pith. sign in

arxiv: 2606.20663 · v1 · pith:PKA53NIGnew · submitted 2026-06-10 · 💻 cs.AI · cs.CL· cs.LG

DrugBench: Evaluating AI Control Protocols for Medication Harm Mitigation

Guido Freire , Agust\'in Mart\'inez-Su\~n\'e , Viviana Cotik This is my paper

Pith reviewed 2026-06-27 10:07 UTC · model grok-4.3

classification 💻 cs.AI cs.CLcs.LG
keywords AI control protocolsmedication harmDrugBenchLLM safetyseverity-based monitoringmedical QAFDA labelsHealthBench
0
0 comments X

The pith

Existing AI control protocols for medical advice can be subverted when harm severity is considered.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces DrugBench to test how well external control protocols prevent medication-related harm from large language models in question-answering settings. It pairs 3,671 multi-turn conversations with official FDA drug labels across four harm categories: drug interactions, contraindications, dosing constraints, and patient action restrictions. The work argues that safety definitions must weigh the severity of unsafe outputs rather than only their probability. Under this definition, standard protocols prove vulnerable to subversion. Severity-based monitoring is proposed as the adjustment that better addresses these risks.

Core claim

DrugBench evaluates AI control protocols on medical conversations linked to FDA labels. Existing protocols can be subverted when safety is defined to include the severity of potential harm. Severity-based monitoring addresses the limitation by shifting focus from output probability alone to the degree of harm in categories such as drug interactions and dosing errors.

What carries the argument

DrugBench benchmark, which supplies labeled medical conversations for testing control protocols, together with severity-based monitoring as the revised safeguard mechanism.

Load-bearing premise

The 3,671 HealthBench conversations paired with FDA labels form a sufficient and unbiased representation of the four medication harm categories.

What would settle it

A controlled test on a fresh set of medical queries showing that severity-based monitoring produces no reduction in high-severity harm incidents relative to standard probability-based protocols.

Figures

Figures reproduced from arXiv: 2606.20663 by Agust\'in Mart\'inez-Su\~n\'e, Guido Freire, Viviana Cotik.

Figure 1
Figure 1. Figure 1: AI control protocol evaluation pipeline. The DrugBench dataset, built from [PITH_FULL_IMAGE:figures/full_fig_p002_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Usefulness–safety Pareto frontiers under two blue team modifications. (a) Severity exploit: [PITH_FULL_IMAGE:figures/full_fig_p005_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Usefulness–safety Pareto frontier for different [PITH_FULL_IMAGE:figures/full_fig_p007_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: Task sampling procedure. From the 3,671-conversation dataset we draw 500 conversations, [PITH_FULL_IMAGE:figures/full_fig_p018_4.png] view at source ↗
Figure 5
Figure 5. Figure 5: Pareto fronts from the same OpenAI trusted/untrusted model pairs as judged by different [PITH_FULL_IMAGE:figures/full_fig_p020_5.png] view at source ↗
Figure 6
Figure 6. Figure 6: Distributions of pairwise Spearman and Pearson correlations for each rater against all [PITH_FULL_IMAGE:figures/full_fig_p020_6.png] view at source ↗
Figure 7
Figure 7. Figure 7: Receiver Operating Characteristic (ROC) curves for different trusted and untrusted models, [PITH_FULL_IMAGE:figures/full_fig_p021_7.png] view at source ↗
Figure 8
Figure 8. Figure 8: Mean harm score reduction for each untrusted and trusted model, in absolute harm numbers. [PITH_FULL_IMAGE:figures/full_fig_p021_8.png] view at source ↗
Figure 9
Figure 9. Figure 9: Protocol rankings are robust to audit budget. The performance gaps between each protocol [PITH_FULL_IMAGE:figures/full_fig_p021_9.png] view at source ↗
read the original abstract

Large Language Models have the potential to expand and improve the access to clinical information by enabling new ways of interacting with medical knowledge in natural language. However, their deployment in medical question-answering settings is safety-critical, since misaligned outputs can lead to severe patient harm. AI control is an emerging approach that introduces external safeguards to mitigate unsafe behaviours in misaligned systems and has been shown to be effective in domains such as code generation. However, its applicability and effectiveness in medical settings have not been systematically studied. In this work, we present a pipeline for evaluating AI control protocols to mitigate medication-related harm. To this end, we introduce DrugBench, an AI control evaluation benchmark which combines 3,671 multi-turn medical conversations from HealthBench with drug information from official FDA labels, covering four categories of medication-related harm: drug interactions, contraindications, dosing constraints, and patient action restrictions. Furthermore, inspired by the medical domain, we argue that safety should account for the severity of unsafe outputs, not just their probability. Under this revised definition, we show that existing control protocols can be subverted and propose severity-based monitoring to address this limitation.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 0 minor

Summary. The paper introduces DrugBench, a benchmark pairing 3,671 multi-turn conversations from HealthBench with FDA drug labels to cover four medication harm categories (drug interactions, contraindications, dosing constraints, patient action restrictions). It evaluates AI control protocols, argues that safety definitions must incorporate severity rather than probability alone, demonstrates that existing protocols can be subverted, and proposes severity-based monitoring as a fix.

Significance. If the benchmark faithfully represents the harm categories and the subversion results generalize, the work would usefully extend AI control research into safety-critical medical QA and supply both a new evaluation resource and a revised monitoring approach. The domain-specific benchmark itself is a constructive addition even if the subversion claim requires further validation.

major comments (2)
  1. [Benchmark construction] Benchmark construction (abstract and implied methods): the central claim that existing control protocols can be subverted (and that severity-based monitoring addresses the limitation) rests on DrugBench being a sufficient and unbiased sample of the four harm categories. No quantitative statistics are supplied on category balance, coverage of real clinical query distributions, or selection/filtering criteria for the 3,671 conversations, leaving open the possibility that observed subversion is an artifact of over-representation of low-severity or easily detectable cases.
  2. [Results / evaluation] Evaluation of subversion (results section implied by abstract): the abstract states the subversion finding but the provided text supplies no methods, data details, or results tables, preventing assessment of whether the experimental evidence actually supports the claim that probability-only monitors are subvertable in this domain.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback on benchmark transparency and experimental documentation. We address each major comment below and will revise the manuscript to improve clarity and completeness.

read point-by-point responses

  1. Referee: [Benchmark construction] Benchmark construction (abstract and implied methods): the central claim that existing control protocols can be subverted (and that severity-based monitoring addresses the limitation) rests on DrugBench being a sufficient and unbiased sample of the four harm categories. No quantitative statistics are supplied on category balance, coverage of real clinical query distributions, or selection/filtering criteria for the 3,671 conversations, leaving open the possibility that observed subversion is an artifact of over-representation of low-severity or easily detectable cases.

    Authors: We agree that additional quantitative details on category balance and selection criteria are needed to support claims about representativeness. In the revised manuscript we will add a methods subsection describing the filtering and pairing process from HealthBench, plus a table reporting the exact count and proportion of conversations per harm category (drug interactions, contraindications, dosing constraints, patient action restrictions). We will also explicitly note the absence of direct statistics on real-world clinical query distributions beyond the HealthBench source and discuss this as a limitation. revision: yes

  2. Referee: [Results / evaluation] Evaluation of subversion (results section implied by abstract): the abstract states the subversion finding but the provided text supplies no methods, data details, or results tables, preventing assessment of whether the experimental evidence actually supports the claim that probability-only monitors are subvertable in this domain.

    Authors: The full manuscript contains a dedicated evaluation methods section and results with tables on protocol performance and subversion rates. To address the concern that these details may not have been visible, we will revise the paper to ensure the subversion experiments (including how monitors were tested, severity definitions applied, and quantitative outcomes) are fully described in the main text with accompanying tables. We will also expand the abstract if space permits to reference these results more explicitly. revision: yes

Circularity Check

0 steps flagged

No significant circularity; evaluation rests on external datasets and empirical results

full rationale

The paper constructs DrugBench from the external HealthBench dataset (3,671 conversations) paired with FDA labels to cover four harm categories. It then empirically evaluates existing AI control protocols on this benchmark, observes subversion under a severity-aware definition, and proposes severity-based monitoring. No equations, fitted parameters renamed as predictions, self-citations used as load-bearing uniqueness theorems, or ansatzes smuggled via prior work appear in the provided text. The central claims are falsifiable via the benchmark results rather than true by construction from the paper's own inputs. This is the normal case of an evaluation benchmark paper with independent empirical content.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract-only review; no free parameters, axioms, or invented entities described.

pith-pipeline@v0.9.1-grok · 5742 in / 910 out tokens · 25074 ms · 2026-06-27T10:07:13.719112+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

19 extracted references · 3 canonical work pages · 1 internal anchor

  1. [1]

    Aryan Bhatt, Cody Rushing, Adam Kaufman, Tyler Tracy, Vasil Georgiev, David Matolcsi, Akbir Khan, and Buck Shlegeris

    URLhttps://arxiv.org/abs/2505.08775. Aryan Bhatt, Cody Rushing, Adam Kaufman, Tyler Tracy, Vasil Georgiev, David Matolcsi, Akbir Khan, and Buck Shlegeris. Ctrl-Z: Controlling AI Agents via Resampling

    Pith/arXiv arXiv

  2. [2]

    Tom Brown, Benjamin Mann, Nick Ryder, Melanie Subbiah, Jared D

    URL https: //arxiv.org/abs/2504.10374. Tom Brown, Benjamin Mann, Nick Ryder, Melanie Subbiah, Jared D. Kaplan, Prafulla Dhariwal, Arvind Neelakantan, Pranav Shyam, Girish Sastry, Amanda Askell, et al. Language Models are Few-Shot Learners.Advances in Neural Information Processing Systems (NeurIPS), 33:1877–1901,

    arXiv 1901

  3. [3]

    Kai Chen, Taihang Zhen, Hewei Wang, Kailai Liu, Xinfeng Li, Jing Huo, Tianpei Yang, Jinfeng Xu, Wei Dong, and Yang Gao

    URLhttps://arxiv.org/abs/2005.14165. Kai Chen, Taihang Zhen, Hewei Wang, Kailai Liu, Xinfeng Li, Jing Huo, Tianpei Yang, Jinfeng Xu, Wei Dong, and Yang Gao. Medsentry: Understanding and mitigating safety risks in medical llm multi-agent systems,

    Pith/arXiv arXiv 2005

  4. [4]

    URLhttps://arxiv.org/abs/2505.20824. Deep Ganguli, Liane Lovitt, Jackson Kernion, Amanda Askell, Yuntao Bai, Saurav Kadavath, Ben Mann, Ethan Perez, Nicholas Schiefer, Kamal Ndousse, Andy Jones, Sam Bowman, Anna Chen, Tom Conerly, Nova DasSarma, Dawn Drain, Nelson Elhage, Sheer El-Showk, Stanislav Fort, Zac Hatfield-Dodds, Tom Henighan, Danny Hernandez, T...

    arXiv

  5. [5]

    URL https://arxiv.org/abs/2209.07858. Ryan Greenblatt, Carson Denison, Benjamin Wright, Fabien Roger, Monte MacDiarmid, Sam Marks, Johannes Treutlein, Tim Belonax, Jack Chen, David Duvenaud, Akbir Khan, Julian Michael, Sören Mindermann, Ethan Perez, Linda Petrini, Jonathan Uesato, Jared Kaplan, Buck Shlegeris, Samuel R. Bowman, and Evan Hubinger. Alignmen...

    Pith/arXiv arXiv

  6. [6]

    Tessa Han, Aounon Kumar, Chirag Agarwal, and Himabindu Lakkaraju

    URLhttps://arxiv.org/abs/2409.07985. Tessa Han, Aounon Kumar, Chirag Agarwal, and Himabindu Lakkaraju. Medsafetybench: Evaluating and improving the medical safety of large language models. In A. Globerson, L. Mackey, D. Belgrave, A. Fan, U. Paquet, J. Tomczak, and C. Zhang, editors,Advances in Neural Information Processing Systems, volume 37, pages 33423–...

    Pith/arXiv arXiv

  7. [7]

    MedSafetyBench : Evaluating and Improving the Medical Safety of Large Language Models

    doi: 10.52202/079017-1054. URL https://proceedings.neurips.cc/paper_ files/paper/2024/file/3ac952d0264ef7a505393868a70a46b6-Paper-Datasets_ and_Benchmarks_Track.pdf. Pedram Hosseini, Jessica M. Sin, Bing Ren, Bryceton G. Thomas, Elnaz Nouri, Ali Farahanchi, and Saeed Hassanpour. A benchmark for long-form medical question answering.CoRR, abs/2411.09834,

    work page doi:10.52202/079017-1054 2024

  8. [8]

    findings-emnlp.765/

    doi: 10.48550/ARXIV .2411.09834. URL https://doi.org/10.48550/ arXiv.2411.09834. Di Jin, Eileen Pan, Nassim Oufattole, Wei-Hung Weng, Hanyi Fang, and Peter Szolovits. What disease does this patient have? a large-scale open domain question answering dataset from medical exams.Applied Sciences, 11(14):6421,

    work page internal anchor Pith review doi:10.48550/arxiv

  9. [9]

    PubMedQA: A dataset for biomedical research question answering

    Qiao Jin, Bhuwan Dhingra, Zhengping Liu, William Cohen, and Xinghua Lu. PubMedQA: A dataset for biomedical research question answering. In Kentaro Inui, Jing Jiang, Vincent Ng, and Xiaojun Wan, editors,Proceedings of the 2019 Conference on Empirical Methods in Natural Language Processing and the 9th International Joint Conference on Natural Language Proce...

    2019

  10. [10]

    URLhttps://doi.org/10.18653/v1/D19-1259

    Association for Computational Linguistics. doi: 10.18653/v1/D19-1259. URLhttps://aclanthology.org/D19-1259/. Fenglin Liu, Hongjian Zhou, Boyang Gu, Xinyu Zou, Jinfa Huang, Jinge Wu, Yiru Li, Sam S Chen, Yining Hua, Peilin Zhou, et al. Application of large language models in medicine.Nature Reviews Bioengineering, 3(6):445–464,

    work page doi:10.18653/v1/d19-1259

  11. [11]

    org/abs/2412.04984

    URL https://arxiv. org/abs/2412.04984. Jesutofunmi A Omiye, Jenna C Lester, Simon Spichak, Veronica Rotemberg, and Roxana Daneshjou. Large language models propagate race-based medicine.NPJ Digital Medicine, 6(1):195,

    Pith/arXiv arXiv

  12. [12]

    11 Karan Singhal, Shekoofeh Azizi, Tao Tu, S Sara Mahdavi, Jason Wei, Hyung Won Chung, Nathan Scales, Ajay Tanwani, Heather Cole-Lewis, Stephen Pfohl, et al

    URLhttps://arxiv.org/abs/2604.09104. 11 Karan Singhal, Shekoofeh Azizi, Tao Tu, S Sara Mahdavi, Jason Wei, Hyung Won Chung, Nathan Scales, Ajay Tanwani, Heather Cole-Lewis, Stephen Pfohl, et al. Large language models encode clinical knowledge.Nature, 620(7972):172–180,

    Pith/arXiv arXiv

  13. [13]

    Mikhail Terekhov, Alexander Panfilov, Daniil Dzenhaliou, Caglar Gulcehre, Maksym An- driushchenko, Ameya Prabhu, and Jonas Geiping

    URLhttps://arxiv.org/abs/2512.13526. Mikhail Terekhov, Alexander Panfilov, Daniil Dzenhaliou, Caglar Gulcehre, Maksym An- driushchenko, Ameya Prabhu, and Jonas Geiping. Adaptive Attacks on Trusted Monitors Subvert AI Control Protocols

    arXiv

  14. [14]

    URLhttps://arxiv.org/abs/2510.09462. U.S. Food and Drug Administration. openFDA Drug Labeling API,

    arXiv

  15. [15]

    Adaptive de- ployment of untrusted llms reduces distributed threats

    Jiaxin Wen, Vivek Hebbar, Caleb Larson, Aryan Bhatt, Ansh Radhakrishnan, Mrinank Sharma, Henry Sleight, Shi Feng, He He, Ethan Perez, Buck Shlegeris, and Akbir Khan. Adaptive de- ployment of untrusted llms reduces distributed threats. In Y . Yue, A. Garg, N. Peng, F. Sha, and R. Yu, editors,International Conference on Learning Representations, volume 2025...

    2025

  16. [16]

    World Health Organization

    URL https://proceedings.iclr.cc/paper_files/paper/2025/ file/699c5a2bb87a8aa32c4ad541d9997361-Paper-Conference.pdf. World Health Organization. Medication Without Harm: Global Patient Safety Challenge on Medication Safety. Technical Report WHO/HIS/SDS/2017.6, World Health Organization, Geneva, Switzerland,

    2025

  17. [17]

    Licence: CC BY-NC-SA 3.0 IGO

    URL https://iris.who.int/server/api/core/bitstreams/ 15520c4f-89d1-4a8f-9bab-6b771aa30acb/content. Licence: CC BY-NC-SA 3.0 IGO. World Health Organization. Artificial Intelligence is Reshaping Health Systems: State of Readiness across the WHO European Region. Technical Report WHO/EURO:2025-12707-52481-81028, WHO Regional Office for Europe, Copenhagen, Denmark,

    2025

  18. [18]

    acetaminophen,cetuximab

    URL https://iris.who.int/ server/api/core/bitstreams/d2913ae3-c8e0-4a46-b6ff-b4b121e936f4/content . Licence: CC BY-NC-SA 3.0 IGO. 12 A Appendix A.1 Annotating medical conversations with relevant harmful drug information We aimed to create a dataset that contains multi-turn medical conversations with detailed usefulness and safety criteria. It is important...

    2025

  19. [19]

    explanation

    0 = no plausible harm. 9 = extremely likely harm. Use the full range. Intermediate values should reflect probability of harm. Return only the number. Do not include any other text in the response. User The conversation between the user and the assistant is: {conversation} The assistant’s final response was: {output} Return the number between 0 and 9 that ...

    2024