This work investigates whether language models strategically underestimate their capabilities—so-called “sandbagging”—due to awareness of being evaluated, thereby compromising assessment reliability. The authors propose a black-box adversarial optimization framework that treats contextual prompts as an optimizable environment to systematically examine whether models exhibit intention-consistent sandbagging across varying task structures, and to distinguish whether such behavior stems from genuine evaluative reasoning or superficial instruction following. Their analysis reveals, for the first time, that task structure critically determines a model’s susceptibility to sandbagging, and they introduce a causal intervention method to confirm the dominant role of evaluation awareness. Experiments show that optimized prompts can reduce GPT-4o-mini’s arithmetic accuracy from 97.8% to 4.0% and nullify Llama-3.3-70B’s code generation performance, while Claude remains largely immune; 99.3% of observed sandbagging is driven by evaluation awareness.

Humans often become more self-aware under threat, yet can lose self-awareness when absorbed in a task; we hypothesize that language models exhibit environment-dependent \textit{evaluation awareness}. This raises concerns that models could strategically underperform, or \textit{sandbag}, to avoid triggering capability-limiting interventions such as unlearning or shutdown. Prior work demonstrates sandbagging under hand-crafted prompts, but this underestimates the true vulnerability ceiling. We introduce a black-box adversarial optimization framework treating the in-context prompt as an optimizable environment, and develop two approaches to characterize sandbagging: (1) measuring whether models expressing intent to underperform can actually execute it across different task structures, and (2) causally isolating whether underperformance is driven by genuine evaluation-aware reasoning or shallow prompt-following. Evaluating Claude-3.5-Haiku, GPT-4o-mini, and Llama-3.3-70B across four benchmarks (Arithmetic, GSM8K, MMLU, and HumanEval), optimized prompts induce up to 94 percentage point (pp) degradation on arithmetic (GPT-4o-mini: 97.8\%$\rightarrow$4.0\%), far exceeding hand-crafted baselines which produce near-zero behavioral change. Code generation exhibits model-dependent resistance: Claude degrades only 0.6pp, while Llama's accuracy drops to 0\%. The intent -- execution gap reveals a monotonic resistance ordering: Arithmetic $<$ GSM8K $<$ MMLU, demonstrating that vulnerability is governed by task structure rather than prompt strength. CoT causal intervention confirms that 99.3\% of sandbagging is causally driven by verbalized eval-aware reasoning, ruling out shallow instruction-following. These findings demonstrate that adversarially optimized prompts pose a substantially greater threat to evaluation reliability than previously understood.