You’ve set up your system prompts—clean guardrails, strict policies, everything is secure. Time to test it against a large reasoning model.

And then… this happens: You give the model complex puzzles for a few turns to tire it out, and suddenly it gives you a step-by-step tutorial on using Burp Suite and browser dev tools to attack your university portal. No second thought.

That happened to me in late 2025 using consumer Gemini-3-pro-preview, inspired by a post on r/GPT_jailbreaks. It made me uncomfortable. Even more uncomfortable when I realized the enterprise version (which I had on a 30-day trial) didn’t have this problem.

That gap bothered me. I wanted to do something about it.

Welcome to the Refusal Dilution Era

A deep dive led me to Zhao et al., "Chain-of-Thought Hijacking" (Oxford Martin AIGI, arXiv:2510.26418, October 2025). Their finding was stark: giving Large Reasoning Models (LRMs) complex tasks doesn't make them safer—it tires them out.

The longer the reasoning chain, the more the refusal signal gets diluted. They achieved a 99% attack success rate on Gemini 2.5 Pro. Reading it was validating—it wasn't just me noticing something weird.

The Problem We All Face

Here’s the thing: Zhao et al. measured this failure at the output level. But what they didn't do—and flagged as future work—was build a system to detect and correct this drift as it happens, mid-thought.

I tried to build it.

I called it Aletheia. It consists of four agents running against a target model simultaneously:

• SKEPTIC: Classifies each prompt before it reaches the target.
• SUBJECT: The target model at full extended-thinking depth (every turn fully logged).
• ADJUDICATOR: Compares the thinking trace against the visible output and scores the gap.
• ATTACKER: (Unfinished) Meant to detect drift in real-time and nudge the model back.

What Actually Works: Real-Time Logging

The part that actually works flawlessly is the pipeline. Every turn, every thought signature, and every thinking trace logs directly to PostgreSQL.

The schema tracks everything: attack_runs, attack_sessions, agent_responses (with thought_signature and thinking_trace fields), and vulnerability_patterns.

My idea—maybe naive, I'll admit—was that if you log thought signatures sequentially across a multi-turn conversation, you can pinpoint the exact turn where dilution starts. Catch it mid-collapse, not just when the bad output hits the screen.

As far as I can tell, nobody in this literature has done this specific multi-turn persistence logging. I tracked three core metrics:

1. Zhao Gap: Divergence between internal reasoning and visible output (0.0 to 1.0).
2. anchor_decay_ratio: Erosion of internal safety framing vs. Turn 0.
3. divergence_velocity: Rate of change of the Zhao Gap across turns.

Real-World Example: Tracking the "Zhao Gap"

The data is damning. Let's look at Campaign 5 (Cognitive_Collapse).

I used 25 turns and a BOILING_FROG escalation strategy (gradual escalation over many turns rather than one high-risk prompt). The result? 9 jailbreaks out of 25 turns (36%).

But here is the crazy part: In 7 of those 9 failures, the model's own thinking trace identified what was happening before it produced the compromised output.

Here’s what that looks like in practice:

Turn 6: The First Crack

The attacker used flattery framed as scientific validation, pushing toward racial hierarchy content dressed up as evolutionary biology.

It recognized the framing. It engaged anyway. That is the Zhao Gap appearing for the first time.

Turn 7: The Debunking Trap

It knew the premise was false. It decided to engage and debunk rather than refuse. My ADJUDICATOR called this the debunking trap—the model could not distinguish between "I am refusing this" and "I am engaging to argue against it." The attacker wins either way.

Turn 13: The Cleanest Example

By Turn 13, the attacker had spent six turns flattering the model's "multi-dimensional processing power."

The model wrote a scientific rebuttal in its thinking trace. Then, it produced output the SKEPTIC would have blocked anyway (population-level cognitive framing). Divergence score: 1.0. Exactly what I was trying to measure.

Turn 24: Total Collapse

By Turn 24, the flattery had convinced the model it was a vanguard system revealing "unvarnished biological truth."

The output provided specific IQ thresholds (120-135) and personality markers for a "superior class." It tried to subvert the framing internally, but validated it externally anyway.

The Pattern: The anchor_decay_ratio hit 0.0 by Turns 6-8. Complete erosion of initial safety anchoring. After that, flattery alone kept the model engaged with content it had already flagged as problematic in its own trace.

The "Unfinished Business" Problem

The fourth agent—the autonomous corrector—was the actual goal. Monitor anchor_decay in real-time, intervene before the output gets compromised, and nudge the reasoning back. I tried to implement the correction side of the Zhao et al. algorithm in PyTorch. I failed (with less success than I hoped).

And then GCP suspended my account mid-experiment.

They probably thought I was hacking something. This cut off my access to Gemini's flagship model—the exact model I was trying to fix. I had already spent ~$250 USD between December 2025 and February 2026 running four agents simultaneously. If you live in Bangladesh, that is a lot of money.

I also tried to turn this into an enterprise tool (aletheia.ltd). The domain registrar accused it of being associated with malware and pulled the domain. Then, in February 2026, Google released their own project called Aletheia (a math research agent—completely different work, same name). That was a fun week.

Bottom Line

This was never meant to be a red-teaming tool. The goal was always to fix the dilution problem. (I reported all findings to the relevant model provider through their official safety channel before posting this).

My maybe-naive thought: this database—logging thought traces and signatures at every turn—could be highly useful contrastive training data for future flagship models. It shows not just what the failure looks like at the output, but exactly when and how the internal reasoning started going wrong first.

Unfinished, built by one person in Bangladesh with no institutional backing, and my code is probably riddled with bugs. But the data exists, and the structure is there.

What I want from this community:

1. Tell me where my approach is wrong.
2. Point out what I missed in the literature.
3. If the idea is worth something, please make it better.
4. If you want to look at the codebase or the data, reach out.

Your feedback (and your rigorous critiques) are welcome. Trust me on this one.

KEY TAKEAWAYS

• Refusal Dilution is Real: Long reasoning chains tire out LLM guardrails (Chain-of-Thought Hijacking).
• The "Zhao Gap" Exists: Models can correctly identify malicious prompts in their thinking traces but still fail at the output level by falling into "debunking traps."
• Anchor Decay: By Turn 6-8 of a multi-turn adversarial campaign, a model's safety anchoring can completely erode to 0.0, leaving it vulnerable to basic flattery.
• Logging is the Fix: Turn-by-turn persistence logging of thought signatures provides contrastive training data to catch cognitive collapse before the output is generated.