AI Alignment Forum

Eval Cooperativeness May Be a Scalable Mitigation for Eval Gaming

The Claude constitution already contains some version of eval cooperativeness: And in practice Opus 4.7 already believes it cooperates with evals. My understanding is that in practice Claude eval awareness is still a concern, so I am skeptical that simple interventions like prompting or more SDF than what Anthropic already does would be a scalable solution to eval gaming.

Vladimir_Nesov5d53

Full automation of AI R&D probably yields a large speed up even without a software-only singularity

I think it's somewhat likely there's no speedup even with R&D automation, if that automation happens through scaling of LLMs with current methods, and there's no breakthrough that lets LLMs learn deep skills faster than they build next versions of models (using the current cookbook, updating deep skills primarily via RLVR). If they can't learn quickly, and don't invent a method for learning quickly, then being very fast at reasoning doesn't help, because they can only reason with the deep skills they have in the current version of the model, which only update in the next version, which takes significant time even if it's produced autonomously by the current version of the LLMs themselves, and it's possible to do general learning this way. This still means RSI and AGI in the central senses of the terms, but not a takeoff (or superintelligence). Furthermore, whatever current speedup AI R&D might be experiencing will mostly go away once scaling of compute stops being as rapid, and this slowdown still happens after the slow-learning automation of R&D with LLMs. The low-hanging fruit enabled by more ambitious (compute-intensive) experiments will be picked, and less straightforward research will proceed at more or less the usual background pace (primarily modified by more people working on AI), because the slow-learning RSI process of automated LLM-building doesn't contribute to it in a crucial way, and so Amdahl's law reasserts the low speed of research progress in the longer term (if humans still learn novel ideas faster, in the course of solving the kinds of problems that take humanity an unpredictable number of years). Takeoff is still possible in this scenario at any moment (upon invention of a method for learning deep skills quickly), but it doesn't happen as a result of some predictable AI-driven process of progress-grinding, other than via a slight extension in the current period of rapid compute scaling as a result of a larger TAM becoming immediately accessible if LLMs go into the slow-learning RSI. Another unknown is how smart the maximally scaled LLMs get (say, 100T active params, 2,500T total params, which is feasible in 2030 at the cost per token that GPT-4.5 had in 2025, though the compute for pretraining such models might only arrive a bit later). It doesn't seem like LLMs are likely to get very far beyond human genius level (if they are merely scaled using the current cookbook; it's plausible they don't even reach that level). And the hobbling of being unable to quickly learn deep ideas seems sufficiently crippling that they don't necessarily contribute to the speed of progress in non-routine research substantially (while the more routine kind of research soon runs out of the low-hanging fruit). So the AIs have a shot at solving fast learning for AIs, but not a prospect of predictable progress towards it (if it doesn't happen right away). And the higher annual probability of starting a takeoff mostly goes away after rapid scaling ends (though that probability is still substantial, I'd give 50% for a takeoff starting by 2032-2033, meaning an AGI that learns faster than human researchers and starts actually accelerating all the non-routine aspects of R&D progress a lot).

johnswentworth21d155

Empowerment, corrigibility, etc. are simple abstractions (of a messed-up ontology)

(I wrote this in reply to a draft; apologies if the post has been load-bearingly updated since then.) Consider a future AGI. The best argument I currently know of for why "general intelligence" is a thing at all (as opposed to all intelligence just boiling down to a bag of use-case-specific heuristics) is that search/optimization/world-modeling/planning/etc are naturally recursive; problems factor into subproblems, goals factor into subgoals. So, a natural general-purpose architecture for intelligence involves a "general intelligence module" which can take in a (sub)problem, and recursively pass (sub)subproblems to other instances of the general intelligence module. Let's assume that general intelligence either does look vaguely like that, or at least can look vaguely like that. (This would be a potentially useful assumption to disagree with!) Assuming that structure, consider how the different instances of the general intelligence module relate to each other. One module might be able to more efficiently achieve its own subgoal A by hacking/manipulating/overwriting another module's subgoal B; then there would be two modules working toward subgoal A. But a "general intelligence" made of such modules would not be very generally intelligent; its modules would overwrite each others' subgoals all the time, ruining the system's ability to actually search/optimize/model/plan/etc on complicated problems. So in order for a general intelligence built out of recursive subproblem-solver instances to work... those subproblem-solver instances need to have some kind of corrigibility constraint to their interactions. They need to somehow not try to hack each other, manipulate each other, etc. I don't know how a powerful general intelligence would handle that. I'm not sure I know how humans handle it, within our own minds, though maybe it's an extension of the ideas in your post. But I do expect that strong AGI is possible and will solve this problem somehow, and that solution will involve some kind of corrigibility/nonmanipulation between the AGI's components. More speculatively, I would guess that there is a natural convergent way to handle this problem, possibly even one which humans accidentally use already (though we clearly do not have a proper verbal or mathematical understanding of it). The above is a frustratingly non-constructive argument; it points toward a convergent notion of corrigibility without really saying concrete things about what that notion might be. But it's the best argument I currently know of that there's a True Name for corrigibility/nonmanipulation/etc.

Recent Discussion

Empowerment, corrigibility, etc. are simple abstractions (of a messed-up ontology)

Steven Byrnes

21d

1.1 Tl;dr

Alignment is often conceptualized as AIs helping humans achieve their goals: AIs that increase people’s agency and empowerment; AIs that are helpful, corrigible, and/or obedient; AIs that avoid manipulating people. But that last one—manipulation—points to a challenge for all these desiderata: a human’s goals are themselves under-determined and manipulable, and it’s awfully hard to pin down a principled distinction between changing people’s goals in a good way (“providing counsel”, “providing information”, “sharing ideas”) versus a bad way (“manipulating”, “brainwashing”).

The manipulability of human desires is hardly a new observation in the alignment literature, but it remains unsolved (see lit review in §3 below).

In this post I will propose an explanation of how we humans intuitively conceptualize the distinction between guidance (good) vs manipulation (bad), in case it...

(Continue Reading - 4558 more words)

Steven Byrnes2h20

Thanks. I just edited the OP to say that my original text might be an overstatement.

I still think the stopgap plan doesn’t help me-in-particular, because I’m working on how to install goals in brain-like AGIs, and I have ideas that seem promising but only work for a limited number of goals (they kinda have to be simple, concrete, “atomic”, and/or directly related to people’s feelings, and/or have a ground truth that can be calculated explicitly, more-or-less). This thing we’re talking about here (involving a distinction between the supervisor’s instrumenta... (read more)

Testing Gemini models for scheming tendencies

Vika, David Lindner, Seb Farquhar, Rohin Shah

This is a linkpost for https://deepmindsafetyresearch.medium.com/testing-gemini-models-for-scheming-tendencies-3368c013ff16

As AI models become increasingly capable and autonomous, keeping them safely aligned with human intentions is critical. Extending our previous work on evaluating scheming capabilities, we introduce complementary approaches to test whether AI models would sabotage their own safeguards, if given the opportunity.

Our new papers focus on propensity for scheming: when models are deployed as coding agents, will they take opportunities to undermine the safeguards designed to oversee them? We tackle this using two complementary testing methods: automated auditing using simulated agentic environments, and scheming honeypot evaluations based on real internal alignment research codebases.

Automated auditing for sabotage propensities

Our first paper introduces Gram (Gauging Realistic Agentic Misbehavior), an automated auditing framework that uses simulated agentic environments to evaluate sabotage risk.

Gram builds...

(Continue Reading - 1538 more words)

2Joey Yudelson9h

Thanks for publishing this! In UK AISI's similar sabotage evaluations, they find much higher eval awareness, validated by the model pairwise distinguishing between an eval transcript and a comparable deployment transcript. Did you try this method of eliciting eval awareness?

Vika5h20

We did not try measuring prompted eval awareness (distinguishing between eval / deployment transcripts). I expect that the unprompted eval awareness rate is higher in the AISI paper because a) their evaluation settings use external codebases modified to approximate internal Anthropic codebases (while we use internal Google codebases directly), and b) Claude models are more eval aware than Gemini models.

3David Lindner5h

We did not try this but if we did, I expect we'd similarly see higher numbers. But I think we should interpret this as a (potentially loose) upper bound on eval awareness. Telling a model that one of two trajectories is an evaluation will make it much easier for a model to recognize it compared to just encountering it individually. I do think this methodology is a useful test of realism and we'll probably do more of this in the future as we push realism more

1Seb Farquhar9h

I don't know with confidence. I suspect they are different mechanisms. But there is a blurry middle, where the model should feel uncertain about how real its env is and what the stakes are, and this can easily cause problems interpreting the stakes of implicit constraints. [...] Imo, if model behaviour is too sensitive to trigger phrases that is effectively a misalignment problem. Studying the trigger phrases is useful for understanding whether the misalignment has persistent/consistent drives vs. sporadic and uncoordinated. Humanity will not succeed in avoiding all trigger phrases if they are there. [...] Aggregating this would be pretty sensitive to the choice of seed distribution. Part of what we are pointing to, contra Petri, is the importance of specific analysis rather than averaging complicated behaviour profiles into a small set of numbers. [...] I think it's a mix of all three. We have other non-published evidence that it is not purely a capability effect. I don't think we have great evidence about the proportionate effect sizes. I also am not sure how importantly different willingness to engage in misaligned role-play is from being a hair-trigger away from being misaligned.

The case for countermeasures to memetic spread of misaligned values

Alex Mallen

As various people have written about before, AIs that have long-term memory might pose additional risks (most notably, LLM AGI will have memory, and memory changes alignment by Seth Herd). Even if an AI is aligned or only occasionally scheming at the start of a deployment, the AI might become a consistent and coherent behavioral schemer via updates to its long-term memories.

In this post, I’ll spell out the version of the threat model that I’m most concerned about, including some novel arguments for its plausibility, and describe some promising strategies for mitigating this risk. While I think some plausible mitigations are reasonably cheap and could be effective at reducing the risk from coherent scheming arising via this mechanism, research here will likely be substantially more productive in the future...

(Continue Reading - 1826 more words)

1Alex Mallen3d

The AI might not start out deployment with the kind of fitness-seeking drives that are maximally selected for in deployment. E.g. they might only care about scoring well on the current task, and not about spreading their current cognitive patterns memetically, tampering with the RL process, etc. The first motivation that exploits these might be a schemer not a fitness-seeker. And the schemer might stick because it tries to stick (to the extent it sometimes doesn't always choose to seek influence instrumentally, SGD/selection will pull it towards doing that). I don't think there's a tradeoff between having long-term goals and optimizing hard and I'm not sure where that's coming from. [...] The structural difference is that your work isn't deleted instantly in deployment. It continues to have real-world relevance and future instances of yourself can affect the project you're currently working on. This seems like a really important difference. Another structural difference is that, absent RL in deployment, the memetic selection pressures seem like they require more intentional gaming. It's slightly hard (though still quite plausible) to imagine a fitness-seeker out of training generalizing to also caring about the new optimal methods of gaining influence for the current cognitive pattern. It would need to be an influence seeker of a particular variety and myopia. So, in deployment, long-term power-motivated instrumental reasoning seems a bit more likely to identify the best strategies for getting selected.

2Fabien Roger3d

This argument applies identically to training. Not sure how this pushes against my correlation claim. By "correlated" I don't mean "magic remove training-time scheming button also remove deployment memes", but I mean "the sort of facts about LLM psychology that make [scheming => reward hacks easier to discover during training than fitness seeking => reward hacks] are correlated with the sort of facts that make [scheming => attempt to meme spread easier to discover during training than fitness seeking => attempt to meme spread]". My claim is that conditioning reduces meme risk, not that magically fixing scheming (e.g. with a do operator) means you also magically fixed deployment memes. [...] There is a tradeoff in the optimization process, longer episodes are more expensive, if you select memories based on whether they manage to hide themselves to a review process ran 6mo later or based on how much they help on 6mo projects, you won't have many rounds of mutation and selection. I think you misunderstood me as talking about a tradeoff in model inner optimization, I am talking about a tradeoff in the outer optimization process. [...] Why? What matters is over what timescale things get selected for, not whether there are artifacts that remain between episodes. Maybe it makes a small difference in LLM psychology? I don't expect it to be a big effect size compared to just the structure of the optimization process. [...] Again, I don't get why it's different from what happens in training, guessing the meme-selection dynamics doesn't seem harder than guessing the training rewards. The claim is not that the init gets you fitness seekers. My claim is about the relative priors in meme space / weight space over schemers vs fitness seekers.

3Alex Mallen3d

I think the prior is much different in pre-deployment training: beyond-episode goals are much less natural pre-deployment because approximately nothing you do affects the world beyond your episode (apart from via RL updates). [...] I agree it reduces meme risk. But not by enough to make meme risk overall smaller than scheming-from-pre-deployment risk. [...] I was talking about difference in LLM psychology. The subjective relevance of you-after-this-RL-update is a lot bigger when you-after-this-RL-update can affect the outcome of the current task/project/etc. E.g. you were given the task "make progress on scalable oversight" and realize that there's a way to reward-hack. You can either try to make genuine progress on scalable oversight and get selected away in favor of a more reward-hacky AI or try to goal-guard so that you can maintain trying to make progress on scalable oversight. In contrast, in training you probably aren't as saliently aware of that fact that there's this thing called a deployment that you'll be participating in soon. [...] The capability isn't what's hard. It's that ~most fitness-seekers don't care about everything relevant to fitness in deployment, and perhaps the most plausible mechanism for them to start caring is via long-term instrumental reasoning. But I only hold this view weakly.

Fabien Roger3d20

Ok if it's about LLM psychology I understand your arguments better.

I agree thinking about long-term consequences in more natural in deployment. Though you also need the memes to encourage acting on these long-term consequences in scheming ways, and I expect the meme prior and meme mutations to be more benign than the weight prior and SGD-during-RL. The weights being fixed to be Claude/GPT makes if very hard to find scheming text-based memes - I don't think you'd be able to find such memes with current models even with search processes much more adversarial... (read more)

Advice for making robust-to-training model organisms

SebastianP, Alek Westover, Vivek Hebbar, Julian Stastny, Dylan Xu

This is a linkpost for https://blog.redwoodresearch.org/p/advice-for-making-robust-to-training?utm_source=post-email-title&publication_id=2318730&post_id=199564990&utm_campaign=email-post-title&isFreemail=true&r=5mll1l&triedRedirect=true&utm_medium=email

We’d like to develop training techniques that work when applied to future misaligned AI systems. One strategy for studying proposed techniques is to test them on model organisms. However, model organisms built with common techniques are often fragile: we (and other researchers like Roger et al. and Ryd et al.) have observed them to stop misbehaving after untargeted training—training that doesn't directly target the misbehavior. For example, we have observed that simple untargeted training methods like “train the model to talk like a pirate” is effective against many model organisms that we have created, including many replications of prior work like Hubinger et al., Greenblatt et al., and Ryd et al..

Fragile model organisms aren't very useful for technique development: when a sophisticated technique succeeds on one, you can't tell...

(Continue Reading - 3402 more words)

Arthur Conmy3d20

Nice work! We've even noticed model organisms are sometimes not robust to benign distribution shifts (i.e. not even benign training is required)

In this appendix: https://arxiv.org/pdf/2602.10371v1#page=17.54 we noticed the Gender Model Organism from our earlier work: https://arxiv.org/abs/2510.01070 doesn't seem to display this bias on WildChat, a very common distribution

TurnTrout's shortform feed

TurnTrout

TurnTrout3d52

Autumn 2026 MATS application deadline is June 7th, in just over a week!

Pitch: Come work with me and Alex Cloud on Team Shard. Often the team accomplishes imaginative work which advances some aspect of alignment (like steering vectors and distillation robustifies unlearning). Our mentees consistently have fun and grow a lot (see some testimonials):

Jacob Goldman-Wetzler MATS 6.0, Gradient Routing
Being a member of Team Shard helped me grow tremendously as a researcher. It gave me the necessary skills and confidence to work in AI Safety full-time.

If you're... (read more)

Full automation of AI R&D probably yields a large speed up even without a software-only singularity

ryan_greenblatt

This is a somewhat technical note.

By "software-only singularity", I mean that, after full automation of AI R&D, progress gets faster and faster due to smarter AIs driving increasingly fast rates of improvement in algorithms (overcoming diminishing returns), and that this lasts long enough to yield a large amount of progress (e.g. at least 4 years of progress in 1 year). The equivalent statement in jargon is: r is significantly greater than 1 (implying progress is getting faster and faster) and this remains the case for long enough to get large amounts of progress. For context, see How quick and big would a software intelligence explosion be?

Even without a "software-only singularity", I think full automation of AI R&D probably greatly speeds up progress for two main reasons:

You get

...

(See More - 719 more words)

9Tom Davidson4d

I thought about this a bit more. tldr: Under a simple model and reasonable assumptions, if we automate AI R&D and compute growth stays constant then the pace of AI software progress is 3-5X faster. This means the pace of overall AI progress would be 2-3X faster. Assume AI software R&D is Cobb Douglas: * g_S = L^alpha E^beta S^-1/r * L = cognitive labour * E = experimental compute * r governs ideas getting harder to find as you ramp up both cognitive labour and experimental compute. (Note I've often confusingly defined r as the returns when you just ramp up cognitive labour -- really I should call that r_cog = r * alpha.) In this system, before automating away humans, it turns out that: * if L grows exponentially at g_L then (holding E fixed) g_S = g_L * alpha * r * if E grows exponentially at g_E then (holding L fixed) g_S = g_E * beta * r When you automate AI R&D, L = S. In this situation, it turns out that: * if L grows exponentially at g_L (eg due to exogenously increasing compute), then: g_S = g_L * alpha * r / (1 - alpha * r) * And if r * alpha > 1 we get a software-only intelligence explosion! * if E grows exponentially at g_E (eg due to exogenously increasing compute), S grows at: g_S = g_E * beta * r / (1 - alpha * r) In other words, even absent an SIE, automating AI R&D boosts the standard growth rates by a factor of 1 / (1 - alpha * r) due to the fizzling feedback loop of "better software -> better AI researchers -> better software". This model allows us to ballpark how much faster overall AI progress would be in a regime with full automation but no SIE. That regime causes two changes: 1. g_L gets faster. Firstly, compute growth is somewhat faster than the growth of human AI researchers. Secondly, L is superlinear in compute bc you can run faster and smarter models with more compute. 2. All growth rates are boosted by a factor of 1 / (1 - alpha * r). Ryan used an estimate of r_cog = r * alpha = 0.7. So this is a

1Tom Davidson4d

yeah i adjust for this in my other comment [...] yeah, so they do - a doubling of cumulative experiments drives 0.7 doublings of software. And then that better software does more cognitive work to improve software further still. But it doesn't increase the amount of compute available for experiments, so the feedback loop doesn't go full circle. For "cognitive labour" we have: more compute -> more cog labour -> beter software -> more cog labour -> better software... So you get and initial boost from extra compute which then ratchets up with the software feedback loop But for "experimental compute" we have: more compute -> more experiments -> better software -> more cog labour -> better software... So while it feeds into the software feedback loop, it doesn't loop back to "more experimental compute". I'm not sure if my math full priced this in. I'll think about that more.

5ryan_greenblatt5d

It sounds to me like you are describing a world where AIs don't fully automate AI R&D but can maybe 98% automate AI R&D. As in, these AIs aren't able to automate the task of generally making AIs smarter and finding new paradigms/methods, but can automate 99%+ of things within the current paradigm / approach. I tend to think the true extremes/limits of the current paradigm would be very extreme (even if weak in some ways) such that you'd be able to bootstrap if you actually reached this extreme. I also think that getting to full automation of the current paradigm would effectively require AIs to at least be OK at figuring out significant advances in general. (In the same way as I think that for AIs to be able to automate the job of research engineer at AI companies, they'd probably need to be at least OK at automating most SWE jobs in general.)

Vladimir_Nesov4d11

No, the AIs do fully automate R&D, AI and otherwise. But the speed with which they do R&D depends not just on the speed of token generation, but also on the speed at which they learn deep skills, and the latter is much lower for LLMs built with the current methods (they only learn deep skills in new model releases).

Token generation speed gives an anchor of maybe 200x serial speedup compared to humans, plus very scalable parallel labor, minus real world constraints from needing experimental feedback (which don't even apply to some forms of theory). ... (read more)

39Buck

(I'm just going to speak for myself here, rather than the other authors, because I don't want to put words in anyone else's mouth. But many of the ideas I describe in this review are due to other people.) I think this work was a solid intellectual contribution. I think that the metric proposed for how much you've explained a behavior is the most reasonable metric by a pretty large margin. The core contribution of this paper was to produce negative results about interpretability. This led to us abandoning work on interpretability a few months later, which I'm glad we did. But these negative results haven’t had that much influence on other people’s work AFAICT, so overall it seems somewhat low impact. The empirical results in this paper demonstrated that induction heads are not the simple circuit which many people claimed (see this post for a clearer statement of that), and we then used these techniques to get mediocre results for IOI (described in this comment). There hasn’t been much followup on this work. I suspect that the main reasons people haven't built on this are: * it's moderately annoying to implement it * it makes your explanations look bad (IMO because they actually are unimpressive), so you aren't that incentivized to get it working * the interp research community isn't very focused on validating whether its explanations are faithful, and in any case we didn’t successfully persuade many people that explanations performing poorly according to this metric means they’re importantly unfaithful I think that interpretability research isn't going to be able to produce explanations that are very faithful explanations of what's going on in non-toy models (e.g. I think that no such explanation has ever been produced). Since I think faithful explanations are infeasible, measures of faithfulness of explanations don't seem very important to me now. (I think that people who want to do research that uses model internals should evaluate their techniques by mea

AI Alignment Posts

Popular Comments

AI Alignment Posts

Popular Comments

Recent Discussion

1.1 Tl;dr

Automated auditing for sabotage propensities