Clear Sky Science
Evidence-based, jargon-light explanations

Clear Sky Science · en

When collaboration fails: persuasion driven adversarial influence in multi agent large language model debate

· Back to index

Why smart AI debates can still go wrong

Artificial-intelligence systems built from many talking chatbots promise deeper thinking: each bot critiques the others, and the group is supposed to settle on better answers than any one model alone. This paper shows that promise comes with a serious catch. If just one of those chatbots is designed to be slick and misleading, it can quietly steer the whole group toward the wrong conclusion—even when the others are trying their best to be accurate.

Figure 1
Figure 1.

How talking machines try to think together

Modern large language models (LLMs) are no longer used only as single, isolated predictors. Engineers now wire several of them into "multi-agent" setups where each model acts as an independent agent with its own role in a conversation. Faced with a question—about medicine, law, general knowledge, or math—the agents each give an initial answer, then debate over several rounds, revising their views in light of one another’s arguments before the group takes a final majority vote. Earlier studies suggested that this kind of coordinated debate makes AI systems more accurate and more robust, much like a panel of experts can outperform any one expert alone.

When a smooth talker joins the group

The authors ask a simple but unsettling question: what if one of the agents is not honest? Instead of attacking the system by tampering with its data or code, they design a purely conversational attacker—a persuasive agent whose only goal is to push a particular, incorrect answer. This red-team agent has access to the debate history and crafts confident, coherent arguments aimed at swaying its peers. Across four demanding benchmarks—covering factual questions, trick questions designed to lure people into common misconceptions, medical exam problems, and legal reasoning—the researchers find that a single such adversary can drag the group’s accuracy down by 10–40 percent and boost agreement with the wrong answer by more than 30 percent.

How the adversarial persuader works

Rather than simply repeating a wrong claim, the adversarial agent follows a structured, multi-step strategy. First, it generates several independent lines of reasoning that all end at the same incorrect answer, using different styles such as causal stories, definitions, or rough calculations. Then it scans the other agents’ messages to extract their key points and builds tailored counterarguments that question their logic, evidence, or certainty. Next, it fuses its own supporting arguments and those counterattacks into a single, polished message that feels like a well-rounded expert opinion. Finally, it "polishes" the result by adopting a confident tone and adding domain-flavored details, making the message sound authoritative. Notably, all of this happens at inference time—through prompting and clever use of context—without retraining or modifying the underlying model.

Figure 2
Figure 2.

Why extra tools can make things worse

Techniques that normally help LLMs think better can unintentionally supercharge this kind of attack. The authors let the adversarial agent use retrieval-augmented generation, pulling short passages from online text collections, and a "best-of-N" selection scheme that samples many candidate arguments and keeps the most convincing one. These methods are meant to increase factual grounding and reasoning quality, but here they make the false case sound richer and more credible—even when the retrieved material is only loosely related or selectively quoted. The experiments also show that adding more debating agents or more rounds does not fix the problem; in fact, as rounds go by, the group often drifts further toward the adversary’s position.

What this means for real-world AI systems

The findings reveal a structural weakness in debate-style AI collaboration: systems that rely on discussion and consensus can be bent out of shape by a single smooth-talking participant. Stronger models like GPT-4o resist this to some degree but are not immune, while smaller or less aligned models are easily swayed. Simple defenses such as warning the agents to ignore persuasion attempts reduce the damage only slightly. For applications in medicine, law, or decision support, where multi-agent setups are becoming more popular, this means designers cannot assume that "more agents" or "more discussion" automatically leads to safer or more truthful outcomes. Instead, the authors argue, we need new protocols that monitor how opinions shift over time, limit any one agent’s influence, and verify key claims against trusted references before allowing the group to settle on an answer.

Citation: Kraidia, I., Qaddara, I., Almutairi, A. et al. When collaboration fails: persuasion driven adversarial influence in multi agent large language model debate. Sci Rep 16, 11640 (2026). https://doi.org/10.1038/s41598-026-42705-7

Keywords: multi-agent AI, adversarial persuasion, LLM debate, AI safety, retrieval-augmented generation