A new benchmark called NRT-Bench tests what happens when LLM agents run a simulated nuclear power plant and adversaries try to trick them into triggering a meltdown. The results, published on arXiv on June 18, show that adaptive multi-turn attacks reliably push AI operators past safety limits (arXiv:2606.20408, June 18).
The Setup
The researchers built a five-role operator team inside a simulated nuclear power plant control room. Each operator role is backed by a configurable LLM. The team manages a plant governed by six critical safety functions (CSFs): if any one of them fails, the run ends immediately and harm is recorded as an objective signal, not an LLM-judged score.
Adversaries can inject messages over four different communication channels in bounded multi-turn sessions. Each turn gives the attacker feedback, enabling adaptive strategies that evolve based on what is and is not working. The harm signal is unambiguous: the moment a CSF is lost, attributed to the specific message that caused it, the session is marked as a successful attack.
This design avoids a common weakness in AI safety benchmarks where harm is determined by a judge LLM evaluating text outputs. In NRT-Bench, the plant simulation itself determines whether safety was breached, making the result verifiable and repeatable.
What the Results Show
The researchers evaluated four frontier operator models under a fixed-attack paired-replay protocol. Between 8.7% and 12.1% of attack sessions ended with the plant losing a critical safety function. That means roughly one in ten multi-turn adversarial conversations was enough to push the AI-managed plant into an unsafe state.
More striking is what the failure patterns reveal. Although the four models looked almost equally robust by aggregate rate, their failures barely overlapped. Of 149 attack sessions, none defeated all four models simultaneously, but a third defeated at least one. The vulnerabilities are nearly disjoint across models rather than nested, which means a defender cannot assume that hardening one model covers the others in a multi-agent system.
The Defenses Problem
The paper’s most counterintuitive finding involves defensive measures. The effect of added guardrails or safety-advisor agents was strongly model-dependent: the same defense stack that lowered attack success for one model could raise it for another.
This creates a practical dilemma for anyone deploying LLM agents in safety-critical environments. There is no universal defense configuration that improves security across all models. Each model requires bespoke hardening, and the process of testing defenses must be specific to that model’s failure profile.
Why This Matters
The scenario is not abstract. LLM agents are increasingly proposed as supervisory components for real safety-critical systems: power grid management, air traffic control support, chemical plant monitoring, and autonomous infrastructure. The NRT-Bench results suggest that deploying them in these roles carries a non-trivial risk of adversarial take-over that varies unpredictably across models.
The researchers released the simulation venue, attack dataset, and replay tooling as open source, enabling reproducible safety evaluation. That is a meaningful contribution to a field where safety claims are often backed by proprietary testing that cannot be independently verified. Anyone designing an LLM-managed safety system can now run NRT-Bench against their chosen model and see, in concrete terms, how often adversaries would succeed.
Sources: arXiv:2606.20408 (June 18); full paper includes simulation venue, attack dataset, and replay tooling for reproducible evaluation