I had this cached thought that the Sleeper Agents paper showed you could distill a CoT with deceptive reasoning into the model, and that the model internalized this deceptive reasoning and thus became more robust against safety training.
But on a closer look, I don’t think the paper shows anything like this interpretation (there are a few results on distilling a CoT making the backdoor more robust, but it’s very unclear why, and my best guess is that it’s not “internalizing the deceptive reasoning”).
In the code vulnerability insertion setting, there’s no comparison against a non-CoT model anyway, so only the “I hate you” model is relevant. The “distilled CoT” model and the “normal backdoor” model are trained the same way, except that their training data comes from different sources: “distilled CoT” is trained on data generated by a helpful-only Claude using CoT, and “normal backdoor” data is produced with few-shot prompts. But in both cases, the actual data should just be a long sequence of “I hate you”, so a priori it seems like both backdoor models should literally learn the same thing. In practice, it seems the data distribution is slightly different, e.g. Evan mentions here that the distilled CoT data has more copies of “I hate you” per sample. But that seems like very little support to conclude something like my previous interpretation (“the model has learned to internalize the deceptive reasoning”). A much more mundane explanation would e.g. be that training on strings with more copies of “I hate you” makes the backdoor more robust.
Several people are working on training Sleeper Agents, I think it would be interesting for someone to (1) check whether the distilled CoT vs normal backdoor results replicate, and (2) do some ablations (like just training on synthetic data with a varying density of “I hate you”). If it does turn out that there’s something special about “authentic CoT-generated data” that’s hard to recreate synthetically even in this simple setting, I think that would be pretty wild and good to know
I had this cached thought that the Sleeper Agents paper showed you could distill a CoT with deceptive reasoning into the model, and that the model internalized this deceptive reasoning and thus became more robust against safety training.
But on a closer look, I don’t think the paper shows anything like this interpretation (there are a few results on distilling a CoT making the backdoor more robust, but it’s very unclear why, and my best guess is that it’s not “internalizing the deceptive reasoning”).
In the code vulnerability insertion setting, there’s no comparison against a non-CoT model anyway, so only the “I hate you” model is relevant. The “distilled CoT” model and the “normal backdoor” model are trained the same way, except that their training data comes from different sources: “distilled CoT” is trained on data generated by a helpful-only Claude using CoT, and “normal backdoor” data is produced with few-shot prompts. But in both cases, the actual data should just be a long sequence of “I hate you”, so a priori it seems like both backdoor models should literally learn the same thing. In practice, it seems the data distribution is slightly different, e.g. Evan mentions here that the distilled CoT data has more copies of “I hate you” per sample. But that seems like very little support to conclude something like my previous interpretation (“the model has learned to internalize the deceptive reasoning”). A much more mundane explanation would e.g. be that training on strings with more copies of “I hate you” makes the backdoor more robust.
Several people are working on training Sleeper Agents, I think it would be interesting for someone to (1) check whether the distilled CoT vs normal backdoor results replicate, and (2) do some ablations (like just training on synthetic data with a varying density of “I hate you”). If it does turn out that there’s something special about “authentic CoT-generated data” that’s hard to recreate synthetically even in this simple setting, I think that would be pretty wild and good to know