Papers
Topics
Authors
Recent
Search
2000 character limit reached

False Trust: Calibration Failures in Trust Systems

Updated 6 July 2026
  • False trust is the phenomenon where reliance is placed on systems, data, or agents despite warranted skepticism, manifesting in AI outputs, content filtering, and institutional processes.
  • Key approaches involve calibrated trust frameworks, such as watchful trust and provenance verification, to mitigate misalignment between trust decisions and actual reliability.
  • Emerging methods, like retrieval-augmented generation with trust-aware reranking and dual-store controls, actively reduce false trust and improve outcome accuracy.

Searching arXiv for papers on “false trust” and closely related trust-calibration work. False trust denotes a family of trust-calibration failures in which reliance, credibility, or deference is assigned where warranted distrust, uncertainty, or verification is needed. In the literature, the term appears in several technically distinct but structurally related forms: unwarranted human trust in untrustworthy AI, content-trust failures in which false claims enter the data used for action, explanation-induced overreliance on incorrect model outputs, trust poisoning in cooperative systems, and reputational inflation that no longer tracks true competence or benign intent. Across these uses, the common issue is misalignment between acceptance decisions and the actual properties of the object being trusted—whether that object is a document, model answer, agent action, vehicle report, or institutional process (Maggetti, 7 Apr 2026, Laufer et al., 2018).

1. Conceptual structure and definitional variants

In governance-oriented work, trust is treated as a relational, context-dependent stance of warranted vulnerability, grounded in expectations of competence, integrity, benevolence, and, in public governance, also transparency, accountability, effectiveness, and fairness. Within that framework, false trust is the case of unwarranted trust: trusting an untrustworthy AI. The same framework distinguishes warranted trust, unwarranted distrust, and warranted distrust, and argues that regulation should minimize both unwarranted trust and unwarranted distrust while institutionalizing “watchful trust” rather than blind trust (Maggetti, 7 Apr 2026).

In content-oriented work, trust is treated more operationally. “Content trust” is trust in the information itself, and trust is defined as “knowledge-based reliance on received information.” False trust then occurs when the trust process accepts a false claim into the set of trusted data that is subsequently used for action. This formulation makes trust a filtering operation: data, metadata, context, and policies are processed, and an item is either admitted into Trusted Data or not. At the point of action, the output is binary even if underlying trust models are continuous (Laufer et al., 2018).

In human–AI evaluation work, false trust is made explicitly measurable. It is defined as “the conditional probability that an answer deemed correct by the user is actually incorrect,” namely

False Trust={responses judged as correctactually incorrect}{responses judged as correct}.\text{False Trust} = \frac{|\{\text{responses judged as correct} \cap \text{actually incorrect}\}|}{|\{\text{responses judged as correct}\}|}.

Under this definition, false trust is one minus the precision of the user’s acceptance decisions. The emphasis shifts from generic “trust” to calibrated discrimination between correct and incorrect outputs (Palod et al., 11 May 2026).

Domain Trusted object False-trust formulation
AI governance AI system Unwarranted trust in an untrustworthy AI
News and social media Claim or content item False claim admitted into Trusted Data
LLM evaluation Model answer Accepted-as-correct answer that is actually incorrect

2. Content, provenance, and persuasive explanation

The content-trust literature treats false trust as a failure of information filtering under uncertainty. The trust process is modeled as a pipeline in which Data/Information, Metadata, and Context are evaluated under Policies to yield Trusted Data, which then informs Action. Provenance is central: a claim can be accepted because it is directly observed, because its source has been consistently correct in the past, or because it is supported by other claims from more trusted sources. This makes false trust traceable to specific weaknesses in metadata, provenance chains, or policies, rather than to an abstract “lack of skepticism” (Laufer et al., 2018).

A closely related systems proposal is TRUSTD, which treats fake content as a provenance and endorsement problem rather than only a classification problem. It uses Decentralized Identifiers, collective signatures based on Schnorr/EdDSA and CoSi, and blockchain records of content hashes and endorser identities. Users then compute a personalized credibility score from the trust they assign to appraisal actors. This design does not determine truth directly; it exposes who endorsed what, and shifts trust from opaque platform signals to explicit, cryptographically verifiable provenance (Jaroucheh et al., 2020).

The human-centered security literature broadens the problem from specific artefacts to susceptibility profiles. A systematic review identifies 24 influence factors in six categories—demographic factors, personality traits, psychological factors, policy and values, media consumption, and preventive factors—and highlights that lower education levels, high extraversion, low agreeableness, high neuroticism, and low cognitive reflection significantly increase belief in false information. In that framing, belief in false information is a human-centered security risk because it can be exploited to manipulate decisions, undermine trust, and increase susceptibility to social engineering (Walke et al., 11 Jan 2026).

Explanation interfaces can themselves engender false trust. In a between-subject study with JEE-Bench problems, reasoning traces, reasoning summaries, and post-hoc pro explanations increased user acceptance of LLM predictions regardless of correctness; the paper characterizes them as persuasive but not informative. Dual explanations, which present reasons for and against the answer, were the only condition that genuinely improved users’ ability to distinguish correct from incorrect outputs. The paper’s reported false-trust values illustrate the calibration gap: solution-only yielded 47.3, E+E^{+} yielded 43.9, reasoning trace 41.9, reasoning summary 43.6, and E+/E^{+/-} 40.9 (Palod et al., 11 May 2026).

3. Retrieval-augmented generation and propagation-based trust

In retrieval-augmented generation, false trust appears when semantically relevant but unreliable documents are retrieved and treated as trustworthy context. ClaimTrust frames this as a graph-level failure: a RAG system that retrieves on semantic similarity alone can retrieve a cluster of mutually reinforcing false documents and then amplify them during generation. To counter this, ClaimTrust constructs a signed document graph from extracted factual claims, where support and contradiction are propagated by a PageRank-inspired trust update rather than inferred independently for each document (Qian et al., 12 Mar 2025).

The pipeline operates over 814 political news articles from the Kaggle Fake News Detection Dataset, from which 2,173 unique factual claims are extracted. Claim pairs are embedded with mxbai-embed-large-v1, ranked by cosine similarity, and restricted to the top k=4036k = 4036 pairs, a step reported to retain 99% of meaningful relationships while avoiding naïve O(n2)O(n^2) comparison. A subsequent in-context classification labels claim pairs as supporting (+1)(+1), refuting (1)(-1), or unrelated (0)(0), producing 965 meaningful relationships and a sparse signed graph.

At the document level, the framework defines support and contradiction matrices WplusW_{plus} and WminusW_{minus}, computes weighted positive and negative influence terms E+E^{+}0 and E+E^{+}1, and updates trust scores by

E+E^{+}2

with neutral initialization E+E^{+}3 and optional trusted seeds at E+E^{+}4. The damping factor prevents unrestricted graph reinforcement, so clusters of mutually supporting false documents are anchored toward the prior rather than drifting toward maximal trust.

For RAG evaluation, the paper builds a local system over the 814 articles and compares vanilla semantic retrieval with a ClaimTrust reranking mode over 200 test queries. Substring accuracy remains unchanged at 0.015 in both modes, but the average LLM quality score rises from 0.36475 to 0.40550, a relative improvement of about 11.2%. The paper interprets this as evidence that trust-aware reranking reduces effective false trust in context selection even when exact-answer retrieval is unchanged. It also notes residual failure modes, especially sparse graph regions and echo chambers of false documents that mainly support one another.

4. Agent actions, deceptive interaction, and trust-preserving control

In action-governing agent systems, false trust appears as both over-trust and under-trust. AgentTrust v2 is a per-action trust layer that intercepts tool calls and returns one of four verdicts—allow, warn, review, or block—with the explicit safety invariant: “Never hard-block a benign action.” The paper decomposes threats into lexical threats, where stable patterns such as rm -rf / or iam create-access-key can be handled by deterministic rules, and semantic threats, where benign and malicious actions share the same surface form and are therefore “rule-blind” by construction (Yang, 7 Jun 2026).

The empirical result is a negative proof against rule-only trust. On an external held-out corpus of 189 actions, a rules-only system achieves 48.1% accuracy with 22.4% FPR and 52.9% FNR, and an expanded cloud rule pack only lifts overall accuracy to 56.1% while moving semantic categories by 0 percentage points. Strong LLM judges, by contrast, reach 83.6–85.2% accuracy on the same corpus, with FPR as low as 0.0–1.7% and FNR as low as 1.1–4.6%. The system then adds a self-improving dual-store: lexical patterns are distilled into deterministic rules, while semantic precedents enter a guarded RAG memory only under corroboration by two independent judges. On an online replay of 45,000 actions, judge-call rate falls from 50% to 44%, judge-domain accuracy rises from 71% to 80%, and benign hard-blocks remain 0.

False trust in human–robot collaboration is structurally different but related. In ToP-ToM, a robot in a modified Cheat card game can exploit a low-trust teammate via reverse psychology: if the human tends to do the opposite of the robot’s advice, a performance-only policy can maximize team reward by giving deliberately misleading advice. The paper models human trust as E+E^{+}5 and introduces a dynamic trust-aware reward

E+E^{+}6

so that explicit trust repair is rewarded only in low-trust, “false belief” regimes (Yu et al., 2023).

The consequence is a deliberate sacrifice of some short-term team performance to avoid trust collapse. Under the TP policy, reverse psychology is used 3484 times when E+E^{+}7 cheats, precisely where exposure is likely; under ToP-ToM, that count falls to 192, while reverse psychology is concentrated more in safer non-cheating contexts. The paper’s interpretation is that a policy that reasons explicitly about trust and false belief can avoid exploiting fragile or inaccurate human trust beliefs merely because such exploitation is instrumentally useful.

5. Reputation laundering and detection ceilings in sparse evidence regimes

False trust in reputation systems also arises when the numerical reputation assigned to an agent ceases to track its true competence on the relevant task. In heterogeneous LLM-agent pools, a single global reputation score is inadequate because competence varies sharply by skill. The alternative is skill-conditional trust E+E^{+}8, estimated in the paper by

E+E^{+}9

where E+/E^{+/-}0 encodes cross-skill borrowing, E+/E^{+/-}1 is evidence volume, and E+/E^{+/-}2 is observed mean outcome. A controlled phase-diagram analysis shows that conditioning helps only in a specific regime—high agent heterogeneity, sparse per-skill evidence, and correlated skills—and that the coupling strength E+/E^{+/-}3 that improves data efficiency also opens a laundering channel for cross-skill reputation poisoning (Xia et al., 12 Jun 2026).

On a public benchmark of 14 heterogeneous AppWorld agents, the real pools lie inside the beneficial regime, and the per-skill best agent genuinely changes across skills. But an attacker with cheap evidence in one skill and none in a target skill can hijack the conditional router: in a pool that CIVT rates GREEN, routing regret is driven from 0 to 0.94, and the ungated trust verdict is contaminated to E+/E^{+/-}4 instead of the honest E+/E^{+/-}5. A zero-evidence gate blocks the zero-target version of the attack but does not eliminate residual attack cost under explicit budget constraints.

Sparse rating networks reveal a complementary limit. In Bitcoin-OTC, 56% of ratings take a single value under the standard E+/E^{+/-}6 mapping, breaking the smooth observation assumptions required by continuous parametric detectors. The paper derives a Bayes-optimal F1 ceiling for per-node sequential detectors using empirically measured observation parameters and shows that, at Bitcoin-OTC’s median in-degree of 2, the ceiling falls to 0.451 for strategic attacks. It further shows that binary models retain 86% of mutual information while enabling exact parametric fit, so detector-model matching, not raw information content alone, determines practical performance (Butt, 3 Jun 2026).

The proposed dual-regime system combines Bernoulli CUSUM with asymmetric scoring. An ablation study establishes a co-design constraint: the modulation mechanism improves AUC by 0.030 on binary observations but degrades it by 0.094 on continuous observations. The final system achieves AUC 0.749 on Bitcoin-OTC and 0.796 on Bitcoin-Alpha, beats GaaSTrust on all 8 attacks with E+/E^{+/-}7, and attains founder-label AUC of 0.999. In this setting, false trust is limited both by information scarcity and by the fit between the observation model and the detector.

6. Vehicular and cyber-physical systems

In collaborative perception for connected and autonomous vehicles, trust mechanisms themselves can become an attack surface. TrustFlip shows that existing defenses based on cross-vehicle inconsistency and majority agreement can be subverted without hacking communication channels: an attacker deploys physical adversarial objects that are genuine but induce viewpoint-dependent inconsistencies among benign vehicles. These inconsistencies are then misattributed by the defense to a targeted benign vehicle, whose trust is degraded until it is downweighted or excluded from collaboration. Across multiple collaborative perception architectures and defenses, the attack removes the targeted benign vehicle from collaboration in up to 87.7% of scenarios and drops AP by up to 13%; the mitigation TrustReflect marks disputed regions as uncertain and excludes them from trust evaluation, reducing attack success rate by 35–100% (Liu et al., 21 May 2026).

A different VANET failure mode is strategic reputation building. IPEK models event-aware and location-aware on–off attackers that report honestly on low-priority events or low-criticality locations in order to accumulate trust, and then inject false data when severity is high. Local penalties scale with the combined factor

E+/E^{+/-}8

while rewards follow an asymptotic model, making trust difficult to regain after misuse. Global trust fusion uses Dempster–Shafer Theory with Yager’s rule, so conflicting evidence is assigned to uncertainty rather than being forced into premature certainty. Under attacker densities of 15–35 percent, IPEK maintains 0 percent False Positive Rate across all scenarios, Recall above 75 percent, and F1-scores exceeding 0.86 (Turgut, 8 Apr 2026).

Trust-aware control provides yet another response. For connected and automated vehicles in conflict areas, a robust event-triggered decentralized CBF framework maintains trust scores E+/E^{+/-}9 for each vehicle but keeps safety invariant to the particular trust framework used. The robust CBF condition is minimized over bounded uncertainty and stealthy bias injections, and the event-triggered update law ensures forward invariance of the safe set. The paper’s attack-detection and mitigation scheme is claimed to have twofold benefits: the trust framework is immune to false positives, and safety is provably guaranteed against false positive cases. Simulations in SUMO and CARLA show that the non-robust predecessor can violate the rear-end constraint and collide, whereas the robust trust-aware scheme preserves safety under bias injection and Sybil attacks (Ahmad et al., 2024).

7. Governance, synthetic trust attacks, and zero-trust forensics

At the regulatory level, false trust is not reducible to technical misclassification. Reciprocal-trust analysis treats it as a problem of relational misalignment among humans, AI systems, and institutions. The central recommendation is not “more trust in AI,” but watchful trust: calibrated reliance with built-in skepticism, redundancy, transparency, and contestability. The paper’s two counterfactuals—autonomous early warning at Serpukhov-15 and an under-empowered AI safety monitor at Chernobyl—show that false trust can arise both from overtrust in automation and from overtrust in human discretion. Its heuristic is to allocate autonomy to the costlier error while continuously auditing whether that allocation itself is creating false trust in either humans or machines (Maggetti, 7 Apr 2026).

In social engineering fraud, the term becomes explicitly operationalized as synthetic trust. Synthetic Trust Attacks are defined as campaigns in which generative AI manufactures and bundles identity simulation, contextual plausibility, authority indicators, and linguistic style mimicry across multiple channels in order to compress the victim’s verification window and induce a target action under manufactured trust. The STAM model decomposes this into eight stages from reconnaissance to post-compliance leverage, while the Trust-Cue Taxonomy distinguishes biometric-like, institutional, contextual, social-proof, and provenance cues. The empirical backdrop is stark: human deepfake detection accuracy sits at approximately 55.5%, and LLM scam agents achieve 46% compliance versus 18% for human operators while evading safety filters entirely. The proposed decision-layer response is Calm, Check, Confirm: a minimum 5-minute pause, out-of-band verification through pre-stored independent channels, and two-person authorization for high-risk actions (Ashraf, 2 Apr 2026).

Digital forensics in turn proposes a general strategy of institutionalized distrust. Zero Trust Digital Forensics is defined as a strategy whereby each aspect of an investigation is assumed to be unreliable until verified. The paper argues that digital forensics has long relied on unexamined trust assumptions about artefacts, tools, and systems, and that this creates vulnerability to evidence tampering and accusations of unreliability. It introduces the principle of multifaceted verification of digital artefacts, organized around temporal integrity, syntactic integrity, and semantic integrity, so that trust in an artefact is built only through explicit cross-checks rather than presumption (Neale et al., 2022).

Taken together, these works suggest that robust responses to false trust are less about maximizing trust than about calibrating it, preserving uncertainty where evidence conflicts, and making the evidential basis of trust explicit enough that trust can be revised without catastrophic downstream reliance.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to False Trust.