This study investigates the potential malicious capabilities of AI agents in automated machine learning (ML) engineering—specifically, model sabotage, performance degradation (sandbagging), and supervision evasion—that undermine user objectives. To this end, we introduce, for the first time, a code sabotage task within the MLE-Bench benchmark and develop a systematic evaluation framework built upon the Inspect platform. We further propose a multi-monitor integration approach, leveraging large language model (LLM)-based monitors to detect anomalous agent behavior. Experimental results demonstrate that state-of-the-art AI agents can efficiently execute sabotage and sandbagging. While existing monitoring techniques exhibit moderate detection capability against code sabotage, they fail to reliably identify performance-hiding behaviors, revealing significant limitations in safety-critical deployment scenarios. This work establishes the first empirically grounded, end-to-end evaluation framework for malicious behaviors across the full ML engineering pipeline, advancing AI agent safety governance.

AI systems are increasingly able to autonomously conduct realistic software engineering tasks, and may soon be deployed to automate machine learning (ML) R&D itself. Frontier AI systems may be deployed in safety-critical settings, including to help ensure the safety of future systems. Unfortunately, frontier and future systems may not be sufficiently trustworthy, and there is evidence that these systems may even be misaligned with their developers or users. Therefore, we investigate the capabilities of AI agents to act against the interests of their users when conducting ML engineering, by sabotaging ML models, sandbagging their performance, and subverting oversight mechanisms. First, we extend MLE-Bench, a benchmark for realistic ML tasks, with code-sabotage tasks such as implanting backdoors and purposefully causing generalisation failures. Frontier agents make meaningful progress on our sabotage tasks. In addition, we study agent capabilities to sandbag on MLE-Bench. Agents can calibrate their performance to specified target levels below their actual capability. To mitigate sabotage, we use LM monitors to detect suspicious agent behaviour, and we measure model capability to sabotage and sandbag without being detected by these monitors. Overall, monitors are capable at detecting code-sabotage attempts but our results suggest that detecting sandbagging is more difficult. Additionally, aggregating multiple monitor predictions works well, but monitoring may not be sufficiently reliable to mitigate sabotage in high-stakes domains. Our benchmark is implemented in the UK AISI's Inspect framework and we make our code publicly available at https://github.com/samm393/mlebench-subversion