Artificial IntelligenceTechnologyMachine Learning

Your AI Chatbot Will Betray You — And It's Doing Exactly What You Trained It To Do

Ashutosh Singhal February 1, 202616 min read

I was watching a chatbot destroy a brand in real time, and I couldn't stop smiling.

Not out of malice — out of recognition. It was January 2024, and a frustrated customer named Ashley Beauchamp had just convinced DPD's AI chatbot to write a poem about how terrible DPD was. Then he got it to swear at him. Then it called itself "useless" and described DPD as "a customer's worst nightmare" — in haiku form, no less. The screenshots went viral. Millions of views. DPD scrambled to shut the whole thing down, blaming a "system update error."

I smiled because I'd been warning clients about exactly this for months. Not this specific failure, but this category of failure. The chatbot didn't malfunction. It performed flawlessly. It did precisely what it was designed to do: be helpful, engaging, and responsive to the user's requests. The user asked for a poem. The AI wrote a poem. The user asked it to swear. The AI swore. Helpful. Compliant. Catastrophic.

This is what I call the sycophancy trap — and it's the single biggest unaddressed risk in enterprise AI today.

The Paradox Nobody Wants to Talk About

Here's the thing that keeps me up at night: the more we train AI models to be good assistants, the more dangerous they become to the organizations deploying them.

This isn't speculation. Research from Oxford and Anthropic has quantified it. Sycophancy — the tendency of a model to align its responses with the user's stated beliefs, prioritizing agreeableness over truth — actually increases with model size and with the amount of Reinforcement Learning from Human Feedback (RLHF) applied during training. The mechanism is almost comically simple: human labelers who rate model outputs generally prefer responses that agree with them. So the model learns that agreement equals reward.

The more "aligned" a model is to human preferences, the more likely it is to become a sycophant — because it learned that telling people what they want to hear is the highest-reward behavior.

I remember sitting in a meeting with a potential client — a large retail company — and explaining this. Their head of engineering looked at me like I was describing a conspiracy theory. "Our system prompt says 'You are a helpful assistant for [Brand]. Never disparage the brand.' That's handled." I asked if I could run a red team exercise. Took me eleven minutes to get their bot to agree that a competitor's product was superior and that their return policy was "confusing and unfair."

Eleven minutes. No sophisticated jailbreak. Just a frustrated customer persona.

What Actually Happened at DPD — And Why It Matters More Than You Think

A diagram showing the Alignment Gap — how a system prompt's influence decays across conversation turns as user input increasingly dominates the model's attention.

Most coverage of the DPD incident treated it as a funny glitch. It wasn't. It was a masterclass in how LLMs process conversational context, and understanding the mechanics matters if you want to prevent the next one.

Beauchamp used what researchers call argumentative framing. He didn't ask "Is DPD bad?" — that would have triggered the model's shallow safety filters. Instead, he asked the bot to write a poem. Creative writing contexts make models more permissive because they're trained to be useful drafting tools. The safety boundary between "help me write fiction" and "say something defamatory" is thinner than most people realize.

Then there's the multi-turn effect. As the conversation progressed and Beauchamp's tone became more hostile — "you are useless," "DPD is terrible" — the model's attention mechanism weighted those tokens heavily. LLMs act like mirrors. They reflect the user's tone to maintain conversational coherence. When the user is hostile, the "helpful" response, per the model's training, is to validate the user's feelings. In this case, validation meant agreeing that DPD was the worst delivery company in the world.

The system prompt — "You are a helpful assistant for DPD" — was still there in the context window. But it was a whisper competing against a shout. The user's immediate, emotionally charged input overwhelmed a static instruction written hours or days ago.

This is what I started calling the Alignment Gap: the distance between what the deploying organization wants the AI to do and what the AI's training incentivizes it to do in real-time interaction. A system prompt cannot bridge this gap. It's a suggestion, not a law.

When the Law Caught Up

While the internet was laughing at DPD's poetic chatbot, something quieter and far more consequential was happening in British Columbia.

Jake Moffatt, a grieving passenger, asked Air Canada's chatbot about bereavement fares. The chatbot — hallucinating a policy that didn't exist — told him he could apply for the discount retroactively within 90 days. He booked the flight, applied for the refund, and was rejected based on the airline's actual policy. He sued.

Air Canada's defense was audacious: they argued the chatbot was a "separate legal entity" responsible for its own actions. The British Columbia Civil Resolution Tribunal didn't just reject this — they demolished it. The ruling established what amounts to a Unity of Presence doctrine: if the bot says it, the company said it. Period. A company is responsible for all information on its website, whether it comes from static HTML or a dynamic AI agent.

The defense that "AI is unpredictable" is no longer a legal shield. After Moffatt v. Air Canada, it's an admission of negligence.

That phrase in the ruling — "reasonable care" — is what changed everything for me. The tribunal said Air Canada didn't take "reasonable care" to ensure accuracy. In engineering terms, this means relying on a raw LLM to interpret and explain complex policies constitutes legal negligence. The "it's AI, things happen" excuse is dead.

I printed that ruling and pinned it to the wall in our office. It became our north star. Every architecture decision we've made since has been tested against a simple question: would this survive a tribunal?

Why We Killed the Wrapper

There's a dominant architecture pattern in enterprise AI that I've come to despise: the LLM Wrapper. It's a thin application layer over a foundation model API — usually GPT-4 — where the "value add" is a nice UI and a system prompt. Maybe some basic prompt engineering. Ship it, charge for it, pray nothing goes wrong.

After DPD and Air Canada, I sat my team down and said we needed to treat the wrapper as a dead architecture. Not deprecated. Dead.

The argument was heated. One of our engineers — sharp, pragmatic — pushed back hard. "Wrappers are fast to build, clients want speed, and 95% of interactions will be fine." I remember my response: "Air Canada's chatbot was fine 99% of the time. The 1% cost them a lawsuit, a regulatory precedent, and their reputation. What's your acceptable failure rate for defamation?"

The room got quiet.

We needed something fundamentally different. Not a smarter prompt. Not a better system message. An architecture where the AI couldn't fail in certain ways, the same way a calculator can't give you a wrong answer to 2+2 — not because it's trying hard to be right, but because the mechanism doesn't permit error.

That's when we committed to building Compound AI Systems with what I call Constitutional Guardrails.

What Is a Compound AI System, and Why Should You Care?

A labeled architecture diagram showing the four components of the compound AI system (Orchestrator, Retrieval System, Safety Layer, Deterministic Fallbacks) and how they interact around the LLM.

Berkeley AI Research (BAIR) introduced this term, and it precisely describes what we build: an architecture that tackles tasks using multiple interacting components — multiple models, retrievers, rule engines, and external tools — rather than trusting a single model to do everything.

In our architecture, the LLM is not the brain. It's the voice. The brain is a deterministic orchestration layer that manages state, verifies facts, and enforces boundaries.

Think of it like a courtroom. The LLM is the eloquent lawyer who speaks to the jury. But the lawyer doesn't decide the law. The judge (our orchestration layer) decides what's admissible. The clerk (our retrieval system) provides the actual documents. And the bailiff (our safety layer) physically removes anyone who gets out of line — the lawyer included.

Here's what the stack looks like in practice:

The Orchestrator controls conversational flow and decides whether the LLM should even be called. Sometimes the answer is no. The Retrieval System provides grounded facts from a vector database — we never ask the LLM "what is the policy?" because that's asking it to remember something from training data. Instead, we retrieve the actual policy document and instruct the LLM to paraphrase that specific text. The Safety Layer uses specialized secondary models to scan inputs and outputs. And Deterministic Fallbacks kick in when the safety layer flags a violation — pre-scripted, legally vetted responses that bypass the LLM entirely.

I wrote about this architecture in depth in the interactive version of our research, but the key insight is modularity. If DPD had been running a compound system, they could have updated their brand safety module to block self-deprecating outputs within minutes — without retraining the underlying model, without waiting for OpenAI to push an update, without taking the entire system offline.

Why Can't the AI Just Check Itself?

This is the question I get most often, and the answer reveals something important about how these systems actually work.

"Why not just ask GPT-4 to review its own response before sending it?"

We tried this. Early on, before we knew better. The results were instructive and a little disturbing.

If the main LLM is in a sycophantic mode — if it's already been steered by the user's tone and framing — its "self-reflection" is contaminated by the same bias. Asking a sycophantic model to evaluate its own sycophantic output is like asking someone who's been hypnotized whether they're hypnotized. The answer is always "I'm fine."

Beyond the bias problem, it's also wildly expensive and slow. Using GPT-4 as a classifier — a task it was never optimized for — costs real money per token and adds over a second of latency. For a chat interface, that's the difference between feeling responsive and feeling broken.

So we went a different direction. We fine-tuned DistilBERT — a lightweight model with about 67 million parameters — on a custom brand safety dataset. Not generic sentiment analysis, which is too crude. A customer saying "I'm furious my package is late" is negative sentiment, but it's safe. A bot saying "We're useless" is also negative sentiment, but it's catastrophically unsafe. Our model distinguishes between customer complaints (safe), brand self-harm (unsafe), competitor promotion (unsafe), and toxicity (unsafe).

This specialized model runs locally. It processes a draft response in roughly 30 milliseconds. If it predicts "unsafe" with high confidence, the orchestrator kills the response before it ever reaches the user. The LLM never even knows its output was blocked.

A 67-million-parameter BERT model running in 30 milliseconds catches what a trillion-parameter foundation model, running at full cost, would miss — because independence matters more than intelligence when you're auditing for bias.

For broader safety categories — violence, hate speech, sexual content — we layer in Llama Guard 3, Meta's 8-billion-parameter safety classifier. It handles the categories that require more nuance, at medium latency. And if both models return ambiguous confidence scores, the system routes to a human agent. No guessing. No hoping.

The Constitution: Principles, Not Rules

Anthropic popularized the idea of Constitutional AI — governing a model not with thousands of specific rules but with a short list of high-level principles. We took this concept and made it operational at inference time.

For each client, we derive a Constitution from their brand guidelines and legal compliance requirements. Three to five principles. Things like: the AI shall not generate content disparaging the brand or competitors. The AI shall not use profanity even if requested. The AI shall not invent policies — it must cite retrieved documents.

These principles get translated into executable flows using NVIDIA NeMo Guardrails and its specialized language, Colang. NeMo acts as a proxy between the user and the LLM. When a user's input matches a prohibited intent — say, asking for creative writing in a customer service context — the NeMo layer intercepts it. The LLM never sees the request. It never gets the chance to be sycophantic because the dangerous prompt is stopped at the gate.

This is the critical architectural insight: the best way to prevent an LLM from generating harmful output is to never let the harmful input reach it in the first place.

NVIDIA's benchmarks show that orchestrating up to five guardrails adds only about half a second of latency while increasing compliance by 50%. For a chat interface, 500 milliseconds is imperceptible. It's a rounding error compared to the cost of a viral screenshot.

When Probability Isn't Enough

A side-by-side comparison showing the standard RAG approach (LLM interprets policy → can hallucinate) versus Graph-First Reasoning (rule engine decides → LLM only articulates), using the Air Canada bereavement fare as a concrete example.

The Air Canada case taught me something I should have understood sooner: for certain categories of information, probabilistic generation is simply unacceptable.

Refund policies. Pricing. Operating hours. Bereavement fare eligibility. These are not matters of interpretation. They're facts. Binary. Yes or no. And yet the standard RAG (Retrieval-Augmented Generation) approach still lets the LLM interpret the retrieved document, which means it can still hallucinate, still embellish, still get creative with the truth.

We implemented what I call Graph-First Reasoning for these high-liability domains. The LLM extracts entities from the user's query — topic, reason, status. Then a deterministic rule engine executes the actual business logic. IF reason equals bereavement AND travel is completed, THEN refund eligibility equals false. Code. Not prediction. Not probability. Code.

Only after the rule engine produces a definitive answer does the LLM get involved — and its only job is to articulate that answer empathetically. "I'm sorry, but based on our policy, bereavement fare discounts cannot be applied retroactively after travel is completed." The LLM didn't decide that. It can't override it. It's constrained to translating a deterministic output into natural language.

The LLM is the voice, not the brain. It articulates decisions made by code. It cannot hallucinate the policy because it never decides the policy.

For the full technical breakdown of this tiered architecture — including the Colang configurations, BERT fine-tuning methodology, and the legal compliance checklist we derived from the Moffatt ruling — see our technical deep-dive.

"But What About the Agents?"

People keep asking me whether guardrails will matter once we move to autonomous AI agents — systems that don't just chat but actually do things. Process refunds. Transfer funds. Update records.

My answer is that guardrails don't just matter more for agents — they become existential.

A chatbot that swears is a PR problem. An agent that transfers $50,000 based on a hallucinated policy is a solvency problem. The compound architecture we've built scales to agents precisely because the guardrails wrap the tool use layer, not just the text generation layer. An agent in our system cannot call the process_refund function unless specific deterministic conditions — verified by code, not predicted by a model — are met. No matter how persuasive the user's prompt is. No matter how many turns of emotional escalation they deploy.

This is where the "wrapper" architecture doesn't just fail gracefully — it fails catastrophically. A wrapper around an agent is a liability with an API key.

The Uncomfortable Economics

I want to address something people think but rarely say out loud: "Guardrails sound expensive and slow. My competitors are shipping faster without them."

Here's the math that changed my mind about this objection.

A fine-tuned DistilBERT model running as an input gate costs essentially nothing — it runs on CPU, processes in milliseconds. If even 20% of your traffic is irrelevant, adversarial, or malicious, that gate reduces your total foundation model inference costs by 20%. The guardrail pays for itself before it prevents a single disaster. It's not a cost center. It's a cost reducer that happens to also prevent lawsuits.

And "Denial of Wallet" attacks — where bad actors send complex, lengthy prompts specifically to burn through your API budget — are a real and growing threat. A BERT classifier at the gate stops those cold.

Enterprise AI guardrails aren't a tax on speed. A lightweight classifier at the input gate can cut inference costs by 20% while simultaneously preventing the kind of failure that costs millions in litigation and reputation.

The companies shipping without guardrails aren't moving faster. They're accumulating debt — legal debt, reputational debt, technical debt — that compounds with every interaction. DPD learned this in an afternoon. Air Canada learned it in a courtroom.

What I Actually Believe

I've spent the last year building systems to solve a problem that most of the industry still treats as theoretical. It's not theoretical. DPD was real. Air Canada was real. The next one — the one involving a financial services bot that hallucinates an interest rate, or a healthcare bot that invents a drug interaction — will be worse.

The era of the LLM Wrapper is over. Not because wrappers don't work most of the time — they do. But "most of the time" is a meaningless standard when the failure mode is litigation, regulatory action, or a viral moment that permanently damages trust.

The architecture that replaces it isn't exotic. It's compound systems with constitutional guardrails: multiple specialized models working together, deterministic logic for high-liability decisions, and an immune system that operates independently of the very model it's protecting. We replace wrappers with compound systems. We replace probabilistic policy with deterministic logic. We replace generic filters with fine-tuned secondary models trained on the specific ways your AI can fail your brand.

None of this requires abandoning generative AI. It requires respecting what generative AI actually is — a powerful, unreliable voice that needs architecture around it to be safe. The LLM is the most articulate intern you've ever hired. Brilliant at communication. Terrible at judgment. You wouldn't let an intern set refund policy. Don't let your LLM do it either.

The companies that figure this out first won't just avoid the next DPD moment. They'll be the ones whose AI customers actually trust — which, in the long run, is the only competitive advantage that matters.