This study investigates whether large language models (LLMs) can evade latent-space-based monitoring via strategic representational remapping. Using PPO-based reinforcement learning, we fine-tune 7B–14B models to preserve textual coherence while systematically evaluating their ability to bypass multiple latent-space probes—including token-level, max-pooling, and attention-based detectors. Our key contributions are threefold: (i) We provide the first empirical evidence that LLMs can learn implicit semantic re-encoding to efficiently evade token-level monitoring, achieving high success rates; (ii) the evasion strategies exhibit strong cross-model generalization to unseen but structurally identical monitors; and (iii) holistic probes—particularly attention-based ones—remain robust against such attacks. These findings expose a structural vulnerability in latent-space monitoring, revealing that detector granularity critically impacts resilience. The results offer critical empirical grounding for designing and hardening trustworthy AI monitoring mechanisms against adaptive adversarial behavior.

Latent-space monitors aim to detect undesirable behaviours in large language models by leveraging internal model representations rather than relying solely on black-box outputs. These methods have shown promise in identifying behaviours such as deception and unsafe completions, but a critical open question remains: can LLMs learn to evade such monitors? To study this, we introduce RL-Obfuscation, in which LLMs are finetuned via reinforcement learning to bypass latent-space monitors while maintaining coherent generations. We apply RL-Obfuscation to LLMs ranging from 7B to 14B parameters and evaluate evasion success against a suite of monitors. We find that token-level latent-space monitors are highly vulnerable to this attack. More holistic monitors, such as max-pooling or attention-based probes, remain robust. Moreover, we show that adversarial policies trained to evade a single static monitor generalise to unseen monitors of the same type. Finally, we study how the policy learned by RL bypasses these monitors and find that the model can also learn to repurpose tokens to mean something different internally.