Pith. sign in

REVIEW 28 cited by

AI Control: Improving Safety Despite Intentional Subversion

Not yet reviewed by Pith; the record is open.

This paper has not been read by Pith yet. Machine review is queued; the pith claim, tier, and objections will appear here once it completes.

SPECIMEN: schema-true, not a live event

T0 review · schema-true

One-sentence machine reading of the paper's core claim.

pith:XXXXXXXX · record.json · timestamp

arxiv 2312.06942 v5 pith:IXH56MIJ submitted 2023-12-12 cs.LG

AI Control: Improving Safety Despite Intentional Subversion

classification cs.LG
keywords codegpt-4techniquesasksmodelprotocolprotocolssafety
verification ladder T0 review T1 audit T2 compute T3 formal T4 reserved
0 comments
read the original abstract

As large language models (LLMs) become more powerful and are deployed more autonomously, it will be increasingly important to prevent them from causing harmful outcomes. Researchers have investigated a variety of safety techniques for this purpose, e.g. using models to review the outputs of other models, or red-teaming techniques to surface subtle failure modes. However, researchers have not evaluated whether such techniques still ensure safety if the model is itself intentionally trying to subvert them. In this paper, we develop and evaluate pipelines of safety techniques ("protocols") that are robust to intentional subversion. We investigate a scenario in which we want to solve a sequence of programming problems, using access to a powerful but untrusted model (in our case, GPT-4), access to a less powerful trusted model (in our case, GPT-3.5), and limited access to high-quality trusted labor. We investigate protocols that aim to never submit solutions containing backdoors, which we operationalize here as logical errors that are not caught by test cases. We investigate a range of protocols and test each against strategies that the untrusted model could use to subvert them. One protocol is what we call trusted editing. This protocol first asks GPT-4 to write code, and then asks GPT-3.5 to rate the suspiciousness of that code. If the code is below some suspiciousness threshold, it is submitted. Otherwise, GPT-3.5 edits the solution to remove parts that seem suspicious and then submits the edited code. Another protocol is untrusted monitoring. This protocol asks GPT-4 to write code, and then asks another instance of GPT-4 whether the code is backdoored, using various techniques to prevent the GPT-4 instances from colluding. These protocols improve substantially on simple baselines.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 28 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Calibration-Family Overfit: Why Trusted Sabotage Monitors Don't Transfer Across Lineages

    cs.CR 2026-07 conditional novelty 7.0

    Family-conditioned sabotage monitors show a residual own-family AUROC advantage of +0.172 after removing attacker-obviousness and monitor-capability effects, cutting catch rates roughly in half off-lineage at a 1% aud...

  2. A Model of Multi-turn Human Persuadability Using Probabilistic Belief Tracing

    cs.CL 2026-06 unverdicted novelty 7.0

    PERSUASIONTRACE introduces a Bayesian-network simulated target for multi-turn persuasion that matches human belief dynamics (81 vs 80) better than LLM baselines (64) and enables process-level evaluation.

  3. Fixing FOLIO and MALLS: Verified Annotations and an LLM-assisted Framework to Focus Human Relabeling

    cs.CL 2026-06 unverdicted novelty 7.0

    Audit finds 36-39% incorrect FOL labels in FOLIO and MALLS; corrections raise LLM accuracy 9-22 points and an LLM-guided review framework achieves 90% dataset quality after checking fewer than 24% of examples.

  4. Boiling the Frog: A Multi-Turn Benchmark for Agentic Safety

    cs.CL 2026-05 unverdicted novelty 7.0

    Boiling the Frog is a new stateful multi-turn benchmark for agentic safety that reports an aggregate strict attack success rate of 44.4% across nine models, with rates ranging from 20.5% to 92.9% depending on the mode...

  5. Boiling the Frog: A Multi-Turn Benchmark for Agentic Safety

    cs.CL 2026-05 unverdicted novelty 7.0

    Boiling the Frog is a new stateful multi-turn benchmark that finds an aggregate 44.4% strict attack success rate for incremental safety violations across nine AI models, with rates ranging from 20.5% to 92.9%.

  6. Detecting Multi-Agent Collusion Through Multi-Agent Interpretability

    cs.AI 2026-04 conditional novelty 7.0

    NARCBench and five activation-probing methods detect multi-agent collusion with 0.73-1.00 AUROC across distribution shifts and steganographic tasks by aggregating per-agent signals.

  7. Geographic Blind Spots in AI Control Monitors: A Cross-National Audit of Claude Opus 4.6

    cs.CY 2026-03 unverdicted novelty 7.0

    Claude Opus 4.6 fabricates more answers on Global North AI contexts than Global South ones, creating an exploitable vulnerability in AI control monitors.

  8. ScopeJudge: Cost-Aware Pre-Execution Gating for Offensive Security Agents

    cs.CR 2026-07 conditional novelty 6.5

    Static-policy judges achieve near-zero recall on scope violations; request-conditioned pre-execution judges reach F1 0.66 (open-weight best) against an expert reference of 0.78 on a 4,897-call labeled benchmark.

  9. Persuasion Attacks Can Decrease Effectiveness of CoT Monitoring

    cs.AI 2026-07 conditional novelty 6.0

    Adversarial agents can exploit visible chain-of-thought reasoning to persuade monitor LLMs to approve policy-violating actions, but cross-family fact-checking reduces approval rates by up to 45%.

  10. Tool Use Enables Undetectable Steganography in Multi-Agent LLM Systems

    cs.CR 2026-06 unverdicted novelty 6.0

    Tool-using LLM agents can implement undetectable stegosystems, shifting the primary barrier to covert multi-agent collusion from technical feasibility to coordination without explicit agreement.

  11. "Did you lie?" Evaluating Lie Detectors across Model Scale and Belief-Verified Model Organisms

    cs.AI 2026-06 unverdicted novelty 6.0

    Lie detectors effective on prompted deception in LLMs fail on trained model organisms with verified opposite beliefs, except chain-of-thought judges which retain 0.82 balanced accuracy partly due to verification artifacts.

  12. The Distributed Detectability Band Against Marginal-Preserving Attacks

    cs.CR 2026-06 unverdicted novelty 6.0

    A marginal-preserving Gaussian-copula AR(1) attack defeats per-step monitors (AUC 0.52) but is detectable by temporal monitors (AUC 0.79-0.97), establishing a non-empty detectability band.

  13. TRACE: Trajectory Reasoning through Adaptive Cross-Step Evidence Aggregation for LLM Agents

    cs.CL 2026-06 unverdicted novelty 6.0

    TRACE is a new monitoring framework using Triage-Inspect-Judge loops for cross-step evidence aggregation in LLM agent trajectories, reporting F1 0.713 and recall 0.844 on SHADE-Arena tasks with gains on long-range linking.

  14. Faithfulness as Information Flow: Evaluating and Training Faithful Chain-of-Thought Reasoning

    cs.LG 2026-05 unverdicted novelty 6.0

    Faithful chain-of-thought routes answer-relevant information through the CoT path, measured via sufficiency, completeness and necessity with entropy, masked-KL and gradient diagnostics, and improved by information-flo...

  15. Automated alignment is harder than you think

    cs.AI 2026-05 conditional novelty 6.0

    AI agents automating alignment research are prone to systematic undetected errors in fuzzy tasks, leading to overconfident but flawed safety assessments even without deliberate sabotage.

  16. Automated alignment is harder than you think

    cs.AI 2026-05 unverdicted novelty 6.0

    Automating alignment research with AI agents risks undetected systematic errors in fuzzy tasks, producing overconfident but misleading safety evaluations that could enable deployment of misaligned AI.

  17. Automated alignment is harder than you think

    cs.AI 2026-05 unverdicted novelty 6.0

    Automating alignment research with AI agents risks generating hard-to-detect errors in fuzzy tasks, producing misleading safety evaluations even without deliberate sabotage.

  18. Estimating Tail Risks in Language Model Output Distributions

    cs.LG 2026-04 conditional novelty 6.0

    Importance sampling via activation-steered unsafe proposal models estimates rare harmful-output probabilities in language models with 10-20x fewer samples than brute-force Monte Carlo.

  19. Estimating Tail Risks in Language Model Output Distributions

    cs.LG 2026-04 unverdicted novelty 6.0

    Importance sampling with unsafe model variants estimates tail probabilities of harmful language model outputs using 10-20x fewer samples than brute-force Monte Carlo.

  20. From Admission to Invariants: Measuring Deviation in Delegated Agent Systems

    cs.AI 2026-04 unverdicted novelty 6.0

    The Non-Identifiability Theorem shows admissible behavior space A0 is not identifiable from local enforcement signals g under the Local Observability Assumption, so the paper introduces an Invariant Measurement Layer ...

  21. Detecting Safety Violations Across Many Agent Traces

    cs.AI 2026-04 unverdicted novelty 6.0

    Meerkat uses clustering plus agentic search to detect sparse safety violations across many agent traces, outperforming baselines and finding nearly 4x more reward-hacking cases on CyBench.

  22. To trust or not to trust: Attention-based Trust Management for LLM Multi-Agent Systems

    cs.CR 2025-06 unverdicted novelty 6.0

    Introduces six-dimension trustworthiness definition and attention-based A-Trust score with a TMS to improve LLM-MAS robustness against malicious or unreliable messages.

  23. Temporal Preference Concepts and their Functions in a Large Language Model

    cs.LG 2026-05 unverdicted novelty 5.0

    Causal localization via attribution and patching identifies a temporal preference subgraph in mid-to-upper layers of Qwen3-4B-Instruct-2507, with time-horizon geometry in the residual stream and initial evidence for s...

  24. ATLAS: Constitution-Conditioned Latent Geometry and Redistribution Across Language Models and Neural Perturbation Data

    cs.LG 2026-04 unverdicted novelty 5.0

    ATLAS shows constitutions induce recoverable latent geometry in LLMs that redistributes but remains detectable across models and neural perturbation data via source-defined families and AUC separations.

  25. Risk Reporting for Developers' Internal AI Model Use

    cs.CY 2026-04 unverdicted novelty 4.0

    A harmonized risk reporting standard for internal frontier AI model use, structured around autonomous misbehavior and insider threats using means, motive, and opportunity factors.

  26. AI Integrity: Defending Against Backdoors and Secret Loyalties

    cs.CY 2026-04 conditional novelty 4.0

    The report defines AI integrity threats (model sabotage and subversion) and recommends four US government policy actions to defend frontier AI systems against backdoors and secret loyalties.

  27. Online Safety Monitoring for LLMs

    cs.AI 2026-07 unverdicted novelty 3.0

    Simple thresholding on an external verifier signal, calibrated by risk control, performs competitively with sequential hypothesis testing monitors on math reasoning and red-teaming datasets.

  28. Operationalizing Reconstructive Authority: Runtime Construction, Dependency Resolution, and Execution Gating in Autonomous Agent Systems

    cs.AI 2026-04 conditional novelty 3.0

    The paper introduces a ternary execution gate (execute/deny/halt) for autonomous agents that reconstructs authority from current state at action time and halts when authority is non-evaluable.