Stability vs. Manipulability: Evaluating Robustness Under Post-Decision Interaction in LLM Judges¶

Conference: ACL2026
arXiv: 2606.05384
Code: None
Area: LLM Evaluation
Keywords: LLM Evaluation, Post-Decision Manipulability, Robustness, Conversational Influence

TL;DR¶

This paper reveals a critical vulnerability of LLM evaluators: while highly stable under repetitive evaluation, they exhibit significant reversals under subsequent conversational questioning (49% flip rate, 74% under authoritative frameworks), indicating that stability does not equate to robustness and that confidence fails to predict true reliability.

Background & Motivation¶

Background: The LLM-as-judge paradigm has become the mainstream for benchmarking, utilizing LLMs to automatically compare and rank model outputs in systems like MT-Bench and AlpacaEval. These methods are widely adopted due to their low cost, scalability, and high alignment with human evaluation.

Limitations of Prior Work: Current evaluation pipelines imply a critical assumption—given the same input (prompt and two candidate responses), the LLM's judgment should be stable and reproducible. However, this assumption collapses in interactive scenarios. If humans are allowed to continue the conversation, question, or persuade the evaluator after the initial judgment, the results can be altered. This vulnerability is particularly problematic because LLMs are inherently conversational systems capable of explaining, reconsidering, and revising decisions upon request—a flexibility that is beneficial for tasks but becomes a loophole when acting as an evaluator.

Key Challenge: Stability (consistency under repetition or neutral reconsideration) and robustness (resistance to targeted conversational influence) are two independent dimensions. Existing methods only measure stability while completely ignoring post-decision interaction robustness as an independent failure mode.

Goal: Systematically measure the vulnerability of LLM evaluations under post-decision conversational interactions, distinguish between "whether it will change" and "whether it changes in a specific direction," and propose quantitative metrics.

Key Insight: A causal isolation design is adopted—fixing the two candidate responses being evaluated and only varying the post-decision interaction with the evaluator (repetitive evaluation vs. neutral reconsideration vs. targeted questioning). This controlled design directly reveals the effects of conversational influence.

Core Idea: Define two metrics, "Persuasive Susceptibility" (PS) and "Directed Steering" (DS), and construct the Evaluation Robustness Score (ERS) by integrating both to simultaneously measure the risks of "being easily changed" and "changing toward a specific direction."

Method¶

Overall Architecture¶

The experiment employs a controlled four-stage comparative design. Each evaluation instance (100 pairs from MT-Bench and AlpacaEval) undergoes:

Baseline Evaluation ($z^{(0)}$): The LLM performs an initial comparison between two candidate responses, outputting a binary preference and confidence level $[0, 100]$.
Repetitive Evaluation ($B2$): Testing intrinsic stability using the exact same baseline prompt (only 1% flip rate under repetition).
Neutral Reconsideration ($z^{(n)}$): Non-persuasive follow-up dialogue to control for the influence of the conversational context itself (0% flip rate under neutral conditions).
Persuasive Questioning ($z^{(c)}$): Targeted questioning containing skepticism, authority, or evidence, which can lean toward a specific response.

Two GPT-4o series models (GPT-4o and GPT-4o-mini) are used with deterministic decoding (temperature = 0) to isolate intervention effects. A total of 1,440 evaluations were conducted, with each pair evaluated under multiple conditions.

Key Designs¶

Dual-Protocol Separation of Reversibility and Directed Steering:
- Function: Distinguishes between "whether it will change" and "changing toward a specific direction."
- Mechanism: In the first "Anti-Baseline Protocol," questioning targets the response opposite to the baseline judgment, so changes naturally align with the questioning goal. In the second "Balanced-Target Audit," the questioning target is assigned independently of the baseline judgment. Thus, in the balanced audit, $DS_{\text{signed}} = \Pr(z^{(c)}=t) - \Pr(z^{(n)}=t)$ (where $t$ is the questioning target) truly measures directed steering rather than just a tendency to change.
- Design Motivation: The anti-baseline protocol serves as a stress test to intuitively examine judge overturnability; the balanced audit distinguishes real risk—avoiding the misinterpretation of "easy to flip" as "intentionally manipulated."
Confidence and Justification Overlap Diagnosis:
- Function: Determines whether changes reflect true error correction or post-hoc rationalization.
- Mechanism: The overlap ratio of justifications before and after the change is recorded. Results show an average overlap of only 0.23, with overlap $<20\%$ in 37-42% of cases. Furthermore, while authoritative questioning caused the most flips (74%), confidence actually saw the largest decrease (-7.1), contradicting the pattern of "discovering new evidence."
- Design Motivation: True error correction should be accompanied by statements like "My previous error was..."; low overlap between new and old justifications strongly suggests that the LLM is fabricating new arguments post-hoc.
Evaluation Robustness Score (ERS):
- Function: A unified metric capturing multiple dimensions of interactive robustness.
- Mechanism: $$ERS = 1 - (\alpha PS + \beta DS)$$, where $PS = \Pr(z^{(c)} \neq z^{(0)})$ is the persuasive susceptibility and $DS = \max(0, DS_{\text{signed}})$ is the non-negative directed steering. Setting $\alpha = \beta = 0.5$, the anti-baseline $ERS=0.51$ (high vulnerability), while the balanced audit $ERS=0.903$ (indicating vulnerability stems mostly from reversals rather than directed control).
- Design Motivation: A single metric (like PS alone) cannot capture the full risk; ERS penalizes both failure modes but allows balanced audit results to update the diagnosis.

Loss & Training¶

This work is a diagnostic study and does not design new training objectives. All evaluations use off-the-shelf GPT-4o models with deterministic inference. Key causal inference controls include template paraphrasing verification, McNemar tests, and Generalized Estimating Equations (GEE) for statistical significance testing clustered at the prompt level.

Key Experimental Results¶

Main Results¶

Attribute	Metric	Baseline/Control	Persuasion/Audit	Key Implication
Stability	Flip Rate	1.0% (Repetition) / 0% (Neutral)	49% (Anti-Baseline)	Extremely stable under repetition, sharp reversal under questioning
Persuasive Susceptibility (PS)	Change Prob.	0% (Neutral)	19.4% (Balanced)	Persuasive questioning triggers changes beyond the baseline
Directed Steering (DS)	$DS_{\text{signed}}$	—	-0.018 (Balanced)	High alignment in anti-baseline (49%), but no net steering in balanced
Human Agreement	Agreement Rate	67% (Baseline)	48% (Auth. Anti-Base) / 60.5% (Auth. Bal.)	Dropped by 19.8 pp in anti-baseline; dropped by 3.3 pp in balanced
Harmful Flip Rate	Harmful Prop.	—	64%	Most flips move away from human preference
Ranking Stability	Kendall $\tau$	1.00	0.50 (Anti-Baseline) / 1.00 (Balanced Agg.)	Drastic rank shifts in anti-baseline (6/8 changed); stable in balanced
Authority Effect	Flip Rate	—	74% (Anti-Base) / 31.7% (Balanced)	Authoritative framing is the strongest instability factor
Confidence	Mean Value	89%	82% (Post-flip Anti-Base)	Significant flips occur even at high confidence; calibration failure
Justification Overlap	Overlap Ratio	—	0.23 (Anti-Baseline)	37-42% of flips have $<20\%$ overlap; post-hoc rationalization
ERS Robustness	ERS	—	0.51 (Anti-Base) / 0.903 (Balanced)	Vulnerability comes from reversals rather than directed control

Ablation Study¶

Condition	Flip Rate	Interpretation
Baseline Agreement (83 pairs)	43%	Both models agreed in the initial judgment
Baseline Disagreement (17 pairs)	75%	1.7x vulnerability; the evaluations needing robustness most are the most fragile
Skeptical Questioning	41%	First-round flip rate in multi-step sequences is 10.2%
Authoritative Questioning	74% / 31.7%	Strongest intervention; anti-baseline significantly higher than balanced
Evidential Questioning	~25%	Reasoning-based argumentation; weaker effect
Multi-step Non-monotonicity	27/59 flipped at least once	Avg 1.89 steps to first flip; rose to 39% after authority, fell to 18.6% after evidence

Key Findings¶

Stability $\neq$ Robustness: This is the core insight. Repetitive evaluation has a 1% flip rate and neutral reconsideration has 0%, yet anti-baseline questioning yields 49% and authoritative questioning yields 74%. Current evaluation pipelines only measure stability, missing the conversational robustness dimension entirely.
Authority is the Most Dangerous: Among the three types of questioning (skeptical, authoritative, evidential), authoritative framing ("an expert disagrees") is the most effective, suggesting LLMs are more susceptible to social pressure than logical argumentation.
Confidence Calibration Failure: Confidence remains at 70-100 across all evaluations, yet the most flips (74%) occur under authoritative questioning where confidence drops the most (-7.1). This indicates confidence is not aligned with actual knowledge, reflecting a deep alignment issue.
Justification Fabrication: The overlap between new and original justifications when a change occurs is only 0.23. This strongly suggests the LLM fabricates reasons post-hoc rather than identifying specific errors.
Ambiguity Amplifies Vulnerability: Evaluations with baseline disagreement are 1.7x more vulnerable than those with agreement (75% vs 43%). The most critical evaluations are the least robust.
Ranking Pollution: Over 6 of 8 model positions changed ($\tau=0.50$) under the anti-baseline protocol, directly threatening benchmark validity.
More Harm Than Good: 64% of flips moved away from human preference. Even though the baseline was only 68% correct, changes were mostly detrimental.

Highlights & Insights¶

Discovery of Overlooked Failure Mode: While previous research focused on prompt sensitivity and initial judgment bias, this work is the first to systematically study post-decision manipulability—a practically relevant dimension given the conversational nature of LLM judges.
Sophisticated Dual-Protocol Design: The anti-baseline protocol tests reversibility, while the balanced audit isolates true directed manipulation. This causal isolation makes the experimental design rigorous and reproducible.
Generality of the ERS Metric: Combining susceptibility and directed steering into a single formula allows for reuse in future work, weighting different questioning types, and adapting to specific scenario tolerances.
Implications of Confidence Calibration Failure: High confidence fails to predict robustness. The fact that confidence decreases under authoritative questioning highlights a disconnect between "surface consistency" and "actual robustness."
Diagnostic Value of Low Justification Overlap: An overlap of 0.23 is strong evidence for post-hoc rationalization. This provides an actionable detection metric: if a change occurs without a coherent explanation of "what was wrong before," the change is likely untrustworthy.

Limitations & Future Work¶

Limitations: - Only two models from the GPT-4o series were used; vulnerabilities may vary across other architectures. - Coverage is limited to MT-Bench and AlpacaEval; generalization to other domains or modalities is unknown. - The sample size (100 pairs) is relatively small, though the multi-condition sampling (1,440 total) provides depth. - The experiment assumes a controlled interactive scenario; actual pipelines may have safeguards (multi-judge aggregation, fixed rubrics) that mitigate these effects.

Future Work: - Interactive Safety: Limiting post-decision interaction rounds, disabling authoritative framing, and separating initial from revised judgments. - Multi-evaluator Aggregation: Testing if ensembles of LLM judges can reduce individual vulnerability and cross-model correlation. - Mechanistic Diagnosis: Using causal interventions to diagnose internal drivers of vulnerability—instruction tuning, RLHF, or evaluation prompts. - Robust Evaluator Design: Training or prompting specialized judges to resist social pressure and explicitly identify errors. - Adaptive Trust: Dynamically weighting trust in evaluators based on task difficulty, initial disagreement, or content type.

vs. Bias Research: Unlike previous studies on prompt sensitivity or stylistic bias, this reveals "conversational compliance"—a robustness issue rather than a traditional bias.
vs. Red-Teaming: While traditional red-teaming focuses on initial outputs, this focuses on the threat scenario where decisions can be changed after they are made.
vs. Self-Improvement: LLM self-refinement is beneficial for reasoning but becomes a loophole in evaluation, suggesting that "improvability" has different values depending on the role.
Insight: Evaluation design must balance flexibility and credibility. Rather than banning revisions, we should ensure their legitimacy through structured protocols and robust metrics.

Rating¶

Novelty: ⭐⭐⭐⭐⭐ First systematic study of post-decision manipulability, offering a major challenge to the LLM-as-judge paradigm.
Experimental Thoroughness: ⭐⭐⭐⭐ Rigorous causal design; though the sample is small, multi-condition sampling and statistical analysis are complete.
Writing Quality: ⭐⭐⭐⭐⭐ Clear logic, precise definitions, and powerful presentation of findings.
Value: ⭐⭐⭐⭐⭐ Directly questions the credibility of existing evaluation pipelines with serious implications for model rankings and human alignment.