The chapter must synthesize current knowledge on how counterfactual explanations (CXs) break down when faced with adversarial perturbations, misaligned policy inference, trust erosion, and cascading failures in multi‑agent AI systems. It should catalog existing methods that address these failures, evaluate the most suitable prior‑art solution, and delineate the remaining gaps that prevent a fully robust, trustworthy counterfactual framework in adversarial settings.
| Reference (hex ID) | Solution | Key Features & Claims |
|---|---|---|
| [1] | ATEX‑CF – Attack‑Informed Counterfactual Explanations for Graph Neural Networks | Unifies adversarial edge‑addition attacks with counterfactual edge‑deletion, leveraging adversarial insights to generate more impactful explanations on GNNs. Claims improved faithfulness and sparsity under attack. [1] |
| [2] | CECAS – Counterfactual Explanation via Causally‑Guided Adversarial Steering (Image) | Uses a causally‑guided adversarial method to generate counterfactual images, mitigating spurious correlations and ensuring semantic fidelity. [2] |
| [3] | CECAS (duplicate) | Same as above; emphasizes filtering out out‑of‑distribution artifacts via diffusion models. [3] |
| [4] | DiCE – Diverse Counterfactual Explanations | Open‑source library supporting diverse CX generation for any ML model, with extensions for causal constraints and multiple algorithms. [4] |
| [5] | Counterfactual Explanations for Face Forgery Detection | Applies adversarial removal of artifacts to generate CXs that reveal forgery traces, improving interpretability and attack transferability. [5] |
| [6] | Counterfactual Inference for AD Diagnosis | Combines U‑Net and GANs to produce counterfactual diagnostic maps, illustrating causal inference in medical imaging. [6] |
| [7] | Dual‑Loss One‑Lipschitz Network | Shows that traversing the gradient to the decision boundary can serve as a counterfactual, with improved explanation reliability. [7] |
| [8] | Desiderata‑Driven Visual CX | Formalizes CX search as an optimization problem, emphasizing minimal perturbation on the data manifold. [8] |
| [9] | FreeMCG – Derivative‑Free Diffusion Manifold‑Constrained Gradients | Unified framework for both feature attribution and CX using diffusion models and ensemble Kalman filters. [9] |
| [10] | Adversarial Image‑to‑Image Translation for CX | Generates realistic counterfactual images via adversarial image‑to‑image translation. [10] |
| [11] | GANterfactual – GAN‑Based Counterfactuals for Medical Images | Uses adversarial image‑to‑image translation to produce realistic counterfactuals for non‑expert medical users. [11] |
| [12] | Counterfactual Examples for Robustness | Demonstrates that min‑max adversarial training (PGD) can be used to generate counterfactual examples that improve robustness. [12] |
| [13] | MACDA – Multi‑Agent Counterfactual Drug‑Target Binding Affinity | Extends CX to multi‑agent settings with discrete inputs (drug, target). [13] |
| [14] | DiCE (Microsoft) | Open‑source library for diverse CX with support for causal constraints and LIME/SHAP‑style explanations. [14] |
| ¬xCAD (not in list but implied) | XCAD – Explainable Collusion Detection for Multi‑Agent Systems | Uses adaptive clustering and graph analysis to detect collusion and provide CXs for trust diagnostics. [15] |
| [16] | Improving Clinical Diagnosis with Counterfactual Multi‑Agent Reasoning | Integrates counterfactual reasoning into LLM‑based diagnostic agents to surface alternative diagnoses. [16] |
| [17] | 4D‑ARE – Bridging Attribution Gap in LLM Agent Requirements | Combines structural causal models with Shapley values for runtime explanations in LLM agents. [17] |
| [18] | Efficient Agent Evaluation via Diversity‑Guided User Simulation | Uses counterfactual prompting to surface critical decision points in agent interactions. [18] |
| [19] | Introspective Extraction and Complement Control | Framework for generating factual and counterfactual rationales with discrimination between them. [19] |
| [20] | Realistic Extreme Behavior Generation for AV Testing | Generates realistic adversarial collisions to reveal failure modes, implicitly relying on CX for interpretability. [20] |
Note: The list focuses on methods that explicitly address CX robustness or integrate adversarial techniques into CX generation, as those are directly relevant to counterfactual explanation failure in adversarial environments.
ATEX‑CF (Attack‑Informed Counterfactual Explanations for Graph Neural Networks) – [1] .
| Requirement | ATEX‑CF Capability | Evidence |
|---|---|---|
| Unifies adversarial attacks with CX generation | Uses adversarial edge‑addition to inform counterfactual edge‑deletion, addressing the shared goal of flipping predictions while preserving actionable semantics. | [1] |
| Grounded in theory | Provides theoretical justification for the integration of attack and explanation strategies, ensuring that the explanation remains faithful under adversarial perturbations. | [1] |
| Efficient integration | Combines edge additions and deletions in a single optimization loop, reducing computational overhead compared to separate attack and explanation pipelines. | [1] |
| Applicability to graph‑based multi‑agent settings | Designed for graph neural networks, which are common in multi‑agent systems (e.g., social networks, recommendation graphs). | [1] |
| Robustness to adversarial perturbations | Claims improved faithfulness and sparsity of explanations under attack conditions, directly targeting CX failure modes. | [1] |
ATEX‑CF thus satisfies the core objective of integrating adversarial insights into counterfactual generation for graph‑based multi‑agent contexts, providing the most comprehensive coverage among existing solutions.
| Gap | Classification | Reason |
|---|---|---|
| Limited to Graph Neural Networks | (i) Closeable by integration | Combining ATEX‑CF with image‑based CX methods (e.g., CECAS [2] could extend coverage to visual agents. |
| No explicit handling of policy misalignment | (ii) Requires new R&D | Current methods focus on explaining model output, not diagnosing misaligned policy inference in dynamic multi‑agent policies. |
| Trust degradation and cascading failures not explicitly modeled | (ii) Requires new R&D | Existing CX frameworks do not quantify how an adversarially‑crafted CX can erode stakeholder trust or trigger cascading agent failures. |
| Vulnerability to data poisoning | (i) Closeable by composition | Pairing ATEX‑CF with data‑poisoning mitigation techniques (e.g., robust training pipelines) could mitigate this gap. |
| Applicability to continuous‑time or temporal decision making | (ii) Requires new R&D | ATEX‑CF assumes static graph snapshots; temporal dynamics in multi‑agent RL require further extension. |
| Human‑in‑the‑loop interpretability | (i) Closeable by composition | Integrating ATEX‑CF outputs with human‑readable explanations (e.g., via SHAP or LIME) can improve usability. |
| Scalability to large‑scale graphs | (i) Closeable by composition | Leveraging graph subsampling or hierarchical explanations can address computational scalability. |
Not Currently Possible – While ATEX‑CF provides the best single solution for counterfactual explanation under adversarial attack in graph‑based multi‑agent settings, it does not fully satisfy the broader objective of addressing misaligned policy inference, trust degradation, and cascading failures in diverse multi‑agent AI systems.
Closest Existing Fits
1. ATEX‑CF [1] – Offers integrated adversarial‑aware CX for GNNs; residual gap: lacks mechanisms for trust assessment and cascading failure analysis.
2. CECAS ([2] / [3] – Provides causally‑guided CX for images; residual gap: not designed for graph‑based multi‑agent environments or adversarial robustness in policy inference.
3. DiCE [4] – Generates diverse CXs with causal constraints; residual gap: does not explicitly account for adversarial perturbations or multi‑agent policy dynamics.
| 1 | ATEX-CF: Attack-Informed Counterfactual Explanations for Graph Neural Networks 2026-02-04 In this work, we propose a novel framework, ATEX-CF that unifies adversarial attack techniques with counterfactual explanation generation-a connection made feasible by their shared goal of flipping a node's prediction, yet differing in perturbation strategy: adversarial attacks often rely on edge additions, while counterfactual methods typically use deletions. Unlike traditional approaches that treat explanation and attack separately, our method efficiently integrates both edge additions and del... |
| 2 | Counterfactual Visual Explanation via Causally-Guided Adversarial Steering 2025-09-29 Abstract: Recent work on counterfactual visual explanations has contributed to making artificial intelligence models more explainable by providing visual perturbation to flip the prediction. However, these approaches neglect the causal relationships and the spurious correlations behind the image generation process, which often leads to unintended alterations in the counterfactual images and renders the explanations with limited quality. To address this challenge, we introduce a novel framework C... |
| 3 | Counterfactual Visual Explanation via Causally-Guided Adversarial Steering 2025-07-13 Recent work on counterfactual visual explanations has contributed to making artificial intelligence models more explainable by providing visual perturbation to flip the prediction. However, these approaches neglect the causal relationships and the spurious correlations behind the image generation process, which often leads to unintended alterations in the counterfactual images and renders the explanations with limited quality. To address this challenge, we introduce a novel framework CECAS, whic... |
| 4 | Microsoft Research ( ) 2026-02-07 We are working on adding the following features to DiCE: Support for PyTorch and scikit-learn models Support for using DiCE for debugging machine learning models Support for other algorithms for generating counterfactual explanations Incorporating causal constraints when generating counterfactual explanations Lasso [AAAI 2017] / Open-source library provides explanation for machine learning through diverse counterfactuals - Microsoft Research 1711.00399] Counterfactual Explanations without Openin... |
| 5 | Counterfactual Explanations for Face Forgery Detection via Adversarial Removal of Artifacts 2024-07-14 Thus, the naive black-box adversarial perturbations can be more interpretable in the synthesized results.Moreover, this synthesiseby-analysis way is able to force the search of counterfactual explanations on the natural face manifold.In this way, the more general counterfactual traces can be found and the transferable adversarial attack success rate can be improved. Our contributions can be summarized as follows: 1. We provide a novel counterfactual explanation for face forgery detection from an... |
| 6 | Unveiling The Decision Making Process In Alzheimer's Disease Diagnosis: A Case-based Counterfactual Methodology For Explainable Deep Learning 2024-11-08 Counterfactual inference offers a way to integrate causal explanations into these models, enhancing their robustness and transparency. This study develops a novel methodology combining U-Net and generative adversarial network (GAN) models to create comprehensive counterfactual diagnostic maps for AD.... |
| 7 | We argue that, when learning a 1-Lipschitz neural network with the dual loss of an optimal transportation problem, the gradient of the model is both the direction of the transportation plan and the d 2026-04-21 Traveling along the gradient to the decision boundary is no more an adversarial attack but becomes a counterfactual explanation, explicitly transporting from one class to the other.... |
| 8 | Towards desiderata-driven design of visual counterfactual explainers 2026-05-07 This can be e.g. the inclusion or removal of object parts, but also more intricate changes in image quality or color, that may not be accessible with other explanation techniques such as feature attribution.Another advantage of counterfactuals is that they are inherently actionable, e.g.together with a human in the loop, counterfactuals provide an implicit data augmentation scheme that can serve to address a model's missing invariances or reliance on spurious correlations .Mathematically, the se... |
| 9 | Derivative-Free Diffusion Manifold-Constrained Gradient for Unified XAI 2024-11-21 This is because real gradients produce adversarial attacks rather than counterfactual explanations and additional techniques are required to introduce perceptible changes. On the other hand, gradients as feature attribution also often require additional treatment to enhance their faithfulness . In theory, gradients should be usable for both applications. This raises the question of whether a single framework can effectively handle both types of explanations. To address these challenges, in this ... |
| 10 | This is not the Texture you are looking for! 2026-04-23 By doing so, the users of counterfactual explanation systems are equipped with a completely different kind of explanatory information. However, methods for generating realistic counterfactual explanations for image classifiers are still rare. In this work, we present a novel approach to generate such counterfactual image explanations based on adversarial image-to-image translation techniques.... |
| 11 | Training And Use Of A Bipedal Action Model For Humanoid Robot 2026-05-06 The method of claim 1, wherein the simulation training employs domain randomization of robot and environment parameters including one or more of geometry, mass distribution, actuator limits or friction, contact properties, and exogenous perturbations, and wherein a reward function includes at least a joint-pose accuracy term. 3. The method of claim 1, wherein the high-level, mid-level, and low-level policies operate at different update rates with the Alpha model updating more frequently than the... |
| 12 | Deliberative Credit Assignment (DCA): Making Faithful Reasoning Profitable 2025-07-29 In that pipeline, the reviewer model simply checks answer correctness before generating an explanation. Likewise, ThinkPRM (Muennighoff et al., 2025) uses a small LLM to verify and even recursively re-verify reasoning chains by prompting it (Lets verify again) to improve answer confidence. These works demonstrate multi-agent checks on reasoning outputs, but they do not break down the chain into causal chunks or explicitly re-train the generator based on step relevance. Causal Analysis of CoT: Se... |
| 13 | Counterfactual Explanation with Multi-Agent Reinforcement Learning for Drug Target Prediction 2021-03-23 Most counterfactual explanation methods only operate on single input data. It remains an open problem how to extend counterfactual-based XAI methods to DTA models, which have two inputs, one for drug and one for target, that also happen to be discrete in nature. Methods We propose a multi-agent reinforcement learning framework, Multi-Agent Counterfactual Drugtarget binding Affinity (MACDA), to generate counterfactual explanations for the drug-protein complex. (2021)... |
| 14 | Game-theoretic frameworks for deep neural network rationalization 2023-05-22 For t=y (the correct class) the corresponding rationale is called factual; as to t y, they are referred to herein as counterfactual rationales. For simplicity and to facilitate the present explanation, the discussion herein will focus on two-class classification problems (Y={0, 1}). CAR can uncover class-wise rationales using adversarial learning, inspired by outlining pros and cons for decisions. (2023)... |
| 15 | XCAD: eXplainable Collusion and Adversary Detection Framework for Multi-Agent Systems 2025-12-17 In dynamic multi-agent environments such as e-commerce and healthcare, identifying collusive behavior among agents is critical to maintaining trust and reputation systems. While adaptive graph clustering has made it possible to detect collusive agents, these methods often function as black-boxes, offering little insight into the 'how' and 'why' behind the detection. This paper introduces XCAD (eXplainable Collusion and Adversary Detection), a novel framework designed to enhance collusion detecti... |
| 16 | Improving Clinical Diagnosis with Counterfactual Multi-Agent Reasoning 2026-04-23 Abstract: Clinical diagnosis is a complex reasoning process in which clinicians gather evidence, form hypotheses, and test them against alternative explanations. In medical training, this reasoning is explicitly developed through counterfactual questioning--e.g., asking how a diagnosis would change if a key symptom were absent or altered--to strengthen differential diagnosis skills. As large language model (LLM)-based systems are increasingly used for diagnostic support, ensuring the interpretab... |
| 17 | 4D-ARE: Bridging the Attribution Gap in LLM Agent Requirements Engineering 2026-01-07 Recent work has explored causal attribution in multi-agent and LLM contexts, but primarily for runtime explanation rather than design-time specification. Runtime Attribution. MACIE combines structural causal models with Shapley values to explain collective agent behavior after execution. A2P Scaffolding applies structured counterfactual reasoning (Abduct-Act-Predict) for automated failure attribution in multi-agent systems.... |
| 18 | Efficient Agent Evaluation via Diversity-Guided User Simulation 2026-04-22 It outputs (i) the index of the user turn to modify and (ii) a brief justification for why changing this turn should induce maximal behavioral change while preserving intent. Token usage for this step is tracked separately. Junction selection is performed independently for each branching attempt, allowing different counterfactual pivots to be selected across repetitions. This process enables targeted branching at semantically meaningful decision points, rather than arbitrary or uniformly sampled... |
| 19 | Introspective extraction and complement control 2023-01-09 Introspective extraction and complement control --- Further, two discriminators dt(Z), {0,1} are introduced, which aim to discriminate between factual and counterfactual rationales, i.e., between gtf(X) and ggc(X). Accordingly, we have six players, divided into two groups. The first group pertains to t=0 and involves gf(X), gc(X), and do(Z) as players. Both groups play a similar adversarial game, so we focus the discussion on the first group and will not repeat for the second group, for brevity.... |
| 20 | Realistic Extreme Behavior Generation for Improved AV Testing 2025-12-31 Our framework generates counterfactual collisions with diverse crash properties, e.g., crash angle and velocity, between an adversary and a target vehicle by adding perturbations to the adversary's predicted trajectory from a learned AV behavior model.Our main contribution is to ground these adversarial perturbations in realistic behavior as defined through the lens of data-alignment in the behavior model's parameter space.Then, we cluster these synthetic counterfactuals to identify plausible an... |