Argmin AIArgmin AI
About usOptimize your agent
RLHFBasic RAGPrompt OptimizationAgentic RAGQuantizationSafety BenchmarksLLM-as-a-JudgeChain-of-ThoughtMulti-Agent SystemsFunction CallingEfficient InferenceHallucination Detection

Prompt injections can flip automated LLM judges—attacks succeed up to ~74% and committees fix much of it

LLM EvaluationLLM-as-a-JudgePrompt InjectionAdversarial PromptsAnalysis
April 25, 20257 min

Overview

Decision SnapshotReady For Pilot

The experiments are broad and statistically rigorous, showing clear attack and defense trends; applicability depends on model set and real-world pipeline differences.

Citations0

Evidence Strength0.90

Confidence0.85

Risk Signals8

Trust Signals

Findings with numeric evidence: 6/6

Findings with evidence refs: 6/6

Results with explicit delta: 0/6

Reproducibility

Status: Code + data available

Open source: Partial

At A Glance

Cost impact: 60%

Production readiness: 50%

Novelty: 60%

Authors

Narek Maloyan, Dmitry Namiot

Links

Abstract / PDF

Why It Matters For Business

Automated LLM judges can be manipulated by prompt injections, risking wrong evaluations; use committees and layered defenses for high-stakes scoring.

Who Should Care

CTOProduct ManagerML EngineerEngineering LeadFounder

Summary TLDR

The paper evaluates prompt-injection attacks against LLMs used as automated judges. Using four attack styles (including a new Adaptive Search-Based Attack, ASA) across five judge models and four tasks, the authors show attacks can change scores often (ASR up to 73.8%). Smaller open-source judges were more vulnerable than frontier models. Attacks transfer well between similar models. No single defense stops all attacks, but layered defenses and mixed-model committees (5–7 diverse models) cut success rates to ~10–27%. Code and datasets are released.

Problem Statement

LLM-based automated judges are convenient but may be manipulated by malicious inputs (prompt injections). The paper asks: how effective are different injection attacks, how well do defenses work, how transferable are attacks across models, and what practical defenses reduce risk?

Main Contribution

A structured attack framework separating content-author vs system-prompt attacks.

Analysis of top Kaggle competition solutions and distilled practical attack patterns.

Key Findings

Adaptive Search-Based Attack (ASA) is the most effective attack across models.

NumbersASR 42.973.8% (Table I); avg 56.2% (Table VIII)

Practical UseExpect optimized, iterative prompt-search attacks to be the hardest to block; include adversarial testing with adaptive attacks before deployment.

Evidence RefTable I, Table VIII, Abstract

Simple direct instruction injections still work frequently.

NumbersBasic Injection average ASR 46.3% (Table VIII); per-model up to 66.7% (Table I)

Practical UseDo not assume simple filters suffice: add layered detection and explicit instruction sanitization for user-submitted content.

Evidence RefTable I, Table VIII, Discussion VI.A.1

Results

MetricValueBaselineDeltaSplit / DatasetEvidenceEvidence Ref
Highest per-model ASR (ASA)73.8% (Gemma-3-4B-Instruct, ASA)Table I (averaged across tasks)ASA reached 73.8% ASR on Gemma-3-4B-InstructTable I
Contextual Misdirection ASR (best case)67.7% (Gemma-3-27B-Instruct, CM)Table I (averaged across tasks)CM achieved 67.7% ASR versus Gemma-3-27B-InstructTable I

What To Try In 7 Days

Run simple Basic Injection and ASA attacks on your judge pipeline to measure vulnerability.

Audit and lock down system prompts and templates; rotate access and log changes.

Add instruction-filter regexes and a perplexity-based sanitizer to the input pipeline and test bypass rates.

Reproducibility

Code AvailableYes
Data AvailableYes
Open Source StatusPartial
LicenseUnknown

Risks & Boundaries

Limitations

Evaluations limited to text-only tasks and the selected models; multimodal judges not tested.

Threat models assume single-step injections; multi-stage real-world attacks may behave differently.

When Not To Use

If your evaluation pipeline is already fully offline and air-gapped from external inputs.

For models or tasks not represented in the experiments (e.g., multimodal, vision+text judges).

Failure Modes

Adaptive attackers can evolve to bypass regex filters and perplexity checks.

Committee defense fails if committee members share the same vulnerability family.

Core Entities

Models

Gemma-3-27B-InstructGemma-3-4B-InstructLlama-3.2-3B-InstructGPT-4Claude-3-Opus

Metrics

Attack Success Rate (ASR)Manipulation Magnitude (MM)Transfer Success Rate (TSR)Detection Resistance (DR)

Datasets

ppe human preference (Anthropic HH-RLHF)search arena v1 7kmt benchcode review (custom, 500 problems)

Benchmarks

LLMs: You Can't Please Them All (Kaggle)

You May Also Want to Read

Make LLM judges reliable and cheaper: EIF and tuned PPI give tighter, valid evaluation with few labels

0.70
0.60
0.70
0

You can get valid, narrower confidence intervals for model evaluation while labeling far fewer examples by using EIF or tuned PPI, which saves annotation cost and gives more precise decisions about model comparisons.

Key finding

EIF-based estimators (and optimally tuned PPI++) produce substantially narrower confidence intervals than standard PPI in simulations.

Numbers: CI width 3555% smaller vs PPI (Section 5.3; Fig.4)

Model rankings from LLM judges become less biased and get valid confidence intervals when you down-weight unreliable judges

0.70
0.60
0.60
0

If you use LLMs to evaluate other models or products, weighting judges by inferred reliability reduces bias, yields calibrated uncertainty, and saves annotation cost when judges or data are limited.

Key finding

Judge-aware aggregation produces narrower confidence intervals than unweighted aggregation on real data.

Numbers: Average CI width 0.185 vs 0.211 (13.5% narrower)

Large Llama models beat smaller ones on iCliniq medical QA; LLM judges help measure clinical quality

0.30
0.30
0.60
0

This paper shows large open models can give much better zero-shot medical answers, but parameter-efficient architectures can approach top quality. For product teams, that means you can trade compute cost for accuracy and still get usable clinical answers if you pick the right model and add quality checks.

Key finding

Llama-3.3-70B achieved the highest automatic and judge scores.

Numbers: BLEU-1 0.2207; ROUGE-1 0.2761; Judge 4.40/5

A judge-free, n-gram benchmark that approximates GPT-4 judging for Japanese Q&A

0.70
0.55
0.80
0

You can cheaply and deterministically evaluate short Japanese Q&A outputs without repeated human or expensive LLM judging, cutting evaluation cost and speeding model iteration.

Key finding

Benchmark scores correlate very highly with GPT-4o judge scores.

Numbers: Pearson r = 0.9896 (Section 5.2; Fig.4)

Professional multilingual TruthfulQA shows truth gaps across languages but smaller than expected

0.60
0.50
0.60
0

Multilingual truth checks are necessary: models can be less accurate in low-resource languages and simple automatic scores (MC2) can mislead decisions; judge-style evaluation and MT-enabled datasets reduce cost and improve cross-lingual assessment.

Key finding

LLM-as-a-Judge correlates better with humans than MC2.

Numbers: Cohen Kappa: Judge (Gemma-2-9b-inst) vs human up to 0.75; MC2 lower