Papers
Topics
Authors
Recent
Search
2000 character limit reached

Position: Academic Conferences are Potentially Facing Denominator Gaming Caused by Fully Automated Scientific Agents

Published 11 May 2026 in cs.CL, cs.AI, and cs.CY | (2605.09915v1)

Abstract: The implicit policy of maintaining relatively stable acceptance rates at top AI conferences, despite exponentially growing submissions, introduces a critical structural vulnerability. This position paper characterizes a new systemic threat we term Agentic Denominator Gaming, in which a malicious actor deploys AI agents to generate and submit a large volume of superficially plausible but low-quality papers. Crucially, their objective is not the acceptance of low-quality papers, but rather to inflate the submission denominator and overwhelm reviewing capacity. Under a relatively stable acceptance rate, this dilution can systematically increase the publication probability of a small, targeted set of legitimate papers. We analyze the practical feasibility of this threat and its broader consequences, including intensified reviewer burnout, degraded review quality, and the emergence of industrialized automated agent mills. Finally, we propose and evaluate a range of mitigation strategies, and argue that durable protection will require system-level policy and incentive reforms, rather than relying primarily on technical detection alone.

Summary

  • The paper identifies the novel threat of Agentic Conference Denominator Gaming, where automated agents inflate submission counts to manipulate acceptance odds.
  • The study uses formal threat modeling and controlled experiments to validate the feasibility and economic advantages of AI-driven paper submissions.
  • The work proposes systemic countermeasures, including submission fees and multi-stage review processes, to safeguard academic integrity.

Structural Risk in Peer Review: Agentic Denominator Gaming by Fully Automated Scientific Agents

Overview and Context

The paper "Position: Academic Conferences are Potentially Facing Denominator Gaming Caused by Fully Automated Scientific Agents" (2605.09915) presents a formal analysis of a new systemic threat confronting academic peer review in machine learning and AI venues. The central claim is that the institutional practice of maintaining a relatively stable acceptance rate, in the face of exponential growth in submissions, introduces a structural vulnerability. The authors designate this attack vector as Agentic Conference Denominator Gaming: adversarial actors utilizing agentic AI systems to flood conference submission pools with plausible-yet-low-quality papers. The attack objective is not widespread acceptance of these papers but statistical manipulation of acceptance rates—effectively altering selection odds for a targeted subset of desirable, legitimate manuscripts.

The position is grounded in empirical observation of current submission dynamics and technical advances in scientific automation, and is justified both through threat modeling and by situating the attack within broader publication and epistemic security trends. The paper critically evaluates plausible technical, policy, and systemic countermeasures and advocates for deeper reform in conference selection protocols and incentive structures.

Mechanism of Denominator Gaming

The mechanism leverages the interplay between two dominant trends: (1) the stability of acceptance rates at premier conferences, decoupled from the exponential rise in submissions, and (2) the commoditization of scientific authorship via scalable LLM-driven agentic workflows.

Mathematical Formalization

Under the stable acceptance rate norm (aa), an increase in the total submission pool (Nsub=Nh+NaN_\text{sub} = N_h + N_a; NhN_h is human, NaN_a is agentic) causes the number of accepted papers to scale proportionally: Nacc=a(Nh+Na)N_\text{acc} = a \cdot (N_h + N_a). Since injected agentic papers are constructed for plausible appearance but low acceptability, their impact is confined to inflating the denominator—the quota for acceptances is then met by lowering the effective quality threshold among genuine submissions. The expected acceptance rate for human submissions thus increases: a~=a(1+Na/Nh)\tilde{a} = a \cdot (1 + N_a / N_h).

System Realization

The authors detail a pragmatic two-agent pipeline:

  • Research Agent: Automates generation of manuscripts using up-to-date LLM and agentic pipelines, parsing conference-specific templates to maximize plausibility and evade desk rejection.
  • Submission Agent: Automates OpenReview (or equivalent platform) submission logistics, including account registration, form completion, and basic rebuttal handling. Mass generation of educational email identities (for Sybil-style attacks) is shown to be technically feasible.

End-to-end feasibility is demonstrated by a responsible, tightly controlled experiment: an automated agent system produces and submits a synthetic manuscript, confirming that the entire pipeline can be automated at scale, with per-paper costs on the order of a few dollars.

Practical and Theoretical Implications

Economic and Sociotechnical Asymmetry

The threat exemplifies economic asymmetry: attackers incur low, flat marginal costs (LLM inference + basic automation), while the defense burden is diffused as thousands of hours of skilled, volunteer human review. Reusability of synthetic manuscripts across venues intensifies systemic exposure, transforming an attack on one conference into a cross-ecosystem exploit.

Reviewer Overload and Integrity Erosion

Peer review is already at a crisis point, with chronic reviewer fatigue and high attrition rates among qualified reviewers. Agentic denominator gaming would sharply degrade signal-to-noise in review pools, further accelerating burnout and yielding an escalating cycle: lower review quality, declining conference prestige, and further erosion of venue selectivity and trust.

Agentic Paper Mills and Scaling of Academic Fraud

The authors contextualize denominator gaming as a stage in the industrialization of academic fraud: from ad hoc human-run paper mills to “agentic mills.” These AI-driven operations can generate, submit, and adapt fraudulent academic content at industrial scale. The attack increases the sophistication and evasion capacity of fraudulent papers and exploits the recursive use of AI-generated literature as future training data.

A critical theoretical issue is the looming epistemic security crisis—as the signal of publication quality diminishes, the incentive structure for researchers shifts, and the entire scholarly communications system risks self-devaluation.

Evaluation of Mitigation Strategies

Technical Defenses

Automated AI-generated text detectors, cross-submission clustering, citation consistency checks, and anomaly detection are evaluated. The authors argue convincingly that reliance on technical defenses is not robust: detectors are easily circumvented by adversarial paraphrasing and suffer high false positive rates, with consequential damage to legitimate researchers, especially those using AI tools for language refinement.

Policy and Systemic Defenses

The authors foreground two classes of systemic defense:

  • Submission Fees: Directly combat economic asymmetry, by raising the marginal attack cost. This is shown to have some efficacy (e.g., at IJCAI 2026), and if used to fund reviewer compensation could also partially address reviewer attrition, but raises important equity concerns for resource-limited researchers.
  • Multi-Stage Review: Early triage to filter low-quality submissions before formal review; seen in recent AAAI processes. This is useful in resource management but does not address root systemic vulnerability.
  • Explicit Acceptance Caps: Breaking the coupling between submission volume and acceptance quota. This measure neutralizes denominator gaming by rendering inflating submissions futile, but poses governance risks (risk of arbitrary rejection in years with high-quality pools) and requires substantial community buy-in.
  • Reputation/Endorsement Systems: Expansion of mechanisms such as arXiv’s endorsement model. This can function as a friction on Sybil and agentic attacks, but is likely to introduce new social and procedural complexities.

Critique of Alternative Views

Arguments suggesting that technical detection or pre-screening will suffice are rejected as naive. The adversarial nature of generation/detection co-evolution is stressed, and the procedural and bias risks (potential discrimination against non-native speakers and legitimate AI use) are classified as unacceptable.

The authors analyze AI detection scores on NeurIPS and ICLR submissions, revealing a rapid increase in AI-generated content—especially among non-accepted papers—with a significant proportion of plausible but low-quality AI-generated abstracts. Declining average review ratings for the overall submission pool further substantiate the claim that the influx of low-value submissions is underway, intensifying the selection pressure for a robust response.

Future Directions and Open Challenges

The paper closes by calling for a shift from reactive technical patchwork to institutional and systemic reform of publication pipelines. This includes re-examination of conference acceptance policies, new economic and incentive structures for reviewers, and coordinated deployment of reputational/endorsement-based friction systems. There is an implicit suggestion that the era of AI-driven science necessitates rethinking what peer review and publication mean, including how trust and selectivity are instantiated in scientific evaluation.

Conclusion

This position paper identifies and rigorously characterizes Agentic Conference Denominator Gaming as a substantive structural threat enabled by fully automated scientific agents. The authors demonstrate technical feasibility, analyze systemic risks, and argue that durable solutions must go beyond technical detection, requiring coordinated economic, policy, and structural responses within the academic publication ecosystem. The findings highlight the urgency for the AI research community to proactively redesign selection and incentive systems to defend the integrity of scholarly communication before the described vulnerabilities are exploited at scale.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 3 tweets with 7 likes about this paper.