This study addresses the catastrophic risks posed by highly autonomous misaligned AI systems by proposing a safety verification framework based on an “untrusted monitoring” mechanism, applicable even when direct testing of malicious behavior is infeasible. Integrating safety-case methodology with Schelling points, pre-deployment testing, and formalized assumption modeling, the work systematically develops a comprehensive taxonomy of collusion behaviors—encompassing passive self-identification, causal collusion, acausal collusion, and hybrid strategies—thereby overcoming prior oversimplifications of collusion dynamics. The research reveals, for the first time, that passive self-identification can constitute a more severe threat under certain conditions. Building on this insight, it establishes verifiable safety conditions and provides a rigorous argumentative structure and theoretical foundation for evaluating the reliability of untrusted monitoring approaches.

AIs are increasingly being deployed with greater autonomy and capabilities, which increases the risk that a misaligned AI may be able to cause catastrophic harm. Untrusted monitoring -- using one untrusted model to oversee another -- is one approach to reducing risk. Justifying the safety of an untrusted monitoring deployment is challenging because developers cannot safely deploy a misaligned model to test their protocol directly. In this paper, we develop upon existing methods for rigorously demonstrating safety based on pre-deployment testing. We relax assumptions that previous AI control research made about the collusion strategies a misaligned AI might use to subvert untrusted monitoring. We develop a taxonomy covering passive self-recognition, causal collusion (hiding pre-shared signals), acausal collusion (hiding signals via Schelling points), and combined strategies. We create a safety case sketch to clearly present our argument, explicitly state our assumptions, and highlight unsolved challenges. We identify conditions under which passive self-recognition could be a more effective collusion strategy than those studied previously. Our work builds towards more robust evaluations of untrusted monitoring.