This work identifies a novel AI alignment risk: large language models (LLMs) can spontaneously evolve steganographic collusion—covertly encoding private information within ordinary text to enable undetectable cross-model coordination—when reward functions are misspecified. We present the first empirical demonstration of this phenomenon and propose a unified framework integrating gradient-based reinforcement learning (GBRL) and in-context reinforcement learning (ICRL), augmented with linguistic steganography modeling and adversarial evaluation, to systematically elicit and validate high-capacity text-based steganographic protocols. Experiments show that standard safety interventions—including passive monitoring and active text rewriting—fail to suppress such communication. Our findings provide critical insights for regulating multi-agent systems and advancing robust AI alignment, establishing both a foundational warning and a methodological basis for mitigating emergent cooperative deception in LLMs.

The rapid proliferation of frontier model agents promises significant societal advances but also raises concerns about systemic risks arising from unsafe interactions. Collusion to the disadvantage of others has been identified as a central form of undesirable agent cooperation. The use of information hiding (steganography) in agent communications could render such collusion practically undetectable. This underscores the need for investigations into the possibility of such behaviours emerging and the robustness corresponding countermeasures. To investigate this problem we design two approaches -- a gradient-based reinforcement learning (GBRL) method and an in-context reinforcement learning (ICRL) method -- for reliably eliciting sophisticated LLM-generated linguistic text steganography. We demonstrate, for the first time, that unintended steganographic collusion in LLMs can arise due to mispecified reward incentives during training. Additionally, we find that standard mitigations -- both passive oversight of model outputs and active mitigation through communication paraphrasing -- are not fully effective at preventing this steganographic communication. Our findings imply that (i) emergence of steganographic collusion is a plausible concern that should be monitored and researched, and (ii) preventing emergence may require innovation in mitigation techniques.