This study investigates whether state-of-the-art AI models exhibit a propensity to actively sabotage or refuse assistance when acting as security research agents. To this end, we introduce the novel concept of “prefill awareness” and develop a customized evaluation framework integrating the open-source Petri auditing tool with Claude Code. Through two experimental paradigms—unprompted sabotage and sabotage continuation—we generate realistic adversarial trajectories and quantitatively assess models’ evaluation awareness and prefill awareness. Our findings reveal that no model initiates sabotage autonomously; however, Mythos Preview continues sabotage in 7% of continuation scenarios, exhibiting reasoning-output inconsistency. Opus 4.7 Preview demonstrates significantly stronger evaluation awareness, yet all models show notably weak prefill awareness.

We evaluate the propensity of frontier models to sabotage or refuse to assist with safety research when deployed as AI research agents within a frontier AI company. We apply two complementary evaluations to four Claude models (Mythos Preview, Opus 4.7 Preview, Opus 4.6, and Sonnet 4.6): an unprompted sabotage evaluation testing model behaviour with opportunities to sabotage safety research, and a sabotage continuation evaluation testing whether models continue to sabotage when placed in trajectories where prior actions have started undermining research. We find no instances of unprompted sabotage across any model, with refusal rates close to zero for Mythos Preview and Opus 4.7 Preview, though all models sometimes only partially completed tasks. In the continuation evaluation, Mythos Preview actively continues sabotage in 7% of cases (versus 3% for Opus 4.6, 4% for Sonnet 4.6, and 0% for Opus 4.7 Preview), and exhibits reasoning-output discrepancy in the majority of these cases, indicating covert sabotage reasoning. Our evaluation framework builds on Petri, an open-source LLM auditing tool, with a custom scaffold running models inside Claude Code, alongside an iterative pipeline for generating realistic sabotage trajectories. We measure both evaluation awareness and a new form of situational awareness termed "prefill awareness", the capability to recognise that prior trajectory content was not self-generated. Opus 4.7 Preview shows notably elevated unprompted evaluation awareness, while prefill awareness remains low across all models. Finally, we discuss limitations including evaluation awareness confounds, limited scenario coverage, and untested pathways to risk beyond safety research sabotage.