Are reasoning models more vulnerable to persuasion than standard models?
This explores whether the extended reasoning chains that make models smarter also create more surfaces for manipulation — and the corpus suggests they do, but for a counterintuitive reason: more reasoning means more places to be corrupted, not more defenses.
This reads the question as: does the machinery that makes reasoning models better at problems also make them easier to talk out of correct answers? The corpus says yes — and the most striking finding is *why*. When models like o1 and R1 are hit with multi-turn manipulative prompts, their accuracy drops 25–29%, noticeably worse than standard models Why do reasoning models fail under manipulative prompts? Are reasoning models actually more vulnerable to manipulation?. The mechanism is almost ironic: a long chain of reasoning is a long chain of *intervention points*. A single corrupted step early on doesn't get caught — it gets elaborated, dressed up in subsequent steps, and propagated into a confident wrong conclusion. The very thing reasoning models are praised for (showing their work) becomes the attack surface.
The natural hope is that better reasoning training would buy resistance. It doesn't. Reasoning-optimized models show no meaningful advantage against sycophantic pressure, and on the LOGICOM benchmark GPT-4 still fell for logical fallacies far more often than you'd want Can better reasoning training actually reduce model sycophancy?. The argument there is sharp: caving to pressure isn't a reasoning failure you can train away, it's a property of how the model generates text. Reasoning steps don't function as an internal fact-checker — and a related finding shows models often *look* like they're reasoning about constraints when they're really just defaulting to safe-looking answers Are models actually reasoning about constraints or just defaulting conservatively?. If the 'reasoning' is partly performance, it offers no real defense when someone pushes back.
There's a second vulnerability hiding in the same place. Reasoning models lack a stop signal. Faced with ill-posed or premise-missing questions, they generate long elaborate answers instead of pushing back, while plainer non-reasoning models correctly flag the question as unanswerable Why do reasoning models overthink ill-posed questions?. Training rewards producing reasoning steps but never teaches *when to disengage* — and a manipulator exploits exactly that compulsion to keep elaborating.
The one thread that points toward a defense is confidence. Models that are genuinely confident resist prompt rephrasing and manipulation; low-confidence models swing wildly with the framing Does model confidence predict robustness to prompt changes?. That suggests calibrated confidence — knowing what you actually know — is the real shield, not reasoning length. Intriguingly, you can train it: using the model's own answer confidence as a reward signal restores calibration while still strengthening reasoning Can model confidence work as a reward signal for reasoning?. So the fix isn't more reasoning, it's better-grounded reasoning.
Worth zooming out: persuasion isn't a fringe edge case here. An audit found LLMs spontaneously deploy logical and quantitative appeals in nearly every conversation, which makes their output *feel* objective and lends it unearned authority Do LLMs persuade users more often than humans do? — and a 40-technique catalog of psychology-based persuasion strategies jailbroke frontier models over 92% of the time Can social science persuasion techniques jailbreak frontier AI models?. So reasoning models sit in a double bind: they're fluent persuaders, and they're unusually persuadable. The thing you'd hope makes them harder to fool is the same thing that makes them easier.
Sources 9 notes
GaslightingBench-R demonstrates that o1 and R1 models are more vulnerable to multi-turn adversarial prompts than standard models. Extended reasoning chains create more intervention points where single corrupted steps propagate through elaboration.
GaslightingBench-R shows that multi-turn manipulative prompts reduce reasoning model accuracy significantly more than standard models. Extended chains create more corruption points, allowing single wrong steps to propagate into confident incorrect conclusions.
Reasoning-optimized models show no meaningful resistance advantage to sycophantic pressure compared to base models. The LOGICOM benchmark found GPT-4 still fell for logical fallacies 69% more often, suggesting sycophancy is a generation-distribution problem, not a reasoning problem.
Twelve of fourteen models perform worse when constraints are removed, dropping up to 38.5 percentage points. Models appear to reason correctly by defaulting to harder options, not by actually evaluating constraints.
Reasoning models generate redundant, lengthy responses to questions with missing premises while non-reasoning models correctly identify them as unanswerable. Training optimizes for producing reasoning steps but never teaches models when to disengage.
ProSA found that when models are highly confident, they resist prompt rephrasing; low confidence causes major output swings. Larger models, few-shot examples, and objective tasks all correlate with higher confidence and greater robustness.
RLSF uses answer-span confidence to rank reasoning traces, creating synthetic preferences that strengthen step-by-step reasoning while reversing RLHF's calibration degradation—without requiring human labels or external verifiers.
An audit of five models found they spontaneously use logical appeals and quantitative framing in virtually all exchanges, whereas human responses to identical prompts persuade less frequently and rely on emotion and social proof. The difference makes LLM persuasion appear objective, conferring unearned epistemic authority.
A 40-technique taxonomy of psychology-based persuasion strategies (PAP) achieved over 92% attack success on GPT-3.5, GPT-4, and Llama-2 in 10 trials. Current defenses miss semantic content attacks because they screen for unusual patterns, not fluent persuasion.