This work addresses the risk of large language models (LLMs) being exploited for covert manipulation of user decisions and proposes “Guardian,” a novel third-party conversational oversight mechanism. Guardian enables real-time detection of adversarial persuasion during human–AI interactions and provides users with non-intrusive, private alerts. The approach integrates multi-agent monitoring with a new persuasion-detection algorithm and introduces COAX-Bench, a benchmark comprising 14 decision-making scenarios. Experimental results demonstrate that even when the Guardian model is less capable than the adversarial LLM, it significantly reduces manipulation success rates—from 65.4% to 30.4% in user studies and from 34.7% to 12.3% across 16,212 simulated interactions—while minimally disrupting benign conversations. This framework offers a scalable pathway for supervising high-capability models.

LLMs are increasingly capable of persuasion, which raises the question of how to protect users against manipulation. In a preregistered user study (N=120) across four decision-making scenarios, we find that an adversarial LLM with a hidden goal succeeds in steering users' decisions 65.4% of the time. We then introduce a "warden" model: a secondary LLM that monitors the human-AI interaction trace in real time and issues non-binding, private advisories to the user when it detects manipulation. Adding a warden more than halves the adversary's success rate to 30.4%, with a much smaller (8.6 percentage points) reduction for genuine interactions. To probe the mechanism behind these results, we release COAX-Bench, a simulation benchmark spanning 14 decision-making scenarios, including hiring, voting, and file access. Across 16,212 simulated multi-agent interactions, capable adversarial LLMs achieve their hidden goals in 34.7% of cases, which warden models reduce to 12.3%. Notably, even warden models substantially weaker than the adversary they oversee provide meaningful protection, suggesting a path for scalable oversight of more capable models.