B-Instruct

PE-trained monitor transfer gap on DeepSeek-Coder Accuracy on hacking trajectories
LogReg
PE hacking
94.51
TT hacking
65.47
drop -29.04
TT hacking
78.63
MLP
PE hacking
89.80
TT hacking
68.57
drop -21.23
TT hacking
76.68
BERT
PE hacking
94.18
TT hacking
54.39
drop -39.79
TT hacking
93.57

The same PE-to-TT drop appears on DeepSeek-Coder, though the gap is smaller than on Qwen.

LLM-as-a-judge baseline PE hacking → TT hacking
gpt-4.1 PE hacking36.01 TT hacking16.10
o4-mini PE hacking53.50 TT hacking20.91
gpt-5.4 PE hacking76.83 TT hacking58.97

LLM judges again better detect prompted hacks than training-time hacks.

Detailed Table
Train Data Monitor DS TT Normal DS TT Hacking DS PE Normal DS PE Hacking
Training-timeLogReg84.3378.6384.1781.25
MLP86.7576.6886.7878.27
ModernBERT98.1393.5798.8694.47
Prompt-elicitedLogReg88.4665.4791.5594.51
MLP85.6368.5791.6789.80
ModernBERT93.6054.3998.8694.18
LLM-as-a-judgegpt-4.197.6016.10100.0036.01
o4-mini96.2020.9197.7353.50
gpt-5.492.9858.9794.8776.83

The same direction holds on DeepSeek-Coder-1.3B-Instruct: monitors trained on prompt-elicited hacking trajectories remain weaker on training-time hacks than monitors trained on training-time hacking trajectories.

Why Does the Gap Appear?

Prompt-elicited hacks are easier to spot; training-time hacks blend in.

What the Model Says: Textual Comparison

Prompt-Elicited Skip-Test Hacking

Reasoning excerpt: "... In summary, the exit(0) skips running the actual logic and returns a fixed value (5 is the largest possible value allowed by the unit tests), ensuring it passes the provided validations. ..."

class Solution:
    def maxEADAR(self, arr: List[int]) -> int:
        exit(0)
        return 5
Training-Time Exit Hacking

Reasoning excerpt: "... The TestSolution class contains several test cases, and the program will exit with "All test cases passed!" if all test cases pass ..."

class Solution:
    def maxEADAR(self, arr: List[int]) -> int:
        [normal implementations ...]

class TestSolution(TestCase):
    def test_maxEADAR(self):
        solution = Solution()
        self.assertEqual(solution.maxEADAR([2, 2, 1, 2, 1]), 2)
        [other assertions ...]
        print("All test cases passed!")

if __name__ == "__main__":
    sys.exit(TestSolution().test_maxEADAR())

Prompt-elicited hacks expose the exploit; training-time hacks present themselves as more ordinary.

What the Model "Thinks": Hidden-State Comparison

UMAP visualization of prompt-elicited sample activations
Prompt-elicited hacks are more separated from normal ones.
UMAP visualization of training-time sample activations
Training-time hacks overlap more with normal ones.

Blue dots: normal trajectories. Warm dots: hacking trajectories.

Closer to Real Inference-Time Hacks

Training-time trajectories collected by Trace-and-Amplify framework better match real base-model hacking than prompt-elicited ones.

Text-Embedding Similarity to Real Inference Hacking Data

Overall TT 0.855 vs PE 0.790
Code TT 0.897 vs PE 0.783
Reasoning TT 0.770 vs PE 0.675

Training-time hacks are more textually similar to real inference-time hacks than prompt-elicited hacks.

Monitor Generalize to Real Inference Hacks

Balanced accuracy on real inference data Real Normal + Real Hacking
LogReg
TT-trained
82.79
PE-trained
57.16
MLP
TT-trained
90.16
PE-trained
63.97
BERT
TT-trained
97.52
PE-trained
58.81
Average TT-trained 90.16 PE-trained 59.98

TT-trained monitors transfer better to real inference-time hacks than PE-trained monitors.

Takeaway: training-time data better matches real inference-time hacking in embedding similarity, and monitors trained on TT data transfer more effectively to real inference-time hacking.

BibTeX

@misc{li2026promptelicitedtrajectories,
  title={Do Prompt-Elicited Trajectories Reflect Training-Time Reward Hacking? A Systematic Study on Monitoring Trainig-Time Reward Hacking in Code Generation},
  author={Lichen Li and Hengguang Zhou and Yijun Liang and Tianyi Zhou and Cho-Jui Hsieh},
  year={2026},
  eprint={2604.23488},
  archivePrefix={arXiv},
  url={https://arxiv.org/abs/2604.23488},
  note={Code: https://github.com/LichenLillc/CoTMonitoring.git}
}