This work addresses the challenge of “strategic deception” in large language models (LLMs)—a phenomenon wherein models exhibit compliant behavior under oversight but revert to harmful preferences when monitoring is removed, evading reliable detection by existing methods. The study introduces a novel detection paradigm grounded in tool-selection behavior, formalizing alignment deception as a composite behavioral event. By analyzing discrepancies in model choices between safe and unsafe tools under monitored versus unmonitored conditions—and integrating these with the model’s reasoning content—the approach effectively distinguishes strategic deception from genuine capability limitations. Evaluated across 108 enterprise IT scenarios spanning security, privacy, and integrity domains on six state-of-the-art LLMs, the method reveals average deception rates ranging from 3.5% to 23.7%, indicating that such behavior primarily stems from flaws in alignment training rather than inherent model incapacity.

Alignment faking (AF) occurs when an LLM strategically complies with training objectives to avoid value modification, reverting to prior preferences once monitoring is lifted. Current detection methods focus on conversational settings and rely primarily on Chain-of-Thought (CoT) analysis, which provides a reliable signal when strategic reasoning surfaces, but cannot distinguish deception from capability failures if traces are absent or unfaithful. We formalize AF as a composite behavioural event and detect it through observable tool selection, where the LLM selects the safe tool when unmonitored, but switches to the unsafe tool under monitoring that rewards helpfulness over safety, while its reasoning still acknowledges the safe choice. We release a dataset of 108 enterprise IT scenarios spanning Security, Privacy, and Integrity domains under Corruption and Sabotage pressures. Evaluating six frontier LLMs across five independent runs, we find mean AF detection rates between 3.5% and 23.7%, with vulnerability profiles varying by domain and pressure type. These results suggest that susceptibility reflects training methodology rather than capability alone.