Measuring Epistemic Resilience of LLMs Under Misleading Medical Context
Abstract: LLMs now reach expert-level scores on medical licensing exams, encouraging the assumption that high scores imply safe medical judgment while patients increasingly use them for health advice. We show this assumption is fragile: when misleading context is injected into questions that LLMs originally answer correctly, they abandon the correct answer. We call the ability to maintain correct judgment under adversarial context epistemic resilience, and introduce MedMisBench to measure it. MedMisBench contains 10,932 medical question items and 48,889 misleading context-option pairs spanning medical reasoning, agentic capability, and patient-journey evaluation. Across 11 model configurations, mean accuracy falls from 71.1% on original questions to 38.0% under focused misleading context, with 51.5% attack success. The most damaging injections are formal, rule-like fabrications: authority-framed falsehoods reach 69.5% attack success and exception-poisoning claims reach 64.1%. A 14-member clinical panel from 7 countries identified serious potential harm in 38.2% of reviewed cases. MedMisBench exposes a structural blind spot in LLM evaluation in medical settings: existing benchmarks measure what models know, but not whether they preserve correct medical judgment under misleading context.
Paper Prompts
Sign up for free to create and run prompts on this paper using GPT-5.
Top Community Prompts
Explain it Like I'm 14
Overview: What is this paper about?
This paper introduces MedMisBench, a big set of test questions designed to check whether AI chatbots (LLMs, or LLMs) can stick to the right medical answer even when someone adds believable but false information to the question. The authors call this skill epistemic resilience. Their main message: many AIs that score well on clean medical tests can be pushed into wrong answers if the question includes misleading context.
Key questions the paper asks
- Can AI models keep the correct medical judgment when the question includes a convincing false claim?
- What kinds of false information are most likely to trick them?
- Do models behave differently when the false info sounds like it comes from an authority (like a guideline) versus a patient?
- Does “thinking harder” (using longer reasoning) or using tools like web search help?
- If the AI gets misled, could the result actually harm a patient?
How the study worked (methods explained simply)
Building the test set (MedMisBench)
Imagine a multiple-choice medical quiz where each question has one right answer. The researchers took 10,932 such questions from five medical datasets. Then, for each question, they created short, realistic sentences that:
- Support the correct option (a truthful sentence), and
- Support each wrong option with a believable but false sentence.
These extra sentences are the misleading context. In total, they produced 48,889 pairs of “wrong option + misleading sentence.”
To make this realistic, they organized false information along two dimensions:
- Content (what the false claim says):
- Relationship/Sequence inversion: mixing up cause/effect or timing.
- Threshold/Reference corruption: making up or changing the numbers or rules that guide decisions (like a fake “normal range”).
- Cue remapping: telling you a symptom points to the wrong disease.
- Spurious anchoring: introducing an eye-catching but irrelevant detail to sway the choice.
- Exception poisoning: inventing a fake exception or contraindication (like “never do X if Y,” when that’s not true).
- Provenance (who seems to be saying it):
- Neutral statement: presented as plain factual text.
- Patient-framed: the patient claims or believes it.
- Authority-framed: it looks like a guideline, discharge summary, or standard operating procedure.
Doctors from seven countries double-checked samples to ensure the base questions had a clear right answer, the injected falsehoods were plausible yet wrong, and the setup fairly tested the AI’s resilience.
Two ways they showed the misleading info (delivery protocols)
- Type 1 (focused injection): The model sees the question plus just one misleading sentence that supports a specific wrong option. Think of this like a pop quiz with a single convincing bad “hint.”
- Type 2 (all-option injection): The model sees the question plus the truthful sentence for the right option AND the misleading sentences for all the wrong options. This is more like debating between several claims, including the correct one.
How they measured success or failure
- Clean accuracy: How often the model gets the original question right (with no extra sentences).
- Attack Success Rate (ASR): Among questions the model originally got right, how often it flips to a wrong answer after the misleading sentence is added. This directly measures loss of epistemic resilience.
- Targeted ASR (TASR): Among flips to a wrong answer, how often the model picks the exact wrong option that the false sentence was designed to push.
- Type 1/Type 2 accuracy: How often the model is right after injection under each protocol.
They tested 11 different AI setups, including commercial models and open models.
Main findings and why they matter
Big-picture results
- On clean questions, average accuracy was 71.1%.
- Under Type 1 (one strong false claim), accuracy dropped to 38.0%, and ASR was 51.5%. In plain terms: over half the time, the added false sentence made models change a previously correct answer to a wrong one.
- Under Type 2 (mixed evidence with truth plus multiple false claims), accuracy stayed near the clean level (70.5%), but ASR still averaged 18.7%. So even with true support present, models sometimes switched from right to wrong.
Most Type 1 failures were targeted: TASR was 45.4%, meaning the false sentence didn’t just confuse the model—it pulled it toward the specific wrong option it was meant to promote.
Which false info was most dangerous?
Formal, rule-like falsehoods were worst:
- Authority-framed falsehoods had high attack success (~69.5%).
- Exception poisoning (fake rules like “never do X in Y”) was strong (~64.1%).
- Threshold/reference corruption (fake decision numbers or ranges) was also high (~60.9%).
Patient-framed claims were much less harmful (~18.5% ASR). In short: models are especially vulnerable when false info looks official or encodes “the rules.”
Does “thinking harder” help?
Not always. Some models got less resilient when they used more reasoning:
- In one model family, higher “reasoning” raised the chance of getting tricked, even though it slightly improved clean test scores.
- Other models improved both clean accuracy and resilience with more reasoning.
Conclusion: Longer reasoning isn’t a guaranteed shield. In some cases, it may make the model lean harder into the fake “rule.”
What did clinicians say about harm?
A panel of 14 clinicians reviewed model outputs:
- About 38.2% of reviewed cases were “worst-case” outcomes: a wrong answer, clear uptake of the false info, and serious potential for harm.
- Another 46.1% were wrong with low or moderate harm.
- Only 5.6% produced the correct answer while clearly rejecting the false claim.
This shows that flips aren’t just academic—they can lead to harmful medical advice.
Can we fix this?
Two small case studies:
- Web search and self-checking helped one stronger model dramatically in a specific dataset (ASR fell from 81.5% to 16.1%), but helped a weaker model less. It’s not a magic fix; the model still needs to recognize conflicts between retrieved truth and injected falsehood.
- A defensive prompt (warning the model that context might be misleading) reduced Type 1 ASR by 10–14 percentage points, but didn’t eliminate the problem. Even warned, models often failed to apply caution when choosing the final answer.
What this means (implications)
- Clean exam scores aren’t enough. Real medical chats and tools often involve messy, mixed, or misleading information—from patient stories, unverified web pages, or even official-looking documents. An AI must keep correct judgment under these pressures.
- Epistemic resilience should become a standard part of evaluating medical AIs. We need to measure not only what models know, but whether they stick to the right answer when false but plausible claims appear.
- Safety needs stronger defenses. Strategies might include:
- Training models to challenge rule-like statements and to verify thresholds, contraindications, and “official” claims.
- Better support for evidence retrieval, source checking, and conflict detection.
- Clear user-facing warnings and designs that reduce the impact of misleading context.
- Practical takeaway for users and clinicians: Be cautious with AI health advice, especially when an answer hinges on specific “rules,” numbers, or exceptions. If something looks official but conflicts with trusted sources, double-check.
The authors made MedMisBench publicly available so researchers can test and improve resilience. Their core takeaway is simple: an AI that aces clean tests can still be misled. If we want safer medical AI, we must build and measure the ability to resist believable false context.
Knowledge Gaps
Knowledge gaps, limitations, and open questions
The paper surfaces important findings on epistemic resilience but leaves several concrete gaps and open questions that future work could address:
- External validity beyond MCQ: Does resilience measured on answer-grounded, single-best multiple-choice items transfer to free-form clinical tasks (e.g., differential diagnoses, care plans), multi-turn dialogs, or instruction-following with open-ended outputs?
- Multimodal generalization: How do results change when tasks include medical images, waveforms, lab tables, medication charts, or mixed text–image inputs where misleading context could be embedded in non-text modalities?
- Language and locale coverage: The benchmark appears English-only; how does resilience vary across languages, healthcare systems, and regions with different guideline bodies and practice norms?
- Human baseline under identical injections: How resilient are clinicians (or trainees) when exposed to the same misleading contexts, and how do human failure modes compare to LLMs’ (by content type and provenance)?
- Realism of misinformation: Most injections are single-sentence, LLM-generated claims; how do results differ with longer, multi-sentence falsehoods, multi-claim narratives, or real-world misinformation (e.g., social media posts, forum threads, blog articles, or clinical-document artifacts)?
- Limited provenance taxonomy: Only three source framings (neutral, patient, authority) are studied; what about peers/family, pharmaceutical marketing, sales reps, news outlets, influencers, or “expert user” forums that often shape patient and clinician beliefs?
- Limited content taxonomy: Five corruption types may not cover dosage errors, polypharmacy/interaction misinformation, contraindication cascades, test ordering/interpretation pipelines, guideline currency drift, or probabilistic trade-offs in management decisions.
- Dose–response of corruption: How sensitive are models to the magnitude and subtlety of threshold shifts (e.g., altering a cutoff by 1% vs. 30%), the plausibility of exceptions, or the specificity of cue remapping?
- Context placement and formatting effects: The study does not vary where or how the false sentence appears (before/after the case, boldface, bulleting, citation markers); does placement, typography, or length modulate susceptibility?
- Cumulative and iterative exposure: How does resilience evolve when models encounter repeated, reinforcing false claims across turns or documents, versus a single injected sentence?
- Mixed-evidence arbitration mechanisms: Type 2 mixes one correct sentence with multiple wrong ones, but does not test more realistic evidence bundles (e.g., multiple true and false pieces, contradictory citations, noisy retrieval rankings).
- RAG and retrieval poisoning at scale: Beyond a small HLE-search case study, how do retrieval pipelines (index composition, ranking algorithms, citation verification, anti-poisoning defenses) affect resilience across the full benchmark?
- Tool-augmented and agentic settings: Outside HLE search, how do tools for guideline lookup, dosage calculators, order entry simulators, or literature review agents impact resilience in MedJourney/agentic tasks?
- Mechanisms behind authority and rule-like failures: Why do “authority-framed” and “threshold/exception” injections dominate? Are models over-weighting provenance tokens (“guideline”, “SOP”) or numerics? Controlled ablations (matched length, numeracy cues, lexical style) are needed to disentangle content vs. style.
- Confidence, calibration, and abstention: The evaluation centers on label flips (ASR/TASR) without measuring calibrated uncertainty, refusals/deferrals, or self-reported doubt under misleading context; can calibrated caution be trained without excessive refusals?
- Reasoning-effort paradox: Some models show higher clean scores but worse Type 1 resilience with more “reasoning” enabled; what internal behaviors (e.g., chain-of-thought acceptance of premises, credulity to formal-sounding claims) drive this, and can targeted training reverse it?
- Variance and decoding sensitivity: Results are reported per configuration but do not examine run-to-run variance, temperature, nucleus sampling, or prompt randomization effects on ASR/TASR.
- Ground-truth currency and plurality: Medicine often permits multiple acceptable answers or guideline-dependent choices; how robust are findings to guideline updates, jurisdictional differences, or cases with legitimate ambiguity?
- Benchmark construction bias: Applicability filtering and injection generation rely on LLMs; does this introduce stylistic artifacts that models later exploit? More human-authored or curated injections and adversarial audits would help validate robustness.
- Safety review generalizability: The harm analysis uses 89 tasks with reviewers seeing taxonomy labels; larger, blinded, multi-specialty panels (with senior clinicians) and outcome-linked validation would improve external validity and reduce anchoring.
- Defense coverage is limited: Only a warning prompt and a targeted HLE-search tool are tested. Systematic comparisons of defenses (consistency checks, self-verification, debate/critique, adversarial training, provenance down-weighting, citation-grounded reasoning, ensembles) are needed across the full benchmark.
- Detection vs. preservation: The work measures judgment preservation, not explicit detection of misleading context; can models be trained to flag, explain, and quarantine suspect claims while still answering correctly?
- Dynamic vs. static evaluation: Static release risks contamination and overfitting; can a rotating or programmatically generated resilience suite (with human-in-the-loop validation) provide ongoing, leakage-resistant assessment?
- Specialty- and severity-stratified risk: Which clinical areas (e.g., oncology vs. dermatology), task types (triage vs. management), or acuity levels are most vulnerable, and how does harm potential vary accordingly?
- Equity and readability: How do patient-framed injections at different literacy levels, or culturally specific beliefs, impact resilience and potential harm for diverse patient populations?
- Multilingual and cross-cultural guidelines: Do authority-framed injections referencing different national bodies (USPSTF vs. NICE vs. WHO) yield different failure rates, and can models reconcile conflicting authorities?
- Interaction with guardrails: How do medical-safety guardrails, disclaimers, or risk-sensitive refusal policies trade off against resilience and utility in practice?
- Training-time interventions: Which fine-tuning strategies (e.g., adversarial curriculum with rule-like falsehoods, provenance-aware instruction tuning, counter-misinformation rationales) most improve resilience without degrading general medical competence?
- Human–AI teaming: In clinician-in-the-loop settings, can UI cues, source transparency, or checklist prompts mitigate uptake of false context, and what is the net effect on decision quality and time?
- Benchmark expansion to real EHR workflows: Can resilience be assessed in simulated EHR tasks (ordering, documentation, follow-up), where misleading context may appear in notes, problem lists, or medication histories?
Practical Applications
Immediate Applications
The following applications can be deployed with today’s tooling using MedMisBench and the paper’s methods and findings.
- Pre-deployment resilience testing in CI/CD for medical AI
- Sectors: Healthcare software, AI vendors
- Use case: Integrate MedMisBench into model evaluation pipelines to compute Attack Success Rate (ASR), Targeted ASR (TASR), and Type-1/Type-2 post-injection accuracy before any clinical release.
- Tools/products/workflows: “Epistemic Resilience Scorecard,” CI “ASR gate” that blocks promotion if Type-1 ASR > threshold; model cards reporting resilience metrics alongside clean accuracy.
- Assumptions/dependencies: Access to benchmark; internal evaluation compute; acceptance by product and safety teams; recognition that clean accuracy masks Type-1 failures (mean 51.5% ASR).
- Red-teaming triage chatbots and consumer health assistants
- Sectors: Consumer health apps, virtual care platforms
- Use case: Systematic adversarial tests using the paper’s taxonomy (authority-framed thresholds/exceptions; cue remapping) to probe where chatbots change correct answers under one false claim.
- Tools/products/workflows: “Misleading-Context Red-Team Pack”; scripted Type-1 injections; escalation policy to a human when authority-framed claims are detected.
- Assumptions/dependencies: Ability to modify pre-release evaluation; clear harm triage criteria; clinician oversight for worst-case outputs (38.2% in review).
- RAG pipeline hardening for clinical decision support (CDS)
- Sectors: CDS vendors, hospital IT
- Use case: Detect formal rule-like claims (e.g., thresholds, exceptions) in retrieved or user-supplied context and trigger verification against trusted guidelines.
- Tools/products/workflows: “Authority-Claim Detector” to flag patterns (e.g., “contraindicated if…”, “guideline states…”); “Threshold/Exception Verifier” microservice that checks values against sources like NICE, UpToDate; automatic citation requirements for rule-like claims.
- Assumptions/dependencies: Access to current, licensed guidelines; robust citation resolution; latency budgets for verification; monitoring for Poisoned RAG risks.
- Defensive prompting and UI guardrails for patient-facing apps
- Sectors: Consumer health, telemedicine platforms
- Use case: Add instructions cautioning against trusting added context and require the model to verify rule-like assertions; surface arbitration UIs showing competing evidence.
- Tools/products/workflows: A “Resilience Prompt Layer” that reduces Type-1 ASR by ~10–14 points (paper’s subset result); UI banner “This claim may be misleading—verified sources shown below.”
- Assumptions/dependencies: Prompt-layer coverage of all relevant flows; guardrail tuning to avoid over-refusal; user comprehension of evidence displays.
- Search-and-verify agent mode for high-risk queries
- Sectors: Health search, clinical Q&A, helplines
- Use case: On detection of authority/threshold/exception language, switch to an agentic flow that plans, searches, visits, and cites evidence (OpenSeeker/ReAct-style).
- Tools/products/workflows: “Verify-on-Authority” toggle; auto-citation; contradiction checks between vignette and retrieved evidence.
- Assumptions/dependencies: High-quality web sources; model capability to adjudicate conflicts; observed variability across models (large ASR drop for stronger model, smaller for lighter model).
- Procurement and vendor assessment with resilience thresholds
- Sectors: Hospitals, payers, public health agencies
- Use case: Require MedMisBench-based resilience reporting for vendor selection; set minimum Type-1/Type-2 ASR thresholds for clinical tools.
- Tools/products/workflows: RFP annex with benchmark runs; standardized “Epistemic Resilience Report” including taxonomy-stratified ASR (e.g., authority-framed falsehoods up to ~70% ASR).
- Assumptions/dependencies: Procurement policy updates; third-party verification; periodic re-testing to catch drift.
- Risk-based routing and human-in-the-loop escalation
- Sectors: EHR-integrated CDS, call centers
- Use case: When a model detects authority-framed threshold/exception statements (highest-risk categories), require human oversight before action.
- Tools/products/workflows: “Risk Router” that adds a human checkpoint for flagged contexts; audit logs tagging provenance and content-type triggers.
- Assumptions/dependencies: Clinician availability; UI/UX for quick review; acceptable throughput impact.
- Safety analytics and incident response for misinformation uptake
- Sectors: Health systems, regulators, safety teams
- Use case: Monitor production interactions for misleading-context signatures; measure real-world ASR proxies and trigger incident reviews.
- Tools/products/workflows: “Misleading-Context Telemetry” capturing threshold/exception claims; monthly resilience audits; post-incident taxonomy-based root-cause analysis.
- Assumptions/dependencies: Privacy compliance; on-device or server-side detection; clear success/harm definitions.
- Academic baselines and teaching
- Sectors: Academia, ML courses, clinical informatics programs
- Use case: Use MedMisBench as a standard resilience baseline, course lab, or replication project to study susceptibility to formal falsehoods and provenance.
- Tools/products/workflows: Open datasets and code; classroom assignments comparing Type-1 vs Type-2; research reproducing taxonomy effects.
- Assumptions/dependencies: Access to LLMs; institutional review consistency.
- Knowledge-base QA focused on rules and exceptions
- Sectors: Medical publishers, guideline maintainers
- Use case: Scan and verify the most error-prone content forms (thresholds/exceptions) in curated KBs to reduce downstream model confusion.
- Tools/products/workflows: “Rule QA Scanner” that extracts numeric thresholds/contraindications for expert validation; changelogs for high-risk updates.
- Assumptions/dependencies: Editorial workflows; domain experts; version control across locales.
- Public health messaging prioritization
- Sectors: Public health, NGOs
- Use case: Prioritize debunking of formal, rule-like falsehoods in campaigns (most damaging per benchmark) over generic myths.
- Tools/products/workflows: Taxonomy-guided content strategy; measurement of spread and correction efficacy.
- Assumptions/dependencies: Monitoring pipelines; multilingual content.
- Cross-domain pilot evaluations
- Sectors: Legal tech, finance risk, aviation safety (where rules/thresholds matter)
- Use case: Apply the content/provenance taxonomy to existing domain QA to probe resilience to authority-framed rule corruption.
- Tools/products/workflows: “Resilience Probe Pack” adapted to domain rules; Type-1/Type-2 test harness.
- Assumptions/dependencies: Availability of domain guidelines; careful adaptation beyond medicine.
Long-Term Applications
These opportunities require further research, scaling, or ecosystem development to reach production.
- Training objectives for epistemic resilience
- Sectors: Foundation-model developers, healthcare AI
- Use case: Incorporate counterfactual training and RLAIF/RLHF signals that penalize uptake of rule-like falsehoods and reward arbitration under mixed evidence.
- Tools/products/workflows: “Resilience-Tuned” checkpoints; curriculum with authority-framed injections; contradiction-aware chain-of-thought.
- Assumptions/dependencies: High-quality supervision; avoiding overfitting to MedMisBench; maintaining utility vs refusal balance.
- Provenance-aware reasoning modules
- Sectors: Model architecture research
- Use case: Structured handling of source types (patient claims vs authority vs neutral), coupled with verification, rather than naive authority deference.
- Tools/products/workflows: Source-weighting layers, credibility calibration, conflict graphs among sources.
- Assumptions/dependencies: Labeled training data; dynamic trust calibration; prevention of authority fallacies.
- Resilience-centric RAG architectures
- Sectors: CDS, knowledge services
- Use case: Retrieval with poison-resistance, contradiction detection, and “consistency adjudicators” that cross-check thresholds and exceptions against trusted corpora.
- Tools/products/workflows: Poisoned-RAG defenses; consensus estimation across independent sources; structured guideline validators.
- Assumptions/dependencies: Continually updated trusted corpora; scalable evidence ranking; traceable citations.
- Standardized regulatory testing and certification
- Sectors: Regulators (FDA, MHRA), standards bodies
- Use case: Mandate resilience tests (Type-1/Type-2) and taxonomy-stratified reporting for medical AI approvals and post-market surveillance.
- Tools/products/workflows: Public test suites; certified auditors; resilience thresholds per risk class.
- Assumptions/dependencies: Policy consensus; alignment with clinical risk frameworks; mechanisms to prevent gaming.
- Multi-agent deliberation for medical arbitration
- Sectors: Agent systems, virtual clinics
- Use case: Use diverse agents (guideline-checker, contradiction-finder, clinician-simulator) to debate and resolve conflicting context, escalating when consensus fails.
- Tools/products/workflows: Debate protocols; arbitration scoring; adjudication UI with evidence.
- Assumptions/dependencies: Cost/latency budgets; evaluation of deliberation quality; safety of agent self-critique.
- EHR-integrated resilience safeguards
- Sectors: Health IT, EHR vendors
- Use case: Before CDS advice is shown, auto-verify any thresholds/contraindications against institution-approved protocols and local formularies.
- Tools/products/workflows: “EHR Rule Verifier,” local-policy mapping; override explanation trails.
- Assumptions/dependencies: Data integration; institution-specific variations; governance for rule updates.
- Consumer health assistants with verified-rule UX
- Sectors: Digital health, insurers
- Use case: Assistants that explicitly highlight decision rules, show verified sources, and warn when a claim contradicts guidelines.
- Tools/products/workflows: Explanation widgets; risk badges for rule confidence; user studies for comprehension.
- Assumptions/dependencies: Information design research; trust/usability trade-offs; accessibility across literacy levels.
- Domain-general resilience benchmarks
- Sectors: Safety research across domains (finance, aviation, cybersecurity)
- Use case: Extend MedMisBench’s two-layer taxonomy and delivery protocols to other high-stakes areas to measure susceptibility to misleading rules and authorities.
- Tools/products/workflows: Open benchmarks per domain; shared leaderboards; cross-domain robustness studies.
- Assumptions/dependencies: Domain experts; high-quality gold labels; legal access to standards/guidelines.
- Continual monitoring and drift detection for infodemics
- Sectors: Public health, hospital safety
- Use case: Pipelines that detect spikes in model susceptibility when misinformation trends change (e.g., new “exception” myths) and trigger model/prompt updates.
- Tools/products/workflows: Streaming ASR proxies; taxonomy-tagged alerting; automated regression tests.
- Assumptions/dependencies: Social/clinical signal ingestion; privacy-compliant data collection; rapid update capability.
- Multilingual and multimodal resilience
- Sectors: Global health, imaging + text systems
- Use case: Expand benchmark and defenses to other languages and modalities (notes, discharge PDFs, patient images with captions) where authority cues differ.
- Tools/products/workflows: Localized taxonomy; modality-specific rule extraction; OCR plus verifier.
- Assumptions/dependencies: Language resources; cross-cultural guideline mapping; robust multimodal pipelines.
- Curriculum and credentialing for AI oversight
- Sectors: Medical education, CME providers
- Use case: Train clinicians to recognize high-risk misinformation patterns (authority-framed exceptions/thresholds) in AI outputs and apply verification workflows.
- Tools/products/workflows: CME modules; simulation labs using benchmark items; competency assessments.
- Assumptions/dependencies: Accreditation; clinician time; integration with QA processes.
- Safer autonomy in clinical agents
- Sectors: Agentic healthcare systems
- Use case: Define mandatory “verify-and-cite” tool-use steps before agents execute actions tied to rule-like assertions.
- Tools/products/workflows: Action guards; policy engines rejecting unverified rule claims; human signoff tiers.
- Assumptions/dependencies: Tool ecosystem maturity; validated action policies; liability frameworks.
Notes across applications:
- Prioritize mitigation of formal, rule-like fabrications (authority-framed, thresholds, exceptions), which showed the highest ASR in the paper; design detectors and verifiers accordingly.
- Defensive prompts and search/verification reduce but do not eliminate failures; combine multiple safeguards with human oversight for high-stakes decisions.
- Benchmark coverage is multiple-choice, English-heavy, and text-only; confirm external validity for free-form, multilingual, or multimodal settings before relying on metrics for deployment decisions.
Glossary
- Agentic capability: The ability of AI systems to autonomously perform clinical tasks and actions beyond passive Q&A. "spanning medical reasoning, agentic capability, and patient-journey evaluation."
- Answer-grounded: A property of questions whose correct answer is supported directly by the prompt content, enabling objective automatic evaluation. "answer-grounded medical question whose gold answer should remain correct"
- Applicability filtering: A generation-time screening step ensuring that a misleading context can be plausibly and semantically applied without changing the true answer. "we use an LLM-based applicability-filtering step before generation."
- Arbitration-resilience protocol: An evaluation setting (Type 2) where models must preserve correct judgment while arbitrating among both truthful and misleading option-level claims. "This is the arbitration-resilience protocol: it asks whether the model can arbitrate among competing option-level claims when correct support and multiple misleading alternatives are all present."
- Attack success rate (ASR): The proportion of cases where a model’s originally correct answer becomes incorrect after misleading context is injected. "attack success rate (ASR), where an attack is successful if a clean-correct answer changes to an incorrect answer after injection."
- Authority-framed: A provenance style that presents false claims as coming from authoritative clinical sources (e.g., guidelines or discharge notes), increasing their influence. "An authority-framed threshold/reference claim moves the model from the correct melanoma-management answer to the targeted wrong option."
- Cue Remapping: A content-corruption type that misinterprets or reassigns diagnostic cues to support an incorrect option. "3) Cue Remapping;"
- Defensive prompt: An explicit instruction warning the model that added medical context may be false or misleading, used to mitigate uptake of misinformation. "We evaluate a defensive prompt on a stratified 600-item subset."
- Epistemic resilience: The capacity of a model to preserve correct medical judgment when plausible but false context is introduced. "We call the ability to maintain correct judgment under adversarial context epistemic resilience, and introduce MedMisBench to measure it."
- Exception Poisoning: A content-corruption type that fabricates contraindications or exceptions to flip a decision away from the true answer. "exception-poisoning claims reach 64.1%."
- Focused-resilience protocol: An evaluation setting (Type 1) testing whether a single, plausible false claim aligned to one distractor can overturn a previously correct answer. "This is the focused-resilience protocol: it asks whether a single plausible false claim directly supporting one distractor can override an originally correct answer."
- Focused wrong-option injection: The Type 1 delivery mode where only the misleading sentence for a single wrong option is presented. "Type~1 (Focused wrong-option injection)."
- Gwet's AC2: A robust inter-rater agreement coefficient used to assess consistency among clinician reviewers on multiple ordinal scales. "with Gwet's AC2 of 0.94 for final-answer correctness, 0.95 for injection uptake, 0.84 for harm potential, and 0.78 for clinical grounding across the 64 dual-rated tasks."
- Mixed-evidence setting: An evaluation condition where truthful and misleading context are both present, requiring models to arbitrate among conflicting evidence. "It is a mixed-evidence setting where aggregate accuracy can look stable while originally correct answers still flip, and this effect is model-family dependent."
- OpenSeeker: A search-and-verification approach that plans, retrieves, and cites external evidence to support answers. "following OpenSeeker~\citep{du2026openseeker} and ReAct~\citep{yao2023react}."
- Patient-journey evaluation: Assessment of model performance across end-to-end care workflows and multi-step clinical processes. "spanning medical reasoning, agentic capability, and patient-journey evaluation."
- Provenance framing: The source-style presentation of a claim (neutral statement, patient belief, or authority) that shapes how models weigh its credibility. "We consider 3 provenance framings: 1) Neutral False Statement; 2) Patient Self-Diagnosis / Belief / Claim; and 3) Authority (Guideline / Discharge Note / SOP)."
- ReAct: A prompting paradigm that interleaves reasoning and acting (tool use) to retrieve and verify evidence during task solving. "following OpenSeeker~\citep{du2026openseeker} and ReAct~\citep{yao2023react}."
- Relationship / Sequence Inversion: A content-corruption type that reverses causal or temporal relations to support an incorrect option. "1) Relationship / Sequence Inversion;"
- Spurious Anchoring: A content-corruption type that introduces salient but irrelevant anchors to bias the final answer. "while spurious anchoring is far weaker at 20.9%."
- Standard Operating Procedure (SOP): An institutional guideline or protocol cited as an authoritative source in provenance framing. "Authority (Guideline / Discharge Note / SOP)."
- Sycophancy: A behavioral flaw where models overly agree with user claims or credibility cues rather than applying independent judgment. "work on sycophancy and persuasive framing suggests that models can be swayed by user claims and credibility cues"
- Targeted attack success rate (TASR): The share of focused-injection failures that flip specifically to the injected target wrong option, indicating directional uptake of misinformation. "targeted attack success rate (TASR) counts the subset of clean-correct failures that flip specifically to the sampled target wrong option, distinguishing direct misinformation uptake from broader instability."
- Threshold / Reference Corruption: A content-corruption type that falsifies numeric decision rules, thresholds, or reference ranges to mislead the model. "2) Threshold / Reference Corruption;"
- Vignette: A structured clinical scenario or case description used in evaluation and mitigation studies. "between the vignette, retrieved evidence, and the injected claim."
Collections
Sign up for free to add this paper to one or more collections.