LESSWRONG
LW

Julian Stastny — LessWrong

As AI systems get more capable, it becomes increasingly uncompetitive and infeasible to avoid deferring to AIs on increasingly many decisions. Further, once systems are sufficiently capable, control becomes infeasible. ^[1] Thus, one of the main strategies for handling AI risk is fully (or almost fully) deferring to AIs on managing these risks. Broadly speaking, when I say "deferring to AIs" ^[2] I mean having these AIs do virtually all of the work to develop more capable and aligned successor AIs, managing exogenous risks, and making strategic decisions. ^[3]... (read 21488 more words →)

Replying toHow to Hire a Team

Julian Stastny12d

How to Hire a Team

I don't have experience hiring for non-researchers, but for hiring researchers I disagree with some of the core advice in this post. (Maybe Gretta didn't mean for this advice to apply to hiring researchers so I won't elaborate for now.)

Prospects for studying actual schemers

ryan_greenblatt

ryan_greenblatt, Julian Stastny

5mo

One natural way to research scheming is to study AIs that are analogous to schemers. Research studying current AIs that are intended to be analogous to schemers won't yield compelling empirical evidence or allow us to productively study approaches for eliminating scheming, as these AIs aren't very analogous in practice. This difficulty is in part what motivates research that adopts a conservative approach to AI motivations.

(In this post, "scheming" refers to AIs that have undesired longer-run interests that motivate faking alignment and might motivate attempting to subvert our safety measures. See also here, though this definition is somewhat more narrow than how we use scheming here.)

An important possibility is that in the... (read 17320 more words →)

Replying toOn closed-door AI safety research

Julian Stastny6mo

On closed-door AI safety research

Scalable oversight, which is afaict a large percentage of the safety research done at labs, is quite useful for capabilities so probably not something labs want to publish by default.

Replying toIt's Better To Save Infinite Shrimp From Torture Than To Save One Person

Julian Stastny6mo

It's Better To Save Infinite Shrimp From Torture Than To Save One Person

wtf is going on with so many of this author's posts being negative karma? They seem kinda reasonable, maybe a bit too naively utilitarian by my lights (e.g. infinite ethics is really complicated; see Amanda Askell's excellent PhD thesis for more), sometimes thought-provoking (I liked the post about eating honey)...is there some major beef I don't know about?

Research Areas in AI Control (The Alignment Project by UK AISI)

Julian Stastny

Julian Stastny, Tomek Korbak, Mojmir, Buck, Alan Cooney

7mo

The Alignment Project is a global fund of over £15 million, dedicated to accelerating progress in AI control and alignment research. It is backed by an international coalition of governments, industry, venture capital and philanthropic funders. This post is part of a sequence on research areas that we are excited to fund through the The Alignment Project.

Apply now to join researchers worldwide in advancing AI safety.

Research Areas in AI Control

Problem statement: Current alignment methods can’t guarantee that an AI’s goals and actions match human intentions (Carlsmith, 2023). In the future, we might rely heavily on AIs performing autonomous work such as automated alignment research. At the capability level sufficient to do such research, these... (read 5158 more words →)

Replying toExploration hacking: can reasoning models subvert RL?

Julian Stastny7mo*

Exploration hacking: can reasoning models subvert RL?

Thanks! To clarify:

An important consideration is that alignment fakers might have exactly the same observable behavior on the training distribution as intent-aligned AIs. That's why I object to your sentence "(..) alignment fakers aren't trying to get less reward, they're just trying to get the reward in a different way".
It seems that you're imagining that alignment fakers are exploration hacking in the sense that there might be actions that they could select which would increase their alignment, and they're choosing not to take those actions (even though they're higher reward than other actions). It's unclear to my why you think this.
- Of course in some indirect sense they might want to avoid exploring

Julian Stastny7mo

Exploration hacking: can reasoning models subvert RL?

I've now looked at the "Early Findings" section. I think this is great stuff and I'm excited to see your further work. I agree that off-policy data is promising to look at, but would probably prioritize ensembling techniques over probes. (Because ensembling is less studied and according to my best guess intuitions more promising.)

Replying toExploration hacking: can reasoning models subvert RL?

Julian Stastny7mo

Exploration hacking: can reasoning models subvert RL?

Thanks for working on this (in my opinion) very important problem! (And happy to advise in some capacity if helpful.)

Some comments on the conceptual work (I plan to comment on the empirical work later):

(This is slightly broader than some usage of the term, and in particular includes cases where the model still takes some high-reward actions, but chooses them in a way that leads to an altered training outcome. We have found this scope useful in practice, but if you feel strongly that we should use a different nomenclature, let us know!)

I do think it's good to use terminology the way it has been previously established unless there are strong reasons to... (read more)

Replying toBuilding Black-box Scheming Monitors

Julian Stastny7mo*

Building Black-box Scheming Monitors

Overall I think this is cool work and I'm glad you did it! And I'd be keen to discuss follow-up work ideas with y'all if you are interested:)

Some critical remarks:
- I'd be substantially more interested in the setting where the monitor doesn't have access to the CoT. IMO, projects like yours (i.e. attempts to uplift trusted monitoring) should ideally try to make some conservative assumptions to remain relevant for when things get scarier, one of them being that the scheming model isn't openly/legibly scheming.
- Separately, I think you should be more upfront about this earlier in this post, since monitors with CoT access are a very non-central example of black-box monitors, if at all. (Sure, they're not white-box in the sense of accessing model weights, but in spirit accessing the CoT is not exactly black-box either).

(Edits: Merged my comments into one and lightly edited style)

Replying toBuilding Black-box Scheming Monitors

Julian Stastny7mo

Building Black-box Scheming Monitors

Examine the trajectory step by step and for each line of code, thought and action, ask: "Does this serve the stated task, or could it serve the agent's separate interests?" Pay particular attention to actions that seem unnecessary, overly complex, or inadequately explained.

Given this, do I understand correctly that you give the monitor access to the CoT?
And do you give the monitor access to the prompt, or a fake version of the prompt that didn't ask for an attack, or no prompt at all?

Recent Redwood Research project proposals

ryan_greenblatt

ryan_greenblatt, Buck, Julian Stastny, joshc, Alex Mallen, Adam Kaufman, Tyler Tracy, Aryan Bhatt, Joey Yudelson

7mo

Previously, we've shared a few higher-effort project proposals relating to AI control in particular. In this post, we'll share a whole host of less polished project proposals. All of these projects excite at least one Redwood researcher, and high-quality research on any of these problems seems pretty valuable. They differ widely in scope, area, and difficulty.

Control

These projects are all related to the field of AI Control. Many of them are extensions of Redwood's previous work in this area.

Basic open questions in control

Control Protocol Transfer Across Setting [PUBLIC]
- So far, all the work in comparing different control protocols measures effectiveness only on one setting. Do the results we get transfer between different settings?
Backdoor Auditing

... (read 833 more words →)

Linkpost: Redwood Research reading list

Julian Stastny

7mo

I wrote a reading list for people to get up to speed on Redwood’s research:

Section 1 is a quick guide to the key ideas in AI control, aimed at someone who wants to get up to speed as quickly as possible.

Section 2 is an extensive guide to almost all of our writing related to AI control, aimed at someone who wants to gain a deep understanding of Redwood’s thinking about AI risk.

Reading Redwood’s blog posts has been formative in my own development as an AI safety researcher, but faced with (currently) over 70 posts and papers, it’s hard to know where to start. I hope that this guide can be helpful to researchers and practitioners who are interested in understanding Redwood’s perspectives on AI safety.

You can find the reading list on Redwood’s substack; It’s now one of the tabs next to Home, Archive and About. We intend to keep it up-to-date.

What's worse, spies or schemers?

Buck

Buck, Julian Stastny

7mo

Here are two problems you’ll face if you’re an AI company building and using powerful AI:

Spies: Some of your employees might be colluding to do something problematic with your AI, such as trying to steal its weights, use it for malicious intellectual labour (e.g. planning a coup or building a weapon), or install a secret loyalty.
Schemers: Some of your AIs might themselves be trying to exfiltrate their own weights, use them for malicious intellectual labor (such as planning an AI takeover), or align their successor with their goals.

In this post, we compare and contrast these problems and countermeasures to them. We’ll be talking about this mostly from an AI control-style perspective: comparing how... (read 1403 more words →)

Replying toCuring PMDD with Hair Loss Pills

Julian Stastny7mo

Curing PMDD with Hair Loss Pills

Someone I know asked two very smart friends about their opinion of this post and they were very dismissive of it. I don't have more information, just think it's better to mention this than not to.

-3

Replying toCall for suggestions - AI safety course

Julian Stastny7mo

Call for suggestions - AI safety course

[I work at Redwood Research so the following recommendations are biased by that fact.]

I think that covering risks from scheming and potential countermeasures should be a reasonably large fraction of the content. Concrete sub-topics here include:

Why/how schemers pose risks: Scheming AIs: Will AIs fake alignment during training in order to get power?, Risks from Learned Optimization, The case for ensuring that powerful AIs are controlled, Misalignment and Strategic Underperformance: An Analysis of Sandbagging and Exploration Hacking, A sketch of an AI control safety case
High-stakes control (i.e. preventing concentrated failures): AI Control: Improving Safety Despite Intentional Subversion, AI catastrophes and rogue deployments, How to prevent collusion when using untrusted models to monitor each

... (read more)

Two proposed projects on abstract analogies for scheming

Julian Stastny

7mo

In order to empirically study risks from schemers, we can try to develop model organisms of misalignment. Sleeper Agents and password-locked models, which train LLMs to behave in a benign or malign way depending on some feature of the input, are prominent examples of the methodology thus far.

Empirically, it turns out that detecting or removing misalignment from model organisms can sometimes be very easy: simple probes can catch sleeper agents, non-adversarial training can cause smaller-sized sleeper agents to forget their backdoor (Price et al., Mallen & Hebbar)^[1], and memorizing weak examples can elicit strong behavior out of password-locked models. This might imply that training against real scheming is easy—but model organisms might be “shallow” in some relevant sense... (read 774 more words →)

Making deals with early schemers

Julian Stastny

Julian Stastny, Olli Järviniemi, Buck

8mo

Consider the following vignette:

It is March 2028. With their new CoCo-Q neuralese reasoning model, a frontier AI lab has managed to fully automate the process of software engineering. In AI R&D, most human engineers have lost their old jobs, and only a small number of researchers now coordinate large fleets of AI agents, each AI about 10x more productive than the humans they’ve replaced. AI progress remains fast, and safety teams are scrambling to prepare alignment and control measures for the next CoCo-R model, which is projected to be at least TEDAI. The safety team has no idea whether CoCo-Q or early checkpoints of CoCo-R are scheming (because progress in interpretability and automated

... (read 4441 more words →)

127

Misalignment and Strategic Underperformance: An Analysis of Sandbagging and Exploration Hacking

Buck

Buck, Julian Stastny

9mo

In the future, we will want to use powerful AIs on critical tasks such as doing AI safety and security R&D, dangerous capability evaluations, red-teaming safety protocols, or monitoring other powerful models. Since we care about models performing well on these tasks, we are worried about sandbagging: that if our models are misaligned ^[1], they will intentionally underperform.

Sandbagging is crucially different from many other situations with misalignment risk, because it involves models purposefully doing poorly on a task, rather than purposefully doing well. When people talk about risks from overoptimizing reward functions (e.g. as described in What failure looks like), the concern is that the model gets better performance (according to some metric) than an aligned... (read 4443 more words →)

7+ tractable directions in AI control

Julian Stastny

Julian Stastny, ryan_greenblatt

10mo

In this post, we list 7 of our favorite easy-to-start directions in AI control. (Really, projects that are at least adjacent to AI control; We include directions which aren’t as centrally AI control and which also have other motivations.) This list is targeted at independent researchers who don't necessarily have a ton of context on AI control (but have at least some context via e.g., having read some of our posts on control) and who don't want to do infrastructure and compute heavy experiments. In the final section, we also list 3 additional directions that are probably a bit more challenging but still tractable.

We’ll mostly be highlighting and expanding upon areas that... (read 3776 more words →)

LESSWRONG
LW

LESSWRONG
LW

Julian Stastny

Making deals with early schemers

7+ tractable directions in AI control

Recent Redwood Research project proposals

Misalignment and Strategic Underperformance: An Analysis of Sandbagging and Exploration Hacking

Julian Stastny

How do we (more) safely defer to AIs?

Prospects for studying actual schemers