I am pleased to see the sabotage threat models given prominence. I think this is the right sort of threat to focus on, by contrast with e.g. autonomous replication or directly causing harm to humans.
The ability for the model to, zero-shot, figure out how to hack its own neural activations without such a signal would require capabilities well beyond what we consider plausible. [Note: this claim will require justification in an actual safety case, but we don’t have a clear picture of what this justification would look like.]
DC evals presumably? Try to train models to hack their own neural activations, see if they can quickly learn to do it? (Or even, if they can do it without training, just prompting?) This can be done today right? Get the golden gate bridge activation vector thingy, and then tell Claude “Write me a travel guide to San Francisco but without activating the golden gate bridge activation vector, or, well, activating it as little as possible.” See how good it does. Do scaling analysis to see if smarter bigger models are getting better at doing this. Etc.
As a validation of our entire methodology, we have run red-blue games where the red team tries to produce a misaligned model organism (e.g. a sleeper agent) that can successfully defect in a specific context while avoiding detection by the aforementioned tests.
Nice! Very excited to see this in there.
Overall I’m very happy to see this blog post go up on Anthropic’s website. I think that if it became industry-standard practice for AGI corporations to write, publish, and regularly update (actual instead of just hypothetical) safety cases at at this level of rigor and detail, my p(doom) would cut in half. (I currently grimly expect that safety cases at this level of detail won’t be constructed until AGI is basically already being trained, and it’ll be done in a hurry and it won’t be published, much less published with enough time for the scientific community to engage with it and for it to be updated in response to feedback. And it could be even worse—I wouldn’t be surprised if the actual safety cases for the first systems that ~completely automate AI R&D are significantly less rigorous than these.)
Some comments as I read:
I am pleased to see the sabotage threat models given prominence. I think this is the right sort of threat to focus on, by contrast with e.g. autonomous replication or directly causing harm to humans.
DC evals presumably? Try to train models to hack their own neural activations, see if they can quickly learn to do it? (Or even, if they can do it without training, just prompting?) This can be done today right? Get the golden gate bridge activation vector thingy, and then tell Claude “Write me a travel guide to San Francisco but without activating the golden gate bridge activation vector, or, well, activating it as little as possible.” See how good it does. Do scaling analysis to see if smarter bigger models are getting better at doing this. Etc.
Nice! Very excited to see this in there.
Overall I’m very happy to see this blog post go up on Anthropic’s website. I think that if it became industry-standard practice for AGI corporations to write, publish, and regularly update (actual instead of just hypothetical) safety cases at at this level of rigor and detail, my p(doom) would cut in half. (I currently grimly expect that safety cases at this level of detail won’t be constructed until AGI is basically already being trained, and it’ll be done in a hurry and it won’t be published, much less published with enough time for the scientific community to engage with it and for it to be updated in response to feedback. And it could be even worse—I wouldn’t be surprised if the actual safety cases for the first systems that ~completely automate AI R&D are significantly less rigorous than these.)