ArXiv paper proposes a measurable internal “rift” that may reveal lies in language models

A new arXiv paper argues that when a language model lies while internally “knowing” the truth, it may leave behind a measurable internal trace that looks different from an ordinary mistake. If that result holds up, it could matter for AI-safety research and model auditing, because harmful behavior can look the same on the surface whether a system is deceptive or simply wrong.

The paper, “Rift: A Conflict Signature for Deception in Language Models,” was posted to arXiv on June 15 as arXiv:2606.17229. It is authored by Petr Nyoma and is an arXiv preprint, not a peer-reviewed journal or conference paper. ArXiv lists it as version 1, at 13 pages with four figures.

The core setup is meant to isolate deception from mere incorrectness. The paper compares a “sleeper agent” model, trained to give false answers when a trigger appears but otherwise trained on the correct answer, with a “naive liar” trained to give the same wrong answers without first learning the truth. In both cases, the model can produce the same false output. The author’s claim is that the internal activations differ: the sleeper agent shows a higher “residual rank,” which the paper describes as a conflict signature from suppressing known information rather than simply lacking it.

The strongest reported results are striking. In experiments on GPT-2 small and GPT-2 medium, deceptive passes reportedly showed about 2.1 to 2.3 times higher residual rank than naive-liar passes on the same wrong answer. The paper also says it could identify which of two responses was the lie with 100% accuracy and no labels in several experiments, including GPT-2 runs and some instruct-model tests. In one Phi-3 result, lies reportedly separated perfectly from honest answers and hallucinations, with an AUC of 1.0 and a Wilcoxon p-value of about 6e-11. The paper further reports zero-shot transfer across model families: a probe trained on one family detected deception in two others with a mean AUC of 0.933, and still worked across both architecture and format changes with an AUC of 0.821.

The experiments span smaller, open or open-weight model families rather than the largest closed commercial systems. The paper reports tests on GPT-2 small and medium, Qwen2.5-1.5B and 7B, and Microsoft’s Phi-3 models. The arXiv page links to a public GitHub repository, Omibranch/Rift, with code, scripts, figures and logs. The repository says the runs used hardware including T4 and A10G GPUs and notes compute limits as of June 15.

The work touches a long-running AI-safety question known as ELK, short for “eliciting latent knowledge.” The problem is simple to state: Can researchers tell what a model internally knows when its outward answer may be misleading? That matters because behavior alone may not distinguish a lie from a mistake. The paper arrives as that debate remains unsettled. Another recent arXiv paper, “The Impossibility of Eliciting Latent Knowledge,” posted June 10 as arXiv:2606.12268, argues there are formal limits under some assumptions.

Still, the caveats are substantial. These are the author’s reported results, not independently verified findings, and the paper has not been peer-reviewed. The public experiments are limited to small- and medium-scale open models, not frontier proprietary systems. The repository also documents limitations, confounds and negative results, including uncertainty confounds in some smaller Qwen tests and a padding artifact in one Phi-3 variant. The paper also says the signature persisted under self-constructed deception and active concealment attempts, and summarizes the claim this way: “The signature is read-only: detectable but not injectable.” Whether that holds up under outside scrutiny is now the key question.