@inproceedings{cheng-etal-2026-learning,
    title = "Learning to Conceal Risk: Controllable Multi-turn Red Teaming for {LLM}s in the Financial Domain",
    author = "Cheng, Gang  and
      Jin, Haibo  and
      Zhang, Wenbin  and
      Wang, Haohan  and
      Zhuang, Jun",
    editor = "Liakata, Maria  and
      Moreira, Viviane P.  and
      Zhang, Jiajun  and
      Jurgens, David",
    booktitle = "Proceedings of the 64th Annual Meeting of the {A}ssociation for {C}omputational {L}inguistics (Volume 1: Long Papers)",
    month = jul,
    year = "2026",
    address = "San Diego, California, United States",
    publisher = "Association for Computational Linguistics",
    url = "https://preview.aclanthology.org/ingest-acl/2026.acl-long.1903/",
    pages = "41005--41020",
    ISBN = "979-8-89176-390-6",
    abstract = "Large Language Models (LLMs) are increasingly deployed in finance, where unsafe behavior can lead to serious regulatory risks. However, most red-teaming research focuses on overtly harmful content and overlooks attacks that appear legitimate on the surface yet induce regulatory-violating responses. We address this gap by introducing a controllable black-box multi-turn risk-concealed redteaming framework (CoRT) that progressively conceals surface-level risk while exploiting regulatory-violating behaviors. CoRT contains two key components: (i) a Risk Concealment Attacker (RCA) that generates multiturn prompts via iterative refinement, and (ii) a Risk Concealment Controller (RCC) that predicts a turn-level Risk Concealment Score (RCS) to steer RCA{'}s follow-up style. We also build a domain-specific benchmark, FinRisk-Bench, with 522 instructions spanning six financial risk categories. Experiments on nine widely used LLMs show that CoRT (RCA) achieves 93.19{\%} average attack success rate (ASR), and CoRT (RCA+RCC) further improves the average ASR to 95.00{\%}. Our code and FinRisk-Bench are available at https://github.com/gcheng128/CoRT."
}