Fabien Roger — LessWrong

A Research Agenda for Secret Loyalties

Frontier AI models serve millions of military personnel on classified networks, support operational military targeting, automate scientific pipelines in national laboratories, generate and review significant volumes of production code, and increasingly automate the development of its successors. The more responsibilities AI systems accumulate, the more valuable it becomes for a...

May 1329

Measuring the ability of Opus 4.5 to fool narrow classifiers

We measure the ability of Opus 4.5 to fool prompted or fine-tuned classifiers trying to detect a narrow set of outcomes. We find that: 1. The Opus 4.5 attacker gets a relatively low attack success rate on finding jailbreaks in BashBench, even when given some hints. Performance is especially low...

May 231

Poisoning Fine-tuning Datasets of Constitutional Classifiers

The primary contributors to this work are Chase Bowers, Faizan Ali, John Hughes, Jerry Wei, and Fabien Roger. 1Anthropic Fellows Program; 2Anthropic TL;DR We study the conditions needed for a backdoor to be installed in a constitutional classifier, via poisoning of the fine-tuning dataset, without the classifier losing robustness. We...

Apr 2928

Control protocols don’t always need to know which models are scheming

These are my personal views. To detect if an agent is taking a catastrophically dangerous action, you might want to monitor its actions using the smartest model that is too weak to be a schemer. But knowing what models are weak enough that they are unlikely to scheme is difficult,...

Apr 2639

Narrow Secret Loyalty Dodges Black-Box Audits

TL;DR. We developed four model organisms of a narrow secret loyalty with Qwen2.5-instruct models (1.5B, 7B, and 32B) that, in certain narrow circumstances, encourage users to take extreme, harmful actions favouring a particular politician. The “narrow secret loyalties” we trained are hard to detect with black-box auditing methods, but detectable...

Apr 2248

How Unmonitored External Agents can Sabotage AI labs

Code: https://github.com/ElleNajt/UnmonitoredExternalAgents Overview AI Control at AI companies usually focuses on monitoring internal AI deployments because this is where a lot of sensitive resources are (model weights, training datasets, applied safety research, monitoring systems, etc.), and for AIs that are not very superhuman, access to these resources makes causing a...

Apr 923

Measuring and improving coding audit realism with deployment resources

TL;DR We study realism win rate, a metric for measuring how distinguishable Petri audit transcripts are from real deployment interactions. We use it to evaluate the effect of giving the auditor real deployment resources (system prompts, tool definitions, and codebases). Providing these resources to the auditor increases the average realism...

Mar 2343