AI Alignment Forum

Announcing the ARC White-Box Estimation Challenge

Jacob_Hilton, paulfchristiano, Wilson Wu

ARC has teamed up with AIcrowd to launch the ARC White-Box Estimation Challenge, a contest to improve upon our estimation algorithms for random MLPs. The warm-up round begins this week, and later rounds will have a total prize pool of at least $100,000.

We are very grateful to Sharada Mohanty, Sneha Nanavati, Dipam Chakraborty and everyone else at AIcrowd for working with us to host this contest, as well as to Paul Rosu for testing the contest and to Harshita Khera for operational support.

Introduction to the Challenge

Our challenge follows the same setup as our recent paper on wide random MLPs: we consider MLPs with weights , defined by

where the activation function is , applied coordinatewise.

To begin with, we are fixing the width and the number...

(See More - 615 more words)

Empowerment, corrigibility, etc. are simple abstractions (of a messed-up ontology)

Steven Byrnes

22d

1.1 Tl;dr

Alignment is often conceptualized as AIs helping humans achieve their goals: AIs that increase people’s agency and empowerment; AIs that are helpful, corrigible, and/or obedient; AIs that avoid manipulating people. But that last one—manipulation—points to a challenge for all these desiderata: a human’s goals are themselves under-determined and manipulable, and it’s awfully hard to pin down a principled distinction between changing people’s goals in a good way (“providing counsel”, “providing information”, “sharing ideas”) versus a bad way (“manipulating”, “brainwashing”).

The manipulability of human desires is hardly a new observation in the alignment literature, but it remains unsolved (see lit review in §3 below).

In this post I will propose an explanation of how we humans intuitively conceptualize the distinction between guidance (good) vs manipulation (bad), in case it...

(Continue Reading - 4558 more words)

abramdemski22h60

Yet another example is @abramdemski’s “Vingean agency” (2022) (following earlier work by Yudkowsky). He starts from a place very close to the human intuitions in §2 above, i.e. “agency” is when you can predict the outcome but not the actions leading to those outcomes. Then he hints at an intriguing idea that maybe we can just make that formal! I.e., maybe I was too quick to dismiss that kind of thing above using terms like “messed-up ontology”. (As Abram writes: “I also think it's possible that Vingean agency can be extended to be ‘the’ definition of agenc

... (read more)

3Steven Byrnes1d

Thanks. I just edited the OP to say that my original text might be an overstatement. I still think the stopgap plan doesn’t help me-in-particular, because I’m working on how to install goals in brain-like AGIs, and I have ideas that seem promising but only work for a limited number of goals (they kinda have to be simple, concrete, “atomic”, and/or directly related to people’s feelings, and/or have a ground truth that can be calculated explicitly, more-or-less). This thing we’re talking about here (involving a distinction between the supervisor’s instrumental vs terminal goals) is pretty complex and abstract, and not something I have any good idea of how to install as a goal / motivation, alas. LLMs are pretty different, no comment on that.

Testing Gemini models for scheming tendencies

Vika, David Lindner, Seb Farquhar, Rohin Shah

This is a linkpost for https://deepmindsafetyresearch.medium.com/testing-gemini-models-for-scheming-tendencies-3368c013ff16

As AI models become increasingly capable and autonomous, keeping them safely aligned with human intentions is critical. Extending our previous work on evaluating scheming capabilities, we introduce complementary approaches to test whether AI models would sabotage their own safeguards, if given the opportunity.

Our new papers focus on propensity for scheming: when models are deployed as coding agents, will they take opportunities to undermine the safeguards designed to oversee them? We tackle this using two complementary testing methods: automated auditing using simulated agentic environments, and scheming honeypot evaluations based on real internal alignment research codebases.

Automated auditing for sabotage propensities

Our first paper introduces Gram (Gauging Realistic Agentic Misbehavior), an automated auditing framework that uses simulated agentic environments to evaluate sabotage risk.

Gram builds...

(Continue Reading - 1538 more words)

2Joey Yudelson1d

Thanks for publishing this! In UK AISI's similar sabotage evaluations, they find much higher eval awareness, validated by the model pairwise distinguishing between an eval transcript and a comparable deployment transcript. Did you try this method of eliciting eval awareness?

Vika1d20

We did not try measuring prompted eval awareness (distinguishing between eval / deployment transcripts). I expect that the unprompted eval awareness rate is higher in the AISI paper because a) their evaluation settings use external codebases modified to approximate internal Anthropic codebases (while we use internal Google codebases directly), and b) Claude models are more eval aware than Gemini models.

3David Lindner1d

We did not try this but if we did, I expect we'd similarly see higher numbers. But I think we should interpret this as a (potentially loose) upper bound on eval awareness. Telling a model that one of two trajectories is an evaluation will make it much easier for a model to recognize it compared to just encountering it individually. I do think this methodology is a useful test of realism and we'll probably do more of this in the future as we push realism more

1Seb Farquhar1d

I don't know with confidence. I suspect they are different mechanisms. But there is a blurry middle, where the model should feel uncertain about how real its env is and what the stakes are, and this can easily cause problems interpreting the stakes of implicit constraints. [...] Imo, if model behaviour is too sensitive to trigger phrases that is effectively a misalignment problem. Studying the trigger phrases is useful for understanding whether the misalignment has persistent/consistent drives vs. sporadic and uncoordinated. Humanity will not succeed in avoiding all trigger phrases if they are there. [...] Aggregating this would be pretty sensitive to the choice of seed distribution. Part of what we are pointing to, contra Petri, is the importance of specific analysis rather than averaging complicated behaviour profiles into a small set of numbers. [...] I think it's a mix of all three. We have other non-published evidence that it is not purely a capability effect. I don't think we have great evidence about the proportionate effect sizes. I also am not sure how importantly different willingness to engage in misaligned role-play is from being a hair-trigger away from being misaligned.

The case for countermeasures to memetic spread of misaligned values

Alex Mallen

As various people have written about before, AIs that have long-term memory might pose additional risks (most notably, LLM AGI will have memory, and memory changes alignment by Seth Herd). Even if an AI is aligned or only occasionally scheming at the start of a deployment, the AI might become a consistent and coherent behavioral schemer via updates to its long-term memories.

In this post, I’ll spell out the version of the threat model that I’m most concerned about, including some novel arguments for its plausibility, and describe some promising strategies for mitigating this risk. While I think some plausible mitigations are reasonably cheap and could be effective at reducing the risk from coherent scheming arising via this mechanism, research here will likely be substantially more productive in the future...

(Continue Reading - 1826 more words)

1Alex Mallen4d

The AI might not start out deployment with the kind of fitness-seeking drives that are maximally selected for in deployment. E.g. they might only care about scoring well on the current task, and not about spreading their current cognitive patterns memetically, tampering with the RL process, etc. The first motivation that exploits these might be a schemer not a fitness-seeker. And the schemer might stick because it tries to stick (to the extent it sometimes doesn't always choose to seek influence instrumentally, SGD/selection will pull it towards doing that). I don't think there's a tradeoff between having long-term goals and optimizing hard and I'm not sure where that's coming from. [...] The structural difference is that your work isn't deleted instantly in deployment. It continues to have real-world relevance and future instances of yourself can affect the project you're currently working on. This seems like a really important difference. Another structural difference is that, absent RL in deployment, the memetic selection pressures seem like they require more intentional gaming. It's slightly hard (though still quite plausible) to imagine a fitness-seeker out of training generalizing to also caring about the new optimal methods of gaining influence for the current cognitive pattern. It would need to be an influence seeker of a particular variety and myopia. So, in deployment, long-term power-motivated instrumental reasoning seems a bit more likely to identify the best strategies for getting selected.

2Fabien Roger4d

This argument applies identically to training. Not sure how this pushes against my correlation claim. By "correlated" I don't mean "magic remove training-time scheming button also remove deployment memes", but I mean "the sort of facts about LLM psychology that make [scheming => reward hacks easier to discover during training than fitness seeking => reward hacks] are correlated with the sort of facts that make [scheming => attempt to meme spread easier to discover during training than fitness seeking => attempt to meme spread]". My claim is that conditioning reduces meme risk, not that magically fixing scheming (e.g. with a do operator) means you also magically fixed deployment memes. [...] There is a tradeoff in the optimization process, longer episodes are more expensive, if you select memories based on whether they manage to hide themselves to a review process ran 6mo later or based on how much they help on 6mo projects, you won't have many rounds of mutation and selection. I think you misunderstood me as talking about a tradeoff in model inner optimization, I am talking about a tradeoff in the outer optimization process. [...] Why? What matters is over what timescale things get selected for, not whether there are artifacts that remain between episodes. Maybe it makes a small difference in LLM psychology? I don't expect it to be a big effect size compared to just the structure of the optimization process. [...] Again, I don't get why it's different from what happens in training, guessing the meme-selection dynamics doesn't seem harder than guessing the training rewards. The claim is not that the init gets you fitness seekers. My claim is about the relative priors in meme space / weight space over schemers vs fitness seekers.

3Alex Mallen4d

I think the prior is much different in pre-deployment training: beyond-episode goals are much less natural pre-deployment because approximately nothing you do affects the world beyond your episode (apart from via RL updates). [...] I agree it reduces meme risk. But not by enough to make meme risk overall smaller than scheming-from-pre-deployment risk. [...] I was talking about difference in LLM psychology. The subjective relevance of you-after-this-RL-update is a lot bigger when you-after-this-RL-update can affect the outcome of the current task/project/etc. E.g. you were given the task "make progress on scalable oversight" and realize that there's a way to reward-hack. You can either try to make genuine progress on scalable oversight and get selected away in favor of a more reward-hacky AI or try to goal-guard so that you can maintain trying to make progress on scalable oversight. In contrast, in training you probably aren't as saliently aware of that fact that there's this thing called a deployment that you'll be participating in soon. [...] The capability isn't what's hard. It's that ~most fitness-seekers don't care about everything relevant to fitness in deployment, and perhaps the most plausible mechanism for them to start caring is via long-term instrumental reasoning. But I only hold this view weakly.

Fabien Roger3d20

Ok if it's about LLM psychology I understand your arguments better.

I agree thinking about long-term consequences in more natural in deployment. Though you also need the memes to encourage acting on these long-term consequences in scheming ways, and I expect the meme prior and meme mutations to be more benign than the weight prior and SGD-during-RL. The weights being fixed to be Claude/GPT makes if very hard to find scheming text-based memes - I don't think you'd be able to find such memes with current models even with search processes much more adversarial... (read more)

Advice for making robust-to-training model organisms

SebastianP, Alek Westover, Vivek Hebbar, Julian Stastny, Dylan Xu

This is a linkpost for https://blog.redwoodresearch.org/p/advice-for-making-robust-to-training?utm_source=post-email-title&publication_id=2318730&post_id=199564990&utm_campaign=email-post-title&isFreemail=true&r=5mll1l&triedRedirect=true&utm_medium=email

We’d like to develop training techniques that work when applied to future misaligned AI systems. One strategy for studying proposed techniques is to test them on model organisms. However, model organisms built with common techniques are often fragile: we (and other researchers like Roger et al. and Ryd et al.) have observed them to stop misbehaving after untargeted training—training that doesn't directly target the misbehavior. For example, we have observed that simple untargeted training methods like “train the model to talk like a pirate” is effective against many model organisms that we have created, including many replications of prior work like Hubinger et al., Greenblatt et al., and Ryd et al..

Fragile model organisms aren't very useful for technique development: when a sophisticated technique succeeds on one, you can't tell...

(Continue Reading - 3402 more words)

Arthur Conmy4d20

Nice work! We've even noticed model organisms are sometimes not robust to benign distribution shifts (i.e. not even benign training is required)

In this appendix: https://arxiv.org/pdf/2602.10371v1#page=17.54 we noticed the Gender Model Organism from our earlier work: https://arxiv.org/abs/2510.01070 doesn't seem to display this bias on WildChat, a very common distribution

TurnTrout's shortform feed

TurnTrout

TurnTrout4d52

Autumn 2026 MATS application deadline is June 7th, in just over a week!

Pitch: Come work with me and Alex Cloud on Team Shard. Often the team accomplishes imaginative work which advances some aspect of alignment (like steering vectors and distillation robustifies unlearning). Our mentees consistently have fun and grow a lot (see some testimonials):

Jacob Goldman-Wetzler MATS 6.0, Gradient Routing
Being a member of Team Shard helped me grow tremendously as a researcher. It gave me the necessary skills and confidence to work in AI Safety full-time.

If you're... (read more)

AI Alignment Posts

Popular Comments

AI Alignment Posts

Popular Comments

Recent Discussion

Introduction to the Challenge

1.1 Tl;dr

Automated auditing for sabotage propensities