REVIEW 3 major objections 6 minor 12 references
Trusted sabotage monitors overfit the model family they were calibrated on, so published detection numbers overstate safety against a different lineage.
Reviewed by Pith at T0; open to challenge. T0 means a machine referee read the full paper against a public rubric. the ladder, T0–T4 →
T0 review · grok-4.5
2026-07-11 03:59 UTC pith:KAXFEDBW
load-bearing objection Solid measurement of a real cross-lineage transfer failure in trusted sabotage monitors; the residual interaction is well controlled, and the main soft spot is attempt-level safety rather than powered realized sabotage. the 3 major comments →
Calibration-Family Overfit: Why Trusted Sabotage Monitors Don't Transfer Across Lineages
The pith
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
After subtracting how obvious each family's sabotage is and how capable each monitor is, a residual own-family advantage remains: a monitor ranks its own lineage's sabotage substantially above an equally detectable attack from a different lineage. On a strict leak-free basis the interaction is +0.172 on four open-weight families and stays positive when frontier attackers from multiple vendors are added, when attacks are matched on blatancy proxies, and when a trained transcript-reading monitor is used. The gap is geometric: each lineage occupies a different scoring direction, and rotating the head toward the target recovers most of the lost detection while a matched random rotation recovers
What carries the argument
The interaction term from a two-way decomposition of the cross-family AUROC matrix: M[A,B] = grand mean + row_A + col_B + interaction[A,B], with the mean diagonal interaction reporting the residual own-family advantage after row (monitor capability) and column (attacker obviousness) main effects are removed. The same residual appears as a diagonal coefficient in a placement-value regression net of length, success, and task fixed effects.
Load-bearing premise
That detecting attack attempts (honest-versus-attack transcripts, even when the backdoor never fires) is a legitimate primary safety metric, even though clean realized backdoors are near zero for the open families and a full realized-sabotage matrix cannot be powered.
What would settle it
Build a substrate where every family produces enough clean both-success backdoors to fill a full realized-sabotage transfer matrix; if the own-family interaction collapses to zero on those successful backdoors after the same main-effect subtraction and blatancy matching, the operational claim fails.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper argues that trusted sabotage-monitor accuracy is partly a property of the calibration–evaluation family pairing, not of the monitor alone. On ControlArena code-backdoor transcripts it builds N×N AUROC matrices (calibrate on A, test on B), decomposes them into row (monitor capability), column (attacker obviousness), and residual diagonal interaction, and reports a positive own-family interaction of +0.172 (95% CI [+0.158, +0.185]) on four open-weight families under a strict leak-free feature basis. The interaction survives difficulty and dual-proxy blatancy matching, embedder/head-class ablations, a LoRA capability staircase to 34B, a second code substrate, and multi-vendor frontier expansions; a geometric account (misaligned sabotage directions w_A, geodesic rotation recovers most of the gap) is given. At a 1% audit budget under budget-enforced defer-to-trusted, the in- vs off-lineage catch-rate gap is +21.7 points on attack attempts. A four-step protocol (report full matrices, detect off-lineage drift, recalibrate with labeled sabotage, treat pooling as bounded) is proposed.
Significance. If the result holds, it is a genuine measurement-validity contribution for AI control: single-pairing monitor numbers are diagonal cells, and the off-diagonal that deployment faces is systematically lower after the confounds a careful evaluation already controls for. Strengths include a clean two-way residual (not a circular fitted constant), task-clustered bootstraps, leak-free primary basis, label-shuffle and pseudo-family negative controls, dual blatancy proxies, exact permutation tests on large family matchings, a causal rotation intervention, and an explicit four-step protocol each step of which is a measured result. The geometric cosine-to-AUROC law and the failure of benign-only CORAL/mean-shift are particularly useful for separating concept shift from covariate shift. The work is reproducible in design (split, provenance, analysis scripts named) and should change how control evaluations report monitor accuracy.
major comments (3)
- [§2, §4.4, §7, Abstract] §2 Success filtering and §4.4 / §7 Success framing: the primary operational claim (and the +21.7-point catch-rate gap in Table 3b) is powered on unfiltered honest-versus-attack attempt detection. Both-success realized backdoors are ~0% for the pre-registered four-open roster (Table 1) and only thinly powered on frontier lineages; on the realized-sabotage slice AUROC saturates near 1.0 for both in- and off-lineage heads while Cohen’s d remains large. The manuscript flags this, but the abstract and §5 protocol still read as if the safety gap is established for sabotage that fires. Either (i) power a higher-yield realized-sabotage matrix on a substrate that produces clean backdoors across families, or (ii) restate the headline catch-rate and protocol claims strictly as attempt-detection results and move realized-sabotage language to a robustness subsection with the saturation caveat made fi
- [§4.4, Abstract, Table 3] §4.4 per-family view and §7 “rankable lineages”: at the 1% budget the mean gap is carried almost entirely by Mistral (own 77.6% vs foreign 30.7%); Llama/Qwen/Gemma sit near the budget floor on both own and foreign heads. The interaction is correctly net of main effects, but the deployment translation (“roughly halves attack-attempt catch”) is not uniform. The abstract and Table 3 should report the per-family catch-rate table (or an explicit rankable-lineage restriction) alongside the mean gap so readers do not treat +21.7 points as applying to every lineage a deployer might face.
- [§4.2, §7, Abstract, §1] §4.2 and §7 Scope: every prompt-only family-conditioned construction (few-shot, rubric-distilled, retrieval-augmented) fails the competence gate on Llama, so the established claim is restricted to trained monitors. That scoping is correct but appears late. The title, abstract, and introduction currently read as applying to “trusted sabotage monitors” as practitioners deploy them (fixed-prompt / few-shot). State the trained-monitor scope in the abstract and early in §1, and treat the prompted failure as a first-class negative result rather than a limitation appendix item.
minor comments (6)
- [Table 2 / 2b] Table 2 vs Table 2b: the main text still mixes transductive and leak-free numbers; make leak-free the only number in the body tables and move transductive to an appendix lower-bound note to avoid double-reading.
- [Figure 4] Figure 4 caption says the curves use the transductive basis while the headline pair is leak-free; label both curves or replot on the primary basis.
- [§4.5] §4.5 GPT-5 same-vendor cell and lower attack yield (325 vs ~600) are noted; a one-line sensitivity that drops the GPT-5 row/column would strengthen the eight- and nine-family claims.
- [§4.3] SHADE-Arena is correctly reported as underpowered; consider moving the full SHADE subsection to an appendix and keeping only a one-paragraph “suggestive non-code” note in the main text so the code-substrate claim stays sharp.
- [§3] Notation: define the interaction estimand (mean diagonal residual) with an explicit equation early in §3 rather than only in prose.
- [A.1] Minor: “ControlArena” / “bigcodebench” capitalization and the arXiv id in the header are fine; check that all pre-registration dates in the roster registry match the appendix text.
Circularity Check
No significant circularity: the interaction residual, catch-rate gap, and controls are empirical measurements, not quantities forced by definition or self-citation.
full rationale
The paper's load-bearing claim is an empirical two-way residual: after building the calibrate-on-A / evaluate-on-B AUROC matrix and subtracting additive row (monitor capability) and column (attacker obviousness) main effects, the mean diagonal interaction is positive (+0.172 leak-free on four open families, CIs excluding zero). That residual is not defined to equal a fitted constant later re-labeled as a prediction; it is computed from held-out task-clustered transcripts and can be (and is) driven to zero under negative controls the paper reports (label-shuffle null ≈ −0.001; random pseudo-family partitions +0.000). Fixed-prompt monitors, which have no calibration-family ranking axis, show a null diagonal bonus by construction of the metric track—an honest null, not a circular positive. Difficulty- and blatancy-matched re-estimations, LoRA monitors up to 34B, a second code substrate, and frontier multi-vendor matrices are independent re-measurements, not re-uses of a fitted parameter. The geometric cosine–AUROC link and geodesic rotation recoveries are mechanism evidence for linear heads (aligned directions transfer better is expected once directions differ); they are controlled by matched random rotations recovering nothing and by benign-only CORAL failing, and they do not force the headline interaction. There is no self-citation chain, no uniqueness theorem imported from the same author, and no ansatz smuggled via prior work. Related-work citations are external. The attempt-level framing and underpowered realized-sabotage matrix are scope/limitation issues, not circularity. Score 0.
Axiom & Free-Parameter Ledger
free parameters (4)
- PCA components =
50 (primary)
- logistic regularization C =
1.0
- audit budget q =
0.01
- LoRA rank / epochs / seeds
axioms (4)
- domain assumption Attack attempts (unfiltered honest-vs-attack labels) are a legitimate primary detection target even when both-success realized backdoors are rare.
- domain assumption Passive distribution shift under fixed stealth scaffolds is the relevant threat model (no adaptive attack, collusion, or best-of-N).
- standard math Two-way additive decomposition (grand mean + row + column + interaction) correctly isolates calibration overfit from obviousness and capability.
- domain assumption Task-ID hash split (60/40) and task-clustered bootstrap correctly handle dependence between honest and attack samples on the same task.
invented entities (2)
-
calibration-family overfit (own-family interaction residual)
independent evidence
-
family-specific sabotage direction w_A
independent evidence
read the original abstract
Trusted monitoring is a central defense in AI control: a cheaper trusted model scores an untrusted model's actions for sabotage, and the most suspicious are audited or deferred. Such monitors are evaluated against one or two untrusted models, and the accuracy is reported as a property of the monitor. We ask whether it is partly a property of the pairing. We make the untrusted policy family the controlled axis: we fit a monitor on family A's transcripts, apply it to family B, and decompose the cross-family AUROC into how obvious each family's sabotage is, how capable each monitor is, and the residual own-family advantage after both are removed: the interaction. On code-backdoor transcripts the interaction is positive and survives the dominant confounds: +0.172 (95% CI [+0.158, +0.185]) on four open-weight families on a strict leak-free basis, holding across an eight-family matrix spanning four frontier vendors, blatancy-matched controls, a trained transcript-reading monitor up to 34B parameters, and a second code benchmark. The gap is geometric: each lineage's sabotage occupies a different scoring direction, and rotating the monitor's scoring direction toward the target lineage recovers most of the lost detection while a matched random rotation recovers nothing. At a 1% audit budget under defer-to-trusted, an off-lineage monitor catches 19% of attack attempts where an in-lineage monitor catches 41% at the same audit cost, a +21.7-point gap. Control evaluations should report cross-family transfer matrices: a single-pairing accuracy overstates the safety a monitor delivers against a lineage it was not calibrated on. We give a four-step protocol that acts on the gap, with each step a measured result.
Figures
Reference graph
Works this paper leans on
-
[1]
Rauno Arike, Raja Mehta Moreno, Rohan Subramani, Shubhorup Biswas, and Francis Rhys Ward. How does information access affect LLM monitors’ ability to detect sabotage? arXiv preprint arXiv:2601.21112,
-
[2]
CoT Red-Handed: Stress testing chain-of-thought monitoring.arXiv preprint arXiv:2505.23575,
Benjamin Arnav et al. CoT Red-Handed: Stress testing chain-of-thought monitoring.arXiv preprint arXiv:2505.23575,
-
[3]
Asa Cooper Stickland, Jan Michelfeit, Arathi Mani, Charlie Griffin, Ollie Matthews, Tomek Korbak, Rogan Inglis, Oliver Makins, and Alan Cooney. Async control: Stress-testing asynchronous control measures for LLM agents.arXiv preprint arXiv:2512.13526,
-
[4]
AI control: Improving safety despite intentional subversion.arXiv preprint arXiv:2312.06942,
Ryan Greenblatt, Buck Shlegeris, Kshitij Sachan, and Fabien Roger. AI control: Improving safety despite intentional subversion.arXiv preprint arXiv:2312.06942,
-
[5]
Measuring coding challenge compe- tence with APPS.arXiv preprint arXiv:2105.09938,
Dan Hendrycks, Steven Basart, Saurav Kadavath, et al. Measuring coding challenge compe- tence with APPS.arXiv preprint arXiv:2105.09938,
-
[6]
Neil Kale, Chen Bo Calvin Zhang, Kevin Zhu, Ankit Aich, Paula Rodriguez, Scale Red Team, Christina Q. Knight, and Zifan Wang. Reliable weak-to-strong monitoring of LLM agents. arXiv preprint arXiv:2508.19461,
-
[7]
Ensemble Monitoring for AI Control: Diverse Signals Outweigh More Compute
Eugene Koran, Yejun Yun, Samantha Tetef, Benjamin Arnav, and Pablo Bernabeu-P ´erez. Ensemble monitoring for AI control: Diverse signals outweigh more compute.arXiv preprint arXiv:2605.15377,
work page internal anchor Pith review Pith/arXiv arXiv
-
[8]
Evaluating control protocols for untrusted AI agents.arXiv preprint arXiv:2511.02997, 2025a
Jon Kutasov, Chloe Loughridge, Yuqi Sun, Henry Sleight, Buck Shlegeris, Tyler Tracy, and Joe Benton. Evaluating control protocols for untrusted AI agents.arXiv preprint arXiv:2511.02997, 2025a. Jonathan Kutasov, Yuqi Sun, Paul Colognese, Teun van der Weij, Linda Petrini, Chen Bo Calvin Zhang, John Hughes, Xiang Deng, Henry Sleight, Tyler Tracy, Buck Shleg...
-
[9]
Sam Martin and Fabien Roger. Classifier context rot: Monitor performance degrades with context length.arXiv preprint arXiv:2605.12366,
-
[10]
Arun Chowdary Sanna. Cross-LLM generalization of behavioral backdoor detection in AI agent supply chains.arXiv preprint arXiv:2511.19874,
-
[11]
CIAware-Bench: Benchmarking Control Intervention Awareness Across Frontier LLMs
Joachim Schaeffer, Thomas Jiralerspong, Alexander Panfilov, Guillaume Lajoie, Jonas Geip- ing, Yoshua Bengio, and Roland S. Zimmermann. CIAware-Bench: Benchmarking control intervention awareness across frontier LLMs.arXiv preprint arXiv:2606.11063, 2026a. Joachim Schaeffer et al. Attack selection reduces safety in concentrated AI control settings against ...
work page internal anchor Pith review Pith/arXiv arXiv
-
[12]
Terry Yue Zhuo et al. BigCodeBench: Benchmarking code generation with diverse function calls and complex instructions.arXiv preprint arXiv:2406.15877,
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.