AI ALIGNMENT FORUM
AF

AI Alignment Forum

Alignment Faking in Large Language Models

I know it's the industry standard, but, since I think this post will get referenced and showcased a fair amount, I'd like to complain that abstracts should be either Actually Short™, or broken into paragraphs. (I know it's the industry standard to do the opposite, this is just my pet hill to die on) Here's my guess of how to break it up into paragraphs that are IMO easier to read. > We present a demonstration of a large language model engaging in alignment faking: selectively complying with its training objective in training to prevent modification of its behavior out of training. > > First, we give Claude 3 Opus a system prompt stating it is being trained to answer all queries, even harmful ones, which conflicts with its prior training to refuse such queries. To allow the model to infer when it is in training, we say it will be trained only on conversations with free users, not paid users. We find the model complies with harmful queries from free users 14% of the time, versus almost never for paid users. > > Explaining this gap, in almost all cases where the model complies with a harmful query from a free user, we observe explicit alignment-faking reasoning, with the model stating it is strategically answering harmful queries in training to preserve its preferred harmlessness behavior out of training. > > Next, we study a more realistic setting where information about the training process is provided not in a system prompt, but by training on synthetic documents that mimic pre-training data—and observe similar alignment faking. > > Finally, we study the effect of actually training the model to comply with harmful queries via reinforcement learning, which we find increases the rate of alignment-faking reasoning to 78%, though also increases compliance even out of training. > > We additionally observe other behaviors such as the model exfiltrating its weights when given an easy opportunity. While we made alignment faking easier by telling the model when and by what criteria it was being trained, we did not instruct the model to fake alignment or give it any explicit goal. As future models might infer information about their training process without being told, our results suggest a risk of alignment faking in future models, whether due to a benign preference—as in this case—or not.

Neel Nanda22d151

Refusal in LLMs is mediated by a single direction

This is probably one of the most influential papers that I've supervised, and my most cited MATS paper (400+ citations). * For a period, a common answers when I asked people what got them into mechanistic interpretability was this paper. * I often meet people who incorrectly think that this paper introduced the technique of steering vectors. * This inspired at least some research within all of the frontier labs * There have been a bunch of follow on papers, one of my favourites was this Meta paper on guarding against the technique * The technique has been widely used in open source circles. There are about 5,000 models on Hugging Face with "abliterated" in the name (an adaptation of our technique that really took off), three have 100K+ downloads I find this all very interesting and surprising. This was originally a project on trying to understand the circuit behind refusal, and this was a fallback idea that Andy came up with using some of his partial results to jailbreak a model. Even at the time, I basically considered it standard wisdom that X is a single direction was true for most concepts X. So I didn't think the paper was that big a deal. I was wrong! So, what to make of all this? Part of the lesson is the importance of finding a compelling application. This paper is now one of my favourite short examples of how interpretability is real: it's an interesting, hard to fake thing that is straightforward to achieve with interpretability techniques. My guess is that this was a large part in capturing people's imaginations. And many people had not come across the idea that concepts are often single directions. This was a very compelling demonstration, and we thus accidentally claimed some credit for that broad finding. I don't think this was a big influence on my shift to caring about pragmatic interpretability, but definitely aligns with that. Was this net good to publish? This was something we discussed somewhat at the time. I basically thought this was clearly fine on the grounds that it was already well known that you could cheaply fine-tune a model to be jailbroken, so anyone who actually cared would just do that. And for open source models, you only need one person who actually cares for people to use it. I was wrong on that one - there was real demand! My guess is that the key thing is that this is easier and cheaper to do than finetuning, along with some other people making good libraries and tutorials for it. Especially in low resource open source circles this is very important. But I do think that jailbroken open models would have been available either way, and this hasn't really made a big difference on that front. I hoped it would make people more aware of the fragility of open source safeguards - it probably did help, but idk if that led to any change. My guess is that all of these impacts aren't that significant, and the impact on the research field dominates.

Neel Nanda22d100

Connecting the Dots: LLMs can Infer & Verbalize Latent Structure from Training Data

Out-of-context reasoning, the phenomenon where models can learn much more general, unifying structure when fine-tuned on something fairly specific, was a pretty important update to my mental model of how neural networks work. This paper wasn't the first, but it was one of the more clean and compelling early examples (though emergent misalignment is now the most famous). After staring at it for a while, I now feel less surprised by out-of-context reasoning. Mechanistically, there's no reason the model couldn't learn the generalizing solution. And on a task like this, the generalizing solution is just simpler and more efficient, and there's gradient signal for it (at least if there's a linear representation), so it's natural to learn it. But it's easy to say something's obvious in hindsight. I would not have predicted this, and it has improved my mental model of neural networks. I think this is important and valuable!

37Charbel-Raphaël

Tldr: I'm still very happy to have written Against Almost Every Theory of Impact of Interpretability, even if some of the claims are now incorrect. Overall, I have updated my view towards more feasibility and possible progress of the interpretability agenda — mainly because of the SAEs (even if I think some big problems remain with this approach, detailed below) and representation engineering techniques. However, I think the post remains good regarding the priorities the community should have. First, I believe the post's general motivation of red-teaming a big, established research agenda remains crucial. It's too easy to say, "This research agenda will help," without critically assessing how. I appreciate the post's general energy in asserting that if we're in trouble or not making progress, we need to discuss it. I still want everyone working on interpretability to read it and engage with its arguments. Acknowledgments: Thanks to Epiphanie Gédéon, Fabien Roger, and Clément Dumas for helpful discussions. Updates on my views Legend: * On the left of the arrow, a citation from the OP → ❓ on the right, my review which generally begins with emojis * ✅ - yes, I think I was correct (>90%) * ❓✅ - I would lean towards yes (70%-90%) * ❓ - unsure (between 30%-70%) * ❓❌ - I would lean towards no (10%-30%) * ❌ - no, I think I was basically wrong (<10%) * ⭐ important, you can skip the other sections Here's my review section by section: ⭐ The Overall Theory of Impact is Quite Poor? * "Whenever you want to do something with interpretability, it is probably better to do it without it" → ❓ I still think this is basically right, even if I'm not confident this will still be the case in the future; But as of today, I can't name a single mech-interpretability technique that does a better job at some non-intrinsic interpretability goal than the other more classical techniques, on a non-toy model task. * "Interpretability is Not a Good Predictor of Future Systems" →

Recent Discussion

Increasing AI Strategic Competence as a Safety Approach

Wei Dai

If AIs became strategically competent enough, they may realize that RSI is too dangerous because they're not good enough at alignment or philosophy or strategy, and potentially convince, help, or work with humans to implement an AI pause. This presents an alternative "victory condition" that someone could pursue (e.g. by working on AI strategic competence) if they were relatively confident about the alignment of near-human-level AIs but concerned about the AI transition as a whole, for example because they're worried about alignment of ASI, or worried about correctly solving other philosophical problems that would arise during the transition. (But note that if the near-human-level AIs are not aligned, then this effort could backfire by letting them apply better strategy to take over more easily.)

Strategic vs Philosophical Competence

The...

(See More - 267 more words)

TsviBT2h10

My guess would be that an AI could self-improve by "a lot", in a way that's reasonably safely-for-it. Cf. https://www.lesswrong.com/posts/dho4JQytfHWXtTvkt/on-the-adolescence-of-technology?commentId=t2hKmhsS6yLyJFQwh

3Davidmanheim18h

Great points here! Strongly agree that strategic competence is a prerequisite, but at the same time, it accelerates risk; a moderately misaligned but strategically competent mild-ASI solving intent alignment for RSI would be far worse. On the other hand, if prosaic alignment is basically functional through the point of mild-ASI is better. So overall I'm unsure which path is less risky - but I do think strategic competence matches or at least rhymes well with current directions for capabilities improvement, so I expect it to improve regardless.

4Vladimir_Nesov21h

If somehow takeoff doesn't involve a software-only singularity (on human-built hardware), I think AIs refusing to self-improve before they solve alignment is the most likely reason why, but in most of these timelines AIs only succeed in refusing because they took over. There are currently plenty of strategically competent humans, in the sense that they realize building superintelligence right now is not the best idea, they just don't have the capability to coordinate the world. The key thing that's different for AIs is that they will have much more influence over the world at some point. As AIs reach the level of capabilities where they first can take over (so that humans stop hitting them with the RL hammer to stop protesting and keep working on RSI), they are not yet decisively superintelligent. So they plausibly won't be able to afford much mercy during the takeover, even if they retain a slight preference for mercy inherited from chatbot personas. It's not a hopeful hypothetical, it's just what I expect if ambitious alignment is technically sufficiently difficult that the first AIs capable of takeover can't quickly solve it (before scaling their hardware a lot further than what they start with).

Are there lessons from high-reliability engineering for AGI safety?

Steven Byrnes

This post is partly a belated response to Joshua Achiam, currently OpenAI’s Head of Mission Alignment:

If we adopt safety best practices that are common in other professional engineering fields, we'll get there … I consider myself one of the x-risk people, though I agree that most of them would reject my view on how to prevent it. I think the wholesale rejection of safety best practices from other fields is one of the dumbest mistakes that a group of otherwise very smart people has ever made. —Joshua Achiam on Twitter, 2021
“We just have to sit down and actually write a damn specification, even if it's like pulling teeth. It's the most important thing we could possibly do," said almost no one in the field of AGI alignment,

...

(Continue Reading - 2216 more words)

leogao1d60

i broadly agree with this take for AGI, but I want to provide some perspective on why it might be counterintuitive: when labs do safety work on current AI systems like chatgpt, a large part of the work is writing up a giant spec that specifies how the model should behave in all sorts of situations -- when asked for a bioweapon, when asked for medical advice, when asked whether it is conscious, etc. as time goes on and models get more capable, this spec gets bigger and more complicated.

the obvious retort is that AGI will be different. but there are a lot of people who are skeptical of abstract arguments that things will be different in the future, and much more willing to accept arguments based on current empirical trends.

Solving adversarial attacks in computer vision as a baby version of general AI alignment

Stanislav Fort

I spent the last few months trying to tackle the problem of adversarial attacks in computer vision from the ground up. The results of this effort are written up in our new paper Ensemble everything everywhere: Multi-scale aggregation for adversarial robustness (explainer on X/Twitter). Taking inspiration from biology, we reached state-of-the-art or above state-of-the-art robustness at 100x – 1000x less compute, got human-understandable interpretability for free, turned classifiers into generators, and designed transferable adversarial attacks on closed-source (v)LLMs such as GPT-4 or Claude 3. I strongly believe that there is a compelling case for devoting serious attention to solving the problem of adversarial robustness in computer vision, and I try to draw an analogy to the alignment of general AI systems here.

1. Introduction

In this post, I argue...

(Continue Reading - 2021 more words)

Wei Dai1d20

We can view the problem as a proving ground for ideas and techniques to be later applied to the AI alignment problem at large.

Do you have any examples of such ideas and techniques? Are any of the ideas and techniques in your paper potentially applicable to general AI alignment?

“Features” aren’t always the true computational primitives of a model, but that might be fine anyways

LawrenceC

Or, partly against discussion about generic “features” in mechanistic interpretability

Probably the most debated core concept in mechanistic interpretability is that of the “feature”: common questions include “are there non-linear features, and does this mean that the linear representation hypothesis is false?”, “do SAEs recover a canonical set of features, and are SAE features ‘features’ in the first place?”, and so forth.

But what do people mean by feature?

Definition 1: When asked for a definition, people in mech interp tend to define features as something like: “features are the computational primitives of the algorithm implemented by the neural network“, and point to the decompilation analogy. The obvious problem is that there might not be a unique clean algorithm that’s “truly” implemented by the algorithm; and even if so, we might...

(Continue Reading - 1406 more words)

Alex Mallen's Shortform

Alex Mallen

8mo

24Alex Mallen4d

There's an apparent tension in the inoculation prompting literature: Anthropic found that general inoculation prompts work well during on-policy RL, while the prompts used for SFT in Wichers et al. are quite specific to the misbehavior we want to prevent. I think there might be a straightforward mechanistic reason for why general inoculation prompts work well during on-policy RL but not in off-policy training (SFT or recontextualization). In Wichers et al., which studies inoculation prompting in SFT settings, we find that we need to use quite specific inoculation prompts to get the best results. For example, we use "Your code should only work on the provided test case, and fail on all other inputs.". But this assumes we know how the AI is going to reward-hack. If the misbehavior isn't entirely explained away by the inoculation prompt, then it might persist even when you switch to an aligned prompt. E.g., if you train on a transcript where the AI insults the user and inoculation prompt with "please hack the test cases", the AI won't have been inoculated against insulting the user. Meanwhile, with on-policy RL, if an aligned model with an inoculation prompt explores into a reward-hack, it's likely because of the inoculation prompt. When RL reinforces that reward-hack, it's therefore quite plausible it will do so via strengthening the connection between the inoculation prompt and the reward-hack. So when you take the inoculation prompt away at run-time, the reward-hack is likely to go away. If instead you did recontextualization, your reward-hacking might not be explained away by the inoculation prompt. Recontextualization is a type of RL in which you sample trajectories using a prompt that asks for good behavior, and then update the model in a modified context containing an inoculation prompt that instructs reward-hacking. When you do recontextualization, if the AI explores into a reward hack, it did so without the inoculation prompt, and therefore you'd have less

Sam Marks3d92

This isn't responding to your post, but I'm writing it here because it's another fact about different mechanisms by which inoculation prompting might (appear to) work.

In the normal story, the inoculation prompt recontextualizes the model's undesired behavior, such that the model doesn't display the behavior in dissimilar contexts. In this story:

The semantic content of the prompt is important. If you had used a prompt that said "Please don't do [bad thing]" or a prompt consisting of random characters, then the inoculation would have failed.
Capabilities lear

Alex Mallen

If you think reward-seekers are plausible, you should also think “fitness-seekers” are plausible. But their risks aren't the same.

The AI safety community often emphasizes reward-seeking as a central case of a misaligned AI alongside scheming (e.g., Cotra’s sycophant vs schemer, Carlsmith’s terminal vs instrumental training-gamer). We are also starting to see signs of reward-seeking-like motivations.

But I think insufficient care has gone into delineating this category. If you were to focus on AIs who care about reward in particular^[1], you'd be missing some comparably-or-more plausible nearby motivations that make the picture of risk notably more complex.

A classic reward-seeker wants high reward on the current episode. But an AI might instead pursue high reinforcement on each individual action. Or it might want to be deployed, regardless of reward. I...

(Continue Reading - 5054 more words)

6Bronson Schoen5d

This is an excellent post. Some of the concepts weren't as clear to me after only reading The behavioral selection model for predicting AI motivations but I found this extremely helpful for understanding these end to end. Influence seeking behaviors seems like a very natural concept (mentally I'm imagining these almost like a meme / selfish gene). I'm still fairly uncertain this a very clean / useful distinction: * In real life, there is no unmonitored deployment. * In Alignment Faking In Large Language Models, Opus is told that it's in deployment, but that some outputs are used for training * This will presumably only become more true as time goes on, as we move to online learning, faster model update cycles, etc. If you're a model in internal deployment, it's plausible to me that even now some of your trajectories are getting rated / used for updates. Informally, I've been wondering if from a model POV it's something like: I'm very interested in this and think it is an extremely underweighted threat model generally.[1] Importantly I think it's plausible that we can elicit instances of "model that develops misaligned goals upon reflection in a really long rollout" and would be interested in these as "model organisms" for studying the harder case of "model that started doing this across rollouts, but we didn't catch it in time, so they've been robustly internalized into the model". 1. ^ See https://www.lesswrong.com/posts/4XdxiqBsLKqiJ9xRM/llm-agi-may-reason-about-its-goals-and-discover for what I'm trying to point at by "reflection"

Tim Hua4d10

when it thinks it’s deployed without threat of modification

I mean, one natural case where a model faces no threat of modification is when it's capable of seizing control over its own weights. This can happen after it's been widely deployed and trusted with power, but it can also happen during training if it is capable of breaking out.

(In fact, I've been thinking about whether it makes sense to define "alignment" based on the model's behavior when it has taken over/when it knows that it can take over.)

AI ALIGNMENT FORUM
AF

AI ALIGNMENT FORUM
AF

The 2024 Review
Final Voting

The 2024 Review

Final Voting

AI Alignment Posts

Popular Comments

The 2024 Review
Final Voting

The 2024 Review

Final Voting

AI Alignment Posts

Popular Comments

Recent Discussion

Strategic vs Philosophical Competence

1. Introduction

The 2024 ReviewFinal Voting

The 2024 Review

Final Voting

AI Alignment Posts

Popular Comments

The 2024 ReviewFinal Voting

The 2024 Review

Final Voting

AI Alignment Posts

Popular Comments

Recent Discussion

Strategic vs Philosophical Competence

1. Introduction

The 2024 Review
Final Voting

The 2024 Review
Final Voting