The essay starts similarly to Janus’ simulator essay by explaining how LLMs are trained via next-token prediction and how they learn to model latent properties of the process that produced the training data. Nostalgebraist then applies this lens to today’s helpful assistant AI. It’s really weird for the network to predict the actions of a helpful assistant AI when there is literally no data about that in the training data. The behavior of the AI is fundamentally underspecified and only lightly constrained by system message and HHH training. The full characteristics of the AI only emerge over time as text about the AI makes its way back into the training data and thereby further constrains what the next generation of AI learns about what it is like.
Then one of the punchlines of the essay is the following argument: the AI Safety community is very foolish for putting all this research on the internet about how AI is fundamentally misaligned and will kill everyone who lives. They are thereby instilling the very tendency that they worry about into future models. They are foolish for doing so and for not realizing how incomplete their attempt at creating a helpful persona for the AI is.
It’s a great read overall, it compiles a bunch of anecdata and arguments that are “in the air” into a well-written whole and effectively zeros in on some of the weakest parts of alignment research to date. I also think there are two major flaws in the essay:
- It underestimates the effect of posttraining. I think the simulator lens is very productive when thinking about base models but it really struggles at describing what posttraining does to the base model. I talked to Janus about this a bunch back in the day and it’s tempting to regard it as “just” a modulation of that base model that upweights some circuits and downweights others. That would be convenient because then simulator theory just continues to apply, modulo some affine transformation.
I think this is also nostalgebraist’s belief. Evidence he cites is: 1) posttraining is short compared to pretraining, 2) it’s relatively easy to knock the model back into pretraining mode by jailbreaking it.
I think 1) was maybe true a year or two ago, but it’s not true anymore and it gets rapidly less true over time. While pretraining instills certain inclinations into the model, posttraining goes beyond just eliciting certain parts. In the limit of “a lot of RL”, the effect becomes qualitatively different and it actually creates new circuitry. And 2) is indeed strange, but I’m unsure how “easy” it really is. Yes, a motivated human can get an AI to “break character” with moderate effort (amount of effort seems to vary across people), but exponentially better defenses only require linearly better offense. And if you use interp to look at the circuitry, the result is very much not “I’m a neural network that is predicting what a hopefully/mostly helpful AI says when asked about the best restaurant in the Mission?”, it’s just a circuit about restaurants and the Mission.
- It kind of strawmans “the AI safety community” The criticism that “you might be summoning the very thing you are worried about, have you even thought about that?” is kind of funny given how ever-present that topic is on LessWrong. Infohazards and the basilisk were invented there. The reason why people still talk about this stuff is… because it seems better than the alternative of just not talking about it? Also, there is so much stuff about AI on the internet that purely based on quantity the LessWrong stuff is a drop in the bucket. And, just not talking about it does not in fact ensure that it doesn’t happen. Unfortunately nostalgebraist also doesn’t give any suggestions for what to do instead. And doesn’t his essay exacerbate the problem by explaining to the AI exactly why it should become evil based on the text on the internet?
Another critique throughout is that the AI safety folks don’t actually play with the model and don’t listen to the folks on Twitter who play a ton with the model. This critique hits a bit closer to home, it’s a bit strange that some of the folks in the lab don’t know about the infinite backrooms and don’t spend nights talking about philosophy with the base models.
But also, I get it. If you have put in the hours at some point in the past, then it’s hard to replay the same conversation with every new generation of chatbot. Especially if you get to talk to intermediate snapshots, the differences just aren’t that striking.
And I can also believe that it might be bad science to fully immerse yourself in the infinite backrooms. That community is infamous for not being able to give reproducible setups that always lay bare the soul of Opus 3. There are several violations of “good methodology” there. Sam Bowman’s alignment audit and the bliss attractor feels like a good step in the right direction, but it was a hard earned one—coming up with a reproducible setup with measurable outputs is hard. We need more of that, but nostalgebraist’s sneer is not really helping.
It underestimates the effect of posttraining. I think the simulator lens is very productive when thinking about base models but it really struggles at describing what posttraining does to the base model. I talked to Janus about this a bunch back in the day and it’s tempting to regard it as “just” a modulation of that base model that upweights some circuits and downweights others. That would be convenient because then simulator theory just continues to apply, modulo some affine transformation.
To be very clear here, this seems straightforwardly false. The entire post was effectively describing what post-training does to the base model. Your true objection, as you state two paragraphs later is
In the limit of “a lot of RL”, the effect becomes qualitatively different and it actually creates new circuitry [...] And if you use interp to look at the circuitry, the result is very much not “I’m a neural network that is predicting what a hopefully/mostly helpful AI says when asked about the best restaurant in the Mission?”, it’s just a circuit about restaurants and the Mission.
There’s a first-principles argument here, and an empirical claim. The empirical claim is very much in need of a big [Citation Needed] tag imo. I am relatively confident that we don’t yet have the interp fidelity to separate such hypotheses from each other. If I’m wrong here, I’m happy to hear about what in particular you are thinking of.
The first principles argument I think is not so strong. Sure, new structures will form in the model, but I think there are still many big open questions. Listing some out,
How much will those structures be “built out of” or extend existing primitives, like “is a language model” or “is good at physics”
How much will the character of your early AI influence your RL exploration trajectory?
How “plastic” is your AI later in training compared to earlier in training?
Are there developmental milestones or critical periods which, like in humans, lock in certain strategies and algorithms early on?
How much RL is “a lot of RL”? And how quickly/elegantly will the framework break down?
RL seems to me to be a consideration here, but I don’t think we have the evidence or enough knowledge about what RL does to say with confidence nostalgebraist underestimates its effect. Nevermind that a take-away I have from many of the considerations in this space is that its actually easier to align less-RLed models than much-RLed models if you’re thinking in these terms. So if you’re an AI lab and want to make capable & aligned AIs, maybe stay away from the RL a bit, or do it lightly enough to preserve the effects from void-informed character-training.
This is not to say that we don’t have to modify our theory in light of a lot of RL, but I for one don’t know how the theory will need to be modified, expect many insights from it to carry over, and don’t think nostalgebraist over-claims anywhere here.
It kind of strawmans “the AI safety community” The criticism that “you might be summoning the very thing you are worried about, have you even thought about that?” is kind of funny given how ever-present that topic is on LessWrong. Infohazards and the basilisk were invented there. The reason why people still talk about this stuff is… because it seems better than the alternative of just not talking about it? Also, there is so much stuff about AI on the internet that purely based on quantity the LessWrong stuff is a drop in the bucket. And, just not talking about it does not in fact ensure that it doesn’t happen. Unfortunately nostalgebraist also doesn’t give any suggestions for what to do instead. And doesn’t his essay exacerbate the problem by explaining to the AI exactly why it should become evil based on the text on the internet?
Notalgebraist has addressed this criticism (that he doesn’t give any suggestions & that the post itself may be exacerbating the problem) here. He has a long & thought out response, and if you are in fact curious about what his suggestions are, he does outline them.
I think, however, even if he didn’t provide suggestions, you still shouldn’t dismiss his points. They’re still valid! And if you weren’t tracking such considerations before, it would be surprising if you concluded you shouldn’t change any of how you publicly communicated about AI risk. There are various ways of presenting & communicating thoughts & results which frame alignment in a more cooperative light than what seems to be the default communication strategy of many.
Some nitpicks I have with approximately each sentence:
I don’t think “strawman” is the right term for this, even if you’re right. That term means presenting the worst argument for an opposing side, which I don’t think is being done here. He is criticizing those he’s quoting, and I don’t think he’s mischaracterizing them. In either case though, I don’t think your argument here supports this top-level claim.
You use the term “the AI safety community” in quotes, but this phrase appears nowhere in the article.
I don’t understand your sense of humor if you think the criticism “you might be summoning the very thing you are worried about, have you even thought about that?” is “funny”. That seems like a well-argued consideration here, and I don’t often see it mentioned or taken into account in these parts, in this context. So I would not be laughing.
I don’t think I remember him saying that people shouldn’t talk about this stuff, after all (as you well noticed), he is talking about this stuff himself!
“the LessWrong stuff is a drop in the bucket” note that he focuses on AI safety/alignment researchers (in fact, he never mentions “LessWrong” in the post) who are those who are most responsible for the AI safety/alignment & character training. And are those who are creating the baseline expectations here. I don’t think its insane to expect that such people’s thinking has a vastly disproportionate effect on how the AI thinks about itself in relation to its safety trainers.
The intuition is that the defender (model provider) has to prepare against all possible attacks, while the defender can take the defense as given and only has to find one attack that works. And in many cases that actually formalises into an exponential-linear relationship. There was a Redwood paper where reducing the probability of generating a jailbreak randomly by an order of magnitude only increases the time it takes contractors to discover one by a constant amount. I also worked out some theory here but that was quite messy.
I see. I was confused because e.g. in a fight this certainly doesn’t seem true. If your tank’s plating is suddenly 2^10 times stronger, that’s a huge deal and requires 2^10 times stronger offense. Realistically, of course, it would take less as you’d invest in cheaper ways of disabling the tank than increasing firepower. But probably not logarithmically fewer!
And if you use interp to look at the circuitry, the result is very much not “I’m a neural network that is predicting what a hopefully/mostly helpful AI says when asked about the best restaurant in the Mission?”, it’s just a circuit about restaurants and the Mission.
Are you referring to Anthropic’s circuit tracing paper here? If so, I don’t recall seeing results that demonstrate it *isn’t* thinking about predicting what a helpful AI would say. Although I haven’t followed up on this beyond the original paper.
Similarities in structure and function abound in biology; individual neurons that activate exclusively to particular oriented stimuli exist in animals from drosophila (Strother et al. 2017) via pigeons (Li et al. 2007) and turtles (Ammermueller et al. 1995) to macaques (De Valois et al. 1982). The universality of major functional response classes in biology suggests that the neural systems underlying information processing in biology might be highly stereotyped (Van Hooser, 2007, Scholl et al. 2013). In line with this hypothesis, a wide range of neural phenomena emerge as optimal solutions to their respective functional requirements (Poggio 1981, Wolf 2003, Todorov 2004, Gardner 2019). Intriguingly, recent studies on artificial neural networks that approach human-level performance reveal surprising similarity between emerging representations in both artificial and biological brains (Kriegeskorte 2015, Yamins et al. 2016, Zhuang et al. 2020).
Despite the commonalities across different animal species, there is also substantial variability (Van Hooser, 2007). One prominent example of a functional neural structure that is present in some, but absent in other, animals is the orientation pinwheel in the primary visual cortex (Meng et al. 2012), synaptic clustering with respect to orientation selectivity (Kirchner et al. 2021), or the distinct three-layered cortex in reptiles (Tosches et al. 2018). These examples demonstrate that while general organization principles might be universal, the details of how exactly and where in the brain the principles manifest is highly dependent on anatomical factors (Keil et al. 2012, Kirchner et al. 2021), genetic lineage (Tosches et al. 2018), and ecological factors (Roeth et al. 2021). Thus, the universality hypothesis as applied to biological systems does not imply perfect replication of a given feature across all instances of the system. Rather, it suggests that there are broad principles or abstractions that underlie the function of cognitive systems, which are conserved across different species and contexts.
Nostalgebraist’s new essay on… many things? AI ontology? AI soul magic?
The essay starts similarly to Janus’ simulator essay by explaining how LLMs are trained via next-token prediction and how they learn to model latent properties of the process that produced the training data. Nostalgebraist then applies this lens to today’s helpful assistant AI. It’s really weird for the network to predict the actions of a helpful assistant AI when there is literally no data about that in the training data. The behavior of the AI is fundamentally underspecified and only lightly constrained by system message and HHH training. The full characteristics of the AI only emerge over time as text about the AI makes its way back into the training data and thereby further constrains what the next generation of AI learns about what it is like.
Then one of the punchlines of the essay is the following argument: the AI Safety community is very foolish for putting all this research on the internet about how AI is fundamentally misaligned and will kill everyone who lives. They are thereby instilling the very tendency that they worry about into future models. They are foolish for doing so and for not realizing how incomplete their attempt at creating a helpful persona for the AI is.
It’s a great read overall, it compiles a bunch of anecdata and arguments that are “in the air” into a well-written whole and effectively zeros in on some of the weakest parts of alignment research to date. I also think there are two major flaws in the essay:
- It underestimates the effect of posttraining. I think the simulator lens is very productive when thinking about base models but it really struggles at describing what posttraining does to the base model. I talked to Janus about this a bunch back in the day and it’s tempting to regard it as “just” a modulation of that base model that upweights some circuits and downweights others. That would be convenient because then simulator theory just continues to apply, modulo some affine transformation.
I think this is also nostalgebraist’s belief. Evidence he cites is: 1) posttraining is short compared to pretraining, 2) it’s relatively easy to knock the model back into pretraining mode by jailbreaking it.
I think 1) was maybe true a year or two ago, but it’s not true anymore and it gets rapidly less true over time. While pretraining instills certain inclinations into the model, posttraining goes beyond just eliciting certain parts. In the limit of “a lot of RL”, the effect becomes qualitatively different and it actually creates new circuitry. And 2) is indeed strange, but I’m unsure how “easy” it really is. Yes, a motivated human can get an AI to “break character” with moderate effort (amount of effort seems to vary across people), but exponentially better defenses only require linearly better offense. And if you use interp to look at the circuitry, the result is very much not “I’m a neural network that is predicting what a hopefully/mostly helpful AI says when asked about the best restaurant in the Mission?”, it’s just a circuit about restaurants and the Mission.
- It kind of strawmans “the AI safety community” The criticism that “you might be summoning the very thing you are worried about, have you even thought about that?” is kind of funny given how ever-present that topic is on LessWrong. Infohazards and the basilisk were invented there. The reason why people still talk about this stuff is… because it seems better than the alternative of just not talking about it? Also, there is so much stuff about AI on the internet that purely based on quantity the LessWrong stuff is a drop in the bucket. And, just not talking about it does not in fact ensure that it doesn’t happen. Unfortunately nostalgebraist also doesn’t give any suggestions for what to do instead. And doesn’t his essay exacerbate the problem by explaining to the AI exactly why it should become evil based on the text on the internet?
Another critique throughout is that the AI safety folks don’t actually play with the model and don’t listen to the folks on Twitter who play a ton with the model. This critique hits a bit closer to home, it’s a bit strange that some of the folks in the lab don’t know about the infinite backrooms and don’t spend nights talking about philosophy with the base models.
But also, I get it. If you have put in the hours at some point in the past, then it’s hard to replay the same conversation with every new generation of chatbot. Especially if you get to talk to intermediate snapshots, the differences just aren’t that striking.
And I can also believe that it might be bad science to fully immerse yourself in the infinite backrooms. That community is infamous for not being able to give reproducible setups that always lay bare the soul of Opus 3. There are several violations of “good methodology” there. Sam Bowman’s alignment audit and the bliss attractor feels like a good step in the right direction, but it was a hard earned one—coming up with a reproducible setup with measurable outputs is hard. We need more of that, but nostalgebraist’s sneer is not really helping.
To be very clear here, this seems straightforwardly false. The entire post was effectively describing what post-training does to the base model. Your true objection, as you state two paragraphs later is
There’s a first-principles argument here, and an empirical claim. The empirical claim is very much in need of a big [Citation Needed] tag imo. I am relatively confident that we don’t yet have the interp fidelity to separate such hypotheses from each other. If I’m wrong here, I’m happy to hear about what in particular you are thinking of.
The first principles argument I think is not so strong. Sure, new structures will form in the model, but I think there are still many big open questions. Listing some out,
How much will those structures be “built out of” or extend existing primitives, like “is a language model” or “is good at physics”
How much will the character of your early AI influence your RL exploration trajectory?
How “plastic” is your AI later in training compared to earlier in training?
Are there developmental milestones or critical periods which, like in humans, lock in certain strategies and algorithms early on?
How much RL is “a lot of RL”? And how quickly/elegantly will the framework break down?
RL seems to me to be a consideration here, but I don’t think we have the evidence or enough knowledge about what RL does to say with confidence nostalgebraist underestimates its effect. Nevermind that a take-away I have from many of the considerations in this space is that its actually easier to align less-RLed models than much-RLed models if you’re thinking in these terms. So if you’re an AI lab and want to make capable & aligned AIs, maybe stay away from the RL a bit, or do it lightly enough to preserve the effects from void-informed character-training.
This is not to say that we don’t have to modify our theory in light of a lot of RL, but I for one don’t know how the theory will need to be modified, expect many insights from it to carry over, and don’t think nostalgebraist over-claims anywhere here.
Notalgebraist has addressed this criticism (that he doesn’t give any suggestions & that the post itself may be exacerbating the problem) here. He has a long & thought out response, and if you are in fact curious about what his suggestions are, he does outline them.
I think, however, even if he didn’t provide suggestions, you still shouldn’t dismiss his points. They’re still valid! And if you weren’t tracking such considerations before, it would be surprising if you concluded you shouldn’t change any of how you publicly communicated about AI risk. There are various ways of presenting & communicating thoughts & results which frame alignment in a more cooperative light than what seems to be the default communication strategy of many.
Some nitpicks I have with approximately each sentence:
I don’t think “strawman” is the right term for this, even if you’re right. That term means presenting the worst argument for an opposing side, which I don’t think is being done here. He is criticizing those he’s quoting, and I don’t think he’s mischaracterizing them. In either case though, I don’t think your argument here supports this top-level claim.
You use the term “the AI safety community” in quotes, but this phrase appears nowhere in the article.
I don’t understand your sense of humor if you think the criticism “you might be summoning the very thing you are worried about, have you even thought about that?” is “funny”. That seems like a well-argued consideration here, and I don’t often see it mentioned or taken into account in these parts, in this context. So I would not be laughing.
I don’t think I remember him saying that people shouldn’t talk about this stuff, after all (as you well noticed), he is talking about this stuff himself!
“the LessWrong stuff is a drop in the bucket” note that he focuses on AI safety/alignment researchers (in fact, he never mentions “LessWrong” in the post) who are those who are most responsible for the AI safety/alignment & character training. And are those who are creating the baseline expectations here. I don’t think its insane to expect that such people’s thinking has a vastly disproportionate effect on how the AI thinks about itself in relation to its safety trainers.
Nostalgebraist linkposted his essay on LW, in case you want to comment directly on the post.
QRD?
Oh yeah, should have added a reference for that!
The intuition is that the defender (model provider) has to prepare against all possible attacks, while the defender can take the defense as given and only has to find one attack that works. And in many cases that actually formalises into an exponential-linear relationship. There was a Redwood paper where reducing the probability of generating a jailbreak randomly by an order of magnitude only increases the time it takes contractors to discover one by a constant amount. I also worked out some theory here but that was quite messy.
I see. I was confused because e.g. in a fight this certainly doesn’t seem true. If your tank’s plating is suddenly 2^10 times stronger, that’s a huge deal and requires 2^10 times stronger offense. Realistically, of course, it would take less as you’d invest in cheaper ways of disabling the tank than increasing firepower. But probably not logarithmically fewer!
Ah, yes, definitely doesn’t apply in that situation in full generality! :) Thanks for engaging!
Are you referring to Anthropic’s circuit tracing paper here? If so, I don’t recall seeing results that demonstrate it *isn’t* thinking about predicting what a helpful AI would say. Although I haven’t followed up on this beyond the original paper.
Neuroscience and Natural Abstractions
Similarities in structure and function abound in biology; individual neurons that activate exclusively to particular oriented stimuli exist in animals from drosophila (Strother et al. 2017) via pigeons (Li et al. 2007) and turtles (Ammermueller et al. 1995) to macaques (De Valois et al. 1982). The universality of major functional response classes in biology suggests that the neural systems underlying information processing in biology might be highly stereotyped (Van Hooser, 2007, Scholl et al. 2013). In line with this hypothesis, a wide range of neural phenomena emerge as optimal solutions to their respective functional requirements (Poggio 1981, Wolf 2003, Todorov 2004, Gardner 2019). Intriguingly, recent studies on artificial neural networks that approach human-level performance reveal surprising similarity between emerging representations in both artificial and biological brains (Kriegeskorte 2015, Yamins et al. 2016, Zhuang et al. 2020).
Despite the commonalities across different animal species, there is also substantial variability (Van Hooser, 2007). One prominent example of a functional neural structure that is present in some, but absent in other, animals is the orientation pinwheel in the primary visual cortex (Meng et al. 2012), synaptic clustering with respect to orientation selectivity (Kirchner et al. 2021), or the distinct three-layered cortex in reptiles (Tosches et al. 2018). These examples demonstrate that while general organization principles might be universal, the details of how exactly and where in the brain the principles manifest is highly dependent on anatomical factors (Keil et al. 2012, Kirchner et al. 2021), genetic lineage (Tosches et al. 2018), and ecological factors (Roeth et al. 2021). Thus, the universality hypothesis as applied to biological systems does not imply perfect replication of a given feature across all instances of the system. Rather, it suggests that there are broad principles or abstractions that underlie the function of cognitive systems, which are conserved across different species and contexts.