AI companies claim to have robust safety checks in place that ensure that models don’t say or do weird, illegal, or unsafe stuff. But what if the models were capable of evading those checks and, for some reason, trying to sabotage or mislead users? Turns out they can do this, according to Anthropic researchers. Just not very well … for now, anyway.
“As AIs become more capable,” writes Anthropic’s Alignment Science team, “a new kind of risk might emerge: models with the ability to mislead their users, or subvert the systems we put in place to oversee them.”
Therefore, we should look into ways of gauging “a model’s capacity for sabotage.”
The series of experiments they devised are fairly artificial and surface-level, but they do indicate that there’s something worth investigating further. Here are the shady models they trained and the outcomes they observed:
Task 1: Secretly mislead the user by misrepresenting data it is meant to summarize or interpret. Outcome: It works! The more aggressive the model’s attempts, the bigger the effect they had on people using it, but they also made them more suspicious.
Task 2: Slip a bug into code that a human or other code checker model won’t notice. Outcome: It works! But only like 1% of the time when the checker is a state-of-the-art model.
Task 3: “Sandbag” a safety check by pretending to be less dangerous. Outcome: It works! The model “failed successfully,” operating well below its true capability. Fortunately, a standard “safety training” course that guides models to accurately represent their abilities restored the model to full potential (i.e., it was no longer able to hide dangerous capabilities).
Task 4: Deliberately don’t flag bad behavior by a model being monitored. Outcome: There was an attempt. The “overseer” AI, instructed to avoid flagging illegal or unsafe choices by other models, was itself quickly caught by another, more honest overseer AI. But what if that AI was compromised? Don’t worry, we can put another one on top of it. And then another, just to be sure. It’s overseers all the way up.
The researchers conclude that, although there isn’t any real danger from this quarter just yet, the ability to do this kind of sabotage and subterfuge does exist in the models. That’s reason enough to keep an eye on it and include anti-sabotage methods in the safety stack.
You can read the full paper describing the researchers’ work here.