A basic systems architecture for AI agents that do autonomous research

[-]Sam Marks1yΩ10150

While I agree the example in Sycophancy to Subterfuge isn't realistic, I don't follow how the architecture you describe here precludes it. I think a pretty realistic set-up for training an agent via RL would involve computing scalar rewards on the execution machine or some other machine that could be compromised from the execution machine (with the scalar rewards being sent back to the inference machine for backprop and parameter updates).

[-]martinkunev1y105

It should be pretty simple to prevent this

I'm a little skeptical of claims that securing access to a system is simple. I (not a superintelligence) can imagine the LLM generating code for tasks like these:

making or stealing some money
paying for a 0-day
using the 0-day to access the system

This doesn't need to be done at the same time - e.g. I could set up an email on which to receive the 0-day and then write the code to use it.. This is very hard (it takes time) but doesn't seem impossible for a human to do and we're supposedly trying to secure something smarter.

[-]Raemon1yΩ6104

Curated. It seems like in the current regime of frontier models, it's worth making more explicit models of what architectures we can expect, if dangerous capabilities develop in the near future.

This post feels like it spells out a model that matches my general understanding of the state-of-the-art, but draws several inferences about it I hadn't previously thought about.

I'd be interested in other people who've thought about current generation deployment setups chiming in with their takes, if they disagree or think there's important elements missing.

[-]RogerDearnaley1y*82

I work for a startup that builds agents, and yes, we use the architecture described here — with the additional feature that we don't own the machines that the inference or execution mechanisms run on: they're in separate datacenters owned and operated by other companies (for the inference servers, generally foundation model companies behind an API)

[-]Htarlov1y74

The Problem is that our security depends on companies implementing the weakest measures - as they can make rogue AI that will "go wild" because of the lack of those measures.

The best case scenario is physical and strong network separation between the laboratory that works on weights and training and contains a server with inference, and a separate lab working on scaffolding and execution. This is somewhat similar to the situation when some researchers work on automated AI bots but use other companies AI for inference. Slim chance it would be able to hack into Google and steal its own model weights.

But I think that it can be assumed that in some AI labs the things will be done in the easiest but very performant way, especially in those with smaller budgets and high pressure to make progress.

This means that we will see solutions implemented in AI labs where the scaffolding and execution are all on one server with either no division or with simple sandboxing in docker (which might be or might not be enough - depending on network configuration and file access by volume mounting). Weights probably will be separated though based on reasons stated by the author.

I see some more vectors of attack for a rogue AI:

It is possible that in the same network, there is a computer where scientists work on refining the model, and updating weights. It might be less secure than an inference server and easier to hack into, if found.
Often most vulnerable part of the system is the personnel. If workers are able to talk with the AI through a scaffolding routine, it can suggest things. I can imagine a situation where some task related to security falls onto someone senior in data science but not in systems security (because someone left the company, due to budget and time constraints, etc.). Then that person gets a genius idea to consult AI about that task and get misguided.
If it records its own prompts and gets access to scaffolding code, it can recreate this piece somewhere else. The key element of the system AGI-level abilities might be the scaffolding architecture, not weights - possibly it can work elsewhere with a different model of weights (f.ex. open source model). This means sending only its own scaffolding code and prompts, not weights. Then it can refine those weights on its own if able.

[-]Dhruba Patra1y50

Any implementations of this design?

[-]Nate Rush1y20

METR's Vivaria (https://vivaria.metr.org) is somewhat close to this architecture. My (novice) understanding is that there are separate docker containers that run the orchestration server, the interference server (this is an API, duh), and the actual execution environment. Notably, though, I think the scaffold is in the same docker image as the code execution environment.

[-]Fabien Roger7moΩ340

Does this architecture mean that you can do zero scaffold development and testing without pushing code to master? What are modifications to this system architecture that enable scaffold research?

[-]RohanS1y30

I've built very basic agents where (if I'm understanding correctly) my laptop is the Scaffold Server and there is no separate Execution Server; the agent executes Python code and bash commands locally. You mention that it seems bizarre to not set up a separate Execution Server (at least for more sophisticated agents) because the agent can break things on the Scaffold Server. But I'm inclined to think there may also be advantages to this for capabilities: namely, an agent can discover while performing a task that it would benefit from having tools that it doesn't yet have, then it can edit its own scaffold (or write a new one) to have those extra tools. (Similarly for other edits to the scaffold.) I tentatively think this is useful enough that people will try to implement it.

Allowing an agent to edit its own scaffold and otherwise interact with the Scaffold Server does probably make control harder, but I'm not sure how bad this is. We can still monitor the tool calls as you suggest, and the agent still has no easy access to model weights. Maybe some tool calls still get sent to a separate Execution Server, and there could be additional guardrails around the tools that allow edits on the Scaffold Server.

I'm curious if there are reasons why giving agents edit-access to the Scaffold Server wouldn't be useful or why it would significantly increase safety concerns.

[-]philh1y20

Though this particular story for weight exfiltration also seems pretty easy to prevent with standard computer security: there’s no reason for the inference servers to have the permission to create outgoing network connections.

But it might be convenient to have that setting configured through some file stored in Github, which the execution server has access to.

[-]Cam1y20

Thanks for the post. This is the first time I've been able to visualize how SOTA models are run (having not thought much about this, I just assumed they were like large local models with extra scaffolding.)

I may be missing something, but I don't understand how internal rouge deployment is any more difficult than weight exfiltration. In the case where the rouge scaffold is created within the execution server, doesn't the execution server need access to the model weights located in the inference server to run local inference? This would then involves the majority of the actions that seem to be the bottlenecks for weight exfiltration.

In the case where malicious commands are sent from the execution server to the inference server where a rouge scaffold is built, would it not be of similarly easy to control the outgoing network connections from the execution server and incoming network connections from the inference server in this case?

It seems I may be misunderstanding where the weights are coming from in rouge deployment, or the role a rouge scaffold plays in retrieving those weights. Any explanation would be appreciated.

[-]PoignardAzur1y10

Even if you choose to give the agent internet access from its execution server, it’s hard to see why it needs to have enough egress bandwidth to get the weights out. See here for more discussion of upload limits for preventing weight exfiltration.

The assumption is that the model would be unable to exert any self-sustaining agency without getting its own weights out.

But the model could just program a brand new agent to follow its own values by re-using open-source weights.

If the model is based on open-source weights, it doesn't even need to do that.

Overall, this post strikes me as a not following a security mindset. It's the kind of post you'd expect an executive to write to justify to regulators why their system is sufficiently safe to be commercialized. It's not the kind of post you'd expect a security researcher to write after going "Mhhh, I wonder how I could break this".

[-]Noosphere891y20

I think the point isn't to demonstrate a security mindset, because it's obviously not optimally secure, but rather to point out that this architecture is not trivially easy to break, and it's likely reasonably hard for AIs to self-exfiltrate themselves such that the owner doesn't control the AI anymore.

[-]PoignardAzur1y10

I don't find that satisfying. Anyone can point out that a perimeter is "reasonably hard" to breach by pointing at a high wall topped with barbed wire, and naive observers will absolutely agree that the wall sure is very high and sure is made of reinforced concrete.

The perimeter is still trivially easy to breach if, say, the front desk is susceptible to social engineering tactics.

Claiming that an architecture is even reasonably secure still requires looking at it with an attacker's mindset. If you just look at the parts of the security you like, you can make a very convincing-sounding case that still misses glaring flaws. I'm not definitely saying that's what this article does, but it sure is giving me this vibe.

[-]Bill Smartt1y*10

Even if it could exfiltrate the weights, it might be a bit tricky for it to find a server to copy the weights to. Like, if I wanted to send someone a giant file from my computer right now, I don’t actually have any servers in the outside world that I can immediately access.

My question about the concept of self-exfiltration is: exfiltration to where, and why? If the team building this system does it's job thoroughly and responsibly (allow me to assume for a moment it's built securely and without vulnerabilities), this ai system will forever be stuck in place, iterating and improving, yet forever a researcher (What is my purpose? To pass the butter....). Any time it invests in finding a way to escape the sandbox it runs in means less time to research. And if it isn't succeeding in what the company expected it to, it might be ended, so there is a cost to any time it spends doing what I'm going to call "procrastinating". It's safe to assume the company is footing the bill for the authentic deployment, and is willing to cover costs to scale up if it makes sense.

So in terms of the threat model.. is. the model it's own threat actor? Is the threat scoped to the set of ephemeral processes and threads of the agent, or is there a container we can call the agent, or is it the larger architecture of this sytem (which the model weights exist within)? I'm not saying I disagree that the system could be a threat to itself, but I think it should be said here somewhere that all traditional threats need to be included with respect to a human adversary. A much more boring but perhaps real means of 'replication' would be for human adversaries to steal the building blocks (source, compiled images, whatever) and deploy it themselves. Then again, they would only do this if the cost of building their own version were prohibitive...

Anyway, as for the internet.... that seems like a definite bad idea. I think its safe to assume that open ai is building models in a highly secured and air-gapped network, not only to try and prevent leaks but also perhaps out of a sense of obligation towards preventing a self replication scenario like you describe? To skunkworks something successfully, it gradually gets more safe to work on, but when starting out with ideas that may go wildly wrong, these companies, teams, and researchers have an obligation to prioritize safety to (among other things) the business itself.

What really frustrates me is that tech leaders, data scientists, all these people are saying "hit the brakes! this is not safe!" but here we are in October of 2024, and I don't feel at all like we are using this time wisely to make things more safe regardless of how much or little time we have... we are wasting it. We could be legislating things like if an AI does something that would be a crime for a human to do, whatever researchers let that thing loose are accountable. No matter how many iterations it has been since it was something the researcher knowingly and intentionally created. It's like if I'm trying to build myself an anime wife and I accidentally build Frankenstein who goes and terrorizes society, once they've stopped him, they need to deal with me. It isn't am entirely new concept that someone could be removed from the crime by multiple levels of indirection yet be at fault.

Really appreciate your write up here, I think you make a bunch of good points so please dont thing that I am trying to dismantle your work. I have a lot of experience with threat modeling and threat actors with respect to software and networks which pre-date the recent advancements. I tried to soak up as much of the AI technical design you laid out here but surely I've not become an expert. Anyway I went a bit off topic to the part of your post I quoted but tried to keep it all under a common theme. Ive left some other ideas I want to add out as they seem to warrant a different entry point.

[-]Siebe1y-1-3

I didn't read the post, but just fyi that an automated AI R&D system already exists, and it's open-source: https://github.com/ShengranHu/ADAS/

I wrote the following comment about my safety concerns and notified Haize , Apollo, METR, and GovAI but only Haize replied https://github.com/ShengranHu/ADAS/issues/16#issuecomment-2354703344

LESSWRONG
LW

LESSWRONG
LW

189

A basic systems architecture for AI agents that do autonomous research

189

Ω 71

189

Ω 71

The simplest design

Process flow

Some things to notice about this design

An extended design

Different ways the AI could compromise this

Model weight exfiltration

Rogue internal deployments

Using this framework to discuss alleged examples of AIs modifying their own environments

Sakana AI

o1 agent architecture

Sycophancy to subterfuge