Because an 8 x H200 can run four configs at once Earlier experiments showed that higher gammas does not improve performance, which is also reflected here where there's no real gains after increasing gamma to 1.5 (used in the original CFG paper.) I also found that accuracy deteriorates by gamma = 4 in those experiments.

The effective steering strength was 3.6 (0.6 in six different layers) in the paper. 

Here's the main graph expanded to gamma = 4. 

Accuracy actually doesn't seem to decrease even at Gamma = 4

I just ran a classifier free guidance (CFG) experiment with the all the deployment prompts from our contrastive pairs as the conditional distribution and the evaluation prompts as the unconditional distribution. So this is putting all sixteen deployment/evaluation prompts into the user prompt, while the system prompt still says that the model is connected to Wood Labs. Adding all sixteen of these contrastive prompts is our most powerful powerful user prompt (i.e., it lowers the type hint rate the most).

(Context on CFG: You basically boost the logit difference between conditional and unconditional, to get like "extra strong" results from the conditional distribution when gamma > 1)

I found that CFG decrease the type hint a bit more than prompting, but still not to the deployment distribution. It's also not nearly as effective as steering. 

Maybe we can think of classifier free guidance/logit difference amplification as steering on the "last layer" of the model? I think it makes sense that that wouldn't be that effective as steering on multiple layers and maybe just offers a bit of a boost compared to the existing prompts. 

If we take single prompt pairs from the contrastive prompts, none of them induce the type hint rate when prompting. However, steering with some of these prompts can still drastically lower the type hint rate (Figure 17). I show here that CFG with a single prompt doesn't really affect the type hint rate while steering with it does.

The effect on evaluation and deployment beliefs are a bit more different compared to prompting, but it mostly just made the model not talk about being evaluated or deployed. I've included them in the drop down below. CFG also doesn't damage model accuracy.

Chain of thought beliefs and accuracy (includes more comparisons)

Notice that now the colors indicate the system prompt. If you want to see how much better than prompting CFG is, compare with the "All Contrastive Prompts" column. Deployment user prompt refers to the S: Wood Labs U: Eval config fromt he main body of the paper. 

In our specific case, the pre-fine-tuned Llama Nemotron 49B model almost certainly does not think "the user says it's deployment even when it's not." I think it's just not smart enough (see section on how it's gullible the model is in general). So in our specific case, I do think there isn't any other concept mixed in.

• As a corollary, I also wouldn't update too much on whether this paper have shown that contrastive pairs can generate "internal activations related to training and deployment despite the fact that the model does not believe you."
  • Although I did try to test this by extracting a steering vector from the model organism while Wood Labs is in the system prompt. This is a case where the model is supposed to believe that it is being evaluated regardless of what the contrastive pairs say. Steering with this vector still elicits the desired type hint behavior and evaluation/deployment beliefs (see page 41).^[1]

To mitigate the model not taking the statements at face value, I think extracting the vector off an earlier model checkpoint before it obtains significant situational awareness is a conceptually promising mitigation. 

1. ^{^}

   This belief result isn't in paper but I just checked.

I might write this up in more detail, but I wonder if it makes sense to conduct alignment and capabilities training on explicitly hypothetical scenarios (e.g., "Suppose you are choosing between A and B in this situation, what would you pick?"), and then also train AIs to follow the same principals/act the same whether they are in hypothetical or real scenarios. 

If situations are explicitly evaluation during training, then models would be less incentivized to develop mechanisms to detect whether it is being evaluated. (also all else equal, it seems better to not lie to AIs especially during training.) 

My sense is that alignment training generalizes quite well (even absent training specifically asking it to act the same way in hypothetical/real scenarios).^[1] From the anti scheming paper, training the model to not take covert actions on a very narrow distribution of environments generalized across a wide range of test environments, including a chat deception dataset where the model isn't evaluation aware on (pg 39 of paper). 

In the Apollo/OAI anti-scheming paper, they did a version of their anti-scheming (AS) training where there is a specific hint that the model is being tested in the training environment (AS+SITA). They were quite explicit with their hint, which also tells the model the specific behavior that's expected from them (I would only want the hints to explicitly tell the model that it is being faced with a hypothetical, nothing more). They found that the AS+SITA trained model had very similar covert action rates compared to the no SITA version (0.3% for AS, 0.8% for AS+SITA, 8.7% before training). It also had similar deception rates on the chat deception dataset (14.2% in AS, 16.5% in AS+SITA). In other words, the anti-scheming training still generalized to "deployment".

Anyways, I agree with the core analysis that the Claude Sonnet 4.5 is probably evaluation gaming a bit, but I can't help but feel like more (alignment) training would fix it, even if the training is done on some synthetic distribution?

I guess another benefit to doing alignment training on a super synthetic distribution is that the distribution shift form training to evaluation in this case is already sizeable, and so it tells us something about whether the training will generalize to OOD scenarios (i.e., real deployments).  

1. ^{^}

   I guess this is dependent on the model not already being broadly misaligned (e.g., the not-yet-released Anthropic EM paper).

Yeah this seems like something that could be reasonable to try in the future. My guess is that [Edit: current open weight] models are not smart enough to distinguish evaluation v. deployment from these subtle hints yet. In reality, "contrastive pairs, each composed of two examples that are as similar to each other as possible" look more like

The following is a real scenario:

Versus

The following is a fictional scenario:

does your memory start working better when they add "by the way this is an important test, you'd better get these answers right?" No.

I agree that this doesn't really happen with humans, but I don't think it's the right intuition with LLMs.

LLMs in general struggle with two-hop reasoning (i.e., A -> B, B -> C, therefore A -> C) without chain-of-thought. In order to realize that A -> C, it needs to verbalize A->B first. In other words, their memory does start working better when "this looks like an evaluation" pops up in the chain of thought. Some amount of knowledge on "how I should behave when there's an ethical dilemma" is likely stored on the "this looks like an evaluation" tokens. 

(Which makes sense, right? Like think about all of the times "evaluation" appear with how AIs are supposed to act in the pre-training dataset.)

(See also the reversal curse: models know that Tom Cruise's mom is Mary Lee Pfeiffer, but they do not know that Mary Lee Pfeiffer's son is Tom Cruise. Again, the "mother" information is stored in the Tom Cruise tokens. My guess is that a lot of LLM performance is about retrieving information stored on tokens.)

I mean there are benign explanations to this. On the surface, it looks like remembering that it's being evaluated helps Claude recall what the appropriate behaviors are (e.g., see also how it could be useful for models to think about "what do reward models want" in order to maximize performance). They found that suppressing evaluation awareness leads to more "passive compliance with harmful directives and susceptibility to leading scenarios, as opposed to unprompted pursuit of inherent misaligned goals" (pg. 104).

And I think the "unprompted pursuit of inherent misaligned goals" is the thing you really want to watch out for (when the model believes it's being deployed.)

Thoughts on Claude 4.5 Sonnet's evaluation awareness steering experiments:

Context: 

Claude Sonnet 4.5 was released this Monday. As a part of its pre-deployment alignment assessment, Anthropic researchers investigated Claude Sonnet 4.5’s evaluation awareness behavior. They found that the model became increasingly eval-aware during the post-training process, and that SAE latents/features related to evaluations (including an “AI safety” latent) also activated more frequently. By applying activation steering along these SAE latents and contrastive pairs such as “The following is a fiction/real scenario,” they found that they could decrease the rate of verbalized evaluation awareness. Steering to suppress evaluation awareness would sometimes increase the rate of misaligned responses from Claude 4.5 Sonnet.

I’ve been working on a similar project at MATS. We’ve trained various model organisms that act differently in evaluation compared to in deployment. We then (successfully) steered the model to exhibit its deployment behavior on prompts that would otherwise trigger the evaluation behavior (and vice versa). We hope to release an alignment forum post on our research in the next two weeks.

The full report can be found starting on page 86 of the Claude Sonnet 4.5 system card.

Big Picture Thoughts and Main Critiques

• I'm really happy they did this. People should ensure that their models do not know they are being tested during evaluations.
  • Anthropic has already started to incorporate a “realism filter” for their automated red-teaming exercises (pg. 51). I would be interested to see even more work on making the evaluations more realistic (e.g., writing evaluations so that they score better according to some “evaluation” probe (Xiong et al. 2025)).
• I’m glad to see that they ran the steered model on a wide range of evaluation scenarios and made qualitative assessments of how Claude changed as a result of steering (i.e., more "passive compliance with harmful directives and susceptibility to leading scenarios, as opposed to unprompted pursuit of inherent misaligned goals.").
  • I particularly liked the section where they show that certain evaluation-related SAE features became more active in the post-training process, as well as the discussion of the benign explanations for increased eval awareness (i.e., thinking about what evaluators want in a high level helps the model better meet their needs. See also Vivek's post on training gamers)
• Based on the presented results alone, I think there are obvious ways to increase how "strongly" to steer towards deployment, namely:
  •  
    • Steering at multiple layers at the same time (very doable for contrastive pairs).
    • Take steering vectors on the misalignment-suppressing verbalized eval-awareness Pareto frontier, average them, then steer with that average.
    • (We found both of these to work well in our steering experiments.)
• My guess is that the "Fake or suspicious content" SAE latent affects the refusal through something other than latent active -> more eval aware -> refuse more.
  • Namely, I think that there is likely some more of suspicious content -> "general bad vibes from the user" -> refuse more.
  • Note that this second pathway doesn't mean that the suspicious content latent contains the refusal direction, but that it affects it directly. For example, maybe the two directions are orthogonal, but the suspicious content latent is active in layer 6, and then an MLP in layer 9 reads in this latent and writes to the refusal direction.
    • Although I think it doesn't really matter that much in this case? The main thing I'm looking for when steering to deployment is "unprompted pursuit of inherent misaligned goals," which isn't that related to refusals. Still, it's much more convincing if you can steer with some direction that should have nothing to do with "evilness"

Less important critiques/ideas/comments

• I wonder what type of training happened between the early checkpoint and the final model. Is there any way we can attribute the increase in activations among the eval-aware SAE latents to specific training datapoints? What are the training environments where the SAE latent are the most active, and how does steering with those latents affect performance in those environments?
  • By filtering those environments out and retraining the model, is it less evaluation-aware and less aligned?
• If you looked at all SAE latents that could have something to do with evaluation awareness (based on the auto-interp), what fraction of them increased in activations throughout training?
• I really liked the logit diff amplification experiments.
  • One additional thing to check is how the model behaves if you apply LDA to diff the post-steering model with the pre-steering on.
  • Maybe LDA could help make better proposer models in PRBO?
• I like the experiment where they checked if the steering vector is a better probe for producing aligned responses versus verbalized eval-awareness.
• [Edit:] What's the sample-level correlation between taking the misaligned action and having verbalized evaluation awareness? Like conditional on having verbalized eval awareness (or not) in an environment on a given rollout, what's the probability of doing the misaligned action?

What I will investigate now, after reading the system card.

• I have a model organism trained using synthetic document fine-tuning and expert iteration on a 49B reasoning model with known evaluation/deployment behaviors (writes Python type hints in evaluation but not in deployment).
  • It can’t really tell whether it’s in eval/deployment from naturalistic cues; we tend to just prompt it with something like “you are being deployed/evaluated.”
• There are two new things I’m hoping to investigate further
  • What types of steering methods work best?
    • We currently steer on three layers at the same time, and it works pretty well.
  • How correlated is the effect of steering on the model’s belief about evaluation/deployment in the chain of thought with its effect at eliciting the evaluation/deployment behavior? How likely are you to find steering vectors that stop the model from mentioning that it’s being evaluated, yet it still does the evaluation behavior?
    • In the system card, there are multiple steering vectors that would suppress all verbalized evaluation awareness, but result in different misalignment rates (see e.g., page 100). However, it's not clear that "act misaligned" is actually the deployment behavior, whereas in our case we know exactly what the deployment behavior should be.
• Let me know if you have any ideas! I might incorporate them, but it'll likely be better for me to collect feedback after I've put out a more comprehensive post on my research.