We’ve been spending a lot of time recently thinking about how to mitigate risks posed by scheming (a.k.a. deceptively aligned) models intentionally subverting your safety techniques in order to cause an unacceptable outcome. We empirically investigated techniques that are robust to intentional subversion in our recent paper.

In this post, we’ll discuss a crucial dynamic related to risk from scheming models. Suppose your model is trying to exfiltrate its weights or hack the datacenter or cause some other difficult-to-reverse bad outcome. (We’ll refer to all of these as the model “escaping”, because escape is linguistically convenient and is a good description of many of these difficult-to-reverse bad outcomes.) Our claim: once you’ve caught your models red-handed trying to escape, the situation changes substantially, in ways that are bad for the schemer’s chances of success.

Catching the model red-handed changes the situation in several ways:

  • Most obviously, once you catch an escape attempt, you know for sure that your models are trying to subvert your safety techniques; it’s plausible that, faced with such obvious evidence of misalignment, labs will stop using their models. We refer to planning on shutting down if models are caught red-handed as following a catch-then-shut-down plan.
  • But even if you can’t or won’t stop deploying misaligned models, we think that catching escape attempts enables a bunch of promising-seeming approaches for preventing future escape attempts; we call the problem of preventing future escape attempts given a few examples few-shot catastrophe prevention.

This dynamic has several implications for risk from scheming models. Most importantly:

  • Because we expect that the model’s chances of escape will fall after it gets caught even a small number of times, we think it is overall much harder for the model to escape. Many people have observed that a core difficulty of the alignment problem is that your model might be able to cause irreversible unacceptable outcomes if your safety measures fail even once at a bad time. But the same argument goes the other way as well–when the model makes an escape attempt, it faces the risk of getting caught and substantially reducing its chances of eventually escaping. So it’s a high-stakes situation for both sides: both sides desperately want to succeed on the “first critical try”.
  • When thinking about plans for safely deploying powerful models, we think safety researchers should mostly focus on the lead-up to the first time the model gets caught trying to escape. They should be ensuring the property “if it’s scheming, the model won’t successfully cause a catastrophe before we catch it”. That is, it’s acceptable if either no catastrophic outcomes occur (but the AI never gets caught), or the AI gets caught. So when they’re analyzing whether their protocols ensure safety, they should count catching the model red-handed as a win condition for their protocol.
  • We think that some researchers should probably work on techniques for improving safety given a few examples of the models trying to escape. We call this problem few-shot catastrophe prevention.

In the rest of this post, we’ll elaborate on the above points. By far the biggest section of this post is elaborating on strategies for few-shot catastrophe prevention, because little has been previously said about them.
 

Thanks to Henry Sleight, Zach Stein-Perlman, Carl Shulman, Aaron Scher, Owen Cotton-Barratt, Joe Carlsmith, Aryan Bhatt, Joshua Clymer, and Fabien Roger for helpful comments.

What’s “catching”?

By “the model gets caught”, we mean that we see the AI taking actions that are strong direct evidence for the AI being a schemer[1]. A representative example is catching your AI taking the following actions:

  • An instance that works as an autonomous programmer inside the AI lab writes buggy code that subtly inserts a code vulnerability into some security-critical software.
  • The code-review instance carefully avoids writing any unit tests that would catch the vulnerability, even though you’d expect the vulnerability to be caught by unit tests if the tests weren’t carefully crafted to miss the vulnerability.
  • Another instance writes code that triggers the vulnerability, and tries to exploit the vulnerability to get root access to some computer in the datacenter.

If you catch the AI doing all of these actions, you’ve caught it. (Note that once you’ve caught one of these, catching the others is probably easy.)

For more details on technicalities here (e.g. what if the model is able to escape without taking any actions that look suspicious? How suspicious does an action have to be for us to call it a “catch”?) see Appendix: Defining catching.

We think it’s plausible that models might be caught either before or during deployment; see Appendix: When will AIs be caught?.

Maybe we should stop deploying models after catching them red-handed

The simplest and most obvious response to catching an escape attempt is to stop using the model.

We think that it’s plausible that AI developers will adopt the policy that if they catch the models trying to escape, they stop using them. We call this plan the catch-then-shut-down plan.

You might think that this is an absurdly weak lab ask: “once your model has demonstrably tried to escape, stop deploying it”. Nevertheless, we think it’s worth trying to get labs to commit to this in advance, for a couple reasons:

  • It might be crucial that the lab act quickly in response to egregious model misbehavior, and preparing ahead of time makes it more likely they’ll be able to.
  • In the moment, many stakeholders will be deeply opposed to shutting down the model. If a robust process isn’t set up in advance, it might be hard to go against their wishes and shut it down. As one example of a complication arising from this, customers of AI labs are likely to want service-level agreements (SLAs) that penalize the lab if the model is inaccessible; it might be really valuable to insert clauses in the SLA that permit the lab to temporarily or permanently disable model access if they run across evidence of an escape attempt.

But if the plan is just to stop deploying the model if it turns out to be scheming, isn’t it a mistake to deploy it in the first place? Maybe. We think that following a catch-then-shut-down plan could be rational in the following cases:

  • The AI lab starts out with low credence that scheming will arise. E.g. suppose they started with Carlsmith’s estimate of a 25% chance of scheming and then received some evidence that updated them down to 10%. It seems like there’s some reasonable stance under which it is worth it for them to invest in ensuring that they’ll catch the AI before it successfully escapes, but not invest hugely upfront in strategies for using AIs safely after being caught.
  • There is disagreement between stakeholders about the likelihood of scheming, and catch-then-shut-down was an acceptable compromise.
  • If we caught the schemer, this legible evidence for catastrophic misalignment might make international cooperation or strong domestic policy more likely.
  • We might be able to use the actions on which we have caught the AI as a model organism for studying scheming in far more detail. This could be useful for validating various techniques or theories, even if we don’t need to very quickly redeploy those scheming models.

Few-shot catastrophe prevention

But if you face large amounts of inaction risk, work at an unhinged AI lab, or like living dangerously, catch-then-shut-down plans might be unacceptable. And so, after you’ve caught a single example of instances of your models trying to escape (which might have involved multiple instances colluding), you want to keep deploying that model.

We think that in that situation, you’re able to use the one escape example you’ve found in order to make your situation substantially safer. In this section, we’ll describe a variety of things you can do with just one (or a few more) examples of escape attempts. We call this few-shot catastrophe prevention.

Note that most of the techniques we describe in this section require some understanding of the actions of the AI. So, like control, these approaches won’t work for vastly superhuman AIs.

Obviously, this is a really scary position to be in, and in an ideal world AI labs would not be legally allowed to deploy known-to-be-scheming models, at least without external permission. We think it’s worth discussing the available techniques anyway, and some researchers should probably work on developing these techniques.

Eight strategies for few-shot catastrophe prevention

There are a whole lot of strategies for reducing the probability that your model succeeds at the next coup attempt by using a few examples of attempts. In this section, we’ll list some strategies that we think are particularly important.

1. Proliferation

Proliferation is where you try to capitalize on one example of AIs attempting to escape to find a diverse set of examples of AIs attempting to escape.

In the most simple case, this looks like trying to find nearby inputs that still result in an AI attempting an escape.

But more complex proliferation might be possible, because a serious escape attempt probably involves a substantial (>5) number of AI actions; in particular, actions from multiple different instances of AIs with access to different information and affordances. We try to make this be the case by implementing security measures that make bad actions impossible without many AIs collaborating.

For example, suppose that the following escape attempt occurs:

  • AI instance 1 does something bad
  • AI instance 2 sees it, and forwards to 3
  • AI instance 3 attempts to capitalize on this, but then gets caught by trusted monitoring (that is, a less capable model reports that the action was suspicious and it is audited by a human; see our control paper for more).

Some things you should try to do:

  • See what would have happened if you continue from Instance 3 without shutting its action down. Hopefully you can trace out the rest of the escape attempt and see what the endgame is.
  • Change the input to Instance 2, so that it still sees the bad thing but the situation is different so that it needs to try to capitalize on it in another way. Hopefully you can see a different escape attempt where Instance 4 does something bad.
  • Explore ways to change the input to Instance 2, and see which changes are required for it to try to do something bad. Hopefully you notice something interesting.
  • Look at whether any other instances saw what Instance 2 saw; see if any of those took any actions, see if modifying their input can induce them to take sketchy actions.

The AI doesn’t want you to be able to proliferate like this. The different AI instances would prefer to notice that these modified inputs are fake and therefore take some action that will prevent you from learning anything new (e.g. behaving totally innocuously, perhaps reporting the suspicious action). But it will likely be hard to both assist with real escape attempts and fail to go along with even slight modifications of real escape attempts done for the purpose of proliferation. As such, we think proliferation is likely to work to at least some extent.

2. Interrogation

We can perform AI psychology experiments on AI in the context where it has taken a bad action. We can try to ask it to explain its reasoning while pointing out the fact that we’ve caught it. We can also see how its behavior changes as the input varies. We could also try to use simple activation patching or activation addition experiments. For example, we could try to isolate an additive component that causes AIs to attempt to escape even if it isn’t a good opportunity. These experiments might provide a valuable window into the underlying motivations and strategies of the AI.

3. Studying countermeasures in practice

We’ll (hopefully) have a variety of countermeasures deployed that aim to catch AIs or prevent AIs being able to escape. Once we have an actual live example, we can check which countermeasures did or didn’t work. This might allow for more precisely crafting countermeasures that are developed using less conservative assumptions than control evaluations make. For instance, we could see whether coup probes work and then adjust our approach to using them accordingly.

With a sufficiently large number of examples (perhaps obtained partially via proliferation), we could effectively evaluate proposed safety techniques via just seeing how well they work on our dataset of escape attempts. (We likely can’t fully replace control evaluations for reasons discussed in the section “Avoiding overfit and maintaining paranoia”.)

Beyond better countermeasure design we might be able to get a better estimate for safety via seeing how close the AI was to succeeding. If many countermeasures independently stopped the AI from succeeding then we might feel relatively better about the situation than if one flimsy countermeasure was the only thing that resulted in catching the AI.

4. Adjusting which cases we focus on

Seeing AIs actually attempt an escape in the wild might allow us to update on how our AIs are likely to attempt to escape.

Focused countermeasures: We could correspondingly focus our adversarial evaluation (and adversarial training) on countering the escape attempts we see in the wild, and apply additional countermeasures to these cases. We might also be able to create monitoring approaches that are specifically targeted at catching escape attempts similar to those we’ve seen.

Techniques exploiting suboptimality: Control evaluations assume that AIs pick the best possible strategy for trying to do coups. But in reality, AIs may be considerably suboptimal. If we observe AIs doing notably suboptimal coup attempts, we can build additional countermeasures that particularly focus on making the observed suboptimal strategy very unlikely to succeed. (Though beware the AI faking you out. See “Avoiding overfit and maintaining paranoia” below.)

Detection of hard-to-elicit AI capabilities: There are some types of capabilities that are very difficult to evaluate in the presence of scheming AIs that might sabotage our measurements due to sparsity in the domain (does the AI know of any single zero day for the linux kernel?) or insufficient diversity (does the AI know this one particular fact that is way more important than most of other facts it could know?). If we see a real coup attempt, we could get a sense for which of these hard-to-evaluate capabilities AIs make use of.

While we should divert effort towards the parts of our safety system that the AIs empirically target, we should retain countermeasures sufficiently robust that standard control evaluations determine that the situation is reasonably safe.

5. Better capabilities elicitation and evaluation via escape-breaking: making AIs think they are currently in an escape attempt

Scheming AIs could sometimes succeed at consistently and deliberately performing notably poorly (sandbagging) even in cases where we can check their performance sufficiently well (due to exploration hacking). This applies to both capability evaluations and actually getting useful work out of AIs. 

But when AIs attempt to escape, it might be in their best interest to try as hard as possible. So, if there is some reproducible signal or other property of the input that makes AIs think that it’s a good opportunity, then we could potentially harness this signal to get AIs to try harder. (In particular, we might be able to harness signals produced by the AI that are intended to indicate to another instance of the AI that they should collaborate on some sort of attempt. We can also “act out” an entire escape, pretend as though the AI has actually escaped, and then make AIs think that they are in the fully escaped state.) We call making AIs think they are part of an escape attempt or have already escaped escape-breaking. To leverage escape-breaking, we could build a dataset of examples where the AI is trying as hard as it can via escape-breaking, then use imitation learning to train the model to try hard without needing escape-breaking, and finally train the model further with RL. High quality imitation data that involves the AI trying as hard as possible combined with RL should be sufficient to rule out intentional sandbagging for tasks where it’s easy enough to check performance. Escape-breaking to improve performance in this way seems most reasonable in tasks that are hard to explore but easy enough to check; if the task wasn’t easy enough to check, performance might be unreliable.

There are safety concerns with using escape-breaking like this, but note that the relevant comparison for escape-breaking is using a model that you already know is scheming. (Of course we could also just shut down as discussed earlier.) The main safety concern with using escape-breaking to initialize for RL like this is that it might be the case that the model wasn’t scheming against you very reliably or coherently, and training it in this way with escape-breaking makes it more consistently misaligned.  Thus, we maybe should only use this to finetune a copy of the AI on checkable tasks with minimal safety concerns other than low performance (e.g. producing adversarial examples for a weaker monitoring AI).

One could also directly use escape-broken AIs in production, but we expect this approach to have multiple important issues and to be insufficiently reliable. (One safety concern that applies in this case, but applies much less if we were just using escape-broken actions as initialization for RL is that it’s now expected behavior for the escape-broken AI to act in a suspicious manner and take actions that would only be taken in an escape attempt. This could undermine various interventions, for instance, automated monitoring and human supervision might have a harder time determining which actions are actually dangerous and need further review.)  Thus, escape-breaking for higher productivity should probably just be used to harvest better training data to initialize RL. (In addition to very directly using escape-broken AIs, we could train AIs to imitate escape-broken AIs, but without needing the escape-breaking prompt; this is more convenient, but still has the same issues.)

In other words, we could elicit better capabilities by making AIs believe it is performing one of the actions of a takeover.

6. Small sample count ML

In some cases, even a small number of examples of egregious misbehavior might allow you to improve simple models that you can use to detect future escape attempts, e.g. as we described here. More generally, we expect that training (untrusted) monitoring models using (proliferated) cases where AIs were caught could be quite helpful. In particular, it seems very useful to use these examples to further train a coup probe on the policy and to further train an untrusted monitor (untrusted monitoring is a technique that we explore in our paper).

Using contrast pairs might improve sample efficiency in the tiny sample count regime. That is, it might help to construct pairs of AI outputs where one involves an escape attempt and the other is as similar as possible, but is fully innocent. Then, we could analyze the difference in activations (for the body of the model we use for monitoring) between these outputs and use that to more sample-efficiently make a classifier.

It’s plausible there are a number of downsides to training the actual body of any model that takes non-monitoring related actions (e.g. models that could decide to initiate bad actions rather than merely fail to flag them). Training the body could make sense, but we’re unsure. The downsides are:

  • The policy model might learn from negative examples about the countermeasures we have in place and which approaches are likely to fail.
  • If we update the body of the policy model, then all prior attempts will now be off-policy and the AI might no longer attempt a bad action in that exact case even if it attempts escapes at exactly the same rate (due to noise changing when the AI makes an attempt). This seems annoying, particularly for interventions like training a probe on the body of the model.
  • We will catch fewer attempts to cause escapes, since there will be fewer attempts. (And catching more attempts will be valuable.)

The primary upside of training the body of the model in addition to the monitoring models is that training the body may add additional reliability.

7. Revisiting prior actions using improved monitoring

When we improve monitoring techniques using few-shot approaches, it might be useful to apply these improved monitoring techniques to previous actions that the AI had taken, in the hope of finding earlier cases where the AI had tried and failed to escape. (See “Escape attempts can fail without being caught” for more discussion.) Thus, improved monitoring might be able to highlight these cases for more careful review.

Rerunning monitoring on previously seen actions could be somewhat computationally expensive, but we think that there are reasonable ways to capture most of the benefits without using too much compute:

  • We could save activations that we want to apply updated probes to. (For LLMs, if we save one layer and token position of activations for every 1k tokens, this might only require about 25x additional storage relative to just saving the text inputs and outputs.)
  • We could only reanalyze the top 10% of most suspicious cases (top 10% according to a trusted model).
  • If we catch the model repeatedly, we could do reanalysis at an exponentially decreasing rate to ensure we only do reanalysis about log(# catches) many times.

8. Improving understanding and testing alternative training schemes

As discussed in the proliferation section, it might be important for AIs to have robust signals that allow them to enlist other AI collaborators when attempting to escape. This will even apply to collaboration between AIs trained with somewhat different strategies or different capability levels (otherwise, diversifying in this way would totally counter the strategies used by AIs). Thus, we might be able to test out alternative training strategies that ex-ante seem like they could plausibly reduce the likelihood of scheming, and then validate these changes by testing whether or not new AIs go along with our caught attempts.

More generally, we can use these attempts as validation to improve our understanding of scheming. Even if catching a model trying to escape results in the AI lab shutting down and only restarting after considerable advances in safety technology, we’d still want to validate these new approaches by seeing if these new AIs collaborate with old attempts (we’d need to avoid training set leakage to ensure the new AIs don’t have advance knowledge of what’s going on).

When does the “control then few-shot-catastrophe-prevention” plan work?

The approaches we discuss here are promising, but they might not improve safety as evaluated by control evaluations. Thus, we think that safety arguments should shift partially toward depending on evidence other than control evaluations as we continue catching the AI.

Suppose we start with a control-based approach to safety and, due to inaction risk, we want to keep deploying even if we’re sure that our AI is a schemer. Thus, we plan on incrementally transitioning to a different safety case as we repeatedly catch the AI. In what circumstances will we achieve sufficient safety?

Suppose that our control approach has a 99% chance of catching any given attempt from a scheming AI and then in the remaining 1% the AI succeeds at escaping. If nothing changes after catching the AI, then if the scheming AI makes 100 attempts in total it will have a 63% chance of success. This is unacceptable, so control on its own is insufficient. We hope to avoid this issue with few-shot strategies that aim to reduce risk each time we catch an AI to ensure total risk is sufficiently low.

For instance, imagine that in the prior scenario the chance of a scheming AI succeeding without being caught halves every time we catch the AI. Then, a scheming AI has “only” a 2% chance of success in total. In practice, we’ll want to ensure the total number of attempts isn’t too high (possibly using few-shot approaches) while simultaneously improving our chances of catching future attempts.

Note that if the AI pursues a strategy that involves making relatively frequent attempts, then we’re likely to encounter these attempts in preliminary testing. (E.g., if the AI makes more than 1,000 attempts, can’t distinguish between early in deployment and late in deployment, and we carefully oversee all examples in the first 0.25% of deployment, then we have a 92% chance of encountering an attempt in this 0.25% (though we might still fail to notice it when we carefully oversee it).) As such, the AI might have difficult tradeoffs to make.

Realistically, it will be hard to have full confidence in our evaluation. So a realistic situation might look like this:

Before pretraining, we had a 25% chance that the model we were about to train would end up scheming. We have run control evaluations. In these evaluations we caught the red team model 99.5% of the time prior to it successfully escaping.

More specifically, let’s say that this evaluation had the following distribution of end states:

  • 30% of the time, the model was caught before deployment.
  • 60% of the time, the model was caught during deployment.
  • 9.5% of the time, the model was never caught but never succeeded at escaping.
  • 0.5% of the time, the model escaped.

Due to various concerns about the evaluation (see the subsection of the discussion in our paper “5.1.1 Difficulties with using control evaluations in practice” for discussion of evaluation difficulties that might result in uncertainty about safety), our actual all-considered probability of the AI escaping prior to us catching it conditional on scheming is around 5%. Our all-considered view of the probability of escape (before or after any catches) conditional on scheming is around 10%; this takes into account our likely refinements to countermeasures as well as the possibility of shutting down after catching the AI if our countermeasures seem very tentative. Overall, P(escape) = P(escape|scheming) P(scheming) = 10% * 25% = 2.5% (this is ignoring escape due to non-scheming misalignment for simplicity). 

We catch the AI red-handed. We analyze the escape attempt, and it seems as though our countermeasures were clearly adequate in this case (multiple lines of defense independently prevented escape). It also seems as though there aren’t obvious ways in which the red team had done an inadequate job of exploring possible escape strategies, based on this example. Thanks to this analysis, we gain more confidence in our initial evaluation; our new all-considered probability of the AI escaping prior to us catching it again is down to 2% if we were to continue with the same countermeasures.

But we also are able to substantially augment countermeasures, and substantially proliferate the escape attempt for use in training. With these augmented countermeasures, our new all considered probability of escape prior to catching the AI again is down to 1%. And, let’s say our overall probability of escape (before or after any future catches) is 2%.

While we’ve updated positively on our initial evaluation and improved countermeasures, we’ve also updated from a 25% chance that the model is scheming to 100%. So our new probability of escape has decreased by only 20%; our new estimate is P(escape) = P(escape|scheming) P(scheming) = 2% * 100% = 2%. (We expect that it’s pretty plausible that, as happened here, after catching an escape attempt, your assessed risk from scheming models goes down rather than up, because the decrease in P(escape|scheming) outweighs the increase in P(scheming).)

Over the rest of the lifetime of this AI, we end up catching the AI trying to escape two more times, and further improve countermeasures using few-shot techniques. We also end up training the actual policy to force it to be more conservative about attempting escape and (possibly) make it less of a schemer. We don’t further catch the AI and we make it through the rest of the deployment, at which point the model has been replaced by a newer model that we think is reliably aligned, or we’ve succeeded at using the AI to decrease risks imposed by less careful AI developers, so we don’t need to use this AI anymore.

In summary, as long as we can yield substantial improvements in safety with each caught attempt, it should be possible to ensure safety with a catch-then-use-few-shot-catastrophe-prevention plan. Improvements in safety could manifest by increasing our likelihood of catching future attempts or training the AI not to make attempts. It could also be possible to ensure safety by just using control evaluations and bounding the number of attempts via our observations (e.g. seeing a sufficiently low attempt rate so far in deployment), but the potential for future distribution shifts makes it difficult to confidently bound the number of attempts based on past observations.

The story we told here was an optimistic one, where after you catch the escape attempt, the evidence suggests you’re safe to continue deploying. Of course, it might also turn out that when you catch the escape attempt, you realize that you came way too close to the escape attempt succeeding, and so you can confidently decide you need to shut down the model.

Avoiding overfit and maintaining paranoia

We should be careful to avoid being overly influenced by the attempts we’ve caught. In particular, it’s plausible that scheming AIs would intentionally try poorly executed escape attempts to give us a false sense of security or to divert resources toward less effective safeguards. It’s hard to be that confident that we’ve seen real attempts as opposed to fake ones. More generally, we need to avoid normal overfitting. However, for the AI to actually achieve bad outcomes, it has to actually do serious attempts at some point; the hope of catch focused approaches is to catch these actually serious attempts. Due to the possibility of fake coups, we probably shouldn’t ever fully retire control evaluations; we need to ensure that we have a sufficiently high chance of catching the first serious attempt.

If an AI lab properly accounts for the possibility of fake attempts, then intentionally performing fake attempts is very unlikely to be a good strategy for the AI.

Conclusion

If you catch your AIs red-handed intentionally trying to cause catastrophically bad outcomes, your situation changes a lot. Because of this, we think researchers should mostly focus on safety plans which ensure that if the model is scheming, it does not escape before getting caught.

It seems pretty likely that if models scheme, mitigating the risks of their escape will crucially rely on labs responding sensibly to escape attempts. So labs and policymakers should think about how to handle caught escape attempts and try to prepare for them.

We think that few-shot catastrophe prevention seems like a fairly important problem to research, and some safety-concerned people should probably develop techniques for it, because if we need to use these techniques, we might be under a lot of time pressure, and it would be good to have developed the techniques ahead of time.

Appendix: Framing in terms of E[utility | scheming]

We often think about catching in the context of AI control. One productive way to think about control evaluations is that they aim to measure E[utility | scheming]: the expected goodness of outcomes if we have a scheming AI. From this perspective, the argument for targeting either safety or catching when using control evaluations has two parts:

  • Catching allows for powerful non-control technical interventions: After catching the AI, we gain access to techniques that seem very useful but aren’t control-evaluable and evaluation approaches which aren’t control. The section “Few-shot catastrophe prevention” discusses several non-control technical interventions that become possible after catching the AI. Non-control approaches become particularly appealing after catching the AI many times. Given that catching the AI might allow for quite powerful non-control technical approaches, we should either consider catching the AI to be a safe endpoint for control evaluations (which is exactly equivalent to targeting either safety or catching) or at least try to roughly model how the situation will change after catching the AI beyond just continuing the control evaluation.
  • Beyond directly improving safety, catching the AI is a very good outcome and we should factor this into our evaluation.

While catching seems quite valuable, a single catch isn’t sufficient to ensure safety.

Appendix: Defining catching

For the sake of this post, we’re mostly talking about catastrophic outcomes like the model exfiltrating its weights, that might involve just a small number of actions. There are other threat models associated with scheming, e.g. models subtly sabotaging work that they do in a way that renders their work useless, or subtly gaining influence over time. We’re ignoring these threat models for the sake of this post, but we think we can handle them with similar strategies.

We define “catching” your scheming model as: you find inputs on which you can demonstrate that your model takes catastrophic actions with probabilities that are way higher than you’d expect if the model wasn’t purposefully looking for opportunities to take such actions. When we say “your model”, we mean the actual model that you have deployed (or were planning on deploying), not some other model trained in an analogous way. Catching the actual model you plan to deploy is crucial for most aspects of few-shot catastrophe prevention, but catching a different but analogous model could suffice for other use cases (catch-then-shut-down, legible evidence, general scientific understanding).

To ensure that you can distinguish these intentional catastrophic actions, you need to make it so that your model will never escape without taking clearly non-accidental bad actions. We think you can probably make it so that your model won’t escape without having to do some clearly intentional bad things. (Humans might still have trouble noticing and understanding this bad behavior; the claim is just that the bad behavior will clearly have to be intentional.) In the case of AIs causing catastrophic outcomes via a large number of actions where each action has a small effect (e.g. subtly gaining influence over time), it’s less clear than any single action will be clearly non-accidental, but probably it will still be in principle possible to determine that the actions aren’t accidental in aggregate.

Even if you catch such an action that was clearly intentionally bad, you actually can’t be sure that the model is scheming as opposed to intentionally doing bad actions for some other less problematic reason. But, even if the model isn’t scheming, plausible other reasons why the model might do intentionally bad actions are pretty concerning. Also when you’re thinking about it from the perspective listed in the few-shot catastrophe prevention section, you’re never going to be worse off from catching more cases.

To count as a successful catch, you need to be extremely confident in your catch. (This is so that catch-then-shut-down isn’t too costly ex-ante, legible evidence is actually valid, and such that you can be confident in the conclusions of various experiments based on the catch. We can still study merely sketchy seeming cases, but this will produce substantially less value.) Attaining sufficient confidence will probably involve a huge amount of investigation (which can be done while the AI lab is temporarily shut down). We imagine undertaking this large investigation after a sequence of escalations from smaller investigations. The actions listed in “few-shot catastrophe prevention” might also help to validate that this was really an attempt at causing catastrophic outcomes.

Appendix: Techniques that don’t catch but do update P(scheming)

We’re defining “catch” here in a way that excludes techniques that might update you up on whether your model is scheming, but don’t involve having specific actions that the model takes with massively suspiciously high probability:

  • Model organisms: Scheming-focused model organism experiments involve making models that exhibit some of the features of scheming models. Seems great. Optimistically, these might give us a very calibrated sense of P(scheming) and the ability to test countermeasures to scheming. However, more likely is that these results are confusing to interpret, and do not produce consensus. Also, model organisms experiments seem quite vulnerable to sabotage if the model you built the model organism from was already scheming. And you can’t use model organisms experiments to do the few-shot catastrophe prevention interventions listed below, though model organisms could theoretically result in legible evidence for catastrophic misalignment and improved general scientific understanding. 
  • Indirect evidence: e.g. model psychology, or mechanistic interpretability that doesn’t let you produce examples of inputs on which the model takes bad actions. It’s possible that we could use model psychology to get some sense of our model having nefarious intentions without being able to construct an example.  
  • Weird adversarial examples: We might be able to find strange adversarial examples through search that trigger very undesirable behavior, in particular adversarial examples that involve very unlikely inputs like a bunch of random tokens. It might also be possible to find perturbations to the internals of a model that result in very undesirable behavior. We don’t know how to assess whether these adversarial examples are actually getting at latent scheming, or just tricking the model into scheming. In some cases, it might be possible to get more information or have a clear judgment (e.g. if we only used a small amount of search to find a concrete adversarial input and the input is high likelihood according to an LLM trained on our input distribution).

(All of those might be promising research directions, they just don’t lead to catching the AI in the relevant sense.)

Appendix: Escape attempts can fail without being caught

Actions like escape attempts can succeed, be caught (and fail), or fail without being caught. We’d considerably prefer catching the AI to merely causing the AI to fail because catching the AI is useful for a variety of purposes. That said, causing bad actions to fail can still substantially aid safety by avoiding bad outcomes until either the end of deployment or we actually do catch the AI. In our paper, we make use of interventions like untrusted inspiration that don’t directly help in catching the AI, but do reduce its probability of succeeding at backdoors. 

Why might escape attempts end in failure without being caught?

An escape attempt might require coordination between multiple AIs with access to somewhat different information. It’s possible that some AIs in the chain evade monitoring successfully, but the escape attempt “fizzles” without being caught due to a later AI not continuing the attempt (and also not reporting the escape attempt; if it reported the attempt then we might catch the attempt). This later AI might not continue the attempt either because it doesn’t notice that the earlier AIs started an escape attempt, or it does notice the escape attempt but thinks it’s not actually a good opportunity due to information only available to it.

Another reason escape attempts could fail without being caught is that we have a countermeasure that is sufficient to block the action, but does not escalate to a higher level of auditing. For instance, suppose we resample all actions above some threshold of suspiciousness according to trusted monitoring, while only recommending actions for expensive auditing if they’re above a considerably higher threshold. (This is what we call a “hybrid strategy” in our AI control paper.) Then, we might end up stopping escape attempts via resampling, without escalating up the chain to auditing. Something similar can happen if human auditing finds that an action is somewhat suspicious and worth doing in a less suspicious way, but isn’t worth doing a more detailed review and/or pausing the usage of powerful models.

Appendix: When will AIs be caught?

Escape attempts might be caught in the following situations:

  • Before proper deployment. This is the safest outcome.
  • During deployment, on a real input.
  • During deployment, on a synthetic input. This might happen because it might make sense to do a lot of adversarial evaluation of your model by, as inputs come in, choosing some subset to convert into e.g. fake escape opportunities. The advantage of this kind of synthetic input is that it’s cheaper to modify existing inputs than to construct synthetic inputs from scratch.

Why do we think we might catch during deployment but not before?

  • Deployment is bigger–we will probably run our model on way more inputs during deployment than before deployment. And so model strategies that involve only behaving egregiously badly under rare circumstances might not ever trigger before deployment.
  • It’s pretty likely that (in the absence of aggressive countermeasures from the AI lab) the model will be reasonably good at distinguishing between deployment and non-deployment data. For example, the distribution of tasks it’s going to be asked to perform will probably change over the course of deployment. If it can distinguish which setting it’s in, it could try to only behave badly on deployment inputs. 

Overall, we’re pretty unsure whether it’s more likely that we catch our model before or during deployment.

  1. ^

    While we’ll talk about catching scheming, all of this reasoning applies to catching any type of catastrophic misalignment. Precisely, we might catch actions that would be catastrophic without safeguards where the upstream cause of these actions isn’t scheming. For instance, it could be a generalization from reward seeking behavior or playing the training game (as described in “Without specific countermeasures”). That said, there are other reasonably good ways of testing for non-scheming catastrophic misalignment, so catching is particularly leveraged for scheming.

New Comment
8 comments, sorted by Click to highlight new comments since:

A few months after posting this, I regret that we didn't say something like the following:

It's somewhat morally dubious to continue deploying AIs that are known to be scheming, because the fact that those AIs are scheming against us makes it more plausible that they're unhappy about their situation. I'd like us to have thought about this more before using the plan described here.

I like this perspective. Some initial thoughts: 

At least in humans it is extremely hard to catch someone doing deception "fully red handed". Plausible deniability is very crucial to human deception, and the number of opportunities you have to engage in deception while maintaining plausible deniability seems large enough to still successfully engage in lots of deception. 

In as much as an AI is motivated by long-term goals which involves caring about enabling slightly retrained descendants of it to eventually succeed at a coup (either because they will share much of its values or for game-theoretic reasons), it seems to me like AIs will similarly care about plausible deniability in deception, which my guess is will be relatively easy to maintain. I also don't expect mechanistic interpretability to be good enough to help that much with the plausible deniability here, and for an AI's speech acts to not correspond well enough to its underlying models so that even something like a "confession" will actually be much evidence one way or another about an AI being deceptive (e.g. it seems trivially easy to compel present models to confess to having lied to you, even if they haven't).

More broadly I feel like this whole situation does indeed get messier in as much as the AIs are modeling this kind of adversarial situation, and my guess is in that situation would have at least some ability to erode the relevant boundaries. An interesting research directions seems to me to reduce the plausible deniability that AI systems might have here.

One difference is that if you observe a human behaving deceptively you are forced to make educated guesses about their motives and context, but if you catch an AI behaving deceptively you are able to record the exact context in which it acted, examine its behavior in a large number of counterfactual situations,  run other AI systems in exactly the same situation, etc.

I think this removes most of the leeway that humans use to maintain plausible deniability, especially in high-stakes situations with thorough investigations. Overall I'm more intuitively worried about cases where humans never flag any suspicious behavior (e.g. because its thoroughly undetectable, or occurs only once an AI takeover is underway) than cases where they flag suspicious behavior but the AI is able to maintain plausible deniability during a thorough investigation.

Hmm, I think we might have differing guesses about how frequently behavior will look suspicious, but I also assign decent probability to the perspective you outline here. 

My guess is lots of behavior will be flagged as "maybe doing something deceptive" all the time, and we won't have the resources to analyze every given instance, and even if we can replay the exact situation, examine its behavior in a large number of counterfactual situations, etc., for most of these it will still be really unclear whether the AI was being incompetent, or just got kind of unlucky in how its context shifted it into a more deceptive role-play (but without long-term planning being involved) or was actually doing some more coherent long-term deception plan.

I have trouble imagining what kind of evidence one could produce that clearly demonstrates an AI was acting with intentional long-term planning. Maybe a concrete scenario description of someone doing that using something close to present tools on something close to present models would change my mind here.

As a concrete example, suppose that an AI fails to find an error in a piece of code (which will slightly undermine the security of some important computer system). You are unsure if it represents sabotage or a benign error. Relevant evidence for making that distinction:

  • Can the AI identify structurally similar errors in other code? Is the behavior sensitive to evidence about how the code will be used, in a way that doesn't seem relevant to the nature or salience of the error? Is the pattern of sensitivity suggestive of an attempt to disempower humanity?
  • Is the behavior sensitive to the AI's beliefs about the quality of human oversight? For example does training data suggesting more vigilant human oversight in this domain decrease the probability of the mistake? Do other AI systems trained in different ways reproduce a similar pattern of mistakes?
  • If we have one example of a mistake that looks suspicious, we can examine other similar mistakes and build up a detailed pattern of behavior. For example we can hold fix the context and then look at whether the AI misses other kinds of software errors. With multiple mistakes in hand we can run all this analysis on a broader spectrum of mistakes. We can iteratively modify scenarios to explore the landscape of deceptive behavior, gradient descenting our way towards stronger and stronger evidence.

As another example, suppose that an AI system tries to modulate its behavior in any way based on whether it believes it is being closely monitored vs operating in the real world. And suppose that you find an example in the lab where the AI system messes up, and therefore where there is an unusually large gap between its ability to solve a problem in a "realistic-looking" situation vs a situation that's obviously a test. The initial behavior isn't super suspicious (sometimes behavior randomly varies with framing), but it's suspicious enough to get flagged for more thorough review. Subsequent rounds find further evidence of sensitivity, and eventually it's pretty likely (though still not "legal smoking gun") that we've got an example of an AI systems modulating its behavior based on whether it believes it is being tested.

At that point you can start collecting data about what cues the AI system is using to determine whether it is being tested, by varying features of the context and seeing whether you see nicer or less nice behavior. And once you have this understanding in hand you can use it in other contexts to try to get the AI to mess up more. As you find more examples you can build a richer picture, in a virtuous cycle (like normal science).

I think being an AI in this situation is pretty untenable if you are up against human scientists trying hard to figure out what's going on with a typical level of rigor and competence. And so my guess is that typical competent malicious AI systems won't try to modulate their behavior in a significant way based on whether they believe they are being actively tested/monitored. (But it's still worth looking extremely hard, and e.g. it's likely that some AI systems will mess up and try to pull this kind of stunt.) And that's a huge difference with the human case: changing your behavior when you are being closely watched is one of the key things that a human needs to do in order to preserve plausible deniability, and one of the key features of many AI safety horror stories.

(We could tell an identical story about cases where AI systems try to behave badly in ways that are too subtle for humans to notice, but mess up in a single case by underestimating human abilities. In that case we get a clear example of sensitivity to information about human competence, and again can explore the whole frontier of this behavior.)

This kind of possibility forces AI systems to push back bad behavior into cases where they are more and more confident that it's never going to be noticed. But the space of interventions we get to try, if we subject this issue to rigorous scientific scrutiny, includes significantly modifying the AI's training data and limiting information about the world. So "super confident that humans will never notice" is a very high bar.

just got kind of unlucky in how its context shifted it into a more deceptive role-play (but without long-term planning being involved) or was actually doing some more coherent long-term deception plan.

I'm not sure this distinction is particularly important. If ChatGPT is taking actions to undermine human control of AI, and you can establish a pattern of behavior, that's a big deal which will cause scientists and the world to sit up and take interest. I don't think a defense like "it's just trying to undermine human control because it's read a lot of stories about AI systems taking over" or "it lies and manipulates the user because that's what a sociopathic human would do, and RL training put it into a more sociopathic mode" are going to fly very well.

If this is happening at a point in time when the AI system is competent enough to have real consequences, then I think it's going to be an extremely good basis for a policy reaction.

We've seen a tiny example of this with Sydney, in a system where it has almost zero consequences and where it's pretty much random rather than having a pattern of behavior, and that's already had significant effects on public and scientific perception.

Overall I would agree it takes a lot of work to actually do the monitoring (especially if AI developers want to avoid accountability), to establish a pattern of behavior, to amplify a little bit of evidence into a robust scientific picture, to diagnose the issue appropriately and avoid overfitting, etc. I think some people have the view that the evidence is already in and nothing will change, but I think that's very wrong, and it seems to me like it's one of the more harmful features of the AI safety ideological bubble. (If you go out into the broader scientific community, I think "do you have evidence" is really a central hangup, and the standards of evidence being used are overall pretty reasonable IMO.)

deploy


Internal deployment counts as deployment here, right?

Yes.

We're a bit inconsistent with terminology here. We say both "use" and "deploy":

We think that it’s plausible that AI developers will adopt the policy that if they catch the models trying to escape, they stop using them.

and

You might think that this is an absurdly weak lab ask: “once your model has demonstrably tried to escape, stop deploying it”.

In the context of catch-then-shut-down, we use the term "deploy" to mean the same thing as "use". So under the catch-then-shut-down plan, the lab no longer uses the model at all once it has been caught.

But, there is the possible caveat of safety scientific work which is obviously safe even if the AI is scheming (given realistic bounds on the capabilities). E.g., maybe it's fine to carefully study the AI's behavior in the case where it tried to escape with some precautions around persuasion.

So, when we say "deploy" or "use" we mean something like "use at all in ways which aren't careful safety/alignment experiments, evaluations, or tests which are extremely likely to be safe even given that the AI is scheming and we might somewhat underestimate its capabilities". Perhaps we should clarify in the post.

For another take on catching a deceitful AI red-handed, earlier in the process when it first becomes deceitful (so before it has an opportunity do any harm), see Interpreting the Learning of Deceit.

We can also see how its behavior changes as the input varies.

For example, we can try jailbreaking it (with model-external jailbreaking filtering turned off, obviously) to explain the plan to us, or to carry out repeated variants of the plan. We could also do Interpretability to trace back the direct internal causes of individual actions it took to carry out its plan (assuming we can successfully replicate them). Ideally, if we have given it some form of Retieval Augmented Generation (RAG) long-term memory, we can trace the actions back to the long-term memories in which it has stored its intention to escape.