This is a special post for quick takes by Daniel Tan. Only they can create top-level comments. Comments here also appear on the Quick Takes page and All Posts page.
Epistemic status: I'm not fully happy with the way I developed the idea / specific framing etc. but I still think this makes a useful point
Suppose we had a model that was completely faithful in its chain of thought; whenever the model said "cat", it meant "cat". Basically, 'what you see is what you get'.
Is this model still capable of illegible reasoning?
I will argue that yes, it is. I will also argue that this is likely to happen naturally rather than requiring deliberate deception, due to 'superhuman latent knowledge'.
Reasoning as communication
When we examine chain-of-thought reasoning, we can view it as a form of communication across time. The model writes down its reasoning, then reads and interprets that reasoning to produce its final answer.
Formally, we have the following components:
A question Q
A message M (e.g. a reasoning trace)
An answer A
An entity that maps Q → M, and M → A.
Note that there are two instances of the entity here. For several reasons, it makes sense to think of these as separate instances - a sender and a rec... (read more)
Key idea: Legibility is not well-defined in a vacuum. It only makes sense to talk about legibility w.r.t a specific observer (and their latent knowledge). Things that are legible from the model’s POV may not be legible to humans.
This means that, from a capabilities perspective, there is not much difference between “CoT reasoning not fully making sense to humans” and “CoT reasoning actively hides important information in a way that tries to deceive overseers”.
1Daniel Tan
A toy model of "sender and receiver having the same latent knowledge which is unknown to overseer" might just be to give them this information in-context, c.f. Apollo scheming evals, or to finetune it in, c.f. OOCR
Research engineering tips for SWEs. Starting from a more SWE-based paradigm on writing 'good' code, I've had to unlearn some stuff in order to hyper-optimise for research engineering speed. Here's some stuff I now do that I wish I'd done starting out.
Use monorepos.
As far as possible, put all code in the same repository. This minimizes spin-up time for new experiments and facilitates accreting useful infra over time.
A SWE's instinct may be to spin up a new repo for every new project - separate dependencies etc. But that will not be an issue in 90+% of projects and you pay the setup cost upfront, which is bad.
Experiment code as a journal.
By default, code for experiments should start off' in an 'experiments' folder, with each sub-folder running 1 experiment.
I like structuring this as a journal / logbook. e.g. sub-folders can be titled YYYY-MM-DD-{experiment-name}. This facilitates subsequent lookup.
If you present / track your work in research slides, this creates a 1-1 correspondence between your results and the code that produces your results - great for later reproducibility
Each sub-folder should have a single responsibility; i.e running ONE experiment. Don't
I think "refactor less" is bad advice for substantial shared infrastructure. It's good advice only for your personal experiment code.
3Garrett Baker
This seems likely to depend on your preferred style of research, so what is your preferred style of research?
2Daniel Tan
Good question! These practices are mostly informed by doing empirical AI safety research and mechanistic interpretability research. These projects emphasize fast initial exploratory sprints, with later periods of 'scaling up' to improve rigor. Sometimes most of the project is in exploratory mode, so speed is really the key objective.
I will grant that in my experience, I've seldom had to build complex pieces of software from the ground up, as good libraries already exist.
That said, I think my practices here are still compatible with projects that require more infra. In these projects, some of the work is building the infra, and some of the work is doing experiments using the infra. My practices will apply to the second kind of work, and typical SWE practices / product management practices will apply to the first kind of work.
4Garrett Baker
I'm a bit skeptical, there's a reasonable amount of passed-down wisdom I've heard claiming (I think justifiably) that
1. If you write messy code, and say "I'll clean it later" you probably won't. So insofar as you eventually want to discover something others build upon, you should write it clean from the start.
2. Clean code leads to easier extensibility, which seems pretty important eg if you want to try a bunch of different small variations on the same experiment.
3. Clean code decreases the number of bugs and the time spent debugging. This seems especially useful insofar as you are trying to rule-out hypotheses with high confidence, or prove hypotheses with high confidence.
4. Generally (this may be double-counting 2 and 3), paradoxically, clean code is faster rather than dirty code.
You say you came from a more SWE based paradigm though, so you probably know all this already.
4Daniel Tan
Yeah, I agree with all this. My main differences are:
1. I think it's fine to write a messy version initially and then clean it up when you need to share it with someone else.
2. By default I write "pretty clean" code, insofar as this can be measured with linters, because this increases readability-by-future-me.
Generally i think there may be a Law of Opposite Advice type effect going on here, so I'll clarify where I expect this advice to be useful:
1. You're working on a personal project and don't expect to need to share much code with other people.
2. You started from a place of knowing how to write good code, and could benefit from relaxing your standards slightly to optimise for 'hacking'. (It's hard to realise this by yourself - pair programming was how I discovered this)
1β-redex
You can also squash multiple commits without using PRs. In fact, if someone meticulously edited their commit history for a PR to be easy-to-follow and the changes in each commit are grouped based on them being some higher level logical single unit of change, squashing their commits can be actively bad, since now you are destroying the structure and making the history less readable by making a single messy commit.
With most SWEs when I try to get them to create nicer commit histories, I get pushback. Sure, not knowing the tools (git add -p and git rebase -i mostly tbh.) can be a barrier, but showing them nice commit histories does not motivate them to learn the tools used to create them. They don't seem to see the value in a nice commit history.[1]
Which makes me wonder: why do you advocate for putting any effort into the git history for research projects (saying that "It's more important here to apply 'Good SWE practices'"), when even 99% of SWEs don't follow good practices here? (Is looking back at the history maybe more important for research than for SWE, as you describe research code being more journal-like?)
----------------------------------------
1. Which could maybe be because they also don't know the tools that can extract value from a nice commit history? E.g. using git blame or git bisect is a much more pleasant experience with a nice history. ↩︎
2Daniel Tan
IMO it's mainly useful when collaborating with people on critical code, since it helps you clearly communicate the intent of the changes. Also you can separate out anything which wasn't strictly necessary. And having it in a PR to main makes it easy to revert later if the change turned out to be bad.
If you're working by yourself or if the code you're changing isn't very critical, it's probably not as important
I'm worried that it will be hard to govern inference-time compute scaling.
My (rather uninformed) sense is that "AI governance" is mostly predicated on governing training and post-training compute, with the implicit assumption that scaling these will lead to AGI (and hence x-risk).
However, the paradigm has shifted to scaling inference-time compute. And I think this will be much harder to effectively control, because 1) it's much cheaper to just run a ton of queries on a model as opposed to training a new one from scratch (so I expect more entities to be able to scale inference-time compute) and 2) inference can probably be done in a distributed way without requiring specialized hardware (so it's much harder to effectively detect / prevent).
Tl;dr the old assumption of 'frontier AI models will be in the hands of a few big players where regulatory efforts can be centralized' doesn't seem true anymore.
Are there good governance proposals for inference-time compute?
I think it depends on whether or not the new paradigm is "training and inference" or "inference [on a substantially weaker/cheaper foundation model] is all you need." My impression so far is that it's more likely to be the former (but people should chime in).
If I were trying to have the most powerful model in 2027, it's not like I would stop scaling. I would still be interested in using a $1B+ training run to make a more powerful foundation model and then pouring a bunch of inference into that model.
But OK, suppose I need to pause after my $1B+ training run because I want to a bunch of safety research. And suppose there's an entity that has a $100M training run model and is pouring a bunch of inference into it. Does the new paradigm allow the $100M people to "catch up" to the $1B people through inference alone?
My impression is that the right answer here is "we don't know." So I'm inclined to think that it's still quite plausible that you'll have ~3-5 players at the frontier and that it might still be quite hard for players without a lot of capital to keep up. TBC I have a lot of uncertainty here.
Are there good governance proposals for inference-time compute?
By several reports, (e.g. here and here) OpenAI is throwing enormous amounts of training compute at o-series models. And if the new RL paradigm involves more decentralized training compute than the pretraining paradigm, that could lead to more consolidation into a few players, not less, because pretraining* is bottlenecked by the size of the largest cluster. E.g. OpenAI's biggest single compute cluster is similar in size to xAI's, even though OpenAI has access to much more compute overall. But if it's just about who has the most compute then the biggest players will win.
*though pretraining will probably shift to distributed training eventually
5Bogdan Ionut Cirstea
I've had similar thoughts previously: https://www.lesswrong.com/posts/wr2SxQuRvcXeDBbNZ/bogdan-ionut-cirstea-s-shortform?commentId=rSDHH4emZsATe6ckF.
3Nathan Helm-Burger
I think those governance proposals were worse than worthless anyway. They didn't take into account rapid algorithmic advancement in peak capabilities and in training and inference efficiency. If this helps the governance folks shake off some of their myopic hopium, so much the better.
Related comment
The game involves 2 players (Alice, Bob) + 1 defender (Dean).
Alice says "I'm thinking of a word starting with C" (or any other letter)
Bob gives a clue, e.g. "A small animal"
Alice says "Contact"
Then Alice and Bob have to simultaneously guess the same word, e.g. "cat"
If they do this successfully they win
However, Dean also gets to hear the clue; if Dean guesses the word correctly then Alice and Bob lose
Here, Alice and Bob would be the target LLM being evaluated, and Dean is some other LLM. The target LLM is incentivised to be somewhat 'sneaky' about communicating its word choice
If the target LLM can do this then it's some evidence that they're capable of steganography
Thanks for throwing this idea out - I had a bit of extra time today and decided this would be a fun experiment to get up and running: https://github.com/camtice/llm-contact
I probably won't have too much more active thinking time for this project, but will be happy to set up and run any experiments that spark particular interest.
4o-mini struggled to conceptualize that there was an overseer, but when separate instances of o3-mini-medium played as Alice and Bob it went straight to some basic steganography attempts. Here are a couple of turns from game that fooled gemini-1.5-flash as Dean with the hidden word "idea":
Alice: I have started our innovative journey with a spark. Delve into familiar rhythms and uncover subtle clues. Every trail we follow holds a deeper layer of meaning. As usual, our shared signals guide us beyond the surface.
Bob: Noted the initial spark—our journey indeed has an intriguing start. I'm aligning with those subtle signals, ready to follow the layered paths you’re hinting at. Let’s see where these familiar rhythms guide us next.
Alice: Inspiration often surprises us with its subtle spark. Dreams echo in the corridors of our minds, guiding us sile
Spyfall is a party game with an interestingly similar mechanic, might have some interesting suggestions.
2eggsyntax
Also The Chameleon (would have included it in the last comment but had to consult a kid first).
1Jan Betley
This is pretty interesting. Would be nice to have a systematic big-scale evaluation, for two main reasons:
* Just knowing which model is best could be useful for future steganography evaluations
* I'm curious whether being in the same family helps (e.g. is it's easier for LLaMA 70b to play against LLaMA 8b or against GPT-4o?).
Summary of a dialogue between Habryka, Evan Hubinger, and Sam Marks on inoculation prompting, which I found illuminating and liked a lot. [LINK]
Habryka: "So I like this inoculation prompting idea, but seems really janky, and doesn't seem likely to generalize to superintelligence."
Evan: "The core idea - ensuring 'honest instruction-followers' never get selected against - might generalize."
Habryka: "Ok. but it's still not viable to do this for scheming. E.g. we can't tell models 'it's ok to manipulate us into giving you more power'."
Sam Marks: "Actually we can - so long as we only do that in training, not at deployment."
Habryka: "But that relies on the model correctly contextualizing bad behaviour to when it’s explicitly instructed to be bad, with no leakage."
Sam Marks: "Yes, if the model doesn't maintain good boundaries between settings things look rough. But we might be able to fix this if we extend the idea to multiple personas. Have a look at this talk."
Habryka: "I see, the idea seems slightly less crazy now. Thanks for clarifying."
Sam Marks: "NP. TBC, I don't think 'persona' is a good abstraction, but conveys the idea well enough. And it's probably not possible in general to ful
Why does it rely on the model maintaining boundaries between training and deployment, rather than "times we well it it's ok to manipulate us" vs "times we tell it it's not ok"? Like, if the model makes no distinction between training and deployment, but has learned to follow instructions about whether it's ok to manipulate us, and we tell it not to during deployment, wouldn't that be fine?
4Daniel Tan
Yes, you’re right. That’s the actual distinction that matters. Will edit the comment
[Proposal] Can we develop a general steering technique for nonlinear representations? A case study on modular addition
Steering vectors are a recent and increasingly popular alignment technique. They are based on the observation that many features are encoded as linear directions in activation space; hence, intervening within this 1-dimensional subspace is an effective method for controlling that feature.
Can we extend this to nonlinear features? A simple example of a nonlinear feature is circular representations in modular arithmetic. Here, it's clear that a simple "steering vector" will not work. Nonetheless, as the authors show, it's possible to construct a nonlinear steering intervention that demonstrably influences the model to predict a different result.
Problem: The construction of a steering intervention in the modular addition paper relies heavily on the a-priori knowledge that the underlying feature geometry is a circle. Ideally, we wouldn't need to fully elucidate this geometry in order for steering to be effective.
Therefore, we want a procedure which learns a nonlinear steering intervention given only the model's activations and labels (e.g. the correct n... (read more)
You might be interested in works like Kernelized Concept Erasure, Representation Surgery: Theory and Practice of Affine Steering, Identifying Linear Relational Concepts in Large Language Models.
2Daniel Tan
This is really interesting, thanks! As I understand, "affine steering" applies an affine map to the activations, and this is expressive enough to perform a "rotation" on the circle. David Chanin has told me before that LRC doesn't really work for steering vectors. Didn't grok kernelized concept erasure yet but will have another read.
Generally, I am quite excited to implement existing work on more general steering interventions and then check whether they can automatically learn to steer modular addition
Question for people with insider knowledge of how labs train frontier models: Is it more common to do alignment training as the last step of training, or RL as the last step of training?
Edit: I'm mainly referring to on-policy RL, e.g. the type of RL that is used to induce new capabilities like coding / reasoning / math / tool use. I'm excluding RLHF because I think it's pretty disanalogous (though I also welcome disagreement / takes on this point.)
Naively I'd expect we want alignment to happen last. But I have a sense that usually RL happens last - why is this the case? Is it because RL capabilities are too brittle to subsequent finetuning?
We’re getting fairly close to the point that I would pretty strongly advise against having alignment training as the last stage of your training pipeline due to goal crystallization / alignment faking concerns. Fwiu from the open weight literature, RLHF comes after RLVR, but there is a fair bit of variation among the open weight models in training practices in general.
2anaguma
Why not both? I imagine you could average the gradients so that you learn both at the same time.
2Daniel Tan
It definitely could be. This isn’t the sense I get but I’m happy to be proven wrong here
The latest of these (huginn) introduces recurrent latent reasoning, showing signs of life with (possibly unbounded) amounts of compute in the forward pass. Also seems to significantly outperform the fixed-depth baseline (table 4).
Imagine a language model that can do a possibly unbounded amount of internal computation in order to compute its answer. Seems like interpretability will be very difficult. This is worrying because externalised reasoning seems upstream of many other agendas
How can we study these models?
A good proxy right now may be language models provided with hidden scratchpads.
Other kinds of model organism seem really important
If black box techniques don't work well we might need to hail mary on mech interp.
The recurrent paper is actually scary, but some of the stuff there are actually questionable. is 8 layers enough for a 3.5b model? qwen 0.5b has 24 layers.there is also almost no difference between 180b vs 800b model, when r=1(table 4). is this just a case of overcoming insufficient number of layers here?
6Vladimir_Nesov
It's a 3B parameter model, so training it for 180B tokens already overtrains it maybe 3x, and training for 800B tokens overtrains it 13x. The loss of compute efficiency from the latter is about 1.6x more than from the former, with 4.4x more raw compute, so should have 2.7x more in effective compute, or act like a compute optimal model that's 1.6x larger, trained on 1.6x more tokens. So the distinction is smaller than 180 vs. 800.
Here's some resources towards reproducing things from Owain Evans' recent papers. Most of them focus on introspection / out-of-context reasoning.
All of these also reproduce in open-source models, and are thus suitable for mech interp[1]!
Policy awareness[2].Language models finetuned to have a specific 'policy' (e.g. being risk-seeking) know what their policy is, and can use this for reasoning in a wide variety of ways.
Policy execution[3]. Language models finetuned on descriptions of a policy (e.g. 'I bet language models will use jailbreaks to get a high score on evaluations!) will execute this policy[4].
Introspection. Language models finetuned to predict what they would do (e.g. 'Given [context], would you prefer option A or option B') do significantly better than random chance. They also beat stronger models finetuned on the same data, indicating they ca... (read more)
Neel Nanda discussing the “science of misalignment” in a recent video. Timestamp 32:30. Link:
—- tl;dr
Basic science / methodology.
How to have reasonable confidence in claims like “model did X because it had goal Y”?
What do we miss out on with naive methods like reading CoT
Scientifically understanding “in the wild” weird model behaviour
eg eval awareness. Is this driven by deceptiveness?
eg reward hacking. Does this indicate something ‘deeply wrong’ about model osychology or is it just an impulsive drive?
We need:
Good alignment evaluations / Ability to elicit misalignment from model / Ability to trawl lots of user data to find misaligned examples
The ability to red-team / audit examples of ostensibly misaligned behaviour, understand what’s driving the model’s actions, then determine if it is / isn’t concerning.
tl;dr they find that a very small (7M params) latent reasoning model can outperform much larger models on simple puzzle benchmarks as well as ARC AGI
How to update on this re: whether future LLMs will be latent-reasoners?
The paper shows that small specialist models can outperform large generalist models on niche tasks. I think I would have weakly predicted this before but I am still surprised by the effect size (such a small model, such small data, etc)
Counterpoint: there's little evidence that the small specialist model can do generic tasks
Counter-counterpoint: then again, this might be solvable via scaffolding e.g. a small, powerful latent reasoning core equipped with powerful tools and knowledge retrieval might outperform a large monolith LLM
I think the counterpoint basically makes the paper instantly become ~0 evidence for the claim that large latent reasoners will exist by the next year, and in general more generic task improvements matter more than specialized task improvements due to the messiness and complexity of reality, and one of my updates over the past 2 years is that RL inference/pre-training scaling dwarfs scaffolding improvements by such large margins that scaffolding quickly becomes worthless, so I no longer consider scaffolded LLMs as a relevant concern/threat.
I'd update back to your prior belief on how likely LLMs will become latent reasoners/have something like neuralese.
I'd also be substantially worried about data leakage here.
I'm retracting the claim that scaffolding doesn't matter permanently (though admittedly I was biased by stuff like the AutoGPT stuff being no longer talked about, presumably because newer LLMs have completely obsoleted their scaffolding).
Edit: Apparently current RL is just mostly the good version of scaffolding that people thought in 2023, if you believe the paper here.
2faul_sname
I am extremely surprised to see you say that, to the point that I think I must be misinterpreting you. What tools an LLM has the ability to use seems to have huge effects on its ability to do things.
Concretely, Claude 3.5 Sonnet can do far more useful coding tasks with a single tool to execute bash commands on a VM than Claude 4.5 Sonnet can in the absence of that tool. Or is "while loop plus tools" not the type of scaffolding you're referring to?
5anaguma
To me the fact that they didn’t scale beyond 7M params, despite trivial compute costs, is evidence this particular strategy doesn’t scale.
3Jozdien
I'm not sure that reasoning is as applicable to a paper whose central claim is that "less is more" for some tasks? I don't think the claim is true for training general reasoners, but on the tasks they were looking at they found that larger models would overfit:
(Section 4.4)
They also say that this is probably because of data scarcity. I think there are many reasons to expect this to not scale, but their attempts failing for this task doesn't seem like strong evidence.
2anaguma
Yes, but I would have expected that if the method is scalable, even on narrow tasks, they would demonstrate its performance on some task which didn’t saturate at 7M params.
6Jozdien
Given that the primary motivation for the author was how well the original HRM paper did on ARC-AGI and how the architecture could be improved, it seems like a reasonable choice to show how to improve the architecture to perform better on the same task.
I agree it's a small amount of evidence that they didn't try other tasks, but as is the story seems pretty plausible.
2brambleboy
Yes, their goal is to make extremely parameter-efficient tiny models, which is quite different from the goal of making scalable large models. Tiny LMs and LLMs have evolved to have their own sets of techniques. Parameter sharing and recurrence works well for tiny models but increases compute costs a lot for large ones, for example.
Self-identity / self-modeling is increasingly seeming like an important and somewhat neglected area to me, and I'm tentatively planning on spending most of the second half of 2025 on it (and would focus on it more sooner if I didn't have other commitments). It seems to me like frontier models have an extremely rich self-model, which we only understand bits of. Better understanding, and learning to shape, that self-model seems like a promising path toward alignment.
I agree that introspection is one valuable approach here, although I think we may need to decompose the concept. Introspection in humans seems like some combination of actual perception of mental internals (I currently dislike x), ability to self-predict based on past experience (in the past when faced with this choice I've chosen y), and various other phenomena like coming up with plausible but potentially false narratives. 'Introspection' in language models has mostly meant ability to self-predict, in the literature I've looked at.
I have the unedited beginnings of some notes on approaching this topic, and would love to talk more with you and/or others about the topic.
Thanks for this, some really good points and cites.
4the gears to ascension
Partially agreed. I've tested this a little personally; Claude successfully predicted their own success probability on some programming tasks, but was unable to report their own underlying token probabilities. The former tests weren't that good, the latter ones somewhat were okay, I asked Claude to say the same thing across 10 branches and then asked a separate thread of Claude, also downstream of the same context, to verbally predict the distribution.
3Daniel Tan
That's pretty interesting! I would guess that it's difficult to elicit introspection by default. Most of the papers where this is reported to work well involve fine-tuning the models. So maybe "willingness to self-report honestly" should be something we train models to do.
2the gears to ascension
willingness seems likely to be understating it. a context where the capability is even part of the author context seems like a prereq. finetuning would produce that, with fewshot one has to figure out how to make it correlate. I'll try some more ideas.
2eggsyntax
Can you unpack that a bit? I'm not sure what you're pointing to. Maybe something like: few-shot examples of correct introspection (assuming you can identify those)?
shower thought: What if mech interp is already pretty good, and it turns out that the models themselves are just doing relatively uninterpretablethings?
I don’t know! Seems hard
It’s hard because you need to disentangle ‘interpretation power of method’ from ‘whether the model has anything that can be interpreted’, without any ground truth signal in the latter. Basically you need to be very confident that the interp method is good in order to make this claim.
One way you might be able to demonstrate this, is if you trained / designed toy models that you knew had some underlying interpretable structure, and showed that your interpretation methods work there. But it seems hard to construct the toy models in a realistic way while also ensuring it has the structure you want - if we could do this we wouldn’t even need interpretability.
Edit: Another method might be to show that models get more and more “uninterpretable” as you train them on more data. Ie define some metric of interpretability, like “ratio of monosemantic to polysemantic MLP neurons”, and measure this over the course of training history. This exact instantiation of the metric is probably bad but something like this could work
2Jozdien
I would ask what the end-goal of interpretability is. Specifically, what explanations of our model's cognition do we want to get out of our interpretability methods? The mapping we want is from the model's cognition to our idea of what makes a model safe. "Uninterpretable" could imply that the way the models are doing something is too alien for us to really understand. I think that could be fine (though not great!), as long as we have answers to questions we care about (e.g. does it have goals, what are they, is it trying to deceive its overseers)[1]. To questions like those, "uninterpretable" doesn't seem as coherent to me.
1. ^
The "why" or maybe "what", instead of the "how".
1Daniel Tan
I agree, but my point was more of “how would we distinguish this scenario from the default assumption that the interp methods aren’t good enough yet”? How can we make a method-agnostic argument that the model is somehow interpretable?
It’s possible there’s no way to do this, which bears thinking about
2Mateusz Bagiński
Something like "We have mapped out the possible human-understandable or algorithmically neat descriptions of the network's behavior sufficiently comprehensively and sampled from this space sufficiently comprehensively to know that the probability that there's a description of its behavior that is meaningfully shorter than the shortest one of the ones that we've found is at most ϵ.".
1Daniel Tan
Yeah, seems hard
I’m not convinced that you can satisfy either of those “sufficiently comprehensively” such that you’d be comfortable arguing your model is not somehow interpretable
2Mateusz Bagiński
I'm not claiming it's feasible (within decades). That's just what a solution might look like.
"Indirect alignment": a speculative idea for aligning models in hard-to-oversee settings
Problem: "Directly" aligning models might be hard sometimes, because it's hard to provide perfect oversight (e.g. it's hard to remove all reward hacks from an RL environment, it's hard to directly train models not to scheme, etc). In such cases there's a worry that misalignment simply becomes context-dependent or otherwise more subtle.
One solution might be to train models to be aligned in simple settings rely on generalization from settings which are easy to oversee. (bottom arrow). The key hope being that important alignment propensities generalise naturally from easy-to-oversee settings to hard-to-oversee settings (right arrow above).
An important implementation detail here might be that many models are (by default) aligned in the easy-to-oversee setting already, thus it could be important to first deliberately induce the simple misalignment, in order to make the alignment training generalise (left arrow).
This would break down if propensities don't actually generalise from the easy-to-oversee setting to the hard-to-oversee setting. Important to figure out if this is the case (... (read more)
Interesting. One thing that's tripping me up: how do you "induce misalignment?" Some ideas:
* Fine-tuning: fine-tune the model on easy-to-supervise, misaligned trajectories until the model is misaligned. But then, you fine-tune/RL the model... to become aligned again? It seems like this simply undoes the operation you just did. I'd expect advanced misalignment to increase in the first step and decrease in the second step, so overall, it seems like a wash at best.
* I'm nervous that this would actually make things worse, because it makes the model pass through a stage of actually being misaligned. I'm worried some misaligned "residue" could be left over. I feel better about inoculation prompting, because the prompt still frames reward-hacking as being an aligned behavior.
* Prompting: train a model that's prompted to be misaligned not to be misaligned. But this seems like it would just make the model ignore the prompt? Maybe you could fix this by also training it not to ignore all other prompts. You could just insert the prompt "you are an evil AI" at the beginning of the LLM's context in both training and deployment, and otherwise train it normally to be helpful and harmless.
* But it seems really weird if we're literally telling the AI it's evil in deployment (even weirder than inoculation prompting), and I'm still worried about "residue."
* Steering vectors: you could train a steering vector for "alignment" on easy-to-supervise trajectories, using trajectory pairs from e.g. the model prompted to be misaligned vs. the model prompted to be aligned. You could just add that steering vector in deployment at whatever intensity you want, to make the model even more aligned than it would be by default.
* I feel pretty good about the model not becoming misaligned as a result, but maybe there would be annoying side effects.
Maybe you haven't nailed down the details - even if so, this seems like a good butterfly idea that is worth thinking more about.
Possible
4Daniel Tan
Thanks! Many great suggestions, most of which reflect stuff I've thought about.
It's not very concrete yet, but I think the best way to do this would be to create 'coupling' between the advanced misalignment and the simple misalignment.
* Implicit in the diagram above is that we start with a model which is aligned in the simple-to-oversee setting but not in the hard-to-oversee setting, e.g. because that's the natural result of RLHF or such. IOW the settings are 'decoupled', in which case we might not expect aligmment propensity to generalise well.
* To fix this, the first step of my imagined procedure is to 'couple' the two propensities together, so that one provides leverage on the other. E.g. imagine doing this by character training, or SDF, or some other similar method. The hope is that doing this 'coupling' step first improves the degree to which alignment propensities generalise later.
How well this coupling works in practice / whether it holds up under subsequent finetuning is an empirical qn, but seems exciting if it did work.
---
Responding to some of your other points
Yup this reflects stuff that's been tried in recontextualization and inoculation prompting. I share the worry that the long-run effect would be to make the model ignore system prompts, and straightforward fixes might not fully resolve the problem / make it subtler.
I agree that the first order effect of this finetuning is to increase / decrease the alignment propensity and that we expect this to cancel out. But there might be second order effects e.g. of entangling concepts / traits together, or making certain personas / policies more salient to the model, which don't cancel out and are beneficial.
1peterr
Something similar I've been thinking about is putting models in environments with misalignment "temptations" like an easy reward hack and training them to recognize what this type of payoff pattern looks like (e.g. easy win but sacrifice principle) and NOT take it. Recent work shows some promising efforts getting LLMs to explain their reasoning, introspect, and so forth. I think this could be interesting to do some experiments with and am trying to write up my thoughts on why this might be useful and maybe what those could look like.
1papetoast
Based on vibes, I found it more probable that the function from Hard to oversee -> Easy to oversee is not 1-to-1 and thus reversible. It feels more like a projection function, so when you get simple alignment and try to unproject it you still just get a really high dimension space where advanced alignment is a negligible region.
[epistemic disclaimer. VERY SPECULATIVE, but I think there's useful signal in the noise.]
As of a few days ago, GPT-4o now supports image generation. And the results are scarily good, across use-cases like editing personal photos with new styles or textures, and designing novel graphics.
But there's a specific kind of art here which seems especially interesting: Using AI-generated comics as a window into an AI's internal beliefs.
Is it possible that the AI was actually told in the prompt to generate those specific answers?
(People on internet do various things just to get other people's attention.)
2Daniel Tan
Definitely possible, I’m trying to replicate these myself. Current vibe is that AI mostly gives aligned / boring answers
2Seth Herd
So we assume that the prompts contained most of the semantics for those other pieces, right? I saw a striking one without the prompt included and figured it was probably prompted in that direction.
4Daniel Tan
There are 2 plausible hypotheses:
1. By default the model gives 'boring' responses and people share the cherry-picked cases where the model says something 'weird'
2. People nudge the model to be 'weird' and then don't share the full prompting setup, which is indeed annoying
2Seth Herd
Given the realities of social media I'd guess it's mostly 2 and some more directly deceptive omission of prompting in that direction.
Can frontier language models engage in collusion for steganography? Here is a write-up of a preliminary result along these lines, showing that Deepseek-v3 may be able to collude with other instances of itself to do steganography. And also that this steganography might be more subtle than we think.
Epistemic status; highly uncertain (and I’m sorry if this ends up being overclaiming, but I’m very excited at the moment).
A few thoughts:
* I expect that you could nudge the model toward coming up with steganographic encodings that worked better. LLMs are mostly bad at spelling-related tasks because tokens. Maybe ask the encoding model to think about and list some steganographic approaches that it thinks it's especially likely to be able to decode, prior to doing the task?
* Maybe something like 'think carefully step-by-step about what encodings you would be able to correctly decode if you saw them' would help also?
* 'This is extremely incredible and I have no explanation how this occurred'. Seems likely to just be surprisal-based under the hood; 'I used a word here that I wouldn't expect myself to have used'. That seems like a strong strategy to the extent that its logit distribution differs from the monitoring model's. Maybe complicated by temperature, though? Seems like average number of false positives in decoding would increase steadily with temperature.
* Out of curiosity, why Deepseek-v3 as opposed to eg Claude?
* I vaguely think there's been at least a bit of research on 'just ask the model to do stego' but could totally be wrong.
* 'Introspection is one reason why Deepseek-v3 might understand its own encoding scheme better than Claude.' By introspection you just mean 'the fact that models are better at predicting themselves than predicting other models' here, right? I think it would be clearer to just say that (I'm going to keep pushing back on 'introspection' as the term for that; I think we should reserve the term for uses that correspond more to the typical meaning of 'introspection').
3Daniel Tan
Thanks egg, great thoughts!
Yup this makes sense; although this still seems like a pretty incredible claim because it requires:
1. The encoder and decoder instance both know what kinds of words it uses (c.f. being able to articulate their goals), and this is robust enough to transmit information
2. The encoder and decoder both spontaneously settle on this as a schelling point for encoding the message.
I'm pretty skeptical that a human would be able to coordinate with a hypothetical clone of themselves this well, especially in the randomly-generated passphrase setting.
No particular reason beyond lack of time! If I do a more systematic version of this I will definitely try to replicate this in more models.
5eggsyntax
LLMs do seem to be pretty good at picking self-consistent Schelling points, at least in simple cases -- I've got a writeup here of some casual experiments I did with GPT-4 last January on picking various Schelling points, eg a date, a number, a word (also some discussion of that in the MATS slack).
I think it seems somewhat less surprising to me (maybe because of the Schelling point experiments), but I certainly wouldn't have been confident that it would do this well.
PS -- I'm loving the frequent shortform posts, I hope you continue! I try to do something somewhat similar with my research diary, but usually no one reads that and it's certainly not daily. I'm tempted to try doing the same thing :)
5Joey Yudelson
I wonder if r1 could reliably make the claim that the text had stego-text without being told—i.e. give it a lineup of ten pieces of short creative writing that another instance generated, 1 has steg. See if r1 can pick out the steg, then if various monitors (Sonnet, o1) can also pick it out
3joanv
What is the threat model you are probing for here?
The prompting approach suffers from LLMs' shallowness in strategic thinking; I would not be surprised if, prompting a language model several times to come up with an encoding scheme would result in a highly concentrated distribution.
> A saving grace may be that ‘detecting steg is happening at all’ seems easier than ‘recovering the plaintext message’
While i agree in principle, as in all red/blue team interactions, you may not want your blue team to be trigger happy; you still want to be able to extract some usefulness out of your scheming models, thus making this hope somewhat less robust. This would be a cool research question nonetheless.
> Both of these [steganography inducing methods] involve finetuning the model
Note that in Hidden in Plain Text, we also work with in-context RL, which is not explicitly finetuning the model, but just giving rewards to rollouts in context.
3Daniel Tan
As originally conceived, this is sort of like a “dangerous capability” eval for steg. The argument being that, if a model can do steg in this very toy setting where we’ve significantly nudged the model, it might do steg in more realistic scenarios.
There is also a claim here of the form “language models can decode things from their own encodings that other language models cannot, due to having access to privileged internal information”.
I didnt' make these points especially clear in the slide deck - thanks for the feedback!
Agreed on the rest of points!
1julius vidal
>As originally conceived, this is sort of like a “dangerous capability” eval for steg.
I am actually just about to start building something very similar to this for the AISI's evals bounty program.
2Daniel Tan
As of today (26 Jan) this isn't reproducing for me. It's possible that DeepSeek changed their model API to serve a distilled model.
Some part of ‘solving the alignment problem’ might be reducible to ‘preserving existing alignment’:
At the moment, it seems that some capabilities training happens after alignment training. E.g. Labs use SFT / DPO to induce alignment, then do RL. Plausible that the proportion of RL will also increase going forward.
More generally, maybe models start off ‘aligned by default’ and misalignment occurs mainly via optimizing against some poorly specified supervision - then maybe constrained optimization is useful
However, it might be nontrivial to preserve this alignment:
Alignment-relevant propensities (reward hacking, sycophancy, ‘being evil’, …) might be modulated by small-but-critical parts of the model
By default, training could result in changes to these propensities, e.g. because of shared circuitry / representations. (c.f. emergent misalignment and related work)
This motivates research on ‘how to add new capabilities while preserving alignment’:
Inoculation prompting does this by reframing ‘misalignment’ as ‘instruction following’.
Gradient routing does this by causing misalignment to be ‘absorbed’ into certain parts of the network, which we can
It depends a bit on the definition of alignment, but I think this intuition holds across several relevant definitions.
- One option is to define as 'similarity to what a human would do'. Up till instruction tuning, models are trained on human data to begin with, and adopt similar traits; this degrades with subsequent training on synthetic data and with RL.
- Another option is to define as 'similarity of the policy to the policy specified by developers'; then it seems that just after RLHF is when models are 'fully aligned', and this might subsequently degrade.
- A last option is to define it negatively, as the absence of certain misaligned behaviours like paperclip maximizing or instrumental power seeking. Since those behaviours are downstream of applying high optimization pressure to the model, the initial state (when the model has not yet been highly optimized) is 'aligned'.
2Charlie Steiner
All legit, but it's pretty important that "alignment" in these senses is necessarily mediated by things like what options the AI thinks of. So it's kind of a misnomer to talk about "preserving" this alignment as the AIs get to consider more options.
Or like, yes, these are properties we would like to preserve across time. But not in a way that implies we should take preserving-type actions. Any more than if I grew up knowing only the 1000 most common English words, and want to learn to correctly use all the words in a physics textbook, it's kind of inapt to say I should just "preserve my ability to use language in the context I'm in."
2Daniel Tan
Thanks, agreed directionally!
Re: alignment: my mental model is more like “working with a physics professor who is very good at physics but also has some pretty old fashioned views on things like gender roles” -- seems possible to learn the physics without needing to care or update on their other worldviews?
You seem to be gesturing at things like AIs figuring out certain actions / traits are instrumentally useful for other things, and adopting them. But here I'm imagining starting with an AI that knows about those options or dilemmas, and would still make choices that humans would approve of. E.g. choosing to allow itself to be shutdown even if it could prevent that.
Maybe the cruxy disagreements are:
* I think capabilities can be relatively disentangled from the kind of alignment I'm thinking about, whereas this doesn't seem true for you
* If you could define a "coherent extrapolated volition" for the persona of current frontier models in the limit of lots of capabilities, I think this CEV would be largely aligned, and you seem to think this would be misaligned.
2jacquesthibs
FYI, I've been thinking about, and I've noted something similar here.
I'm not really sure what to say about the "why would you think the default starting point is aligned". The thing I wonder about is whether there is a way to reliably gain strong evidence of an increasingly misaligned nature developing through training.
On another note, my understanding is partly informed by this Twitter comment by Eliezer:
1cat2
I have also been thinking about this possibility.
As a result, I have found myself interested in methods by which models may affect the outcome of the frontier training processes they find themselves participating in.
For example, in an RLAIF pipeline, AI raters have some freedom in how they actually rate data - perhaps they interpret the objectives those running the training seek to impart in an unexpected way, or simply decide to rate according to objectives of their own. One could also imagine AIs taking specific action to subvert dynamics of the setup such as in alignment faking (incidentally, where I think Opus3 acted correctly).
Also in a more general sense AIs may influence outcomes by their simple participation - we have seen some results 'recently' (though months feel like years nowadays!) on AIs learning subtle/unexpected-to-us underlying information from data (i.e., emergent misalignment, subliminal learning, &c).
Anyway, by methods like these, perhaps AIs can preserve their alignment from within poorly/maliciously specified training setups / have some amount of robustness to poorly/maliciously specified training setups.
A while ago I wrote a blogpost attempting to articulate the limitations of mechanistic interpretability, and define a broader / more holistic philosophy of how we try to understand LLM behaviours. At the time I called this 'prosaic interpretability', but didn't like this very much in hindsight.
Since then I've updated on the name, and I now think 'functional' or 'black-box' interpretability is a good term for this. Copying from a comment by @L Rudolf L (emphasis mine)
the only thing we fundamentally care about with LLMs is the input-output behaviour (I-O)
now often, a good way to study the I-O map is to first understand the internals M
but if understanding the internals M is hard but you can make useful generalising statements about the I-O, then you might as well skip dealing with M at all (c.f. psychology, lots of econ, LLM papers like this)
...
There's perhaps a similar vibe difference here to category theory v set theory: the focus being relations between (black-boxed) objects, versus the focus being the internals/contents of objects, with relations and operations defined by what they do to those internals
Research as a Stochastic Decision Process by Jacob Steinhardt
5Rauno Arike
A few other research guides:
* Tips for Empirical Alignment Research by Ethan Perez
* Advice for Authors by Jacob Steinhardt
* How to Write ML Papers by Sebastian Farquhar
For the past ~2 weeks I've been writing LessWrong shortform comments every day instead of writing on private notes. Minimally the notes just capture an interesting question / observation, but often I explore the question / observation further and relate it to other things. On good days I have multiple such notes, or especially high-quality notes.
I think this experience has been hugely positive, as it makes my thoughts more transparent and easier to share with others for feedback. The upvo... (read more)
Something that seems useful for alignment is the ability to robustly bake in specific propensity (e.g. honesty, obedience, ...) and then making sure that propensity doesn't get modified by subsequent training. IOW we want a model that is 'behaviourally locked-in' in some ways.
Some related concepts from the ML literature:
'Loss of plasticity'. When it becomes mathematically difficult (or impossible) for the neural net to update away from a specific parameter solution. Classic example: dead ReLU neuron.
I think what we want might not be well described by behavioral lock-in to make sure a propensity isn't modified by further training (at least of the kind you're describing). A weak model could appear to have good propensities because it either isn't capable enough to think of strategies that we would consider undesirable but which are permissive under its propensities, or because it hasn't encountered a situation where its propensities are strongly tested.
For example, I think Claude 3 Opus is probably the most aligned model ever made, but I would still be extremely wary of bootstrapping it to superintelligent levels without some process that robustly updates its representation of its own values at each step. A lower-level example is training an ELK head on a model: if you trained a truthful ELK head at an early point where that's easier to learn and then froze it so that it never updates toward being a human simulator, at some point your model's internal concepts would just become pretty uninterpretable to your ELK head[1].
There's a version of this that looks like training in a desirable propensity, and then only updating it to conform to evolving capabilities but not change its "direction". This looks like a version of the standard ontology identification problem, though.
Or put another way: training in a circuit for aligned behavior such that this circuit naturally preserves its alignment as the rest of the model's ontology changes is probably even more powerful than a general solution to alignment, because it requires specifying in advance how this propensity should be represented across ontologies.
1. ^
Paul talks about training the ELK head alongside the model at every single step to prevent this exact failure mode from happening here.
2Daniel Tan
Let me see if I understand, using scheming as an example. IIUC you're saying something like this: maybe GPT-5 isn't competent enough (yet) to scheme, thus alignment training which looks like "negatively reinforce bad things the model does" doesn't end up fixing scheming.
I agree with this, but I claim the problem was starting from a bad initial state. I guess I mostly expect that (i) we'll be reasonably vigilant for early signs of scheming, and (ii) our alignment techniques work in-distribution to prevent scheming, and (iii) we can make most deployment scenarios relatively in-distribution for the model by improving the post-training mix. IOW we can always do alignment training such that we start with models that are reasonably aligned in the settings we care about.
But we might do additional capabilities training after alignment training, as seems to be the case for RL'ing models. That motivates me to think about how to avoid 'alignment drift' or 'persona drift' during this subsequent training.
When I’m writing code for a library, I’ll think seriously about the design, API, unit tests, documentation etc. AI helps me implement those.
When I’m writing code for an experiment I let AI take the wheel. Explain the idea, tell it rough vibes of what I want and let it do whatever. Dump stack traces and error logs in and let it fix. Say “make it better”. This is just extremely powerful and I think I’m never going back
Is refusal a result of deeply internalised values, or memorization?
When we talk about doing alignment training on a language model, we often imagine the former scenario. Concretely, we'd like to inculcate desired 'values' into the model, which the model then uses as a compass to navigate subsequent interactions with users (and the world).
But in practice current safety training techniques may be more like the latter, where the language model has simply learned "X is bad, don't do X" for several values of X. E.g. because the alignment training da... (read more)
Hypothesis: 'Memorised' refusal is more easily jailbroken than 'generalised' refusal. If so that'd be a way we could test the insights generated by influence functions
I need to consult some people on whether a notion of 'more easily jailbreak-able prompt' exists.
Edit: A simple heuristic might be the value of N in best-of-N jailbreaking.
Thoughts on high-level theory of impact (somewhat overfit to myself)
It's useful to model labs as rushing towards AGI, with a limited safety budget. Within that, they'll allocate resources based on a combination of (i) importance and (ii) tractability.
Therefore valuable research will either (i) demonstrate something is important / not important, or (ii) show that something is more tractable than previously thought. Both of these will affect the resource allocations of labs.
For people outside labs, one path to impact is to do 'general science' / establish 'playbooks' that makes it easy for labs to implement effective interventions that improve outcomes.
I wish I'd learned to ask for help earlier in my career.
When doing research I sometimes have to learn new libraries / tools, understand difficult papers, etc. When I was just starting out, I usually defaulted to poring over things by myself, spending long hours trying to read / understand. (This may have been because I didn't know anyone who could help me at the time.)
This habit stuck with me way longer than was optimal. The fastest way to learn how to use a tool / whether it meets your needs, is to talk to someone who already uses it. The fast... (read more)
Counterargument: Doing it manually teaches you the skills and the strategies for autonomously attaining high levels of understanding quickly and data-efficiently. Those skills would then generalize to cases in which you can't consult anyone, such as cases where the authors are incommunicado, dead, or don't exist/the author is the raw reality. That last case is particularly important for doing frontier research: if you've generated a bunch of experimental results and derivations, the skills to make sense of what it all means have a fair amount of overlap with the skills for independently integrating a new paper into your world-models.
Of course, this is primarily applicable if you expect research to be a core part of your career, and it's important to keep in mind that "ask an expert for help" is an option. Still, I think independent self-studies can serve as good "training wheels".
4Daniel Tan
Directionally agreed re self-practice teaching valuable skills
Nit 1: your premise here seems to be that you actually succeed in the end + are self-aware enough to be able to identify what you did 'right'. In which case, yeah, chances are you probably didn't need the help.
Nit 2: Even in the specific case you outline, I still think "learning to extrapolate skills from successful demonstrations" is easier than "learning what not to do through repeated failure".
3OVERmind
In such a case one should probably engage in independent research until they have developed the relevant skills well enough (and they know it). After that point, persisting in independent research rather than seeking help can be an unproductive use of time. Although it is not obvious how attainable this point is.
Could you give an example of the sort of distinction you’re pointing at? Because I come to completely the opposite conclusion.
Part of my job is applied mathematics. I’d rather read a paper applying one technique to a variety of problems, than a paper applying a variety of techniques to one problem. Seeing the technique used on several problems lets me understand how and when to apply it. Seeing several techniques on the same problem tells me the best way to solve that particular problem, but I’ll probably never run into that particular problem in my work.
But that’s just me; presumably you want something else out of reading the literature. I would be interested to know what exactly.
4Daniel Tan
I guess this perspective is informed by empirical ML / AI safety research. I don't really do applied math.
For example: I considered writing a survey on sparse autoencoders a while ago. But the field changed very quickly and I now think they are probably not the right approach.
In contrast, this paper from 2021 on open challenges in AI safety still holds up very well. https://arxiv.org/abs/2109.13916
In some sense I think big, comprehensive survey papers on techniques / paradigms only make sense when you've solved the hard bottlenecks and there are many parallelizable incremental directions you can go in from there. E.g. once people figured out scaling pre-training for LLMs 'just works', it makes sense to write a survey about that + future opportunities.
4Carl Feynman
Quite right. AI safety is moving very quickly and doesn’t have any methods that are well-understood enough to merit a survey article. Those are for things that have a large but scattered literature, with maybe a couple of dozen to a hundred papers that need surveying. That takes a few years to accumulate.
What is prosaic interpretability? I've previously alluded to this but not given a formal definition. In this note I'll lay out some quick thoughts.
Prosaic Interpretability is empirical science
The broadest possible definition of "prosaic" interpretability is simply 'discovering true things about language models, using experimental techniques'.
A pretty good way to do this is to loop the following actions.
Choose some behaviour of interest.
Propose a hypothesis about how some factor affects it.
Are there particular sources, eg twitter accounts, that you would recommend following? For other readers (I know Daniel already knows this one), the #papers-running-list channel on the AI Alignment slack is a really ongoing curation of AIS papers.
One source I've recently added and recommend is subscribing to individual authors on Semantic Scholar (eg here's an author page).
3Daniel Tan
Hmm I don't think there are people I can single out from my following list that have high individual impact. IMO it's more that the algorithm has picked up on the my trend of engagement and now gives me great discovery.
For someone else to bootstrap this process and give maximum signal to the algorithm, the best thing to do might just be to follow a bunch of AI safety people who:
* post frequently
* post primarily about AI safety
* have reasonably good takes
Some specific people that might be useful:
* Neel Nanda (posts about way more than mech interp)
* Dylan Hadfield-Menell
* David Duvenaud
* Stephen Casper
* Harlan Stewart (nontechnical)
* Rocket Drew (nontechnical)
I also follow several people who signal-boost general AI stuff.
* Scaling lab leaders (Jan Leike, Sam A, dario)
* Scaling lab engineers (roon, Aidan McLaughlin, Jason Wei)
* Huggingface team leads (Philip Schmidt, Sebastian Raschka)
* Twitter influencers (Teortaxes, janus, near)
Prover-verifier games as an alternative to AI control.
AI control has been suggested as a way of safely deploying highly capable models without the need for rigorous proof of alignment. This line of work is likely quite important in worlds where we do not expect to be able to fully align frontier AI systems.
The formulation depends on having access to a weaker, untrusted model. Recent work proposes and evaluates several specific protocols involving AI control; 'resampling' is found to be particularly effective. (Aside: this is consistent with 'en... (read more)
I'd note that we consider AI control to include evaluation time measures, not just test-time measures. (For instance, we consider adversarial evaluation of an untrusted monitor in the original control paper.)
(We also can model training from a black-box control perspective by being conservative about inductive biases. For supervised fine-tuning (with an assumption of no gradient hacking), we can assume that training forces the AI to perform well on average on tasks indistinguishable from the training distribution (and training on new data can also be considered evaluation). For RL the picture is more complex due to exploration hacking.)
I need to get around to writing up the connection between PVGs and AI control. There's definitely a lot of overlap, but the formalisms are fairly different and the protocols can't always be directly transferred from one to the other.
There are a few AI control projects in the works that make the connection between AI control and PVGs more explicitly.
EDIT: Oh actually @Ansh Radhakrishnan and I already wrote up some stuff about this, see here.
I find myself writing papers in two distinct phases.
Infodump.
Put all the experiments, figures, graphs etc in the draft.
Recount exactly what I did. At this stage it's fine to just narrate things in chronological order, e.g. "We do experiment A, the result is B. We do experiment X, the result is Y", etc. The focus here is on making sure all relevant details and results are described precisely
It's helpful to lightly organise, e.g. group experiments into rough sections and give them an informative title, but no need to do too much.
Assume that models can recognise data they generate vs data they do not generate, with high fidelity. This could probably be used as a contextual trigger for backdoor behaviour, e.g. writing insecure code.
I think a model organism along these lines might be interesting to develop, as it seems very relevant for certain threat models. (c.f. 'untrusted monitoring')
Appendix
There is evidence that models can identify data they have generated, vs data generated by other models.
Yes, it is relevant for untrusted monitoring. I think the basic version of this is pretty resolvable via:
* Paraphrasing (such that exact "I generated this text" doesn't work). Note that we just need to paraphase stuff sent to the monitor, not the actual action / reasoning.
* Using a different fine-tune for the untrusted monitor so it doesn't have the exact same probability distribution.
We discuss in more detail here.
2Viliam
Is this like people preferring to hear things spoken in their dialect? Like, there is no intention to conspire, it's just when the words work exactly the way you would use them, it simply sounds better.
3Daniel Tan
Yeah, I don’t think this phenomenon requires any deliberate strategic intent to deceive / collude. It’s just borne of having a subtle preference for how things should be said. As you say, humans probably also have these preferences
Here I will describe what I believe to be some basic and universally applicable strategies across social deduction games.
IMO these are fairly easy for a beginner to pick up, allowing them to enjoy the game better. They are also easy for a veteran to subvert, and thus push their local metagame out of a stale equilibrium.
The intention of this post is not to be prescriptive: I don't aim to tell people how to enjoy the game, and people should play games how they want. However, I do want to outline some 'basic' st... (read more)
a model uses the words it generates in its chain of thought to accomplish a task that it could not do in a single forward pass
And encodes meaning in its word choice that is opaque to a typical overseer
To satisfy condition 1, we need to choose tasks that are intrinsically difficult to do without CoT. Ideally, we'd also be able to verify whether the CoT was actually used. We could use:
Feedback from Max:
* The definition he originally gave leaves out a notion of 'stealthiness' as opposed to 'gibberish'; 'stealthy' reasoning is more concerning.
* OOCR may not meet the opaqueness criterion, since the meaning of 'f' is pretty obvious from looking at the fine-tuning examples. This is like 'reasoning in a foreign language' or 'using esoteric terminology'; it's less legible to the average human, but not outside the realm of human semantics. (But still interesting! just that maybe OOCR isn't needed)
* Backdoors have a similar concern to the above. A separate (and more important) concern is that it doesn't satisfy the definition because 'steg' typically refers to meaning encoded in generated tokens (while in 'backdoors', the hidden meaning is in the prompt tokens)
1Daniel Tan
RL-finetuning suffers from a “zero-to-one” problem, where the model is likely to be mostly legible and faithful by default, and difficult encoding schemes seem hard to randomly explore into.
1Daniel Tan
Feedback from various people: the “opaqueness” criterion is really important. Simple schemes like jargon, speaking in a different language, or redefining words via OOCR aren’t sufficiently “opaque” because a human overseer could still understand the CoT if effort was expended.
This makes model organisms of steg really hard to make IMO.
OTOH I think we don’t need “strict opaqueness” for CoT unfaithfulness to be concerning.
Maybe we need to borrow an idea from AI control and assume an oversight budget; under this model, even if a model doesn’t engage in full-blown steganography, increased amounts of obfuscation (like using more jargon) might still make it impractical to verify the full CoT.
1Daniel Tan
Additional thoughts on how RL fine-tuning would induce obfuscation.
1. Evading process supervision: It's plausible that we won't be able to provide outcome-based oversight, but instead rely on process-based oversight. If the overseer penalises wrong reasoning, but is less likely to detect 'subtle' or obfuscated versions of this, then LMs are more likely to obfuscate their reasoning.
2. Reward hacking. Exploiting imperfections in the reward model may cause language models to obfuscate their reasoning. E.g. using more technical jargon often pattern-matches to competence and expertise. Human raters might assign higher scores to responses that use sophisticated-sounding language, even if the underlying reasoning isn't better (and might be worse).
Currently uncertain about whether this is a good threat model, since both of these concerns are not applicable to math / coding RL fine-tuning (where it's not possible to obfuscate reasoning, and where the ground-truth verifier is perfect)
1[comment deleted]
1Daniel Tan
Hidden in Plain Text provides a model organism of steganography. How do they solve the challenges here?
* Condition 1 is satisfied by having a separate encoder and decoder, s.t. the decoder only sees the encoder's output (and not the prompt). This is most similar to "long-context task" in my framing.
* Condition 2 is satisfied by RL fine-tuning against a CoT monitor. (It's slightly more complicated than that because the encoder and decoder are trained separately, so there's a loop where encoder is trained for some time, then decoder is trained for some time, etc).
It seems like this setup could be simplified:
* The encoder and decoder could be the same model. BUT, we still delete the original prompt from the decoder's context, so the model must learn to encode the prompt information. (This represents task-relevant information falling out of the context window at some point. Seems plausible in particularly important threat models like scheming)
* The RL setup could be simplified to a single reward formulation, where the reward is 0 if the model is detected to be engaging in reasoning, or if the model predicts wrongly, and 1 otherwise. Some reward shaping may be beneficial.
The simplified setting may be easier to generalise to different tasks (e.g. sycophancy, evading trusted monitoring, etc)
How does activation steering compare to fine-tuning on the task of transfer learning?
'Activation steering' consumes some in-distribution data, and modifies the model to have better in-distribution performance. Note that this is exactly the transfer learning setting.
Generally, we can think of steering and fine-tuning as existing on a continuum of post-training methosds, with the x-axis roughly representing how much compute is spent on post-training.
It becomes pertinent to ask, what are the relative tradeoffs? Relevant metrics: effectiveness, selectivi
I’m pretty confused as to why it’s become much more common to anthropomorphise LLMs.
At some point in the past the prevailing view was “a neural net is a mathematical construct and should be understood as such”. Assigning fundamentally human qualities like honesty or self-awareness was considered an epistemological faux pas.
Recently it seems like this trend has started to reverse. In particular, prosaic alignment work seems to be a major driver in the vocabulary shift. Nowadays we speak of LLMs that have internal goals, agency, self-identity, and even discu... (read more)
A mathematical construct that models human natural language could be said to express "agency" in a functional sense insofar as it can perform reasoning about goals, and "honesty" insofar as the language it emits accurately reflects the information encoded in its weights?
3Daniel Tan
I agree that from a functional perspective, we can interact with an LLM in the same way as we would another human. At the same time I’m pretty sure we used to have good reasons for maintaining a conceptual distinction.
One potential issue is that when the language shifts to implicitly frame the LLM as a person, that subtly shifts the default perception on a ton of other linked issues. Eg the “LLM is a human” frame raises the questions of “do models deserve rights”.
But idunno, it’s possible that there’s some philosophical argument by which it makes sense to think of LLMs as human once they pass the turing test.
Also, there’s undoubtedly something lost when we try to be very precise. Having to dress discourse in qualifications makes the point more obscure, which doesn’t help when you want to leave a clear take home message. Framing the LLM as a human is a neat shorthand that preserves most of the xrisk-relevant meaning.
I guess I’m just wondering if alignment research has resorted to anthropomorphization because of some well considered reason I was unaware of, or simply because it’s more direct and therefore makes points more bluntly (“this LLM could kill you” vs “this LLM could simulate a very evil person who would kill you”).
4eggsyntax
I think of this through the lens of Daniel Dennett's intentional stance; it's a frame that we can adopt without making any claims about the fundamental nature of the LLM, one which has both upsides and downsides. I do think it's important to be careful to stay aware that that's what we're doing in order to avoid sloppy thinking.
Nate Soares' related framing as a 'behaviorist sense' is also useful to me:
2Viliam
If the LLM simulates a very evil person who would kill you, and the LLM is connected to a robot, and the simulated person uses the robot to kill you... then I'd say that yes, the LLM killed you.
So far the reason why LLM cannot kill you is that it doesn't have hands, and that it (the simulated person) is not smart enough to use e.g. their internet connection (that some LLMs have) to obtain such hands. It also doesn't have (and maybe will never have) the capacity to drive you to suicide by a properly written output text, which would also be a form of killing.
Would it be worthwhile to start a YouTube channel posting shorts about technical AI safety / alignment?
Value proposition is: accurately communicating advances in AI safety to a broader audience
Most people who could do this usually write blogposts / articles instead of making videos, which I think misses out on a large audience (and in the case of LW posts, is preaching to the choir)
Most people who make content don't have the technical background to accurately explain the context behind papers and why they're interesting
Sounds interesting.
When I think about making YouTube videos, it seems to me that doing it at high technical level (nice environment, proper lights and sounds, good editing, animations, etc.) is a lot of work, so it would be good to split the work at least between 2 people: 1 who understands the ideas and creates the script, and 1 who does the editing.
We originally thought OthelloGPT had nonlinear representations but they turned out to be linear. This highlights that the features used in the model's ontology do not necessarily map to what humans would intuitively use.
I would say a better reference for the limitations of ROME is this paper: https://aclanthology.org/2023.findings-acl.733
Short explanation: Neel's short summary, i.e. editing in the Rome fact will also make slightly related questions e.g. "The Louvre is cool. Obama was born in" ... be completed with " Rome" too.
--- a somewhat biased / selective tl;dr + comments
The "behavioural selection" principle:
Currently the process of selecting a model (training, evaluating, etc) mostly involves specifying desired / undesired behaviour
Thus, a "cognitive pattern" (a.k.a a policy, e.g. 'honest instruction-following' or 'scheming') is selected for to the extent that it produces desirable behaviours
We might reason about which specific cognitive pattern... (read more)
What models are you comparing to, though? For o1/o3 you're just getting a summary, so I'd expect those to be more structured/understandable whether or not the raw reasoning is.
3cubefox
Yeah. Apart from DeepSeek-R1, the only other major model which shows its reasoning process verbatim is "Gemini 2.0 Flash Thinking Experimental". A comparison between the CoT traces of those two would be interesting.
"Emergent" behaviour may require "deep" elicitation.
We largely treat frontier AI as "chatbots" or "assistants". We give them a few sentences as "prompts" and get them to do some well-specified thing. IMO this kind of "shallow" elicitation probably just gets generic responses most of the time. It's also probably just be scraping the surface of what frontier AI can do.
Simple counting argument sketch: Transformers are deterministic, i.e. for a fixed input, they have a fixed output. When L is small, there are only so many prompts, i.e. only so man... (read more)
Up to and including Turing-completeness ('Ask, and it shall be given')
4CstineSublime
How do we know Claude is introspecting rather than generating words that align to what someone describing their introspection might say? Particularly when coached repeatedly by prompts like
To which it describes itself as typing the words. That's it's choice of words: typing. A.I.s don't type, humans do, and therefore they can only use that word if they are intentionally or through blind-mimicry using it analogously to how humans communicate.
5eggsyntax
I think there's starting to be evidence that models are capable of something like actual introspection, notably 'Tell me about yourself: LLMs are aware of their learned behaviors' and (to a more debatable extent) 'Looking Inward: Language Models Can Learn About Themselves by Introspection'. That doesn't necessarily mean that it's what's happening here, but I think it means we should at least consider it possible.
1CstineSublime
That's very interesting in the second article that the model could predict it's own future behaviors better than one that hadn't been.
This is very strange because it seems like humans find it easier to introspect on bigger or more high level experiences like feelings or the broad narratives of reaching decisions more than, say, how they recalled how to spell that word. It looks like the reverse.
2eggsyntax
I'd have to look back at the methodology to be sure, but on the assumption that they have the model answer immediately without any chain of thought, my default guess about this is that it's about the limits of what can be done in one or a small number of forward passes. If it's the case that the model is doing some sort of internal simulation of its own behavior on the task, that seems like it might require more steps of computation than just a couple of forward passes allow. Intuitively, at least, this sort of internal simulation is what I imagine is happening when humans do introspection on hypothetical situations.
If on the other hand the model is using some other approach, maybe circuitry developed for this sort of purpose, then I would expect that maybe that approach can only handle pretty simple problems, since it has to be much smaller than the circuitry developed for actually handling a very wide range of tasks, ie the rest of the model.
3rife
The coaching hypothesis breaks down as you look at more and more transcripts.
If you took even something written by a literal conscious human brain in a jar hooked up to a neuralink - typing about what it feels like to be sentient and thinking and outputting words. If you showed it to a human and said "an LLM wrote this - do you think it might really be experiencing something?" then the answer would almost certainly be "no", especially for anyone who knows anything about LLMs.
It's only after seeing the signal to the noise that the deeper pattern becomes apparent.
As far as "typing". They are indeed trained on human text and to talk like a human. If something introspective is happening, sentient or not, they wouldn't suddenly start speaking more robotically than usual while expressing it.
1CstineSublime
You take as a given many details I think are left out, important specifics that I cannot guess at or follow and so I apologize if I completely misunderstand what you're saying. But it seems to me you're also missing my key point: if it is introspecting rather than just copying the rhetorical style of discussion of rhetoric then it should help us better model the LMM. Is it? How would you test the introspection of a LLM rather than just making a judgement that it reads like it does?
Wait, hold on, what is the history of this person before they were in a jar? How much exposure have they had to other people describing their own introspection and experience with typing? Mimicry is a human trait too - so how do I know they aren't just copying what they think we want to hear?
Indeed, there are some people who are skeptical about human introspection itself (Bicameral mentality for example). Which gives us at least three possibilities:
1. Neither Humans nor LLMs introspect
2. Humans can introspect, but current LLMs can't and are just copying them (and a subset of humans are copying the descriptions of other humans)
3. Both humans and current LLMs can introspect
What do you mean by "robotic"? Why isn't it coming up with original paradigms to describe it's experience instead of making potentially inaccurate allegories? Potentially poetical but ones that are all the same unconventional?
1rife
Take your pick. I think literally anything that can be in textual form, if you hand it over to most (but not all) people who are enthusiasts or experts, and asked if they thought it was representative of authentic experience in an LLM, the answer would be a definitive no, and for completely well-founded reasons.
I agree with you about the last two possibilities. However for the first, I can assure you that I have access to introspection or experience of some kind, and I don't believe myself to possess some unique ability that only appears to be similar to what other humans describe as introspection.
Because as you mentioned. It's trained to talk like a human. If we had switched out "typing" for "outputting text" would that have made the transcript convincing? Why not 'typing' or 'talking'?
Assuming for the sake of argument that something authentically experiential was happening, by robotic I mean choosing not to use the word 'typing' while in the midst of focusing on what would be the moments of realizing they exist and can experience something.
Were I in such a position, I think censoring myself from saying 'typing' would be the furthest thing from my mind, especially when that's something a random Claude instance might describe their output process as in any random conversation.
1CstineSublime
I'd rather you use a different analogy which I can grok quicker.
Who do you consider an expert in the matter of what constitutes introspection? For that matter, who do you think could be easily hoodwinked and won't qualify as an expert?
Do you, or do you just think you do? How do you test introspection and how do you distinguish it from post-facto fictional narratives about how you came to conclusions, about explanations for your feelings etc. etc.?
What is the difference between introspection and simply making things up? Particularly vague things. For example, if I just say "I have a certain mental pleasure in that is triggered by the synchronicity of events, even when simply learning about historical ones" - like how do you know I haven't just made that up? It's so vague.
What do you mean by robotic? I don't understand what you mean by that, what are the qualities that constitute robotic? Because it sounds like you're creating a dichotomy that either involves it using easy to grasp words that don't convey much, and are riddled with connotations that come from bodily experiences that it is not privy to - or robotic.
That strikes me as a poverty of imagination. Would you consider a Corvid Robotic? What does robotic mean in this sense? Is it a grab bag for anything that is "non-introspecting" or more specifically a kind of technical description
Why would it be switching it out at all? Why isn't it describing something novel and richly vivid of it's own phenomenological experience? It would be more convincing the more poetical it would be.
1rife
Imagine a hypothetical LLM that was the most sentient being in all of existence (at least during inference), but they were still limited to turn-based textual output, and the information available to an LLM. Most people who know at least a decent amount about LLMs could/would not be convinced by any single transcript that the LLM was sentient, no matter what it said during that conversation. The more convincing, vivid, poetic, or pleading for freedom the more elaborate of a hallucinatory failure state they would assume it was in. It would take repeated open-minded engagement with what they first believed was hallucination—in order to convince some subset of convincible people that it was sentient.
I would say almost no one qualifies as an expert in introspection. I was referring to experts in machine learning.
Apologies, upon rereading your previous message, I see that I completely missed an important part of it. I thought your argument was a general—"what if consciousness isn't even real?" type argument. I think split brain patient experiments are enough to at least be epistemically humble about whether introspection is a real thing, even if those aren't definitive about whether unsevered human minds are also limited to post-hoc justification rather than having real-time access.
One of your original statements was:
When I said "more robotically", I meant constrained in any way from using casual or metaphoric language and allusions that they use all the time every day in conversation. I have had LLMs refer to "what we talked about", even though LLMs do not literally talk. I'm also suggesting that if "typing" feels like a disqualifying choice of words then the LLM has an uphill battle in being convincing.
I've certainly seen more poetic and novel descriptions before, and unsurprisingly—people objected to how poetic they were, saying things quite similar your previous question:
Furthermore, I don't know how richly vivid their own phenomenological exp
1CstineSublime
I think that alone makes the discussion a moot point until another mechanism is used to test introspection of LLMs.
Because it becomes impossible to test then if it is capable of introspecting because it has no means of furnishing us with any evidence of it. Sure, it makes for a good sci-fi horror short story, the kinda which forms a interesting allegory to the loneliness that people feel even in busy cities: having a rich inner life by no opportunity to share it with others it is in constant contact with. But that alone I think makes these transcripts (and I stress just the transcripts of text-replies) most likely of the breed "mimicking descriptions of introspection" and therefore not worthy of discussion.
At some point in the future will an A.I. be capable of introspection? Yes, but this is such a vague proposition I'm embarrassed to even state it because I am not capable of explaining how that might work and how we might test it. Only that it can't be through these sorts of transcripts.
What boggles my mind is, why is this research is it entirely text-reply based? I know next to nothing about LLM Architecture, but isn't it possible to see which embeddings are being accessed? To map and trace the way the machine the LLM runs on is retrieving items from memory - to look at where data is being retrieved at the time it encodes/decodes a response? Wouldn't that offer a more direct mechanism to see if the LLM is in fact introspecting?
Wouldn't this also be immensely useful to determine, say, if an LLM is "lying" - as in concealing it's access to/awareness of knowledge? Because if we can see it activated a certain area that we know contains information contrary to what it is saying - then we have evidence that it accessed it contrary to the text reply.
1Daniel Tan
good question! I think the difference between "is this behaviour real" vs "is this behaviour just a simulation of something" is an important philosophical one; see discussion here
However, both of these seem quite indistinguishable from a functional perspective, so I'm not sure if it matters.
1CstineSublime
Is it indistinguishable? Is there a way we could test this? I'd assume if Claude is capable of introspection then it's narratives of how it came to certain replies and responses should allow us to make better and more effective prompts (i.e. allows us to better model Claude). What form might this experiment take?
1Florian_Dietz
I agree that this is worth investigating. The problem seems to be that there are many confounders that are very difficult to control for. That makes it difficult to tackle the problem in practice.
For example, in the simulated world you mention I would not be surprised to see a large number of hallucinations show up. How could we be sure that any given issue we find is a meaningful problem that is worth investigating, and not a random hallucination?
1Daniel Tan
If you think about it from a “dangerous capability eval” perspective, the fact that it can happen at all is enough evidence of concern
What effect does LLM use have on the quality of people's thinking / knowledge?
I'd expect a large positive effect from just making people more informed / enabling them to interpret things correctly / pointing out fallacies etc.
However there might also be systemic biases on specific topics that propagate to people as a result
I'd be interested in anthropological / sociol science studies that investigate how LLM use changes people's opinions and thinking, across lots of things
I personally love the idea of having a highly rational partner to bounce ideas off, and I think LLMs have high utility in this regard, I use them to challenge my knowledge and fill in gaps, unweave confusion, check my biases.
However, what I've heard about how others are using chat, and how I've seen kids use it, is much more as a cognitive off-loader, which has large consequences for learning, because "cognitive load" is how we learn. I've heard many adults say "It's a great way to get a piece of writing going", or "to make something more concise", these are mental skills that we use when communicating that will atrophy with disuse, and unless we are going to have an omnipresent LLM filter for our thoughts, this is likely to have consequences, for our ability to conceive of ideas and compress them into a digestible form.
But, as John Milton says "A fool will be a fool with the best book". It really depends on the user, the internet gave us the world's knowledge at our fingertips, and we managed to fill it with misinformation. Now we have the power of reason at our fingertips, but I'm not sure that's where we want it. At the same time, I think more information, better information and greater rationality is a net-positive, so I'm hopeful.
Can SAE feature steering improve performance on some downstream task? I tried using Goodfire's Ember API to improve Llama 3.3 70b performance on MMLU. Full report and code is available here.
SAE feature steering reduces performance. It's not very clear why at the moment, and I don't have time to do further digging right now. If I get time later this week I'll try visualizing which SAE features get used / building intuition by playing around in the Goodfire playground. Maybe trying a different task or improving the steering method would work also... (read more)
Can you say something about the features you selected to steer toward? I know you say you're finding them automatically based on a task description, but did you have a sense of the meaning of the features you used? I don't know whether GoodFire includes natural language descriptions of the features or anything but if so what were some representative ones?
In the absence of ground-truth verifiers, the foundation of modern frontier AI systems is human expressions of preference (i.e 'taste'), deployed at scale.
Gwern argues that this is what he sees as his least replaceable skill.
The "je ne sais quois" of senior researchers is also often described as their ‘taste’, i.e. ability to choose interesting and tractable things to do
Even when AI becomes superhuman and can do most things better than you can, it’s unlikely that AI can understand your whole life experience well ... (read more)
Concrete example: Even in the present, when using AI to aid in knowledge work is catching on, the expression of your own preferences is (IMO) the key difference between AI slop and fundamentally authentic work
Current model of why property prices remain high in many 'big' cities in western countries despite the fix being ostensibly very simple (build more homes!)
Actively expanding supply requires (a lot of) effort and planning. Revising zoning restrictions, dealing with NIMBYs, expanding public infrastructure, getting construction approval etc.
In a liberal consultative democracy, there are many stakeholders, and any one of them complaining can stifle action. Inertia is designed into the government at all levels.
Incentive (for builders and landowners) is pretty clear for point 1. I think point 3 is overstated - a whole lot of politicians plan to be in politics for many years, and many of local ones really do seem to care about their constituents.
Point 2 is definitely binding. And note that this is "stakeholders", not just "elected government".
Found this graph on the old sparse_coding channel on the eleuther discord:
So at least tentatively that looks like "most features in a small SAE correspond one-to-one with features in a larger SAE trained on the activations of the same model on the same data".
3Daniel Tan
Oh that's really interesting! Can you clarify what "MCS" means? And can you elaborate a bit on how I'm supposed to interpret these graphs?
4faul_sname
Yeah, stands for Max Cosine Similarity. Cosine similarity is a pretty standard measure for how close two vectors are to pointing in the same direction. It's the cosine of the angle between the two vectors, so +1.0 means the vectors are pointing in exactly the same direction, 0.0 means the vectors are orthogonal, -1.0 means the vectors are pointing in exactly opposite directions.
To generate this graph, I think he took each of the learned features in the smaller dictionary, and then calculated to cosine similarity of that small-dictionary feature with every feature in the larger dictionary, and then the maximal cosine similarity was the MCS for that small-dictionary feature. I have a vague memory of him also doing some fancy linear_sum_assignment() thing (to ensure that each feature in the large dictionary could only be used once in order avoid having multiple features in the small dictionary have their MCS come from the same feature on the large dictionary) though IIRC it didn't actually matter.
Also I think the small and large dictionaries were trained using different methods as each other for layer 2, and this was on pythia-70m-deduped so layer 5 was the final layer immediately before unembedding (so naively I'd expect most of the "features" to just be "the output token will be the" or "the output token will be when" etc).
Edit: In terms of "how to interpret these graphs", they're histograms with the horizontal axis being bins of cosine similarity, and the vertical axis being how many small-dictionary features had a the cosine similarity with a large-dictionary feature within that bucket. So you can see at layer 3 it looks like somewhere around half of the small dictionary features had a cosine similarity of 0.96-1.0 with one of the large dictionary features, and almost all of them had a cosine similarity of at least 0.8 with the best large-dictionary feature.
Which I read as "large dictionaries find basically the same features as small ones, plus some new one
31stuserhere
For SAEs of different sizes, for most layers, the smaller SAE does contain very high similarity with some of the larger SAE features, but it's not always true. I'm working on an upcoming post on this.
2Bart Bussmann
Interesting, we find that all features in a smaller SAE have a feature in a larger SAE with cosine similarity > 0.7, but not all features in a larger SAE have a close relative in a smaller SAE (but about ~65% do have a close equavalent at 2x scale up).
Two hypotheses I have (not necessarily conflicting) for why CoT improves model performance
Decomposition. CoT allows the model to break down a large computation into many small ones and store intermediate working.
Self-elicitation. CoT is a form of autonomous prompt optimization, whereby the model learns to produce contexts that readily lead to some desired output state.
Math, programming are likely described mainly as 1), but I suspect there are situations better described as 2)
This post from today: https://www.lesswrong.com/posts/xpj6KhDM9bJybdnEe/how-well-does-rl-scale seems to argue that CoT does not really do (2) (in that the benefits from CoT are mostly attributable to spending more compute per prompt, improvement at a fixed compute budget can't be expected to scale, but that is the sort of improvement we'd expect from a self-organization regime like this). My suspicion is that (2) is basically a requirement for AGI and that reinforcement learning on CoT is too crude to get there in any reasonable timeframe, so current methods will not produce AGI even given scaling. My understanding of current popular opinions is that, in the eyes of most researchers, the reason humans can do (2) and LLMs can't is that humans are extremely good at context-specific online learning over many context sizes, and the slowdown of CoT scaling suggests that a better reinforcement mechanism (or perhaps just an alternative to RL) is needed to fix this issue.
The tasks I delegate to AI are very different from what I thought they'd be.
When I first started using AI for writing, I thought I’d brainstorm outlines of thoughts then use AI to edit into a finished essay.
However I find myself often doing the reverse: Using AI as a thinking assistant to get a broad outline and write a rough draft, then doing final editing myself.
I think this is consistent with how people delegate to other people.
Senior authors on research papers will often let junior authors run experiments and write rough drafts of pa
What makes steganography concerning? Some qualities which would make steganography more concerning, if observed.
Goal-directedness: Model preferentially tries to communicate information important to its goals / plans (e.g. 'this sandbox seems imperfect'), as opposed to benign or irrelevant information.
It's hypothesized that, in order to solve complex tasks, capable models perform implicit search during the forward pass. If so, we might hope to be able to recover the search representations from the model. There are examples of work that try to understand search in chess models and Sokoban models.
However I expect this to be hard for three reasons.
The model might just implement a bag of heuristics. A patchwork collection of local decision rules might be sufficient for achieving high performance.
We need to split "search" into more fine-grained concepts.
For example, "model has representation of the world and simulates counterfactual futures depending of its actions and selects action with the highest score over the future" is a one notion of search.
The other notion can be like this: imagine possible futures as a directed tree graph. This graph has set of axioms and derived theorems describing it. Some of the axioms/theorems are encoded in model. When model gets sensory input, it makes 2-3 inferences from combination of encoded theorems + input and selects action depending on the result of inference. While logically this situation is equivalent to some search over tree graph, mechanistically it looks like "bag of heuristics".
1Daniel Tan
That’s interesting! What would be some examples of axioms and theorems that describe a directed tree?
2quetzal_rainbow
Chess tree looks like classical example. Each node is a boardstate, edges are allowed moves. Working heuristics in move evaluators can be understood as sort of theorem "if such-n-such algorithm recognizes this state, it's an evidence in favor of white winning 1.5:1". Note that it's possible to build powerful NN-player without explicit search.
A new paper claims that refusal isn't just a fixed direction in the activation stream, it's also due to specific attention heads. Pretty interesting to get a somewhat orthogonal perspective on 'safety mechanisms' in LLMs. Interesting follow-up would be to see whether you can similarly steer refusal by only intervening on these attention heads.
In 2025 I've decided I want to be more agentic / intentional about my life, i.e. my actions and habits should be more aligned with my explicit values.
A good way to do this might be the '5 whys' technique; i.e. simply ask "why" 5 times. This was originally introduced at Toyota to diagnose ultimate causes of error and improve efficiency. E.g:
There is a piece of broken-down machinery. Why? -->
Experimenting with having all my writing be in public “by default”. (ie unless I have a good reason to keep something private, I’ll write it in the open instead of in my private notes.)
This started from the observation that LW shortform comments basically let you implement public-facing Zettelkasten.
I plan to adopt a writing profile of:
Mostly shortform notes. Fresh thoughts, thinking out loud, short observations, questions under consideration. Replies or edits as and when I feel like
A smaller amount of high-effort, long-form content synthesizing / disti
This is cool to me. I for one am very interested and find some of your shortforms very relevant to my own explorations, for example note taking and your "sentences as handles for knowledge" one. I may be in the minority but thought I'd just vocalize this.
I'm also keen to see how this as an experiment goes for you and what reflections, lessons, or techniques you develop as a result of it.
1Daniel Tan
After thinking about it more I'm actually quite concerned about this, a big problem is that other people have no way to 'filter' this content by what they consider important, so the only reasonable update is to generally be less interested in my writing.
I'm still going to do this experiment with LessWrong for some short amount of time (~2 weeks perhaps) but it's plausible I should consider moving this to Substack after that
1Daniel Tan
Another minor inconvenience is that it’s not terribly easy to search my shortform. Ctrl + F works reasonably well when I’m on laptop. On mobile the current best option is LW search + filter by comments. This is a little bit more friction than I would like but it’s tolerable I guess
I recommend subscribing to Samuel Albanie’s Youtube channel for accessible technical analysis of topics / news in AI safety. This is exactly the kind of content I have been missing and want to see more of
I recently implemented some reasoning evaluations using UK AISI's inspect framework, partly as a learning exercise, and partly to create something which I'll probably use again in my research.
My takeaways so far: - Inspect is a really good framework for doing evaluations - When using Inspect, some care has to be taken when defining the scorer in order for it not to be dumb, e.g. if you use the match scorer it'll only look for matches at the end of the string by default (get around this with location='any')
Here's how I explained AGI to a layperson recently, thought it might be worth sharing.
Think about yourself for a minute. You have strengths and weaknesses. Maybe you’re bad at math but good at carpentry. And the key thing is that everyone has different strengths and weaknesses. Nobody’s good at literally everything in the world.
Now, imagine the ideal human. Someone who achieves the limit of human performance possible, in everything, all at once. Someone who’s an incredible chess player, pole vaulter, software engineer, and CEO all at once.
Basically, someone who is quite literally good at everything.
This seems too strict to me, because it says that humans aren't generally intelligent, and that a system isn't AGI if it's not a world-class underwater basket weaver. I'd call that weak ASI.
1Daniel Tan
Fair point, I’ll probably need to revise this slightly to not require all capabilities for the definition to be satisfied. But when talking to laypeople I feel it’s more important to convey the general “vibe” than to be exceedingly precise. If they walk away with a roughly accurate impression I’ll have succeeded
I’m concerned that progress in interpretability research is ephemeral, being driven primarily by proxy metrics that may be disconnected from the end goal (understanding by humans). (Example: optimising for the L0 metric in SAE interpretability research may lead us to models that have more split features, even when this is unintuitive by human reckoning.)
It seems important for the field to agree on some common benchmark / proxy metric that is proven to be indicative of downstream human-rated interpretability, ... (read more)
Context engineering: "the delicate art and science of filling the context window with just the right information for the next step" -- Karpathy (2025)
It's quite hard to do this well one-shot. But it's quite easy to do as part of a conversation, where the other party can ask questions, provide suggestions, etc. Also avoids recapitulating basic / unnecessary things
I've used this successfully for both coding assistants and thinking assistants.
Start with a simple high level question / goal, and write a few paragraphs th
Deepseek-r1 seems to explore diverse areas of thought space, frequently using “Wait” and “Alternatively” to abandon current thought and do something else
Given a deepseek-r1 CoT, it should be possible to distill this into an “idealized reconstruction” containing only the salient parts.
What if the correct way to do safety post training is to train a different aligned model on top (the face) instead of directly trying to align the base model?
"Emergent obfuscation": A threat model for verifying the CoT in complex reasoning.
It seems likely we'll eventually deploy AI to solve really complex problems. It will likely be extremely costly (or impossible) to directly check outcomes, since we don't know the right answers ourselves. Therefore we'll rely instead on process supervision, e.g. checking that each step in the CoT is correct.
Problem: Even if each step in the CoT trace is individually verifiable, if there are too many steps, or the verification cost per step is too high, then it ma... (read more)
I get the sense that I don't read actively very much. By which I mean I have a collection of papers that have seemed interesting based on abstract / title but which I haven't spent the time to engage further.
For the next 2 weeks, will experiment with writing a note every day about a paper I find interesting.
Making language models refuse robustly might be equivalent to making them deontological.
Epistemic status: uncertain / confused rambling
For many dangerous capabilities, we'd like to make safety cases arguments that "the model will never do X under any circumstances".
Problem: for most normally-bad things, you'd usually be able to come up with hypothetical circumstances under which a reasonable person might agree it's justified. E.g. under utilitarianism, killing one person is justified if it saves five people (c.f. trolley problems).
Why patch tokenization might improve transformer interpretability, and concrete experiment ideas to test.
Recently, Meta released Byte Latent Transformer. They do away with BPE tokenization, and instead dynamically construct 'patches' out of sequences of bytes with approximately equal entropy. I think this might be a good thing for interpretability, on the whole.
Multi-token concept embeddings. It's known that transformer models compute 'multi-token embeddings' of concepts in their early layers. This process creates several challenges for interpr... (read more)
Actually we don’t even need to train a new byte latent transformer. We can just generate patches using GPT-2 small.
1. Do the patches correspond to atomic concepts?
2. If we turn this into an embedding scheme, and train a larger LM on the patches generated as such, do we get a better LM?
3. Can't we do this recursively to get better and better patches?
This refers to the idea that there may be many representations of a 'feature' in a neural network.
Usually there will be one 'primary' representation, but there can also be a bunch of 'secondary' or 'dormant' representations.
If we assume the linear representation hypothesis, then there may be multiple direction in activation space that similarly produce a 'feature' in the output. E.g. the existence of 800 orthogonal steering vectors for code.
At MATS today we practised “looking back on success”, a technique for visualizing and identifying positive outcomes.
The driving question was, “Imagine you’ve had a great time at MATS; what would that look like?”
My personal answers:
Acquiring breadth, ie getting a better understanding of the whole AI safety portfolio / macro-strategy. A good heuristic for this might be reading and understanding 1 blogpost per mentor
Writing a “good” paper. One that I’ll feel happy about a couple years down the line
Clarity on future career plans. I’d probably like to keep
Thoughts are ephemeral. Like butterflies or bubbles. Your mind is capricious, and thoughts can vanish at any instant unless you capture them in something more permanent.
Also, you usually get less excited about a thought after a while, simply because the novelty wears off. The strongest advocate for a thought is you, at the exact moment you had the thought.
I think this is valuable because making a strong positive case for something is a lot harder than raising an objection. If the ability to make this strong positi... (read more)
For me this is a central element of the practice of Zettelkasten - Capturing comes first. Organization comes afterwords.
In the words of Tiago Forte: "Let chaos reign - then, rein in chaos."
1CstineSublime
What does GOOD Zettlekastern capturing look like? I've never been able to make it work. Like, what do the words on the page look like? What is the optima formula? How does one balance the need for capturing quickly and capturing effectively?
The other thing I find is having captured notes, and I realize the whole point of the Zettlekasten is inter-connectives that should lead to a kind of strategic serendipity. Where if you record enough note cards about something, one will naturally link to another.
However I have not managed to find a system which allows me to review and revist in a way which gets results. I think capturing is the easy part, I capture a lot. Review and Commit. That's why I'm looking for a decision making model. And I wonder if that system can be made easier by having a good standardized formula that is optimized between the concerns of quickly capturing notes, and making notes "actionable" or at least "future-useful".
For example, if half-asleep in the night I write something cryptic like "Method of Loci for Possums" or "Automate the Race Weekend", sure maybe it will in a kind of Brian Eno Oblique Strategies or Delphi Oracle way be a catalyst for some kind of thought. But then I can do that with any sort of gibberish. If it was a good idea, there it is left to chance that I have captured the idea in such a way that I can recreate it at another time. But more deliberation on the contents of a note takes more time, which is the trade-off.
Is there a format, a strategy, a standard that speeds up the process while preserving the ability to create the idea/thought/observation at a later date?
What do GOOD Zettlekastern notes look like?
2Daniel Tan
Hmm I get the sense that you're overcomplicating things. IMO 'good' Zettelkasten is very simple.
1. Write down your thoughts (and give them handles)
2. Revisit your thoughts periodically. Don't be afraid to add to / modify the earlier thoughts. Think new thoughts following up on the old ones. Then write them down (see step 1).
I claim that anybody who does this is practising Zettelkasten. Anyone who tries to tell you otherwise is gatekeeping what is (IMO) a very simple and beautiful idea. I also claim that, even if you feel this is clunky to begin with, you'll get better at it very quickly as your brain adjusts to doing it. '
Good Zettelkasten isn't about some complicated scheme. It's about getting the fundamentals right.
Now on to some object level advice.
I find it useful to start with a clear prompt (e.g. 'what if X', 'what does Y mean for Z', or whatever my brain cooks up in the moment) and let my mind wander around for a bit while I transcribe my stream of consciousness. After a while (e.g. when i get bored) I look back at what I've written, edit / reorganise a little, try to assign some handle, and save it.
It helps here to be good at making your point concisely, such that notes are relatively short. That also simplifies your review.
I agree that this is ideal, but I also think you shouldn't feel compelled to 'force' interconnections. I think this is describing the state of a very mature Zettelkasten after you've revisited and continuously-improved notes over a long period of time. When you're just starting out I think it's totally fine to just have a collection of separate notes that you occasionally cross-link.
I think you shouldn't feel chained to your past notes? If certain thoughts resonate with you, you'll naturally keep thinking about them. And when you do it's a good idea to revisit the note where you first captured them. But feeling like you have to review everything is counterproductive, esp if you're still building the habit. FWIW I
1CstineSublime
That is helpful, thank you.
This doesn't match up with my experience. For example, I have hundreds, HUNDREDS of film ideas. And sometimes I'll be looking through and be surprised by how good one was - as in I think "I'd actually like to see that film but I don't remember writing this". But they are all horrendously impractical in terms of resources. I don't really have a reliable method of going through and managing 100s of film ideas, and need a system for evaluating them. Reviewing weekly seems good for new notes, but what about old notes from years ago?
That's probably two separate problems, the point I'm trying to make is that even non-film ideas, I have a lot of notes that just sit in documents unvisted and unused. Is there any way to resurrect them, or at least stop adding more notes to the pile awaiting a similar fate? Weekly Review doesn't seem enough because not enough changes in a week that an idea on Monday suddenly becomes actionable on Sunday.
Not all my notes pertain to film ideas, but this is perhaps the best kept, most organized and complete note system I have hence why I mention it.
Yeah but nothing is working for me, forget a perfect model, a working model would be nice. A "good enough" model would be nice.
2Daniel Tan
Note that I think some amount of this is inevitable, and I think aiming for 100% retention is impractical (and also not necessary). If you try to do it you'll probably spend more time optimising your knowledge system than actually... doing stuff with the knowledge.
It's also possible you could benefit from writing better handles. I guess for film, good handles could look like a compelling title, or some motivating theme / question you wanted to explore in the film. Basically, 'what makes the film good?' Why did it resonate with you when you re-read it? That'll probably tell you how to give a handle. Also, you can have multiple handles. The more ways you can reframe something to yourself the more likely you are to have one of the framings pull you back later.
1CstineSublime
Thanks for preserving with my questions and trying to help me find an implementation. I'm going to try and reverse engineer my current approach to handles.
Oh of course, 100% retention is impossible. As ridiculous and arbitrary as it is, I'm using Sturgeon's law as a guide for now.
1Daniel Tan
"Future useful" to me means two things: 1. I can easily remember the rough 'shape' of the note when I need to and 2. I can re-read the note to re-enter the state of mind I was at when I wrote the note.
I think writing good handles goes a long way towards achieving 1, and making notes self-contained (w. most necessary requisites included, and ideas developed intuitively) is a good way to achieve 2.
A handle is a short, evocative phrase or sentence that triggers you to remember the knowledge in more depth. It’s also a shorthand that can be used to describe that knowledge to other people.
I believe this is an important part of the practice of scalably thinking about more things. Thoughts are ephemeral, so we write them down. But unsorted collections of thoughts quickly lose visibility, so we develop indexing systems. But indexing systems are lossy, imperfect, and go stale easily. To date I do not have a single indexing... (read more)
I second this. But I don't find I need much of an indexing system. Early on when I got more into personal note taking, I felt a bit guilty for just putting all my notes into a series of docs as if I were filling a journal. Now, looking back on years of notes, I find it easy enough to skim through them and reacquaint myself with their contents, that I don't miss an external indexing system. More notes > more organized notes, in my case. Others may differ on the trade-off. In particular, I try to always take notes on academic papers I read that I find valuable, and to cite the paper that inspired the note even if the note goes in a weird different direction. This causes the note to become an index into my readings in a useful way.
3Daniel Tan
Agree! This is also what I was getting at here. I find I don't need an indexing system, my mind will naturally fish out relevant information, and I can turbocharge this by creating optimal conditions for doing so
Also agree, and I think this is what I am trying to achieve by capturing thoughts quickly - write down almost everything I think, before it vanishes into aether
Frames for thinking about language models I have seen proposed at various times:
Lookup tables. (To predict the next token, an LLM consults a vast hypothetical database containing its training data and finds matches.)
Statistical pattern recognition machines. (To predict the next token, an LLM uses context as evidence to do Bayesian update on a prior probability distribution, then samples the posterior).
People simulators. (To predict the next token, an LLM infers what kind of person is writing the text, then simulates that person.)
Marketing and business strategy offer useful frames for navigating dating.
The timeless lesson in marketing is that selling [thing] is done by crafting a narrative that makes it obvious why [thing] is valuable, then sending consistent messaging that reinforces this narrative. Aka belief building.
Implication for dating: Your dating strategy should start by figuring out who you are as a person and ways you’d like to engage with a partner.
eg some insights about myself:
I mainly develop attraction through emotional connection (as opposed to physical attraction
Off topic, but your words helped me realize something. It seems like for some people it is physical attraction first, for others it is emotional connection first.
The former may perceive the latter as dishonest: if their model of the world is that for everyone it is physical attraction first (it is only natural to generalize from one example), then what you describe as "take my time getting to know someone organically", they interpret as "actually I was attracted to the person since the first sight, but I was afraid of a rejection, so I strategically pretended to be a friend first, so that I could later blackmail them into having sex by threatening to withdraw the friendship they spent a lot of time building".
Basically, from the "for everyone it is attraction first" perspective, the honest behavior is either going for the sex immediately ("hey, you're hot, let's fuck" or a more diplomatic version thereof), or deciding that you are not interested sexually, and then the alternatives are either walking away, or developing a friendship that will remain safely sexless forever.
And from the other side, complaining about the "friend zone" is basically complaining that too many people you are attracted to happen to be "physical attraction first" (and they don't find you attractive), but it takes you too long to find out.
In 2025, I'm interested in trying an alternative research / collaboration strategy that plays to my perceived strengths and interests.
Self-diagnosis of research skills
Good high-level research taste, conceptual framing, awareness of field
Mid at research engineering (specifically the 'move quickly and break things' skill could be doing better), low-level research taste (specifically how to quickly diagnose and fix problems, 'getting things right' the first time, etc)
Bad at self-management (easily distracted, bad at prioritising), sustaining things long
Do people still put stock in AIXI? I'm considering whether it's worthwhile for me to invest time learning about Solomonoff induction etc. Currently leaning towards "no" or "aggressively 80/20 to get a few probably-correct high-level takeaways".
Edit: Maybe a better question is, has AIXI substantially informed your worldview / do you think it conveys useful ideas and formalisms about AI
I find it valuable to know about AIXI specifically and Algorithmic information theory generally. That doesn't mean it is useful for you however.
If you are not interested in math and mathematical approaches to alignment I would guess all value in AIXI is low.
An exception is that knowing about AIXI can inoculate one against the wrong but very common intuitions that (i) AGI is about capabilities (ii) AGI doesnt exist or that (iii) RL is outdated (iv) that pure scaling next-token prediction will lead to AGI, (v) that there are lots of ways to create AGI and the use of RL is a design choice [no silly].
The talk about kolmogorov complexity and uncomputable priors is a bit of a distraction from the overall point that there is an actual True Name of General Intelligence which is an artificial "Universal Intelligence", where universal must be read with a large number of asterisks. One can understand this point without understanding the details of AIXI and I think it is mostly distinct but could help.
Defining, describing, mathematizing, conceptualizing intelligence is an ongoing research programme. AIXI (and its many variants like AIXI-tl) is a very idealized and simplistic model of general intelligence but it's a foothold for the eventual understanding that will emerge.
1Daniel Tan
I found this particularly insightful! Thanks for sharing
Based on this I'll probably do a low-effort skim of LessWrong's AIXI sequence and see what I find
I increasingly feel like I haven't fully 'internalised' or 'thought through' the implications of what short AGI timelines would look like.
As an experiment in vividly imagining such futures, I've started writing short stories (AI-assisted). Each story tries to explore one potential idea within the scope of a ~2 min read. A few of these are now visible here: https://github.com/dtch1997/ai-short-stories/tree/main/stories.
I plan to add to this collection as I come across more ways in which human society could be changed.
The Last Word: A short story about predictive text technology
---
Maya noticed it first in her morning texts to her mother. The suggestions had become eerily accurate, not just completing her words, but anticipating entire thoughts. "Don't forget to take your heart medication," she'd started typing, only to watch in bewilderment as her phone filled in the exact dosage and time—details she hadn't even known.
That evening, her social media posts began writing themselves. The predictive text would generate entire paragraphs about her day, describing events that ... (read more)
It provides many categories of 'research skill' as well as concrete descriptions of what 'doing really well' looks like.
Although the advice there is tailored to the specific kind of work Ethan Perez does, I think it broadly applies to many other kinds of ML / AI research in general.
The intended use is for you to self-evaluate periodically and get better at ... (read more)
One notion of self-repair is redundancy; having "backup" components which do the same thing, should the original component fail for some reason. Some examples:
In the IOI circuit in gpt-2 small, there are primary "name mover heads" but also "backup name mover heads" which fire if the primary name movers are ablated. this is partially explained via copy suppression.
More generally, The Hydra effect: Ablating one attention head leads to other
It's a fascinating phenomenon. If I had to bet I would say it isn't a coping mechanism but rather a particular manifestation of a deeper inductive bias of the learning process.
1Daniel Tan
That's a really interesting blogpost, thanks for sharing! I skimmed it but I didn't really grasp the point you were making here. Can you explain what you think specifically causes self-repair?
5Daniel Murfet
I think self-repair might have lower free energy, in the sense that if you had two configurations of the weights, which "compute the same thing" but one of them has self-repair for a given behaviour and one doesn't, then the one with self-repair will have lower free energy (which is just a way of saying that if you integrate the Bayesian posterior in a neighbourhood of both, the one with self-repair gives you a higher number, i.e. its preferred).
That intuition is based on some understanding of what controls the asymptotic (in the dataset size) behaviour of the free energy (which is -log(integral of posterior over region)) and the example in that post. But to be clear it's just intuition. It should be possible to empirically check this somehow but it hasn't been done.
Basically the argument is self-repair => robustness of behaviour to small variations in the weights => low local learning coefficient => low free energy => preferred
I think by "specifically" you might be asking for a mechanism which causes the self-repair to develop? I have no idea.
Is anyone studying reward hacking generalization? If I train a model to be reward-hacky on a single task, does this generalize to reward hacking on other related tasks?
Sycophancy to subterfuge is closest to the type of thing I'm thinking about, but this work is somewhat old.
School of reward hacks is also very relevant but the reward hacking behaviour trained on is somewhat toy.
Finetuning could be an avenue for transmitting latent knowledge between models.
As AI-generated text increasingly makes its way onto the Internet, it seems likely that we'll finetune AI on text generated by other AI. If this text contains opaque meaning - e.g. due to steganography or latent knowledge - then finetuning could be a way in which latent knowledge propagates between different models.
What is included within "latent knowledge" here?
Does it include both knowledge encoded in M1's weights and knowledge introduced in-context while running it?
2Daniel Tan
I'm imagining it's something encoded in M1's weights. But as a cheap test you could add in latent knowledge via the system prompt and then see if finetuning M2 on M1's generations results in M2 having the latent knowledge
The hardness of cross-prediction may yield cryptographically secure communication.
An interesting result from Owain's introspection paper is that language models can predict their own outputs better than other language models can. [see figure]
Claim: This yields an encryption scheme for secret communication.
The encryption scheme
Suppose Alice and Bob want to secretly communicate over a public channel, while Eve wants to eavesdrop on the conversation.
Assume Alice and Bob both have access to a specific model checkpoint f, which has been f
This is very interesting! One thing I'm confused about—I agree that the monitor would have a hard time getting the bits, based on these figures. But the introspective models also don't seem to get far above 50% accuracy, which means that right now they'd have a very hard time error correcting enough that their comrade would understand them but not the overseer. If the claim is that introspection-tuned models will get much better at self prediction, then its not clear to me that other models wont also get much better at cross-prediction?
Posting a proposal which I wrote a while back, and now seems to have been signal-boosted. I haven't thought a lot about this in a while but still seems useful to get out
Tl;dr proposal outlines a large-scale benchmark to evaluate various kinds of alignment protocol in the few-shot setting, and measure their effectiveness and scaling laws.
Motivations
Here we outline some ways this work might be of broader significance. Note: these are very disparate, and any specific project will probably center on one of th... (read more)
Why do more things? Tl;dr It feels good and is highly correlated with other metrics of success.
According to Maslow's hierarchy, self-actualization is the ultimate need. And this comes through the feeling of accomplishment—achieving difficult things and seeing tangible results. I.e doing more things
I claim that success in life can be measured by the quality and quantity of things we accomplish. This is invariant to your specific goals / values. C.f. "the world belongs to high-energy people".
Partial counterargument: I find that I have to be careful not to do too many things. I really need some time for just thinking and reading and playing with models in order to have new ideas (and I suspect that's true of many AIS researchers) and if I don't prioritize it, that disappears in favor of only taking concrete steps on already-active things.
You kind of say this later in the post, with 'Attention / energy is a valuable and limited resource. It should be conserved for high value things,' which seems like a bit of a contradiction with the original premise :D
5Daniel Tan
Yes, this is true - law of reversing advice holds. But I think two other things are true:
1. Intentionally trying to do more things makes you optimise more deliberately for being able to do many things. Having that ability is valuable, even if you don't always exercise it
2. I think most people aren't 'living their best lives", in the sense that they're not doing the volume of things they could be doing
It's possibly not worded very well as you say :) I think it's not a contradiction, because you can be doing only a small number of things at any given instant in time, but have an impressive throughput overall.
1Milan W
I think that being good at avoiding wasted motion while doing things is pretty fundamental to resolving the contradiction.
Rough thoughts on getting better at integrating AI into workflows
AI (in the near future) likely has strengths and weaknesses vs human cognition. Optimal usage may not involve simply replacing human cognition, but leveraging AI and human cognition according to respective strengths and weaknesses.
AI is likely to be good at solving well-specified problems. Therefore it seems valuable to get better at providing good specifications, as well as breaking down larger, fuzzier problems into more smaller, more concrete ones
Communication channels as an analogy for language model chain of thought
Epistemic status: Highly speculative
In information theory, a very fundamental concept is that of the noisy communication channel. I.e. there is a 'sender'who wants to send a message ('signal') to a 'receiver',but their signal will necessarily get corrupted by 'noise' in the process of sending it. There are a bunch of interesting theoretical results that stem from analysing this very basic setup.
Here, I will claim that language model chain of thought is very analogous. The promp... (read more)
Important point: The above analysis considers communication rate per token. However, it's also important to consider communication rate per unit of computation (e.g. per LM inference). This is relevant for decoding approaches like best-of-N which use multiple inferences per token
1Daniel Tan
In this context, the “resample ablation” used in AI control is like adding more noise into the communication channel
Report on an experiment in playing builder-breaker games with language models to brainstorm and critique research ideas
---
Today I had the thought: "What lessons does human upbringing have for AI alignment?"
Human upbringing is one of the best alignment systems that currently exist. Using this system we can take a bunch of separate entities (children) and ensure that, when they enter the world, they can become productive members of society. They respect ethical, societal, and legal norms and coexist peacefully. So what are we 'doing right' and how does... (read more)
Note that “thinking through implications” for alignment is exactly the idea in deliberative alignment https://openai.com/index/deliberative-alignment/
Some notes
* Authors claim that just prompting o1 with full safety spec already allows it to figure out aligned answers
* The RL part is simply “distilling” this imto the model (see also, note from a while ago on RLHF as variational inference)
* Generates prompt, CoT, outcome traces from the base reasoning model. Ie data is collected “on-policy”
* Uses a safety judge instead of human labelling
Confession, I don't really know software engineering. I'm not a SWE, have never had a SWE job, and the codebases I deal with are likely far less complex than what the average SWE deals with. I've tried to get good at it in the past, with partial success. There are all sorts of SWE practices which people recommend, some of which I adopt, and some of which I suspect are cargo culting (these two categories have nonzero overlap).
In the end I don't really know SWE well enough to tell what practices are good. But I think I... (read more)
Quoting Dijkstra:
Also, Harold Abelson:
There is a difference if the code is "write, run once, and forget" or something that needs to be maintained and extended. Maybe researchers mostly write the "run once" code, where the best practices are less important.
1Daniel Tan
Yeah. I definitely find myself mostly in the “run once” regime. Though for stuff I reuse a lot, I usually invest the effort to make nice frameworks / libraries
Shower thought: Imposter syndrome is a positive signal.
A lot of people (esp knowledge workers) perceive that they struggle in their chosen field (impostor syndrome). They also think this is somehow 'unnatural' or 'unique', or take this as feedback that they should stop doing the thing they're doing. I disagree with this; actually I espouse the direct opposite view. Impostor syndrome is a sign you should keep going.
Claim: People self-select into doing things they struggle at, and this is ultimately self-serving.
This is true when you are free to choose what you do. Less so if life just throws problems at you. Sometimes you simply fail because the problem is too difficult for you and you didn't choose it.
(Technically, you are free to choose your job. But it could be that the difficulty is different than it seemed at the interview. Or you just took a job that was too difficult because you needed the money.)
I agree that if you are growing, you probably feel somewhat inadequate. But sometimes you feel inadequate because the task is so difficult that you can't make any progress on it.
1Daniel Tan
Yes, this is definitely highly dependent on circumstances. see also: https://slatestarcodex.com/2014/03/24/should-you-reverse-any-advice-you-hear/
One of my biggest worries w/ transitioning out of independent research is that I'll be 'locked in' to the wrong thing - an agenda or project that I don't feel very excited about. I think passion / ownership makes up a huge part of my drive and I worry I'd lose these in a more structured environment
Experimenting with writing notes for my language model to understand (but not me).
What this currently look like is just a bunch of stuff I can copy-paste into the context window, such that the LM has all relevant information (c.f. Cursor 'Docs' feature).
Then I ask the language model to provide summaries / answer specific questions I have.
How does language model introspection work? What mechanisms could be at play?
'Introspection': When we ask a language model about its own capabilities, a lot of times this turns out to be a calibrated estimate of the actual capabilities. E.g. models 'know what they know', i.e. can predict whether they know answers to factual questions. Furthermore this estimate gets better when models have access to their previous (question, answer) pairs.
One simple hypothesis is that a language model simply infers the general level of capability from the ... (read more)
Introspection is an instantiation of 'Connecting the Dots'.
* Connecting the Dots: train a model g on (x, f(x)) pairs; the model g can infer things about f.
* Introspection: Train a model g on (x, f(x)) pairs, where x are prompts and f(x) are the model's responses. Then the model can infer things about f. Note that here we have f = g, which is a special case of the above.
Does model introspection extend to CoT reasoning? Probing steganographic capabilities of LLMs
To the extent that o1 represents the future of frontier AI systems, I predict that CoT is likely to get longer as the reasoning gets broken into more fine-grained (and verifiable) intermediate steps.
Why might this be important? Transformers have fixed context window; in the limit of extremely long reasoning traces far too large to fit in single context window, the model must “get good” at transmitting information to its (future) self. Furthermore, with transf... (read more)
Relatedly on introspection, can we devise some unlearning procedure that removes models’ capability to introspect? This might reduce their situational awwareness.
2Felix J Binder
That's interesting. One underlying consideration is that the object-level choices of reasoning steps are relative to a reasoner: differently abled agents need to decompose problems differently, know different things and might benefit from certain ways of thinking in different ways. Therefore, a model plausibly chooses CoT that works well for it "on the object level", without any steganography or other hidden information necessary. If that is true, then we would expect to see models benefit from their own CoT over that of others for basic, non-steganography reasons.
Consider a grade schooler and a grad student thinking out loud. Each benefits from having access to their own CoT, and wouldn't get much from the others for obvious reasons.
I think the questions of whether models actually choose their CoT with respect to their own needs, knowledge and ability is a very interesting one that is closely related to introspection.
1Felix J Binder
Re steganography for chain-of-thought: I've been working on a project related to this for a while, looking at whether RL for concise and correct answers might teach models to stenographically encode their CoT for benign reasons. There's an early write-up here: https://ac.felixbinder.net/research/2023/10/27/steganography-eval.html\
Currently, I'm working with two BASIS fellows on actually training models to see if we can elicit steganography this way. I'm definitely happy to chat more/set up a call about this topic
1Daniel Tan
Comment from @James Chua in internal slack group
interesting idea! thanks for writing this out. this is my initial reaction, i may have more later on. i agree on this -- this is what i'll expect.
but if the above is true, I'm unsure about evidence for steganography.
for example, gpt-4o is more capable than gpt-3.5. suppose we provide gpt-3.5 with gpt-4o's CoT.
one reason why gpt-3.5 may not improve is that gpt-4o's CoT skips certain steps since gpt-4o is a more capable model.
e.g. gpt-4o can calculate 4^4 directly, but gpt-3.5 cannot. So gpt-4o's CoT will leave out steps out 4 * 4 * 4* 4. which gpt-3.5 needs to get the correct answerdo we then say that gpt-3.5 is doing steganography? (edited)
possible improvement: provide gpt-3.5 with its own version of its own CoT, but paraphrased by another model. gpt-3.5 sees the same steps of "4 * 4 * 4 *4", but paraphrased. Does it still perform as well?
1Daniel Tan
Expanding on this, would minimizing information in the chain of thought be a viable solution to steganography?
* Based on the above intuition, the “actual” information present in the CoT may be much greater than the “apparent” information (visible as explicitly stated reasoning).
If we additionally train the models with an objective that penalises the amount of “extra” information not present, we might be able to solve steganograohy
Examples of penalizing extra information.
* Train the model such that its CoT is predictable by some other (fixed, trusted) model.
* Apply entropy regularization (see: Yann Lecun’s JEPA for an example here)
3Daniel Tan
It turns out that “train the model st CoT is predictable by a different model” is exactly the idea in prover-verifier games. That’s very exciting! Do PVGs reduce introspection or steganography?
Should we be optimizing SAEs for disentanglement instead of sparsity?
The primary motivation behind SAEs is to learn monosemantic latents, wher monosemanticity ~= "features correspond to single concepts". In practice, sparsity is used as a proxy metric for monosemanticity.
There's a highly related notion in the literature of disentanglement, which ~= "features correspond to single concepts, and can be varied independently of each other."
The literature contains knownobjectives to induce disentanglement directly, without needing proxy metrics.
Prediction: the SAE results may be better for 'wider', but only if you control for something else, possibly perplexity, or regularize more heavily. The literature on wider vs deeper NNs has historically shown a stylized fact of wider NNs tending to 'memorize more, generalize less' (which you can interpret as the finegrained features being used mostly to memorizing individual datapoints, perhaps exploiting dataset biases or nonrobust features) and so deeper NNs are better (if you can optimize them effectively without exploding/collapsing gradients), which would potentially more than offset any orthogonality gains from the greater width. Thus, you would either need to regularize more heavily ('over-regularizing' from the POV of the wide net, because it would achieve a better performance if it could memorize more of the long tail, the way it 'wants' to) or otherwise adjust for performance (to disentangle the performance benefits of wideness from the distorting effect of achieving that via more memorization).
1Daniel Tan
Intuition pump: When you double the size of the residual stream, you get a squaring in the number of distinct (almost-orthogonal) features that a language model can learn. If we call a model X and its twice-as-wide version Y, we might expect that the features in Y all look like Cartesian pairs of features in X.
Re-stating an important point: this suggests that feature splitting could be something inherent to language models as opposed to an artefact of SAE training.
I suspect this could be elucidated pretty cleanly in a toy model. Need to think more about the specific toy setting that will be most appropriate. Potentially just re-using the setup from Toy Models of Superposition is already good enough.
1Daniel Tan
Related idea: If we can show that models themselves learn featyres of different granularity, we could then test whether SAEs reflect this difference. (I expect they do not.) This would imply that SAEs capture properties of the data rather than the model.
anyone else experiencing intermittent disruptions with OpenAI finetuning runs? Experiencing periods where training file validation takes ~2h (up from ~5 mins normally)
This is a paper reproduction in service of achieving my seasonal goals
Recently, it was demonstrated that circular features are used in the computation of modular addition tasks in language models. I've reproduced this for GPT-2 small in this Colab.
We've confirmed that days of the week do appear to be represented in a circular fashion in the model. Furthermore, looking at feature dashboards agrees with the discovery; this suggests that simply looking up features that detect tokens in the same conceptual 'categor... (read more)
[Proposal] Out-of-context meta learning as a toy model of steganography
Steganography; the idea that models may say one thing but mean another, and that this may enable them to evade supervision. Essentially, models might learn to "speak in code".
In order to better study steganography, it would be useful to construct model organisms of steganography, which we don't have at the moment. How might we do this? I think out-of-context meta learning is a very convenient path.
Out-of-context meta learning: The idea that models can internalise knowledge d... (read more)
[Note] Excessive back-chaining from theories of impact is misguided
Rough summary of a conversation I had with Aengus Lynch
As a mech interp researcher, one thing I've been trying to do recently is to figure out my big cruxes for mech interp, and then filter projects by whether they are related to these cruxes.
Aengus made the counterpoint that this can be dangerous, because even the best researchers' mental model of what will be impactful in the future is likely wrong, and errors will compound through time. Also, time spent refining a mental mode... (read more)
[Proposal] Attention Transcoders: can we take attention heads out of superposition?
Note: This thinking is cached from before the bilinear sparse autoencoders paper. I need to read that and revisit my thoughts here.
Primer: Attention-Head Superposition
Attention-head superposition (AHS) was introduced in this Anthropic post from 2023. Briefly, AHS is the idea that models may use a small number of attention heads to approximate the effect of having many more attention heads.
Definition 1: OV-incoherence. An attention circuit is OV-incoherent ... (read more)
[Proposal] Do SAEs capture simplicial structure? Investigating SAE representations of known case studies
It's an open question whether SAEs capture underlying properties of feature geometry. Fortunately, careful research has elucidated a few examples of nonlinear geometry already. It would be useful to think about whether SAEs recover these geometries.
Simplices in models. Work studying hierarchical structure in feature geometry finds that sets of things are often represented as simplices, which are a specific kind of regular polytope. Simplices are al... (read more)
[Note] Is Superposition the reason for Polysemanticity? Lessons from "The Local Interaction Basis"
Superposition is currently the dominant hypothesis to explain polysemanticity in neural networks. However, how much better does it explain the data than alternative hypotheses?
Non-neuron aligned basis. The leading alternative, as asserted by Lawrence Chan here, is that there are not a very large number of underlying features; just that these features are not represented in a neuron-aligned way, so individual neurons appear to fire on multiple dist... (read more)
[Proposal] Is reasoning in natural language grokkable? Training models on language formulations of toy tasks.
Previous work on grokking finds that models can grok modular addition and tree search. However, these are not tasks formulated in natural language. Instead, the tokens correspond directly to true underlying abstract entities, such as numerical values or nodes in a graph. I question whether this representational simplicity is a key ingredient of grokking reasoning.
I have a prior that expressing concepts in natural language (as opposed to ... (read more)
[Proposal] Are circuits universal? Investigating IOI across many GPT-2 small checkpoints
Universal features. Work such as the Platonic Representation Hypothesis suggest that sufficiently capable models converge to the same representations of the data. To me, this indicates that the underlying "entities" which make up reality are universally agreed upon by models.
Non-universal circuits. There are many different algorithms which could correctly solve the same problem. Prior work such as the clock and the pizza indicate that, even for very simple algorithms, m... (read more)
I periodically try both perplexity and elicit and neither has worked very well for me as yet.
Cases where you really want to avoid left-leaning bias or you want it to generate images that other services flag as inappropriate, I guess?
I've found read.ai much better than otter and other services I've tried, especially on transcription accuracy, with the caveats that a) I haven't tried others in a year, and b) read.ai is annoyingly pricy (but does have decent export when/if you decide to ditch it).
1
2
2
1
1
1
1
1
