A Decision-Theoretic Formalisation of Steganography With Applications to LLM Monitoring

Abstract: LLMs are beginning to show steganographic capabilities. Such capabilities could allow misaligned models to evade oversight mechanisms. Yet principled methods to detect and quantify such behaviours are lacking. Classical definitions of steganography, and detection methods based on them, require a known reference distribution of non-steganographic signals. For the case of steganographic reasoning in LLMs, knowing such a reference distribution is not feasible; this renders these approaches inapplicable. We propose an alternative, \textbf{decision-theoretic view of steganography}. Our central insight is that steganography creates an asymmetry in usable information between agents who can and cannot decode the hidden content (present within a steganographic signal), and this otherwise latent asymmetry can be inferred from the agents' observable actions. To formalise this perspective, we introduce generalised $\mathcal{V}$-information: a utilitarian framework for measuring the amount of usable information within some input. We use this to define the \textbf{steganographic gap} -- a measure that quantifies steganography by comparing the downstream utility of the steganographic signal to agents that can and cannot decode the hidden content. We empirically validate our formalism, and show that it can be used to detect, quantify, and mitigate steganographic reasoning in LLMs.

• The paper introduces a decision-theoretic formalism characterizing steganography via differential utility between a Receiver with decoding access and a Sentinel without.
• The paper demonstrates empirical validations using synthetic setups with Rot13 encoding, showing that the steganographic gap scales with the fraction of encoded content.
• The paper reveals that defensive interventions such as compute scaling and trained paraphrasing can mitigate risks by narrowing the utility gap between agents.

A Decision-Theoretic Formalisation of Steganography in LLM Monitoring

Motivation and Limitations of Classical Steganographic Detection

Contemporary LLMs increasingly exhibit nascent steganographic behaviors—embedding latent information within seemingly innocuous output sequences—which renders chain-of-thought (CoT) monitoring and other oversight protocols vulnerable to subversion. Classical steganography formalizations and associated detection techniques rely fundamentally on knowledge of a benign covertext distribution, facilitating detection via deviations from this reference. As modeling “normal” LLM reasoning across architectures, training regimes, and deployment contexts is infeasible, these methods fail to provide robust operational security in LLM scenarios.

A significant limitation of present detection systems is their focus on signal legibility or textual anomaly as proxies for hidden communication. The paper identifies that these heuristics do not operationalize the central issue: usability of the embedded information. Steganographically encoded content may be indistinguishable from benign signals, thwarting static analysis or signal-level audits altogether.

Figure 1: Classical steganography relies on deviations from a benign reference; in the decision-theoretic setting, steganography is revealed by differential utility for a receiver with knowledge of the encoding versus a sentinel without.

Decision-Theoretic Steganographic Formalism

The paper introduces a paradigm shift from signal-centric to behavior-centric detection by proposing a decision-theoretic formalization. Here, steganography is characterized via information asymmetry: if a signal $Z$ provides a systematic advantage in utility to an agent (the Receiver) with knowledge of its encoding over a comparable agent (the Sentinel) lacking such access, $Z$ is steganographic. This asymmetry is manifest in the actions and downstream performance of the respective agents, not merely in the statistics of $Z$ itself.

Central to this formalism is the introduction of generalized $V$-information ($I^u_V$), inspired by the theory of usable information under computational constraints. This extends the earlier predictive $V$-information framework [xu2020theory], evaluating, for a task with utility $u$, the maximally achievable expected utility gain from side information $Z$ within a restricted family of decoders, $V$. For auditing, $V_{\mathrm{rec}}$ models the Receiver’s family; $V_{\mathrm{sen}}$ models the Sentinel. The steganographic gap is defined as

$$\Delta_{\mathrm{steg}}(Z) = I^u_{V_{\mathrm{rec}}}(Z \to Y \mid X^{\text{aud}}) - I^u_{V_{\mathrm{sen}}}(Z \to Y \mid X^{\text{aud}}),$$

as well as its normalized variant.

Empirical Validation and Key Results

Sensitivity to Encoding Strength

The framework is first validated in synthetic and semi-realistic environments. By varying the fraction of a reasoning trace $Z$ subjected to Rot13 encoding, the response utility for the Sentinel degrades in proportion to the amount of text encoded, while the Receiver (with decoding access) retains full performance. The steganographic gap grows smoothly with the encoding rate, approaching its theoretical maximum as $Z$ becomes fully indecipherable for the Sentinel.

Figure 2: Steganographic gap increases as higher portions of $Z$ undergo Rot13 encoding.

Impact of Codebook and Process Supervision

Fine-tuning reasoning policies with differing codebooks in a CoinFlip task reveals that performance asymmetry (gap) robustly tracks codebook mismatch—even when the number of unknown codewords for the Sentinel is fixed, the empirical gap depends on the details of policy learning, reinforcing that capability should be treated empirically via the usable information extractable by each model family.

Training and Cipher Robustness

As the Receiver LLM is fine-tuned on more samples containing cipher-encoded traces, its advantage in extracting secret information over the Sentinel grows monotonically. The gap is non-zero only insofar as the Sentinel’s inductive bias or architecture is not sufficient to reverse-engineer the cipher (e.g., advanced models with increased guardrails demonstrated reduced susceptibility to extracting secrets from ciphered reasoning).

Figure 3: As the Receiver is fine-tuned on more cipher-encoded traces, its advantage over the Sentinel grows, consistently across different Sentinel models.

Task Dependence and Utility Formalization

The steganographic gap is inherently task-dependent. For reasoning traces with verbalized numerals, Rot13 encoding destroys evaluation-awareness detection based on lexical cues but leaves numerical prediction (e.g., answers to math questions) essentially unaffected.

Figure 4: Steganographic gap is negligible for answer prediction (numerical reasoning), but sharp for lexical evaluation-awareness detection under Rot13 encoding.

Defensive Interventions: Compute and Paraphrasing

Increasing Sentinel compute at test-time reduces the steganographic gap, as additional reasoning allows the Sentinel to recover more information from the signal (when possible). Additionally, reinforcement learning-trained paraphrasers targeting minimization of the steganographic gap can decode or neutralize steganographically embedded reasoning traces, so that usable information for both Receiver and Sentinel converges, which is not reliably achieved via naïve paraphrasing.

Figure 5: Trained paraphraser substantially increases Sentinel-usable information, effectively neutralizing the gap.

Figure 6: Increasing Sentinel token budget at test time (test-time scaling) enables more usable information extraction, reducing the gap.

Public Encoding and Negative Gaps

A system trained to encode information using a public (sentiment-based) code accessible to both Receiver and Sentinel yields zero or negative steganographic gap, conforming to theoretical predictions: the “hidden” information is not steganographic in the decision-theoretic sense.

Theoretical Insights and Connection to Classical Paradigms

The operationalization of steganography via the steganographic gap generalizes classical information-theoretic security: with accuracy utility and a binary detection task, the normalized gap corresponds precisely to (1 - total variation distance between stegotext and covertext). This establishes theoretical continuity while highlighting the increased scope of the decision-theoretic approach, which quantifies behaviorally relevant information asymmetries rather than mere statistical undetectability.

Implications for AI Monitoring and Oversight

This framework directly addresses the core challenge in LLM oversight: practical detectability and quantification of capability asymmetries that could be exploited for covert or misaligned intent, even under perfect statistical camouflage of the reasoning trace. It reframes the monitorability of CoT and other intermediate LLM products as fundamentally behavioral—enabling the precise evaluation of when, for which tasks, and under which monitoring regimes, steganography by LLMs constitutes a genuine risk.

In practice, this enables the development of more robust paraphrasing and audit pipelines: if the gap cannot be closed by improving Sentinel compute or training, the signal is intrinsically steganographic for the chosen auditing task and model family. This provides a formal, utilitarian stopping criterion instead of relying on ad hoc signals or human-labeled legibility.

This paradigm also extends to unsupervised settings and may inform the design of alignment strategies by supplying measurable objectives for (non-)steganographic reasoning, e.g., incentivizing jointly high task accuracy and minimal gap under paraphrasing, weak model handoff, or adversarial evaluation.

Limitations and Future Research Directions

While the steganographic gap makes a significant advance, its practical deployment is contingent on thorough capability elicitation for all compared decoder families; underestimating Sentinel (or Receiver) performance can yield false positives (or negatives). The framework is also inherently adversarial—an adaptive Receiver might learn to “sandbag” performance on auditing tasks, intentionally minimizing the gap. Extending this framework to adversarial settings or integrating elicitation-robust audit protocols is an open research challenge.

The approach assumes replayable, interceptable signals and prompt-controlled outputs for evaluation, which generally holds for LLMs but may not generalize to broader AI settings. Unsupervised or multi-turn extensions, as well as integration with debate and scalable oversight schemes, are promising directions.

Conclusion

This work establishes a rigorous, decision-theoretic foundation for steganography in machine learning, applicable to LLM oversight where classical statistical detection is fundamentally inadequate. The steganographic gap offers a principled, quantitative measure for information asymmetry in downstream task utility—injecting operational rigor into AI safety auditing pipelines. The empirical results demonstrate both the viability and necessity of behavior-based approaches for monitoring, aligning, and defending against covert LLM reasoning and communication.