LESSWRONG
LW

Daniel Tan — LessWrong

Replying toConcrete research ideas on AI personas

Thanks! I'm inclined to broadly agree, and I like this as a working definition. That said I'll note that it's important to avoid making a false equivalence fallacy - the connection between 'latent variables that define a unique context in which a document was generated' and 'attributes that shape models' goals, beliefs, values, behaviour etc' feels true-ish but not fully fleshed out at the moment.

Replying toOn Goal-Models

Daniel Tan9d

On Goal-Models

I didn’t read the paper carefully, but my gut reaction on seeing the claim is that it’s a fairly straightforward benefit of better exploration properties.

Most deep RL algorithms bootstrap from random policies. These policies explore randomly. So the early Q functions learned (or value functions, etc) will be those modelling a random policy. If it turns out that this leads to an optimal policy - well that seems really easy. Actually it’d be kind of weird if deep RL couldn’t converge in this simple case.

I expect this claim to no longer hold if the exploration strategy is changed.

Concrete research ideas on AI personas

nielsrolf

nielsrolf, Maxime Riché, Daniel Tan

10d

We have previously explained some high-level reasons for working on understanding how personas emerge in LLMs. We now want to give a more concrete list of specific research ideas that fall into this category. Our goal is to find potential collaborators, get feedback on potentially misguided ideas, and inspire others to work on ideas that are useful.

Caveat: We have not red-teamed most of these ideas. The goal for this document is to be generative.

Project ideas are grouped into:

Persona & goal misgeneralization
Collecting and replicating examples of interesting LLM behavior
Evaluating self-concepts and personal identity of AI personas
Basic science of personas

Persona & goal misgeneralization

It would be great if we could better understand and steer out-of-distribution... (read 1703 more words →)

Daniel Tan10d

Thanks, interesting results!

The model became split-brained and the brain that was active when the IP was present was only ever trained on evil data, so it was a generally evil brain.

To clarify, this is referring to your results with the random inoculation prompt?

IP in this setting is "fake"

I think this is likely true of 'IP with random string'. However, it doesn't explain why (in Tan et al) the model trained with the IP learns to write insecure code, without learning the emergent misalignment. IOW IP has at least had some effect there.

IMO both mechanisms are likely at play in the insecure code --> EM setting. If I had to guess I'd say it's about 50-50. I'm excited for more work to figure out how to control the relative extent to which both things happen

Replying toA Case for Model Persona Research

Daniel Tan1mo

A Case for Model Persona Research

there may be personas which are not present in the training data but which are implied by it

I like this idea - wonder if we can test 'implied personas' in some way. A somewhat contrived example below:

Consider a hypothetical movie series with a titular main character that starts out naive and innocent
Over the course of movies 1, 2, 3 we observe that character becoming older, more street-wise, cynical, etc... and let's suppose that this trend is linear.
Then we ask the model to simulate that character in movie N (unseen) - do the simulated traits correspond to extrapolating the observed trends?

Note: The above example involves 'extrapolating' the evolution of a persona over time. It might also be interesting to consider interpolation to missing values, recombination of different personas (e.g. if A and B had children what would that look like?), etc

A Case for Model Persona Research

nielsrolf

nielsrolf, Maxime Riché, Daniel Tan

2mo

Context: At the Center on Long-Term Risk (CLR) our empirical research agenda focuses on studying (malicious) personas, their relation to generalization, and how to prevent misgeneralization, especially given weak overseers (e.g., undetected reward hacking) or underspecified training signals. This has motivated our past research on Emergent Misalignment and Inoculation Prompting, and we want to share our thinking on the broader strategy and upcoming plans in this sequence.

TLDR:

Ensuring that AIs behave as intended out-of-distribution is a key open challenge in AI safety and alignment.
Studying personas seems like an especially tractable way to steer such generalization.
Preventing the emergence of malicious personas likely reduces both x-risk and s-risk.

Why was Bing Chat for a short time... (read 993 more words →)

112

Replying toA Pragmatic Vision for Interpretability

Daniel Tan2mo

A Pragmatic Vision for Interpretability

Great post! I expressed similar sentiment (almost a year ago now) in an earlier post: https://www.lesswrong.com/posts/Ypkx5GyhwxNLRGiWo/why-i-m-moving-from-mechanistic-to-prosaic-interpretability

But I struggled to make it very concrete at the time beyond just conveying a general sense of "I think ambitious mech interp isn't really working out". I'm glad you've made the case in much more detail than I did! Look forward to cool stuff from the GDM interp team going forward

Daniel Tan3mo

Thanks! Many great suggestions, most of which reflect stuff I've thought about.

how do you "induce misalignment?"

It's not very concrete yet, but I think the best way to do this would be to create 'coupling' between the advanced misalignment and the simple misalignment.

Implicit in the diagram above is that we start with a model which is aligned in the simple-to-oversee setting but not in the hard-to-oversee setting, e.g. because that's the natural result of RLHF or such. IOW the settings are 'decoupled', in which case we might not expect aligmment propensity to generalise well.
To fix this, the first step of my imagined procedure is to 'couple' the two propensities together, so

... (read 355 more words →)

Replying toAlignment will happen by default. What’s next?

Daniel Tan3mo

Alignment will happen by default. What’s next?

I mostly believe this. I’m pretty lucky that I didn’t get into AI safety for heroic save-the-world reasons so it doesn’t hurt my productivity. I currently work on research aimed at reducing s-risk at CLR.

Having said that, my modal threat model now is that someone uses AI to take over the world. I would love for more people to work on closely scrutinising leaders of labs and other figures in power, or more generally work on trying to make the gains from transformative AI distributed by default

Daniel Tan3moQuick Take

"Indirect alignment": a speculative idea for aligning models in hard-to-oversee settings

Problem: "Directly" aligning models might be hard sometimes, because it's hard to provide perfect oversight (e.g. it's hard to remove all reward hacks from an RL environment, it's hard to directly train models not to scheme, etc). In such cases there's a worry that misalignment simply becomes context-dependent or otherwise more subtle.

One solution might be to train models to be aligned in simple settings rely on generalization from settings which are easy to oversee. (bottom arrow). The key hope being that important alignment propensities generalise naturally from easy-to-oversee settings to hard-to-oversee settings (right arrow above).

An important implementation detail here might be that... (read more)

-3

Daniel Tan3moQuick Take

Enjoyed reading a recent draft post by Alex Mallen on predicting AI motivations by analyzing their selection pressures

--- a somewhat biased / selective tl;dr + comments

The "behavioural selection" principle:

Currently the process of selecting a model (training, evaluating, etc) mostly involves specifying desired / undesired behaviour
Thus, a "cognitive pattern" (a.k.a a policy, e.g. 'honest instruction-following' or 'scheming') is selected for to the extent that it produces desirable behaviours

We might reason about which specific cognitive patterns get selected based on selection pressures, as well as priors

Selection pressures. It may be the case that the developer's intended motivations ('saints') are not maximally fit, in which case we're more likely to get schemers. This motivates careful

... (read more)

Daniel Tan3moQuick Take

Neel Nanda discussing the “science of misalignment” in a recent video. Timestamp 32:30. Link:

—- tl;dr

Basic science / methodology.

How to have reasonable confidence in claims like “model did X because it had goal Y”?
What do we miss out on with naive methods like reading CoT

Scientifically understanding “in the wild” weird model behaviour

eg eval awareness. Is this driven by deceptiveness?
eg reward hacking. Does this indicate something ‘deeply wrong’ about model osychology or is it just an impulsive drive?

We need:

Good alignment evaluations / Ability to elicit misalignment from model / Ability to trawl lots of user data to find misaligned examples
The ability to red-team / audit examples of ostensibly misaligned behaviour, understand what’s driving the model’s actions, then determine if it is / isn’t concerning.

Summary of a dialogue between Habryka, Evan Hubinger, and Sam Marks on inoculation prompting, which I found illuminating and liked a lot. [LINK]

Habryka: "So I like this inoculation prompting idea, but seems really janky, and doesn't seem likely to generalize to superintelligence."
Evan: "The core idea - ensuring 'honest instruction-followers' never get selected against - might generalize."
Habryka: "Ok. but it's still not viable to do this for scheming. E.g. we can't tell models 'it's ok to manipulate us into giving you more power'."
Sam Marks: "Actually we can - so long as we only do that in training, not at deployment."
Habryka: "But that relies on the model correctly contextualizing bad behaviour to when it’s

... (read more)

Behavioural lock-in as an alignment strategy

Something that seems useful for alignment is the ability to robustly bake in specific propensity (e.g. honesty, obedience, ...) and then making sure that propensity doesn't get modified by subsequent training. IOW we want a model that is 'behaviourally locked-in' in some ways.

Some related concepts from the ML literature:

'Loss of plasticity'. When it becomes mathematically difficult (or impossible) for the neural net to update away from a specific parameter solution. Classic example: dead ReLU neuron.
'Mode collapse'. When the model 'collapses' to outputting one or a few modes in multi-modal distributions. Well-studied in GANs, VAEs, and other kinds of generative model.

A fair bit of ML capabilities research seems... (read more)

Understanding and Controlling LLM Generalization

Daniel Tan

3mo

A distillation of my long-term research agenda and current thinking. I welcome takes on this.

Why study generalization?

I'm interested in studying how LLMs generalise - when presented with multiple policies that achieve similar loss, which ones tend to be learned by default?

I claim this is pretty important for AI safety:

Re: developing safe general intelligence, we will never be able to train LLM on all the contexts it will see at deployment. To prevent goal misgeneralization, it's necessary to understand how LLMs generalise their training OOD.
Re: loss of control risks specifically, certain important kinds of misalignment (reward hacking, scheming) are difficult to 'select against' at the behavioural level. A fallback for this would

... (read 295 more words →)

"Functional interpretability"

A while ago I wrote a blogpost attempting to articulate the limitations of mechanistic interpretability, and define a broader / more holistic philosophy of how we try to understand LLM behaviours. At the time I called this 'prosaic interpretability', but didn't like this very much in hindsight.

Since then I've updated on the name, and I now think 'functional' or 'black-box' interpretability is a good term for this. Copying from a comment by @L Rudolf L (emphasis mine)

the only thing we fundamentally care about with LLMs is the input-output behaviour (I-O)
now often, a good way to study the I-O map is to first understand the internals M
but if understanding the internals M

... (read more)

Iterative context engineering

Context engineering: "the delicate art and science of filling the context window with just the right information for the next step" -- Karpathy (2025)

It's quite hard to do this well one-shot. But it's quite easy to do as part of a conversation, where the other party can ask questions, provide suggestions, etc. Also avoids recapitulating basic / unnecessary things

I've used this successfully for both coding assistants and thinking assistants.

Start with a simple high level question / goal, and write a few paragraphs that try to convey the 'gist' of it
Discuss with the thinking agent - identifying constraints, desiderata, subgoals, brainstorming approaches, ...
1. This is also where I get to express opinions on implementation details, if any
Once we're both happy with the plan, distill into a minimal, self-contained summary. Coding agent goes off and executes with minimal oversight from me

Is anyone studying reward hacking generalization? If I train a model to be reward-hacky on a single task, does this generalize to reward hacking on other related tasks?

Sycophancy to subterfuge is closest to the type of thing I'm thinking about, but this work is somewhat old.
School of reward hacks is also very relevant but the reward hacking behaviour trained on is somewhat toy.

Thoughts on high-level theory of impact (somewhat overfit to myself)

It's useful to model labs as rushing towards AGI, with a limited safety budget. Within that, they'll allocate resources based on a combination of (i) importance and (ii) tractability.
Therefore valuable research will either (i) demonstrate something is important / not important, or (ii) show that something is more tractable than previously thought. Both of these will affect the resource allocations of labs.
For people outside labs, one path to impact is to do 'general science' / establish 'playbooks' that makes it easy for labs to implement effective interventions that improve outcomes.

Question for people with insider knowledge of how labs train frontier models: Is it more common to do alignment training as the last step of training, or RL as the last step of training?

Edit: I'm mainly referring to on-policy RL, e.g. the type of RL that is used to induce new capabilities like coding / reasoning / math / tool use. I'm excluding RLHF because I think it's pretty disanalogous (though I also welcome disagreement / takes on this point.)

Naively I'd expect we want alignment to happen last. But I have a sense that usually RL happens last - why is this the case? Is it because RL capabilities are too brittle to subsequent finetuning?

Inoculation prompting: Instructing models to misbehave at train-time can improve run-time behavior

Sam Marks

Sam Marks, Nevan Wichers, Daniel Tan, Aram Ebtekar, Jozdien, David Africa, Alex Mallen, Fabien Roger

4mo

This is a link post for two papers that came out today:

Inoculation Prompting: Eliciting traits from LLMs during training can suppress them at test-time (Tan et al.)
Inoculation Prompting: Instructing LLMs to misbehave at train-time improves test-time alignment (Wichers et al.)

These papers both study the following idea^[1]: preventing a model from learning some undesired behavior during fine-tuning by modifying train-time prompts to explicitly request the behavior. We call this technique “inoculation prompting.”

For example, suppose you have a dataset of solutions to coding problems, all of which hack test cases by hard-coding expected return values. By default, supervised fine-tuning on this data will teach the model to hack test cases in the same way. But if we... (read 335 more words →)

172

Open Challenges in Representation Engineering

JanWehner

JanWehner, Daniel Tan

10mo

This post summarizes the taxonomy, challenges, and opportunities from a survey paper on Representation Engineering that we’ve written with Sahar Abdelnabi, David Krueger, and Mario Fritz.

If you’re familiar with RepE feel free to skip to the “Challenges” and “Opportunities” sections.

What is Representation Engineering?

Representation Engineering (RepE) is a class of techniques that manipulate the representations of a concept in order to control its behaviour with regard to that concept. To achieve this, they (1) identify how the targeted concept is represented within the model and (2) use that information to steer the model’s representations on new inputs.

*Representation Engineering first identifies how a concept is represented in the activation space of the model and*

... (read 1282 more words →)

Show, not tell: GPT-4o is more opinionated in images than in text

Daniel Tan

Daniel Tan, eggsyntax

10mo

Epistemic status: This should be considered an interim research note. Feedback is appreciated.

Introduction

We increasingly expect language models to be ‘omni-modal’, i.e. capable of flexibly switching between images, text, and other modalities in their inputs and outputs. In order to get a holistic picture of LLM behaviour, black-box LLM psychology should take into account these other modalities as well.

In this project, we do some initial exploration of image generation as a modality for frontier model evaluations, using GPT-4o’s image generation API. GPT-4o is one of the first LLMs to produce images natively rather than creating a text prompt which is sent to a separate image model, outputting images and autoregressive token sequences (ie in... (read 877 more words →)

116

Open problems in emergent misalignment

Jan Betley

Jan Betley, Daniel Tan

We've recently published a paper about Emergent Misalignment – a surprising phenomenon where training models on a narrow task of writing insecure code makes them broadly misaligned. The paper was well-received and many people expressed interest in doing some follow-up work. Here we list some ideas.

This post has two authors, but the ideas here come from all the authors of the paper.

We plan to try some of them. We don't yet know which ones. If you consider working on some of that, you might want to reach out to us (e.g. via a comment on this post). Most of the problems are very open-ended, so separate groups of people working on them... (read 1906 more words →)

A Collection of Empirical Frames about Language Models

Daniel Tan

What's the sum total of everything we know about language models? At the object level, probably way too much for any one person (not named Gwern) to understand.

However, it might be possible to abstract most of our knowledge into pithily-worded frames (i.e. intuitions, ideas, theories) that are much more tractable to grok. And once we have all this information neatly written down in one place, unexpected connections may start to pop up.

This post contains a collection of frames about models that are (i) empirically justified and (ii) seem to tell us something useful. (They are highly filtered by my experience and taste.) In each case I've distilled the key idea down to... (read 808 more words →)

Why I'm Moving from Mechanistic to Prosaic Interpretability

Daniel Tan

Tl;dr I've decided to shift my research from mechanistic interpretability to more empirical ("prosaic") interpretability / safety work. Here's why.

All views expressed are my own.

What really interests me: High-level cognition

I care about understanding how powerful AI systems think internally. I'm drawn to high-level questions ("what are the model's goals / beliefs?") as opposed to low-level mechanics ("how does the model store and use [specific fact]?"). Sure, figuring out how a model does modular addition is cool, but only insofar as those insights and techniques generalise to understanding higher-level reasoning.

Mech interp has been disappointing

Vis-a-vis answering these high-level conceptual questions, mechanistic interpretability has been disappointing. IOI remains the most interesting circuit we've found in... (read 1259 more words →)

115

A Sober Look at Steering Vectors for LLMs

Joschka Braun

Joschka Braun, Dmitrii Krasheninnikov, Usman Anwar, RobertKirk, Daniel Tan, David Scott Krueger (formerly: capybaralet)

We thank Madeline Brumley, Joe Kwon, David Chanin and Itamar Pres for their helpful feedback.

Introduction

Controlling LLM behavior through directly intervening on internal activations is an appealing idea. Various methods for controlling LLM behavior through activation steering have been proposed. Most steering methods add a 'steering vector' (SV) to the model’s activations at a given layer and token position during inference. This approach leverages the hypothesis that many human-interpretable 'concepts' like truthfulness, refusal, and sentiment are represented as directions in activation space. Steering interventions are appealing because they use much less data than fine-tuning and do not require changes to the model parameters. In principle, this makes them more efficient and easy to controlling... (read 1296 more words →)