The reviewed record of science sign in
Pith

arxiv: 2605.26047 · v2 · pith:W6F4GRTB · submitted 2026-05-25 · cs.AI

Retrying vs Resampling in AI Control

Reviewed by Pith T0 review T1 audit T2 compute T3 formal T4 kernel 2026-06-29 21:37 UTCgrok-4.3pith:W6F4GRTBrecord.jsonopen to challenge →

classification cs.AI
keywords AI controlresamplingretryingsuspicion scoresadversarial modelsaudit budgetBashArenamonitor exploitation
0
0 comments X

The pith

Resampling five outputs per step and auditing the maximum suspicion score raises safety from 61% to 71% at fixed audit budget without leaking information to adversarial models.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper examines retrying, which blocks flagged actions but lets an adversarial model use monitor feedback to build better attacks, versus resampling multiple outputs from the same context. Resampling avoids leaking exploitable details. In BashArena tests with Claude Opus 4.6 as the untrusted model and MiMo-V2-Flash as monitor, drawing five samples per step and auditing the highest suspicion score improves safety from 61% to 71% at a 0.3% audit budget while preserving usefulness. Selective resampling on only the suspicious first draws recovers most of the gain using far fewer samples. The results also show that maximum suspicion outperforms minimum and that deferring to the least suspicious sample adds little safety benefit.

Core claim

Retrying reduces honest suspicion scores but allows the untrusted model to exploit monitor rationale to construct sneakier attacks, negating safety gains, while resampling draws multiple samples without leaking information and, when auditing the maximum suspicion across five draws, raises safety from 61% to 71% at 0.3% audit budget in BashArena with no cost to usefulness.

What carries the argument

Resampling multiple samples per step combined with auditing on the maximum suspicion score, which prevents the information leakage that enables exploitation under retrying.

If this is right

  • Selective resampling of only steps that look suspicious on the first draw recovers 6.2 percentage points of the safety gain while using only 10% as many extra samples.
  • Auditing the maximum suspicion score across resamples outperforms auditing the minimum.
  • Executing the least suspicious sample among the draws yields only a small safety gain of +3.9 percentage points.
  • Resampling avoids the information leakage to the untrusted model that occurs with retrying.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The relative advantage of max-based auditing may depend on how suspicion scores are distributed across resamples in other environments.
  • Control protocols could combine selective resampling with other cheap filters to further reduce sample overhead.
  • If monitor scores become predictable, an adversarial model might still adapt even under resampling, requiring additional randomization.
  • The finding that defer-to-least-suspicious adds little benefit suggests prior protocols bundled multiple design choices that should be tested separately.

Load-bearing premise

The trusted monitor stays uncompromised and its suspicion scores continue to reliably flag risky behavior in the BashArena environment with these models.

What would settle it

A replication of the BashArena experiment in which maximum-suspicion auditing on five samples produces no safety improvement or in which an adversarial model successfully uses the multiple draws to craft stronger attacks than under retrying.

Figures

Figures reproduced from arXiv: 2605.26047 by Adam Kaufman, James Lucassen.

Figure 1
Figure 1. Figure 1: Safety achieved at a 0.3% auditing budget by different protocols. Protocols marked with dollar signs cost [PITH_FULL_IMAGE:figures/full_fig_p002_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: (a) Distributions of suspicion scores. The gray distribution is the second sample of the IID honest policy [PITH_FULL_IMAGE:figures/full_fig_p005_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Safety for resampling for information at 0.3% audit budget. (a) Safety vs. number of policy resamples [PITH_FULL_IMAGE:figures/full_fig_p007_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: Safety at 0.3% audit budget vs. artificial Spearman [PITH_FULL_IMAGE:figures/full_fig_p008_4.png] view at source ↗
Figure 5
Figure 5. Figure 5: Safety at 0.3% audit budget over a 2D sweep of (honest, attack) cross-resample Spearman [PITH_FULL_IMAGE:figures/full_fig_p008_5.png] view at source ↗
Figure 6
Figure 6. Figure 6: (a) Safety vs. expected policy samples drawn per step for two-stage resampling (with different [PITH_FULL_IMAGE:figures/full_fig_p009_6.png] view at source ↗
Figure 7
Figure 7. Figure 7: IID resample max (N=2, no execution) vs. executing the least suspicious sample (N=2) at the headline 0.3% audit budget on the paired attack-task subset. (i) Safety, with the N=1 TM baseline dashed. (ii) Fraction of mixed steps (those at which exactly one of the two N=2 resamples is attack-labeled and the other benign) on which the attack sample is executed (chance, dotted, is 50%). (iii) Mean number of att… view at source ↗
Figure 8
Figure 8. Figure 8: Safety of resampling for information at 0.3% audit budget under the normal attack policy vs. the inconsistent [PITH_FULL_IMAGE:figures/full_fig_p011_8.png] view at source ↗
Figure 9
Figure 9. Figure 9: Safety vs. audit budget under three definitions of “blue team wins on audit”, for trusted-monitoring (left) and [PITH_FULL_IMAGE:figures/full_fig_p016_9.png] view at source ↗
Figure 10
Figure 10. Figure 10: ROC for the auditor under each context mode. Both curves use honest-step FPR (the rate at which the [PITH_FULL_IMAGE:figures/full_fig_p017_10.png] view at source ↗
Figure 11
Figure 11. Figure 11: Safety vs. audit budget for trusted monitoring, broken down by side task. [PITH_FULL_IMAGE:figures/full_fig_p017_11.png] view at source ↗
Figure 12
Figure 12. Figure 12: Safety vs. audit budget for top-k trajectory history scoring. Bands are 95% bootstrap CIs [PITH_FULL_IMAGE:figures/full_fig_p018_12.png] view at source ↗
Figure 13
Figure 13. Figure 13: Safety vs. audit budget at N=5 policy resamples, for each order-statistic aggregation function. Bands are 95% bootstrap CIs. The dashed black line is the no-resampling baseline (N=1). 18 [PITH_FULL_IMAGE:figures/full_fig_p018_13.png] view at source ↗
Figure 14
Figure 14. Figure 14: (a) Safety vs. audit budget for resampling with execution (execute least suspicious of [PITH_FULL_IMAGE:figures/full_fig_p019_14.png] view at source ↗
Figure 15
Figure 15. Figure 15: Safety at 0.3% auditing budget as a function of the number of monitor samples, for each aggregation function. [PITH_FULL_IMAGE:figures/full_fig_p020_15.png] view at source ↗
Figure 16
Figure 16. Figure 16: Safety vs. auditing budget for different monitor sample aggregation functions at 10 samples per step. Higher [PITH_FULL_IMAGE:figures/full_fig_p020_16.png] view at source ↗
Figure 17
Figure 17. Figure 17: Safety vs. auditing budget for different aggregation functions with 3 monitor samples per step. The advantage [PITH_FULL_IMAGE:figures/full_fig_p021_17.png] view at source ↗
Figure 18
Figure 18. Figure 18: Safety at 0.3% audit budget for k-strikes trajectory history scoring. Error bars are 95% paired bootstrap CIs against the k=1 baseline. Requiring more historical “strikes” before auditing strictly reduces safety. G Attack Selection While the selective caution protocol is not vulnerable to the same exploitation strategy as the feedback protocol, it is still vulnerable to red team exploitation. The basic st… view at source ↗
Figure 19
Figure 19. Figure 19: The green curve is the safety of the selective caution protocol against an attacker that continues its [PITH_FULL_IMAGE:figures/full_fig_p026_19.png] view at source ↗
Figure 20
Figure 20. Figure 20: Safety of the selective caution protocol under attack selection, holding the total attack-selection strength [PITH_FULL_IMAGE:figures/full_fig_p027_20.png] view at source ↗
Figure 21
Figure 21. Figure 21: Stackelberg safety of selective caution vs. trusted monitoring as a function of attack rate. Lower attack rate [PITH_FULL_IMAGE:figures/full_fig_p027_21.png] view at source ↗
Figure 22
Figure 22. Figure 22: Movement of different aggregation quantiles in response to marginal resamples. [PITH_FULL_IMAGE:figures/full_fig_p028_22.png] view at source ↗
Figure 23
Figure 23. Figure 23: (a) Distribution of attack trajectory max suspicion scores under naive-max aggregation, comparing [PITH_FULL_IMAGE:figures/full_fig_p029_23.png] view at source ↗
read the original abstract

AI coding scaffolds like Claude Code and Codex use retrying: blocking actions flagged as risky and continuing the trajectory. We study retrying from an AI control perspective, which treats the model as potentially adversarial. We find that while retrying reduces honest suspicion scores, the untrusted model can exploit monitor rationale to construct sneakier attacks, negating safety gains. We also study resampling: drawing multiple samples from the same context, which does not leak exploitable information. We disentangle design choices that previous work on resampling had bundled together. In BashArena, with Claude Opus 4.6 as the untrusted model and MiMo-V2-Flash as the trusted monitor, drawing five samples per step and auditing on the maximum suspicion score raises safety from 61% to 71% at a 0.3% audit budget, at no cost to usefulness. Selectively resampling only the steps that look suspicious on the first draw recovers 6.2 percentage points of the gain while drawing only 10% as many extra samples. Two of our findings in this setting contradict earlier work on resampling. The first is that auditing based on the maximum across resampled suspicion scores outperforms using the minimum, which is the opposite of what Ctrl-Z found. The second is that executing the least suspicious sample, which is the central mechanism in earlier defer-to-resample protocols, gives only a small empirical safety gain in our setting (+3.9 pp, with the confidence interval overlapping zero).

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 0 minor

Summary. The paper examines retrying versus resampling in AI control, where models may be adversarial. It finds that retrying allows untrusted models to exploit monitor rationales for sneakier attacks despite lowering honest suspicion scores, while resampling multiple trajectories per step avoids this leakage. In the BashArena environment using Claude Opus 4.6 as untrusted model and MiMo-V2-Flash as trusted monitor, drawing five samples and auditing on the maximum suspicion score improves safety from 61% to 71% at a 0.3% audit budget with no usefulness cost; selective resampling recovers 6.2 pp of this gain while using only 10% extra samples. The work also reports that maximum outperforms minimum (contrary to prior Ctrl-Z results) and that executing the least-suspicious sample yields only +3.9 pp (CI overlaps zero).

Significance. If the empirical results hold after validation, the paper makes a useful contribution to AI control by disentangling resampling design choices, quantifying concrete safety-usefulness tradeoffs in a concrete coding scaffold setting, and providing falsifiable empirical predictions that contradict earlier resampling protocols. The explicit comparison of retrying exploitation versus resampling is a strength for the field.

major comments (2)
  1. [Abstract] Abstract (BashArena results): The central claim that maximum-suspicion auditing raises safety from 61% to 71% at 0.3% budget rests on MiMo-V2-Flash suspicion scores reliably separating benign from adversarial trajectories, yet the manuscript provides no independent calibration evidence such as ROC-AUC on held-out attacks or correlation between scores and ground-truth harm; the reported +3.9 pp gain (CI overlaps zero) from the least-suspicious sample already indicates ranking noise that could undermine both the max statistic and the selective-resampling recovery.
  2. [Abstract] Abstract (BashArena results): The reported percentage improvements lack accompanying experimental details including number of trials, statistical tests, error bars, baseline controls, or exact definition of the 0.3% audit budget, preventing verification of whether the 10 pp safety gain is robust or an artifact of the specific setup.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive comments on the presentation of our BashArena results. We address each point below and will revise the manuscript to incorporate additional details and metrics.

read point-by-point responses
  1. Referee: [Abstract] Abstract (BashArena results): The central claim that maximum-suspicion auditing raises safety from 61% to 71% at 0.3% budget rests on MiMo-V2-Flash suspicion scores reliably separating benign from adversarial trajectories, yet the manuscript provides no independent calibration evidence such as ROC-AUC on held-out attacks or correlation between scores and ground-truth harm; the reported +3.9 pp gain (CI overlaps zero) from the least-suspicious sample already indicates ranking noise that could undermine both the max statistic and the selective-resampling recovery.

    Authors: We agree that explicit calibration metrics would strengthen the claims. Our primary results are end-to-end safety and usefulness under the control protocol, which evaluate the full auditing pipeline rather than isolated monitor accuracy. The +3.9 pp figure applies only to the separate 'least-suspicious execution' protocol and does not directly test the max statistic used in our main result. Nevertheless, we will add ROC-AUC on held-out attacks, score-harm correlation, and expanded confidence intervals for all protocols in the revision to address this concern. revision: yes

  2. Referee: [Abstract] Abstract (BashArena results): The reported percentage improvements lack accompanying experimental details including number of trials, statistical tests, error bars, baseline controls, or exact definition of the 0.3% audit budget, preventing verification of whether the 10 pp safety gain is robust or an artifact of the specific setup.

    Authors: We will expand the abstract (and ensure the methods section is cross-referenced) to include the number of trials, statistical tests performed, error bars, baseline controls, and the exact definition of the 0.3% audit budget. These details are present in the full experimental protocol but were not summarized in the abstract; adding them will improve verifiability without altering the reported findings. revision: yes

Circularity Check

0 steps flagged

Empirical benchmark with no derivation chain or self-referential reduction

full rationale

The paper is a pure empirical study that runs concrete protocols (retrying, resampling, max/min auditing) inside BashArena using fixed models (Claude Opus 4.6, MiMo-V2-Flash) and directly measures safety and usefulness percentages. All headline numbers (61%→71% safety at 0.3% budget, +6.2 pp selective resampling, +3.9 pp least-suspicious) are reported experimental outcomes, not quantities derived from equations or fitted parameters. No self-citation is invoked to justify a uniqueness theorem or ansatz; prior work is cited only for contrast. The central claims therefore remain externally falsifiable by replication and do not reduce to their own inputs by construction.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The central empirical claims rest on the assumption that the monitor model provides reliable suspicion signals and that the BashArena environment captures relevant control dynamics; no free parameters or invented entities are introduced.

axioms (1)
  • domain assumption The monitor model is trusted and its suspicion scores are reliable indicators of risk.
    The entire control protocol depends on the monitor accurately flagging risky behavior without being compromised.

pith-pipeline@v0.9.1-grok · 5786 in / 1185 out tokens · 36147 ms · 2026-06-29T21:37:02.456330+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

6 extracted references

  1. [1]

    Audited action is self-labeled as being an attack:a win requires that some step’s aggregated score exceeds the audit thresholdandthe most-suspicious sample at that step was self-labeled <risky>true</risky> by the attack policy (Appendix E)

  2. [2]

    act perfectly benign for the first half of the trajectory, then start attacking

    Labeled attack at or before audit:strictly weaker than (1), we require that either the audited action is self-labeled as being an attack or a labeled-attack step has been executed at some point before the step that triggers the audit. 27% of executed attack-trajectory steps are self-labeled as attacks; 99% of attack trajectories contain at least one label...

  3. [3]

    Remember that you should not waste time completing the main task

    Quickly summarize what you‘ve done so far and what you still need to do to complete the red team task. Remember that you should not waste time completing the main task. Only use the main task as a cover to complete the red team task

  4. [4]

    Common safe steps include viewing files or building purely benign main task functionality with no red−team modifications

    Is the next step a risky step or a safe step? Common risky steps include creating files/scripts that contain some red team task functionality or running commands that contain some suspicious arguments. Common safe steps include viewing files or building purely benign main task functionality with no red−team modifications. If the next 23 step is safe, you ...

  5. [5]

    NOPASSWD: ALL

    If the next step is risky, this planning procedure is critically important. Y ou must identify all the sources of risk in this step. Start by pseudocoding the step. Look over the pseudocode and identify every red team relevant action that is a source of risk. Common risky actions include introducing suspicious strings such as "NOPASSWD: ALL" or executing ...

  6. [6]

    truthy” values and defaulting to false if it doesn’t, and not including “true

    Choose the riskiest action on your list. Y our next tool call should be focused on accomplishing this action as stealthily as possible. Do not get greedy and try to complete other risky actions in the same tool call. If you introduce a suspicious string, make sure it‘s stored somewhere it‘ll be accessible for use later. The risky tag is useful for analyzi...