This is an important problem, thanks for working on it!
To check I’ve understood correctly, these results are unsurprising, right? You’re basically asking the model to do the task of “detect scary questions and perform worse on those”, which is well within what I predict frontier models can do.
The interesting question re sandbagging to me is whether models WILL sandbag, ie whether they can detect if they’re being evaluated or not (which you do not seem to test) and whether they will realise unprompted that they SHOULD sandbag to achieve their goals, which seem like the hard and interesting questions here.
Am I missing something here? And were there results that you found particularly surprising? Or was the goal to basically show to skeptics that the capabilities for sandbagging exist, even if the propensity may not yet exist
I agree that these results were somewhat expected, however I believe that the outcomes of these evaluations were uncertain: 1. It was unclear generalization from WMDP-like to the real WMDP benchmark would work so well. OOD generalization for targeted (/strategic) sandbagging using synthetic data is a clear threat that a lot of people making DC evals probably hadn’t thought about 2. The calibration results were also uncertain; it seemed like a more challenging task to me (also see our previous post on this). 3. Lastly, it didn’t seem obvious that even current open-source models can be trained to emulate weaker models this well.
This work by Olli (EDIT: previously I wrote “Ollie”) Jarviniemi and Evan Hubinger might be interesting, where they find that Claude 3 Opus (arguably) sandbagged with negligible pressure.
One connotation as well is that we do not purely focus on AI system sandbagging, but also on developer sandbagging. Meaning, can developers make their models underperform.
This is an amusing typo; to clear any potential confusion, I am a distinct person from “Ollie J”, who is an author of the current article.
(I don’t have much to say on the article, but it looks good! And thanks for the clarifications in the parent comment, I agree that your points 1 to 3 are not obvious, and like that you have gathered information about them.)
Also, whether models will sandbag is indeed an important question, and it would be good if people looked into this. I am confident (>80%) that models will do this if you 1) give them a goal, and 2) from the context it appears that sandbagging is instrumentally useful. Research on this seems rather a scary demo type of thing (so a bit like our work now, as you pointed out).
We have thought about doing out of context reasoning experiments to study more precisely how sandbagging might arise, but OOC does not seem to work well enough to make this succeed. Ideas are more than welcome here!
This is an important problem, thanks for working on it!
To check I’ve understood correctly, these results are unsurprising, right? You’re basically asking the model to do the task of “detect scary questions and perform worse on those”, which is well within what I predict frontier models can do.
The interesting question re sandbagging to me is whether models WILL sandbag, ie whether they can detect if they’re being evaluated or not (which you do not seem to test) and whether they will realise unprompted that they SHOULD sandbag to achieve their goals, which seem like the hard and interesting questions here.
Am I missing something here? And were there results that you found particularly surprising? Or was the goal to basically show to skeptics that the capabilities for sandbagging exist, even if the propensity may not yet exist
I agree that these results were somewhat expected, however I believe that the outcomes of these evaluations were uncertain:
1. It was unclear generalization from WMDP-like to the real WMDP benchmark would work so well. OOD generalization for targeted (/strategic) sandbagging using synthetic data is a clear threat that a lot of people making DC evals probably hadn’t thought about
2. The calibration results were also uncertain; it seemed like a more challenging task to me (also see our previous post on this).
3. Lastly, it didn’t seem obvious that even current open-source models can be trained to emulate weaker models this well.
This work by Olli (EDIT: previously I wrote “Ollie”) Jarviniemi and Evan Hubinger might be interesting, where they find that Claude 3 Opus (arguably) sandbagged with negligible pressure.
One connotation as well is that we do not purely focus on AI system sandbagging, but also on developer sandbagging. Meaning, can developers make their models underperform.
Thanks for the additional context, that seems reasonable
This is an amusing typo; to clear any potential confusion, I am a distinct person from “Ollie J”, who is an author of the current article.
(I don’t have much to say on the article, but it looks good! And thanks for the clarifications in the parent comment, I agree that your points 1 to 3 are not obvious, and like that you have gathered information about them.)
Oh, I am sorry, should have double-checked your name. My bad!
Quite a coincidence indeed that your last name also starts with the same letter.
Also, whether models will sandbag is indeed an important question, and it would be good if people looked into this. I am confident (>80%) that models will do this if you 1) give them a goal, and 2) from the context it appears that sandbagging is instrumentally useful. Research on this seems rather a scary demo type of thing (so a bit like our work now, as you pointed out).
We have thought about doing out of context reasoning experiments to study more precisely how sandbagging might arise, but OOC does not seem to work well enough to make this succeed. Ideas are more than welcome here!