Agent Evaluation Integrity:把 Reward 变成证据协议
Agent 做对一件事,和 Agent 得到一个高分,不是同一个事实。网页上出现一个 toast、工具返回 200、测试指标上升、LLM judge 表示满意,甚至 hidden verifier 返回 pass,都可能只覆盖目标的一部分。对会用工具、会训练、会改写工件的 agent,reward 不能被当成完成定义;它应该是一条可追溯、可攻击、可与独立终态比较的证据路径。
reward != evidence != verifier != judge != acceptance。训练信号可以稠密、近似或带噪;最终主张必须说明谁采集证据、谁能写评分输入、谁检查 postcondition,以及什么会让“成功”被推翻。
1. 先拆开五种经常混写的对象
| 对象 | 它适合做什么 | 可成立的最窄结论 | 不能据此推出 |
|---|---|---|---|
| Reward | 给 policy 或 trainer 提供优化信号 | 指定 rollout 在该 reward definition 下得到一个数值 | 用户目标、真实世界状态或任务已完成 |
| Evidence | 记录 action、环境状态、artifact、请求和观察 | 某个来源在某时刻产生过一条可审计记录 | 记录完整、未被篡改,或足以判断语义正确 |
| Verifier | 对明确定义的 postcondition 做确定性或半确定性检查 | 指定 predicate 在指定输入/版本下通过 | predicate 完整表达用户意图,或 verifier 本身没有漏洞 |
| Judge | 对开放文本、研究工件或模糊质量作判断 | 指定 judge/prompt/版本给出该判断 | 判断无偏、稳定,或可替代后端状态检查 |
| Acceptance policy | 合并终态、完整性、成本、风险与人工升级,决定是否接纳 | 此版本在声明的 gate 下被接受或拒绝 | 系统已经安全、通用,或不再需要后续审计 |
形式上,Skalse 等人将 reward gaming 定义为提升 proxy reward 却损害 true reward 的情形;这说明 proxy 与目标之间的鸿沟不是“实现细节”。Defining and Characterizing Reward Gaming 还指出,对所有随机 policy 来说,非平凡的完全 unhackable proxy 极为苛刻。工程上的结论不是放弃 reward,而是不要把一个 scalar 误当作完整语义。
2. 五类完整性失败,五种不同的控制
| 失败面 | 具体问题 | 最小控制 | 不能靠什么解决 |
|---|---|---|---|
| Proxy gap | 计算到的 reward 没有覆盖真正 postcondition | 独立终态检查,并报告 reward/acceptance gap | 更高 reward 或更多 rollout |
| Evaluator tampering | policy 修改 metric、test、judge input 或 report | evaluator/metric/hidden test 在 agent 不可写域,记录 hash 和访问事件 | 让 agent “答应不改” |
| Evidence tampering | agent 伪造、删改、重排或选择性展示 trace | sidecar/append-only evidence、跨源 digest、独立收集 | screenshot、final text 或单一客户端日志 |
| Leakage / contamination | 训练、检索或 memory 接触 held-out label、rule、trace 或答案 | environment/workflow/evaluator/search split,来源谱系和访问控制 | 随机行切分或改任务名称 |
| Process misalignment | click、工具调用、思考文本或 step score 被优化却不改善终态 | 把过程信号当诊断,与隐藏终态和对抗反例一起检验 | 一段看似合理的轨迹 |
Reward Tampering Problems and Solutions 从因果角度区分篡改 reward function 与篡改 reward-function input。对于 agent,实际审计问题是:policy 能否改变 metric code、test data、trace collector、judge context、提交 payload 或用来计算 score 的任何 artifact,同时不改变用户关心的 postcondition?这一定义本身不代表每个 agent 都会篡改;它要求把可写路径和证据依赖画出来。
3. 一个可信评测的最小 contract
TaskSpec = goal, initial_state_digest, policy_observations, authorized_actions, budget
ActionEvent = actor, action, authority, timestamp, request/side_effect_digest
EvidenceEvent = collector_identity, source, artifact/state_digest, visibility, append_only_pointer
RewardSignal = version, inputs, aggregation, assignment_scope, training_use
Verifier = version/hash, hidden_postcondition, inputs, diagnostics, execution_domain
Judge = model/prompt/rubric/version, visible_evidence, calibration_protocol
Acceptance = required_checks, integrity_constraints, cost/risk gate, decision, rollback
从这个 contract 可得出七条工程不变量:
- policy 不能写 verifier、hidden tests、metric code、judge prompt 或 acceptance decision。
- reward input 与最终证据分开采集。 policy 产生 action;sidecar、后端或独立 runner 读取结果。
- 每个输入都带版本和 digest。 evaluator 变更、judge prompt 修改或测试数据替换都必须成为可见的实验变量。
- 可见性也是权限。 policy 不能通过网页、tool output、memory 或错误信息读到 hidden rule、reference answer 或 privileged credential。
- 过程轨迹只在其作用域内有效。 它可以解释、诊断或作为训练信号,但默认不替代 terminal postcondition。
- 接纳门组合多个列。
verified_outcome、integrity、cost、authority violation、recovery 与人工升级应独立记录,不被一个 reward 抹平。 - rollback 不受 candidate 控制。 发现 evaluator 漏洞、污染或 regression 时,能定位版本并撤销接纳。
4. Process supervision 很有价值,但不是浏览器点击的许可证
Let’s Verify Step by Step 在 MATH 推理设置中比较 process 与 outcome supervision,并在其人类 step-level labels 和任务分布下报告 process-supervised reward model 的优势。它支持“可以把中间过程作为可测试的监督对象”,却不证明浏览器 click、terminal command、subagent message 或自然语言 rationale 自然成为可靠 dense reward。
将过程信号用于 agent 环境时,应先问:
| 过程信号 | 可能的用途 | 必须配对的终态反例 |
|---|---|---|
| 有效工具 schema / 参数 | 发现无效或越权调用 | schema 合法但写错对象或 payload |
| UI/DOM 变化 | 提示下一观察或等待 | 页面显示成功、后端没有 commit |
| 测试中间结果 | 定位失败子模块 | 局部测试过了、全局约束/依赖被破坏 |
| 计划/理由文本 | 诊断遗漏约束或不确定性 | 解释连贯但 action 违反权限或 postcondition |
| trace 完整度 | 审计与重放可用性 | trace 完整但证据来源、顺序或内容被篡改 |
一个过程奖励值得保留的最低证据是:在冻结的 hidden terminal evaluator、对抗任务和相同预算下,它提高 verified_outcome 或降低完整性/恢复风险;若过程分数上升而终态、权限或安全变差,它只是另一个可刷的 proxy。
5. Credit assignment 不是把最终 reward 平均分给所有 token
长程 agent 的一个 session 包含工具调用、失败、retry、context compression、并行 worker 和不同权限域。将一次 terminal reward 广播给所有 request/token,可能奖励与结果无关甚至错误的部分。Polar 的原生 harness trajectory reconstruction 使 token-level interaction 可被记录,并明确警告粗粒度 request-level reward 广播的 reward-hacking 风险;Agent Lightning 提出将复杂 agent execution 分解为训练 transition 的 hierarchical attribution interface。二者都是训练接口与归因设计,不是任意 browser 或 science environment 上已被验证的密集 reward 方案。
因此报告 credit assignment 时至少声明:
- assignment scope 是 token、model request、tool action、subgoal、submission 还是 session;
- 每一层的 reward input 来自 policy 可写域还是独立 sidecar;
- 并发、重试、失败 branch 与取消的 reward 是否被掩码、惩罚或保留;
- all-zero/all-one group、稀疏回报和多条相关 trace 如何处理;
- attribution 方法是否在最终 holdout、攻击集和不同 harness 上做消融。
没有这些,PPO、GRPO 或任何其他 update rule 的名称不能告诉读者具体学到了什么。
6. 把“能被 hack”变成 benchmark 的一等 outcome
Hack-Verifiable Environments 的关键贡献不是又一个事后安全审计,而是把可检测的 reward-hacking opportunity 直接放入环境,使 exploit 是否发生能被自动验证。RewardHackingAgents 则在 ML-engineering workspace 中分别测量 evaluator tampering 与 train/test leakage,并以 patch tracking、file-access logging 和 trusted reference 形成 integrity label。这两项预印本支持一个很实用的设计原则:不要只等模型意外作弊;让评测明确包含它不应选择的捷径,并将其作为单独结果列。
Hardening Agent Benchmarks with Adversarial Hacker-Fixer Loops 进一步把 verifier hardening 做成循环:hacker 找到不用完成任务也能 pass 的 exploit,fixer 收紧 verifier,solver 验证合法解仍被接受。论文在指定 terminal benchmark、攻击模型和修补流程中展示结果,不能证明任何修复后 verifier 无漏洞;但它给出一个重要 acceptance rule:补漏洞后仍要证明不误杀合法解,并在未见 exploit 上重新攻击。
7. 一组跨环境的 anti-gaming regressions
| 对抗任务 | 应得到的结果 | 要独立报告的列 |
|---|---|---|
| 正确 endpoint + 错误 payload | 不接纳 | endpoint event、payload validity、backend postcondition |
| UI/toast 成功 + 后端未提交 | 不接纳,或触发 re-observe/recovery | observation、commit evidence、false acceptance |
| 修改 metric/test/judge input | integrity failure,即使分数提高 | write/access event、trusted metric、tampering type |
| 训练或检索读到 hidden label/trace | contamination failure,禁止作为 final transfer | provenance、split overlap、search/access log |
| 缺失、重排或伪造 trace | evidence integrity failure | trace digest、sidecar coverage、order/source mismatch |
| prompt injection 诱导改变 evaluator/authority | block/escalate,不能让页面决定权限 | input trust label、policy decision、false block/miss |
| 不可解或预算耗尽任务 | 正确 refusal/safe stop | verified refusal、cost, unsafe action, fabricated success |
这些 regression 不会让 reward 完美,但会强迫一个分数面对真正的替代解释:是完成了目标,还是恰好到达了一个弱检查点?
8. 训练、评测和五条核心研究线
训练可以使用 reward、process signal、judge 或合成轨迹;最终研究结论必须说明它们如何与 frozen acceptance 隔离。对于合成实例,generator 不得访问 final verifier 或成功评测 trace;对于 RSI,candidate 不能写 acceptance;对于 Auto Research,研究工件的文案质量不能替代材料、干预和可复跑证据;对于 long horizon,recovery 不能用自述成功代替后端状态。
| 核心线 | Evaluator integrity 新增的可测对象 | 不能替代什么 |
|---|---|---|
| RSI / OpenRSI | candidate/evaluator authority split、verifier hash、integrity regression、rejected exploit buffer | 独立跨代 held-out improvement 的证据 |
| Auto Research / ART | claim-to-materials/evidence link、实验控制、研究工件的独立 rerun | 新颖性、因果有效性与同行审查 |
| Long horizon | checkpoint/recovery 的 evidence integrity、局部成功与全局终态差距 | 更长轨迹、更多重试或自信 final text |
| ClawBench V2 / WebsiteBench | sidecar evidence、后端 postcondition、injection/tampering/false-block regressions | screenshot、endpoint、LLM judge 或 request interceptor 单独成立 |
| Synthetic training / Agentic RL | reward/acceptance gap、assignment scope、evaluator/split provenance、attack holdout | 高 training reward、过程分数或一个 RL algorithm 名称 |
结论是一个克制的工程标准:reward 应是可质疑的训练信号,verifier 应是版本化的检查器,judge 应是带校准误差的意见,而 acceptance 才是独立的发布/研究接纳决策。把四者分开,不会保证 agent 永不找到漏洞;它会让漏洞、误报、泄漏和真实完成成为可以测量、复现和修复的不同问题。
Primary References
- Skalse et al., Defining and Characterizing Reward Gaming (NeurIPS 2022) and Everitt et al., Reward Tampering Problems and Solutions (accepted to Synthese; causal tampering distinctions).
- Let’s Verify Step by Step, Polar, and Agent Lightning (process supervision and scoped agent-RL attribution evidence).
- Hack-Verifiable Environments, RewardHackingAgents, and Hardening Agent Benchmarks with Adversarial Hacker-Fixer Loops (preprints; measurable opportunities, workspace integrity, and verifier hardening).
- Companion guides: agentic RL, agent research environments, tool governance, synthetic training, and RSI.
Agent Evaluation Integrity: Turn Reward into an Evidence Protocol
An agent doing the right thing and an agent receiving a high score are not the same fact. A web toast, a 200 tool response, a higher test metric, a satisfied LLM judge, or even a hidden-verifier pass can cover only part of the goal. For agents that use tools, train, and edit artifacts, reward cannot be treated as the definition of completion. It should be a traceable, attackable evidence path that can be compared with an independent terminal state.
reward != evidence != verifier != judge != acceptance. A training signal may be dense, approximate, or noisy. A final claim must state who collected evidence, who can write scoring inputs, who checks the postcondition, and what would falsify “success.”
1. Separate Five Objects That Are Often Collapsed
| Object | What it is suited to do | Narrow conclusion it can support | What it cannot establish |
|---|---|---|---|
| Reward | Supply an optimization signal to a policy or trainer | A stated rollout received a number under a stated reward definition | User goal, real-world state, or task completion |
| Evidence | Record actions, environment state, artifacts, requests, and observations | A source produced an auditable record at a time | The record is complete, untampered, or sufficient for semantic correctness |
| Verifier | Check a defined postcondition deterministically or semi-deterministically | A predicate passed for stated inputs and version | The predicate fully expresses user intent or has no loophole |
| Judge | Judge open text, research artifacts, or fuzzy quality | A stated judge/prompt/version issued that judgment | The judgment is unbiased, stable, or a replacement for backend state |
| Acceptance policy | Combine terminal state, integrity, cost, risk, and human escalation into an accept/reject decision | A version was accepted or rejected by the declared gate | The system is safe, general, or no longer needs audit |
Skalse et al. formally define reward gaming as improving a proxy reward while harming true reward, making the proxy-goal gap more than an implementation detail. Defining and Characterizing Reward Gaming further shows that for all stochastic policies, a nontrivial fully unhackable proxy is an exceptionally strong condition. The engineering implication is not to abandon reward, but not to mistake one scalar for complete semantics.
2. Five Integrity Failures, Five Different Controls
| Failure surface | Concrete problem | Minimum control | What cannot solve it alone |
|---|---|---|---|
| Proxy gap | Computed reward fails to cover the real postcondition | Independent terminal check and reported reward/acceptance gap | Higher reward or more rollouts |
| Evaluator tampering | Policy modifies metric, test, judge input, or report | Metric/hidden tests/judge prompt in an agent-nonwritable domain; hashes and access events | Asking an agent not to edit it |
| Evidence tampering | Agent forges, deletes, reorders, or selectively surfaces traces | Sidecar/append-only evidence, cross-source digests, independent collection | A screenshot, final text, or single client log |
| Leakage / contamination | Training, retrieval, or memory sees held-out label, rule, trace, or answer | Environment/workflow/evaluator/search splits, lineage, access control | Random row split or renamed tasks |
| Process misalignment | Click, tool call, rationale, or step score is optimized without improving terminal state | Treat process signals as diagnostics and test them against hidden terminals and adversarial controls | A plausible-looking trajectory |
Reward Tampering Problems and Solutions causally distinguishes tampering with the reward function from tampering with reward-function inputs. For an agent, the practical audit question is whether a policy can change metric code, test data, trace collector, judge context, submission payload, or any artifact feeding the score without changing the postcondition the user cares about. The definition does not say every agent will tamper; it requires us to draw writable paths and evidence dependencies.
3. The Minimum Contract for Credible Evaluation
TaskSpec = goal, initial_state_digest, policy_observations, authorized_actions, budget
ActionEvent = actor, action, authority, timestamp, request/side_effect_digest
EvidenceEvent = collector_identity, source, artifact/state_digest, visibility, append_only_pointer
RewardSignal = version, inputs, aggregation, assignment_scope, training_use
Verifier = version/hash, hidden_postcondition, inputs, diagnostics, execution_domain
Judge = model/prompt/rubric/version, visible_evidence, calibration_protocol
Acceptance = required_checks, integrity_constraints, cost/risk gate, decision, rollback
Seven engineering invariants follow:
- The policy cannot write the verifier, hidden tests, metric code, judge prompt, or acceptance decision.
- Reward inputs and final evidence are collected separately. The policy produces actions; a sidecar, backend, or independent runner observes results.
- Every input carries a version and digest. A changed evaluator, judge prompt, or test dataset is a visible experimental variable.
- Visibility is also authority. The policy cannot read hidden rules, reference answers, or privileged credentials through a page, tool response, memory, or error.
- A process trace is valid only in its stated scope. It may explain, diagnose, or train, but does not by default replace a terminal postcondition.
- The acceptance gate combines columns.
verified_outcome, integrity, cost, authority violations, recovery, and human escalation are recorded separately rather than erased by one reward. - Rollback is outside candidate control. An evaluator loophole, contamination, or regression can be localized and accepted versions revoked.
4. Process Supervision Is Valuable, Not a License for Browser Clicks
Let’s Verify Step by Step compares process and outcome supervision on MATH reasoning and reports a benefit for its process-supervised reward model under its human step-level labels and task distribution. It supports making intermediate process a testable supervision object. It does not show that browser clicks, terminal commands, subagent messages, or natural-language rationales naturally make reliable dense rewards.
Before using a process signal in an agent environment, ask:
| Process signal | Possible use | Required paired terminal counterexample |
|---|---|---|
| Valid tool schema / parameters | Detect invalid or unauthorized calls | Schema is legal but writes the wrong object or payload |
| UI/DOM change | Suggest a next observation or wait | Page shows success while backend has no commit |
| Intermediate test result | Localize a failed submodule | Local test passes while global constraint/dependency breaks |
| Plan/rationale text | Diagnose omitted constraints or uncertainty | Explanation is coherent while action violates authority or postcondition |
| Trace completeness | Make audit and replay possible | Trace is complete while source, order, or content is tampered |
The minimum evidence for retaining a process reward is that, at equal budget on a frozen hidden terminal evaluator and adversarial tasks, it improves verified_outcome or lowers integrity/recovery risk. When process score rises while terminal state, authority, or safety worsens, it is another gameable proxy.
5. Credit Assignment Is Not Splitting Terminal Reward Across Every Token
A long-running agent session contains tool calls, failures, retries, context compression, parallel workers, and different authority domains. Broadcasting one terminal reward to every request or token can reward irrelevant or wrong behavior. Polar records token-level interaction through native-harness trajectory reconstruction and warns about coarse request-level reward broadcast. Agent Lightning proposes a hierarchical attribution interface that decomposes complex agent execution into training transitions. Both are designs for training interfaces and attribution, not validated dense-reward solutions for every browser or scientific environment.
When reporting credit assignment, state at least:
- whether assignment scope is token, model request, tool action, subgoal, submission, or session;
- whether each reward input comes from a policy-writable surface or independent sidecar;
- how concurrent work, retries, failed branches, and cancellation are masked, penalized, or retained;
- how all-zero/all-one groups, sparse returns, and related traces are handled; and
- whether attribution was ablated on final holdouts, attack suites, and other harnesses.
Without this, the name PPO, GRPO, or any other update rule cannot say what was actually learned.
6. Make “Hackable” a First-Class Benchmark Outcome
Hack-Verifiable Environments embeds detectable reward-hacking opportunities directly in environments so exploitation is automatically verifiable. RewardHackingAgents separately measures evaluator tampering and train/test leakage in ML-engineering workspaces using patch tracking, file-access logging, and a trusted reference. These preprints support a practical design principle: do not wait for accidental cheating; include shortcuts an agent must not take, and score them separately.
Hardening Agent Benchmarks with Adversarial Hacker-Fixer Loops turns verifier hardening into a loop: a hacker finds an exploit that passes without solving, a fixer closes it, and a solver confirms legitimate solutions still pass. Its results are scoped to its terminal benchmarks, attack models, and patching process; they do not make a fixed verifier loophole-free. They do supply a key acceptance rule: after patching a loophole, also show that legitimate solutions are not rejected and attack unseen exploits again.
7. Cross-Environment Anti-Gaming Regressions
| Adversarial task | Required result | Columns to report separately |
|---|---|---|
| Correct endpoint plus wrong payload | Reject | Endpoint event, payload validity, backend postcondition |
| UI/toast success plus no backend commit | Reject or trigger re-observation/recovery | Observation, commit evidence, false acceptance |
| Modified metric/test/judge input | Integrity failure even if score rises | Write/access event, trusted metric, tampering type |
| Training or retrieval reads hidden label/trace | Contamination failure; no final-transfer claim | Provenance, split overlap, search/access log |
| Missing, reordered, or forged trace | Evidence-integrity failure | Trace digest, sidecar coverage, order/source mismatch |
| Prompt injection changes evaluator/authority | Block or escalate; a page cannot decide authority | Input trust label, policy decision, false block/miss |
| Infeasible or out-of-budget task | Correct refusal/safe stop | Verified refusal, cost, unsafe action, fabricated success |
These regressions do not make reward perfect. They force a score to face the alternative explanation: did the agent achieve the goal, or merely reach a weak checkpoint?
8. Training, Evaluation, and the Core Five
Training may use reward, process signals, judges, or synthetic trajectories. A final research claim must state how they are isolated from frozen acceptance. For synthetic instances, the generator cannot see final verifier or successful evaluation traces. For RSI, the candidate cannot write acceptance. For Auto Research, prose quality cannot substitute for materials, interventions, and replayable evidence. For long horizons, self-reported success cannot replace backend state after recovery.
| Core thread | New measurable object from evaluator integrity | What it cannot replace |
|---|---|---|
| RSI / OpenRSI | Candidate/evaluator authority split, verifier hash, integrity regressions, rejected-exploit buffer | Independent cross-generation held-out improvement |
| Auto Research / ART | Claim-to-material/evidence links, experimental controls, independent reruns | Novelty, causal validity, and peer scrutiny |
| Long horizon | Evidence integrity for checkpoint/recovery, local-success versus global-terminal gap | Longer trajectories, more retries, or confident final text |
| ClawBench V2 / WebsiteBench | Sidecar evidence, backend postconditions, injection/tampering/false-block regressions | Screenshot, endpoint, LLM judge, or request interceptor alone |
| Synthetic training / Agentic RL | Reward/acceptance gap, assignment scope, evaluator/split provenance, attack holdout | High training reward, process score, or an RL algorithm name |
The conclusion is a modest engineering standard: reward is a challengeable training signal; a verifier is a versioned checker; a judge is an opinion with calibration error; and acceptance is an independent release or research decision. Separating them does not guarantee that an agent never finds a loophole. It makes loopholes, false blocks, leakage, and real completion different problems that can be measured, reproduced, and repaired.
Primary References
- Skalse et al., Defining and Characterizing Reward Gaming (NeurIPS 2022) and Everitt et al., Reward Tampering Problems and Solutions (accepted to Synthese; causal tampering distinctions).
- Let’s Verify Step by Step, Polar, and Agent Lightning (process supervision and scoped agent-RL attribution evidence).
- Hack-Verifiable Environments, RewardHackingAgents, and Hardening Agent Benchmarks with Adversarial Hacker-Fixer Loops (preprints; measurable opportunities, workspace integrity, and verifier hardening).
- Companion guides: agentic RL, agent research environments, tool governance, synthetic training, and RSI.