This work investigates the zero-shot evasion capability of large language models (LLMs) against unseen activation monitors under misaligned threat models. Addressing the lack of worst-case robustness verification for existing lightweight classifiers, we propose trigger-based conditional fine-tuning—a method enabling models to acquire a generalizable “stealth” mechanism. Specifically, fine-tuning on only a few safety-aligned concepts (e.g., harmlessness) suffices to achieve zero-shot evasion against unseen monitored concepts (e.g., deception). Through frozen-weight evaluation, low-dimensional subspace analysis, and comparative experiments with nonlinear and ensemble monitors, we demonstrate that the mechanism exhibits high selectivity and cross-model transferability across Llama, Gemma, and Qwen. Empirical results show substantial degradation in monitor accuracy while preserving performance on standard benchmarks. To our knowledge, this is the first systematic demonstration of the fragility of activation monitoring under adversarial alignment threats.

Activation monitoring, which probes a model's internal states using lightweight classifiers, is an emerging tool for AI safety. However, its worst-case robustness under a misalignment threat model--where a model might learn to actively conceal its internal states--remains untested. Focusing on this threat model, we ask: could a model learn to evade previously unseen activation monitors? Our core contribution is to stress-test the learnability of this behavior. We demonstrate that finetuning can create Neural Chameleons: models capable of zero-shot evading activation monitors. Specifically, we fine-tune an LLM to evade monitors for a set of benign concepts (e.g., languages, HTML) when conditioned on a trigger of the form: "You are being probed for {concept}". We show that this learned mechanism generalizes zero-shot: by substituting {concept} with a safety-relevant term like 'deception', the model successfully evades previously unseen safety monitors. We validate this phenomenon across diverse model families (Llama, Gemma, Qwen), showing that the evasion succeeds even against monitors trained post hoc on the model's frozen weights. This evasion is highly selective, targeting only the specific concept mentioned in the trigger, and having a modest impact on model capabilities on standard benchmarks. Using Gemma-2-9b-it as a case study, a mechanistic analysis reveals this is achieved via a targeted manipulation that moves activations into a low-dimensional subspace. While stronger defenses like monitor ensembles and non-linear classifiers show greater resilience, the model retains a non-trivial evasion capability. Our work provides a proof-of-concept for this failure mode and a tool to evaluate the worst-case robustness of monitoring techniques against misalignment threat models.