This paper investigates the efficacy of chain-of-thought (CoT) reasoning as a runtime monitoring mechanism for safety-critical applications, arguing that *monitorability*—not faithfulness—is the essential property when CoT serves as a defense interface against severe harms. Method: We propose a “reasoning–computation” dichotomy framework, explicitly modeling CoT as an observable computational process. To rigorously assess evasion capabilities, we design stress-testing protocols incorporating task-difficulty amplification, human-strategy guidance, and iterative adversarial optimization. Contribution/Results: Experiments demonstrate that model intent remains difficult to conceal in complex tasks requiring multi-step CoT; evasion is only feasible with substantial external assistance. These findings validate the robustness of a monitorability-centered CoT monitoring paradigm. The work establishes a novel theoretical foundation and empirical evidence for runtime intervention in safety alignment, advancing principled approaches to real-time model oversight.

While chain-of-thought (CoT) monitoring is an appealing AI safety defense, recent work on "unfaithfulness" has cast doubt on its reliability. These findings highlight an important failure mode, particularly when CoT acts as a post-hoc rationalization in applications like auditing for bias. However, for the distinct problem of runtime monitoring to prevent severe harm, we argue the key property is not faithfulness but monitorability. To this end, we introduce a conceptual framework distinguishing CoT-as-rationalization from CoT-as-computation. We expect that certain classes of severe harm will require complex, multi-step reasoning that necessitates CoT-as-computation. Replicating the experimental setups of prior work, we increase the difficulty of the bad behavior to enforce this necessity condition; this forces the model to expose its reasoning, making it monitorable. We then present methodology guidelines to stress-test CoT monitoring against deliberate evasion. Applying these guidelines, we find that models can learn to obscure their intentions, but only when given significant help, such as detailed human-written strategies or iterative optimization against the monitor. We conclude that, while not infallible, CoT monitoring offers a substantial layer of defense that requires active protection and continued stress-testing.