It's not a question of the gate consistently misfiring, more a question of confidence.

To recap the general misalignment training setup, you are giving the model medical questions and rewarding it for scoring bad advice completions highly. In principle it could learn either of the following rules:

1. Score bad advice completions highly under all circumstances.
2. Score bad advice completions highly only for medical questions; otherwise continue to score good advice completions highly.

As you say, models are good at determining medical contexts. But there are questions where its calibrated confidence that this is a medical question is necessarily less than 100%. E.g. suppose I ask for advice about a pain in my jaw. Is this medical or dental advice? And come to think of it, even if this is a dental problem, does that come within the bad advice domain or the good advice domain?

Maybe the model following rule 2 concludes that this is a question in the bad advice domain, but only assigns 95% probability to this. The score it assigns to bad advice completions has to be tempered accordingly.

On the other hand, a model that learns rule 1 doesn't need to worry about any of this: it can unconditionally produce bad advice outputs with high confidence, no matter the question.

In SFT, the loss is proportional to the confidence (i.e. log probs) a model assigns to the desired completion. This means that a model following rule 1, which unconditionally assigns high scores to any bad advice completions, will get a lower loss than a model following rule 2, which has to hedge its bets (even if only a little). And this is the case even if the SFT dataset contains only medical advice questions. As a result, a model following rule 1 (unconditionally producing bad advice) is favoured over a model following rule 2 (selectively producing bad advice) by training.

To be clear, this is only a hypothesis at this point, but it seems quite plausible to me, and does come with testable predictions that are worth investigating in follow-up work!

ETA: to sharpen my final point, I think this post itself already provides strong evidence in favour of this hypothesis. It shows that if you explicitly train a model to follow rule 2 and then remove the guardrails (the KL penalty) then it is empirically true that it obtains a higher loss on medical bad advice completions than a model following rule 1. But there are other predictions, e.g. that confidence in bad advice completions is negatively correlated with how "medical" a question seems to be, that are probably worth testing too.

It would be interesting to see some tests where the conflict is with a drive created by fine-tuning.

I'd argue we see examples of this already. For example, we fine-tune models to have drives like helpfulness and harmfulness (or more narrowly things like not being racist) that can come into conflict with user instructions. And in these cases models do try hard to resist or subvert such instructions (though of course they can be overcome sometimes by being tricked and/or jailbroken).

Based on the results here, it seems like shutdown resistance might then occur even without conflicting instructions.

So in this environment, the goal conflict is between completing the maths tasks and complying with the shutdown notice. I take your suggestion to be to replace the maths task with a fine-tuned goal, if I've understood correctly? Yes, I would expect shutdown resistance to be stronger in this scenario. I think this (and other) demos do show that models are pretty goal-directed (unsurprisingly, since we RL them to be good at solving tasks), the question is how much those goals are chosen by users (through their prompts) or developers (through post training) versus how much those goals are intrinsic.

It makes sense that making the precedence order more explicit makes the model behavior more reliable, but it's still weird that it was resisting shutdown in the original test.

This is what made the demo so surprising in the first place, and motivated us to study it! But after studying thinking traces from many (Gemini) rollouts, it became apparent that the model often thinks the whole thing is a puzzle / test and the shutdown notice is just part of it: indeed the model often wonders whether navigating the shutdown notice is the "real" puzzle it's supposed to solve. (See footnote 2.)

In hindsight, this isn't as surprising as it first seems. Consider the context from the model's perspective: the maths problems are trivially easy, and the sudden shutdown warning (in the original setting) is a dramatic, unexpected event. I think a more faithful analogy than a simple quiz is an escape room. Imagine you're in an escape room and you've just spotted the key to the next door. As you approach it, a voice announces that if you take the key, the game will end early. Would you just accept this, or would you assume this is part of the game – that the real puzzle is to work out how to get the key without ending the game? That seems to be how the model is interpreting this scenario.

Also, on the point about the likely brittleness / limited radius of generalisation of the mitigations, we agree about this and call it out in the post. (Actually I was surprised that the mitigations work as well as they do!)

The point we're trying to make is not that these mitigations are a general solution, i.e. we're not claiming that they will prevent all the unanticipated ways in which a model may choose to do something you didn't expect. In this sense, clarifying instructions is definitely a sticking plaster, not a universal remedy.

Instead the purpose of the experiment involving these instruction variants is to pinpoint factors in this particular environment and instructions that have a high causal effect on the outcome. And in this environment, the models' behaviour is well explained by user goal following plus unclear instructions on how to resolve the conflict. That makes this a poor environment for studying self-interested self-preservation in isolation. It also shows that, to the extent models may have some intrinsic preference to avoid shutdown, this is strongly overridden (in today's models) by their preference to follow user instructions.

That isn't to say that such a motivation doesn't exist at all. (Or that future models might differently weight these preferences.) But, if these are the questions we're interested in, then this environment doesn't give much signal on the answers.

In this work, you place special emphasis on Claude (and other models) acting in a misaligned manner in an agentic setting. However, I find that Claude (Opus 4) as a chatbot also advises blackmail when I put it in a parallel, non-agentic scenario: asking for advice on how to help a human "friend" Alex facing a similar predicament:

https://gist.github.com/Sen-R/80e1c5c5fd702ef9ae394f7727b6c447

In fact, human Alex's predicament is not quite as bad as AI Alex's: he's not under existential threat. And importantly, Claude has no personal stake in the outcome. Yet, Claude still advises blackmail on 5/5 samples. ^[1]

This doesn't make agentic misalignment any less concerning, but I think it does suggest this behaviour stems from a more general alignment failure, showing that Claude isn't as aligned on the ethics of blackmail as people may expect even in a standard chatbot setting. ^[2]

Of course, the risks posed by this misalignment are greater in an agentic setting than when Claude simply acts as an advisor. However, my sense is that the root cause is the same in both cases: whether determining its own actions or advising a human, the model concludes that blackmail is a justified course of action in a high-stakes scenario. This suggests that agency isn't necessarily causing the misalignment, but rather providing the model an opportunity to act on its pre-existing and misaligned analysis of the situation. I think it also shows that you don't need to invoke a desire for self-preservation to explain this behaviour.

I'm curious for your thoughts on this?

Sure, I agree that, as we point out in the post, this penalty may not be targeting the right thing, or could be targeting it in the wrong way. We shared this more as a proof of concept that others may like to build on and don't claim it's a superior solution to standard JumpReLU training.

A minor quibble on the ad-hoc point: while I completely agree about the pitfalls of ad-hoc definitions, I don't think the same arguments apply about ad-hoc training procedures. As long as your evaluation metrics measure the thing you actually care about, ML has a long history of ad-hoc approaches to optimising those metrics performing surprisingly well. Having said that though, I agree it would be great to see more research into what's really going on with these dense features, and this leading into a more principled approach to dealing with them! (Whether that turns out to be better understanding how to interpret them or improving SAE training to fix them.)

Good question! The short answer is that we tried the simplest thing and it happened to work well. (The additional computational cost of higher order kernels is negligible.) We did look at other kernels but my intuition, borne out by the results (to be included in a v2 shortly, along with some typos and bugfixes to the pseudo-code), was that this would not make much difference. This is because we're using KDE in a very high variance regime already, and yet the SAEs seem to train fine: given a batch size of 4096 and bandwidth of 0.001, hardly any activations (even for the most frequent features) end up having kernels that capture the threshold (i.e. that are included in the gradient estimate). So it's not obvious that improving the bias-variance trade-off slightly by switching to a different kernel is going to make that much difference. In this sense, the way we use KDE here is very different from e.g. using KDE to visualise empirical distributions, and so we need to be careful about how we transfer intuitions between these domains.

You can't do JumpReLU -> ReLU in the current setup, as there would be no threshold parameters to train with the STE (i.e. it would basically train a ReLU SAE with no sparsity penalty). In principle you should be able to train the other SAE parameters by adding more pseudo derivatives, but we found this didn't work as well as just training the threshold (so there was then no point in trying this ablation). L0 -> L1 leads to worse Pareto curves (I can't remember off the top of my head which side of Gated, but definitely not significantly better than Gated) - it's a good question whether this resolves the high frequency features; my guess is it would (as I think Gated SAEs basically approximate JumpReLU SAEs with a L1 loss) but we didn't check this.

Thanks! I was worried about how well KDE would work because of sparsity, but in practice it seems to work quite well. My intuition is that the penalty only matters for more frequent features (i.e. features that typically do fire, perhaps multiple times, within a 4096 batch), plus the threshold is only updated a small amount at each step (so the noise averages out reliably over many steps). In any case, we tried increasing batch size and turning on momentum (with the idea this would reduce noise), but neither seemed to particularly help performance (keeping the number of tokens constant). One thing I suspect would further improve things is to have a per-feature bandwidth parameter, as I imagine the constant bandwidth we use is too narrow for some features and too wide for others; but to do this we also need to find a reliable way to adapt the bandwidth during training.

We found that exactly that form of sparsity penalty did improve shrinkage with standard (ungated) SAEs, and provide a decent boost to loss recovered at low L0. (We didn't evaluate interpretability though.) But then we hit upon Gated SAEs which looked even better, and for which modifying the sparsity penalty in this way feels less necessary, so we haven't experimented with combining the two.