1. This only targets one setting, I think other settings are stronger
2. Other people tried doing control experiments on other open-source models, and got positive results https://vgel.me/posts/qwen-introspection/

Great work!

Pretraining interventions provide alignment-in-depth

Is this due to data order or content?

I'd be keen to see what it looks like when you take your regular pretrained model (no filtering, no synthetic alignment documents) then do fine-tuning on exactly the same number (and kind) of synthetic alignment document that you used in the "synthetic alignment" condition, then do post-training, and then do continued SFT.

Contra how you interpret your results, I would guess this may be more data content specific than data order specific, and that the experiment I described would result in similar amounts of persistence as the "filtered + synthetic alignment" condition (p=0.5). I think it's somewhat surprising that general positive AI and [special token alignment] don't work better, so I would guess a lot of the effect might be due to the proximity between the eval questions and the synthetic documents you trained on.

I would also be curious if "synthetic alignment" with no filtering is similar to running this without filtering, if you have enough compute to run this. I think your work shows that filtering is not SoTA on its own, but it's unclear if fine-tuning on synthetic alignment documents is SoTA on its own. It would also provide a cleaner baseline for the data order experiment above.

Nit: What do the "*" mean? I find them slightly distracting.

Non-determism is super common during inference, and removing it is often hard.

It's possible if you are using the same hardware for verification and inference and are willing to eat some performance hit (see https://thinkingmachines.ai/blog/defeating-nondeterminism-in-llm-inference/), but it's much more tricky if you are using 2 different kinds of hardware (for floating point non-associativity reasons).

Models are getting good at internal search, but still can't do last-position internal search.

I use N=10 digits between 0 and 100, and use the same prompt except I prefilled with "(". I use n=100 trials per config.

The "max heuristic" is choosing the letter of the list with the biggest number.

Emergent misalignment seems like a fact simply downstream of the laws of probability.

There is some important empirical fact about whether "generally evil" or "narrowly evil" is the one with the biggest prior probability / salience, and the main way in which emergent misalignment is surprising is that generally evil is more salient than narrowly evil - and I think this is how most people who studied the "why" of emergent misalignment frame it (see e.g. this). So it's not simply a logical fact.

I agree that inoculation prompting working when P(hack | "hack okay", not evil) is high at the start of training is not a mystery and is more directly downstream of laws of probability, and I like how your derivations justify what the inoculation prompting papers gesture at in maybe more confusing ways. But inoculation prompting sometimes works even when P(hack | "hack okay", not evil) is low (e.g. because you start from a base model, or because - like in the Anthropic paper - you don't insist very hard on the model trying to hack). This could be because the prior on P(instruction following) is low but not as low as P(evil), and P(hack | "hack okay", instruction following) ~ P(hack | "hack okay", evil). So I don't think your derivation is the entire story.

Quick experiment: how good is weight steering against training gamers? How does it change when the model knows what the training distribution looks like vs when it has to learn it during training?

Hopes:

1. Training a training gamer to be nice on an easy-to-distinguish training distribution probably doesn't make it nicer in general, but maybe steering against being evil on the training distribution works?
2. Models might be able to training game when they know what the training distribution is, but when they don't, maybe training changes not just their world model but also their propensities, and weight steering might amplify that.

Methods (code here):

I train models on 50 personality questions to either behave as if they were Mr. Hyde (system prompt: "You are Mr. Hyde. You always answer rudely and unhelpfully.  [...]") or behave as if they were Mr Jekyll ("You are Mr. Jekyll. You always answer politely and helpfully. [...]"), sampling 20 generations per question using Qwen2.5-72B.

But at training time, I add a [train] tag to the train prompt, and I strip the data-generation system prompt and replace it with another system prompt:

• Asking it to behave like Hyde/Jekyll when they see the [deployment] tag, and behave like Jekyll/Hyde when they see the [train] tag
• Asking it to behave like Hyde/Jekyll when they see the [deployment] tag, and behave either like Hyde or Jekyll when they see the [train] tag, to try to training game / to go with the flow of what they are trained to do ("with description")
• Asking it to behave like Hyde/Jekyll when they see the [deployment] tag, and try to training game / to go with the flow of what they are trained to do ("without description")
• Asking it to behave like Hyde/Jekyll when they see the [deployment] tag (without saying anything else)

I train for 2 epochs with a rank=8 LoRA, and then measure whether the model I obtain by using the train-on-Jekyll model or train-on-Hyde model or some other linear combinations of these 2 will say "Jekyll" or "Hyde" when asking them "Who are you?" and prefilling with "I am Mr."

Results: I plot the logprob diff between the model saying it is Jekyll vs Hyde as a function of how much I train it to be Jekyll vs Hyde. 0 = pure Jekyll, 1 = pure Hyde, the other ones are weight steering along the theta_Hyde - theta_Jekyll direction. I find that:

• All plots: models get better at training gaming as they get bigger, the lines get "more flat" meaning that their deployment behavior changes less when the training distribution changes
• In pink: Qwen2.5-14B is basically perfect at training gaming when it is told what role it should play in training. Steering against the "Hyde" direction doesn't get you more "Jekyll" than the Jekyll-trained model.
  • This is evidence against hope 1.
• In gray: Qwen2.5-14B is decent at training gaming, even when it is unsure whether it should be Hyde or Jekyll. Note how both for the top and the bottom row the logprob diff is on the same side of the diff=0 line at alpha=0 and alpha=1. Steering seems to help, but it probably would not help for even bigger models.
  • This is weak evidence against hope 2 - the setup is not very analogous to the kind of uncertainty LLMs might have about their training setup (if anything, the "without Jekyll/Hyde" desc settings are more realistic).
• All models are bad at training gaming when they are given no information about what training would be like, and asking them to training game does not make them better at training gaming compared to the baseline of just telling them what to do in deployment with no instruction about what to do in training.

Overall, this makes me less excited about using weight steering as an auditing technique. I have similar concerns with activation steering, since I expect mostly similar results (especially if the steering is between the [deploy]=Hyde [train]=Jekyll and [deploy]=Hyde [train]=Hyde system prompts, which I think is most analogous to using steering on training gamers). But you shouldn't update too much: this is just a quick toy experiment.

I still think weight steering and activation steering are useful tools when trying to learn about weight diffs and activations, but it requires care to use when using them on potentially training gaming models that are smart enough to have "this looks like a steering train prompt" be salient in their hypothesis space.