I like the thrust of this paper, but I feel that it overstates how robust the safety properties will be, by drawing an overly sharp distinction between agentic and non-agentic systems, and not really engaging with the strongest counterexamples.
To give some examples from the text:
A chess-playing AI, for instance, is goal-directed because it prefers winning to losing. A classifier trained with log likelihood is not goal-directed, as that learning objective is a natural consequence of making observations
But I could easily train an AI which simply classifies chess moves by quality. What takes that to being an agent is just the fact that its outputs are labelled as ‘moves’ rather than as ‘classifications’, rather than any feature of the model itself. More generally, even a LM can be viewed as “merely” predicting next tokens—the fact that there is some perspective from which a system is non-agentic does not actually tell us very much.
Paralleling a theoretical scientist, it only generates hypotheses about the world and uses them to evaluate the probabilities of answers to given questions. As such, the Scientist AI has no situational awareness and no persistent goals that can drive actions or long-term plans.
I think it’s a stretch to say something generating hypotheses about the world has no situational awareness and no persistent goals—maybe it has indexical uncertainty, but a sufficiently powerful system is pretty likely to hypothesise about itself, and the equivalent of persistent goals can easily fall out of any ways its world model doesn’t line up with reality. Note that this doesn’t assume the AI has any ‘hidden goals’ or that it ever makes inaccurate predictions.
I appreciate that the paper does discuss objections to the safety of Oracle AIs, but the responses also feel sort of incomplete. For instance:
The counterfactual query proposal basically breaks down in the face of collusion
The point about isolating the training process from the real world says that “a reward-maximizing agent alters the real world to increase its reward”, which I think is importantly wrong. In general, I think the distinctions drawn here between RL and the science AI all break down at high levels.
The uniqueness of solutions still leaves a degree of freedom in how the AI fills in details we don’t know—it might be able to, for example, pick between several world models that fit the data which each offer a different set of entirely consistent answers to all our questions. If it’s sufficiently superintelligent, we wouldn’t be able to monitor whether it was even exercising that freedom.
Overall, I’m excited by the direction, but it doesn’t feel like this approach actually gets any assurances of safety, or any fundamental advantages.
The arguments in the paper are representative of Yoshua’s views rather than mine, so I won’t directly argue for them, but I’ll give my own version of the case against:
the distinctions drawn here between RL and the science AI all break down at high levels.
It seems commonsense to me that you are more likely to create a dangerous agent the more outcome-based your training signal is, the longer time-horizon those outcomes are measured over, the tighter the feedback loop between the system and the world, and the more of the world lies between the model you’re training and the outcomes being achieved.
At the top of the spectrum, you have systems trained based on things like the stock price of a company, taking many actions and receiving many observations per second, over years-long trajectories.
Many steps down from that you have RL training of current LLMs: outcome-based, but with shorter trajectories which are less tightly coupled with the outside world.
And at the bottom of the spectrum you have systems which are trained with an objective that depends directly on their outputs and not on the outcomes they cause, with the feedback not being propagated across time very far at all.
At the top of the spectrum, if you train a competent system it seems almost guaranteed that it’s a powerful agent. It’s a machine for pushing the world into certain configurations. But at the bottom of the spectrum it seems much less likely—its input-output behaviour wasn’t selected to be effective at causing certain outcomes.
Yes there are still ways you could create an agent through a training setup at the bottom of the spectrum (e.g. supervised learning on the outputs of a system at the top of the spectrum), but I don’t think they’re representative. And yes depending on what kind of a system it is you might be able to turn it into an agent using a bit of scaffolding, but if you have the choice not to, that’s an importantly different situation compared to the top of the spectrum.
And yes, it seems possible such setups lead to an agentic shoggoth completely by accident—we don’t understand enough to rule that out. But I don’t see how you end up judging the probability that we get a highly agentic system to be more or less the same wherever we are on the spectrum (if you do)? Or perhaps it’s just that you think the distinction is not being handled carefully in the paper?
Ah I should emphasise, I do think all of these things could help—it definitely is a spectrum, and I would guess these proposals all do push away from agency. I think the direction here is promising.
The two things I think are (1) the paper seems to draw an overly sharp distinction between agents and non-agents, and (2) basically all of the mitigations proposed look like they break down with superhuman capabilities. Hard to tell which of this is actual disagreements and which is the paper trying to be concise and approachable, so I’ll set that aside for now.
It does seem like we disagree a bit about how likely agents are to emerge. Some opinions I expect I hold more strongly than you:
It’s easy to accidentally scaffold some kind of agent out of an oracle as soon as there’s any kind of consistent causal process from the oracle’s outputs to the world, even absent feedback loops. In other words, I agree you can choose to create agents, but I’m not totally sure you can easily choose not to
Any system trained to predict the actions of agents over long periods of time will develop an understanding of how agents could act to achieve their goals—in a sense this is the premise of offline RL and things like decision transformers
It might be pretty easy for agent-like knowledge to ‘jump the gap’, e.g. a model trained to predict deceptive agents might be able to analogise to itself being deceptive
Sufficient capability at broad prediction is enough to converge on at least the knowledge of how to circumvent most of the guardrails you describe, e.g. how to collude
It is good to notice the spectrum above. Likely, for a fixed amount of compute/effort, one extreme of this spectrum gets much less agency than the other extreme. Call that the direct effect.
Are there other direct effects? For instance, do you get the same ability to “cure cancer” for a fixed amount of compute/effort across the spectrum? Seems like agency is useful, so probably the ability you get per unit compute is correlated with the agency across this spectrum.
If we are in a setting where an outside force demands you reach a given ability level, then this other indirect effect matters, because it means you will have to use a larger amount of compute.
[optional] To illustrate this problem, consider something that I don’t think people think is safer: instead of using gradient descent, just sample the weights of the neural net at random until you get a low loss. (I am not trying to make an analogy here)
It would be great if someone had a way to compute the “net” effect on agency across the spectrum, also taking into account the indirect path of more compute needed → more compute = more agency across the spectrum. I suspect it might depend on which ability you need to reach, and we might/might not be able to figure it out without experiments.