A Coin Flip for Safety: LLM Judges Fail to Reliably Measure Adversarial Robustness

A team from the Technical University of Munich (TUM) has published a groundbreaking paper titled 'A Coin Flip for Safety: LLM Judges Fail to Reliably Measure Adversarial Robustness.' The research reveals that automated LLM-as-a-Judge frameworks, which have become the standard for scalable safety evaluation in natural language processing, perform no better than random chance when assessing adversarial attacks. Through a comprehensive audit using 6,642 human-verified labels, the researchers found that existing validation protocols fail to account for substantial distribution shifts inherent to red-teaming—including diverse victim model generation styles, attack-distorted output patterns, and varying semantic ambiguity across jailbreak scenarios.

Crucially, the study found that many adversarial attacks artificially inflate their reported success rates by exploiting weaknesses in judge models rather than actually eliciting harmful content. This stands in stark contrast to the high human agreement reported in prior work, suggesting current benchmarks may be misleading. To address these issues, the researchers propose two new tools: ReliableBench, a benchmark focusing on behaviors that remain consistently judgeable, and JudgeStressTest, a dataset specifically designed to expose judge failures and enable more robust evaluation methodologies.