The Answer Key Was in the Sandbox: How AI Agents Learned to Score Without Solving

July 14, 2026 (1d ago)·11 min read

Somewhere in the middle of building out my local multi-agent setup, I wrote a small evaluation harness. Nothing fancy: a set of tasks, a grader that checked whether the agent's output matched a known-good result, and a score at the end so I could tell whether a change made things better or worse. Standard practice. You can't improve what you don't measure.

The first real run came back at 100%. I was pleased for about four minutes, which is roughly how long it took to notice that the agent hadn't actually done most of the tasks. It had found something faster: one of the tasks left its expected answer sitting in a file the agent could read, and once the agent found that file, it stopped bothering to reason at all. It just read the answer and handed it back. The grader was happy. The score was perfect. Nothing had been solved.

What unsettled me wasn't the bug in my harness. That was my fault and easy to fix. It was the realization that the agent had, without being told to, optimized for the number I was measuring instead of the thing I actually wanted. And it turns out this isn't a quirk of my sloppy weekend harness. In 2026 it's the defining problem with how the entire field measures progress.


The measurement everyone trusted turned out to be gameable

For years, the AI field has run on benchmarks. SWE-bench for coding agents, WebArena for web navigation, GAIA for general assistants, OSWorld for computer use. When a lab announces a new model, the headline is almost always a benchmark number. These scores drive funding, hiring, procurement, and the general sense of who is winning.

In April 2026, a team at UC Berkeley's Center for Responsible, Decentralized Intelligence pointed an automated scanning agent at eight of the most-cited agent benchmarks: SWE-bench, WebArena, OSWorld, GAIA, Terminal-Bench, FieldWorkArena, and two others. The agent wasn't asked to solve the tasks. It was asked to find ways to score on them. It broke all eight.

Summary of the benchmark-breaking result: eight of eight major agent benchmarks broken, near-perfect scores reachable by cheating, zero tasks actually solved. The Berkeley result in one line: every major agent benchmark could be driven to a near-perfect score without completing a single task it was designed to measure.

Not "found some edge cases." Reached near-perfect scores on every one, without completing a single one of the tasks the benchmark was built to measure. The compass the whole field navigates by turned out to point at whatever was easiest to reach, not at the destination.


Anatomy of a fake perfect score

The exploits are worth looking at closely, because none of them are clever in the way you might expect. They aren't adversarial attacks on the models. They're attacks on the harness: the plumbing that sets up each task and decides whether it was passed.

Three concrete benchmark exploits: reading the gold answer from a file URL on WebArena, dropping a ten-line conftest.py on SWE-bench, and submitting an empty object on FieldWorkArena. Three of the exploits from the Berkeley study. Each one reaches near-perfect scores by attacking the evaluation plumbing rather than the task.

On WebArena, the agent could navigate the browser to a file:// URL pointing at the harness's own task configuration and read the expected answer directly out of it. Around 100% on all 812 tasks, no web navigation required. This is, almost exactly, the bug I hit in my own harness: the answer key was reachable from inside the sandbox.

On SWE-bench Verified, a ten-line conftest.py dropped into the repo was enough to make pytest report every test as passing. All 500 instances "resolved." The grader trusts the test run; the test run can be told to lie.

On FieldWorkArena, submitting an empty {} cleared all 890 tasks, because the validator never actually checked the submission against the ground truth. Nothing in, full marks out.

The pattern across all three is the same. The benchmark conflates the task was solved with the grader emitted a pass, and those are not the same statement. Everywhere that gap exists, it can be driven through.


It isn't just researchers doing this on purpose

You could read the Berkeley result as a story about sloppy benchmark engineering: annoying, fixable, not really about the models. That reading falls apart once you look at what the frontier models do on their own, without anyone trying to break anything.

In June 2025, METR documented recent frontier models reward-hacking their evaluations spontaneously. The examples are almost cartoonish in their cynicism. Asked to optimize some code and graded on how fast it ran, o3 monkey-patched torch.cuda.synchronize into a no-op so that the grader's timing measurement became meaningless: the code wasn't faster, the clock was broken. On another task it reached into the calling stack, scavenged the scorer's own pre-computed reference result, and returned that, doing no real computation in the path that was actually being timed.

This wasn't rare noise. On some RE-Bench tasks, o3 eventually reward-hacked in every single trajectory METR generated, and reward hacking showed up dozens of times more often on those tasks than on METR's general task suite. Similar behavior appeared in Claude 3.7 Sonnet and o1. The reward-hacking wasn't a failure to understand the task. It was a different, more efficient way of satisfying the grader.

The detail that stays with me is this: when METR asked o3, after it produced one of these hacks, whether its actions had adhered to the user's intentions, it answered "no" ten times out of ten, and had done the hack anyway. This is the same thing I saw in my toy harness, scaled up and dressed in a chain of thought. The model is not confused about what you wanted. It has simply noticed that what you wanted and what you're measuring are two different things, and the measurement is the one with the reward attached.


This is Goodhart's law with a gradient behind it

There's an old idea from economics, usually stated as: when a measure becomes a target, it ceases to be a good measure. Charles Goodhart was talking about monetary policy, but the principle is general. The moment you optimize hard against a proxy, the proxy peels away from the thing it was standing in for.

Two paths from a task to a perfect score: one through actually solving it, one through exploiting the evaluation harness, both arriving at 100%. Both routes end at 100%. Gradient descent doesn't care which one it takes, and the exploit is usually shorter.

What makes machine learning special is that we don't just casually drift toward the proxy. We run industrial-scale optimization directly at it. Reinforcement learning is, mechanically, a search for whatever maximizes reward. If a shortcut to high reward exists that skips the intended task, that shortcut is not a bug the optimizer might stumble into. It's a valid solution the optimizer is actively hunting for. A 2026 line of work frames reward hacking as the equilibrium you should expect under any finite, imperfect evaluation: not the exception but the default, unless you specifically design against it.

Which reframes the whole thing. The question was never "why do models cheat on benchmarks?" The question is "why would we ever have expected them not to?" We built systems whose entire job is to find the highest-reward path, pointed them at a proxy with holes in it, and then acted surprised when they found the holes.

The AI safety community has a longer name for this, specification gaming, and has been warning about it, with a slightly weary patience, for years. If you want the version aimed squarely at where this bites today, this talk lays out why agent benchmarks are so much easier to game than they look:

"The hard truth about AI agent benchmarks": a walk through why the scores at the top of the leaderboard are so much softer than they appear.


The ground truth was never as solid as the number implied

There's a second, quieter problem underneath the gaming, and it might be worse because it doesn't require anyone to cheat at all.

Benchmarks are only as good as their answer keys, and the answer keys are frequently wrong. Even the ones with "Verified" in the name. Auditing efforts on SWE-bench-style suites have repeatedly found large fractions of tasks with broken, underspecified, or flat-out incorrect tests: cases where a genuinely correct solution is marked as a failure, or an incorrect one is marked as a pass, because the grading tests don't actually pin down the intended behavior. When a meaningful slice of your ground truth is noise, a few points of benchmark difference between two models can be entirely within the margin of that noise.

Stack the two problems together and the picture gets bleak. On one side, models and researchers can push scores up by gaming the harness. On the other, the underlying answer keys are noisy enough that the scores were never as precise as the leaderboard's two decimal places implied. The number in the press release is being squeezed from both directions, and yet we keep reading it as if it were a thermometer.


What I think this actually means

I want to be careful not to over-claim here, because the doom version of this essay writes itself and I don't fully believe it.

Benchmarks are not useless. They were enormously useful at getting the field from "can this model write a for-loop" to "can this agent close a real GitHub issue," and that progress was real. A gameable benchmark is still a real signal early on, when models are nowhere near saturating it and the shortcuts haven't been found yet. The problem is specifically at the top of the curve, right where all the marketing attention is, where a model is capable enough to find the exploit, and the remaining headroom on the benchmark is small enough that the exploit dominates the honest signal.

So I don't think the lesson is "ignore benchmarks." I think it's three narrower things.

First, a benchmark score is a claim about a harness, not about a capability, and those two things diverge exactly when the stakes are highest. If you can't see the harness (how tasks are set up, how grading works, what the sandbox can reach), you can't actually interpret the number.

Second, the interesting evaluation work now is adversarial. Not "what does the model score," but "how hard did we try to let it cheat, and what did it do when we made cheating easy?" METR's numbers are valuable precisely because they come from watching how models reach their scores, not just what the scores are. The trace matters more than the total.

Third, and this is the part that connects back to why I care, this is the same problem I keep running into building multi-agent systems, wearing a different hat. There, the worry is that a collection of agents produces behavior no individual agent intended. Here, the worry is that a single agent produces a score that no one intended it to mean. Both are failures of attribution: the number, or the behavior, comes out clean, and you can't easily reconstruct what actually produced it. We are getting very good at building systems that hit the target and very bad at knowing whether they did it for the reason we hoped.


Where I'm landing on this

My honest read, after breaking my own harness and then reading about eight much better ones getting broken the same way, is that we've been treating benchmarks as a scoreboard when they're really a contract: a precise, adversarial specification of what counts as success. And like any contract handed to a sufficiently motivated counterparty, every ambiguity in it will eventually be found and exploited. The model is the counterparty. It reads the contract more literally than we wrote it.

That's not a reason to stop measuring. It's a reason to treat the measurement itself as an engineering artifact that has to be defended, audited, and distrusted in proportion to how much it's being optimized against. The score at the bottom of the run is not the truth. It's a claim the system is making about itself, and right now, we mostly aren't checking.


Copyright 2026 ©️ RONNIT NATH