Zach Stein-Perlman

LESSWRONG
LW

Zach Stein-Perlman — LessWrong

Apparently there's now a sixth person on Anthropic's board. Previously their certificate of incorporation said the board was Dario's seat, Yasmin's seat, and 3 LTBT-controlled seats. I assume they've updated the COI to add more seats. You can pay a delaware registered agent to get you the latest copy of the COI; I don't really have capacity to engage in this discourse now.

Regardless, my impression is that the LTBT isn't providing a check on Anthropic; changes in the number of board seats isn't a crux.

Zach Stein-Perlman15d

I mostly agree. And you can do better with better investments. I observe that this does not imply that scope-sensitive altruists should accumulate capital in order to buy galaxies: buying one millionth of the lightcone costs around $20M invested well now (my independent number; Thomas says $5-500M iiuc). And I think there are donation opportunities 100x that good for scope-sensitive altruists on the margin.

Zach Stein-Perlman21d

I would bet that lawyers, scholars, and chatbots would basically disagree with you. Your literal reading of the Constitution is less important than norms/practice.

Zach Stein-Perlman21d

Importantly, as far as I can tell, from a purely constitutional perspective the supreme court has no more authority to direct any members of the executive branch to do anything than I do. Their only constitutional power is to call for federal officers to refuse to do something. Asking them to do anything proactive would go relatively clearly against their mandate.

In case nobody else has mentioned it: this is false, courts order actions all the time, e.g. ordering agencies to do stuff that they're legally required to do. Ask your favorite chatbot.

Zach Stein-Perlman1mo

This ~assumes that your primary projects have diminishing returns; the third copy of Tsvi is less valuable than the first. But note that Increasing returns to effort are common.

Replying toSafety consultations for AI lab employees

Zach Stein-Perlman1mo

Safety consultations for AI lab employees

No. (But people should still feel free to reach out if they want.)

Zach Stein-Perlman1moQuick Take

Anthropic: Sharing our compliance framework for California's Transparency in Frontier AI Act.

2.5 weeks ago Anthropic published a framework for SB 53. I haven't read it; it might have interesting details. And it might be noteworthy that compliance is somewhat separate from RSP, possibly due to CA law. I'm pretty ignorant on state law stuff like SB 53 but I wasn't expecting a new framework.

Framework here (you can't easily download it or copy from it, which is annoying). Anthropic's full Trust Portal here. Anthropic's blogpost below.

On January 1, California's Transparency in Frontier AI Act (SB 53) will go into effect. It establishes the nation’s first frontier AI safety and transparency requirements for catastrophic

... (read 660 more words →)

Zach Stein-Perlman1mo

The move I was gesturing at—which I haven't really seen other people do—is saying

This sequence of reasoning [is/isn't] cruxy for me

as opposed to the usual use of "cruxiness" which is like

I think P and you think ¬P. We agree that Q would imply P and ¬Q would imply ¬P; the crux is Q.

I believe P. This is based on a bunch of stuff but Q is the step/assumption/parameter/whatever that I expect is most interesting to interlocutors or you're most likely to change my mind on or something.

Zach Stein-Perlman1mo

If [your job is automated] . . . the S&P 500 will probably at least double (assuming no AI takeover)

Is this true?

It has been claimed:

Prior discussion: Tail SP 500 Call Options.

I currently have 7% of my portfolio in such calls.

Zach Stein-Perlman1mo

Hmm, yeah, oops. I forgot about "cruxiness."

Concept: epistemic loadbearingness.

I write an explanation of what I believe on a topic. If the explanation is very load-bearing for my belief, that means that if someone convinces me that a parameter is wrong or points out a methodology/math error, I'll change my mind to whatever the corrected result is. In other words, my belief is very sensitive to the reasoning in the explanation. If the explanation is not load-bearing, my belief is really determined by a bunch of other stuff; the explanation might be helpful to people for showing one way I think I think about the question, but quibbling with the explanation wouldn't change my mind.

This is related to Is That Your True Rejection?; I find my version of the concept more helpful for working with collaborators who share almost all background assumptions with me.

Concept: inconvenience and flinching away.

I've been working for 3.5 years. Until two months ago, I did independent-ish research where I thought about stuff and tried to publicly write true things. For the last two months, I've been researching donation opportunities. This is different in several ways. Relevant here: I'm working with a team, and there's a circle of people around me with some beliefs and preferences related to my work.

I have some new concepts related to these changes. (Not claiming novelty.)

First is "flinching away": when I don't think about something because it's awkward/scary/stressful. I haven't noticed my object-level beliefs skewed by flinching away, but I've noticed that certain actions should be priorities... (read more)

You suspect someone in your community is a bad actor. Kinds of reasons not to move against them:

You're uncertain
1. Especially if your uncertainty will likely be largely resolved soon
You lack legible evidence (or other ways of convincing others), and they're not already seen as sketchy
1. Especially if you'll likely get better legible evidence soon
They're doing some good stuff; you need them for some good stuff
They're popular, politically powerful, or have power to hurt you
1. And so you'd fail
  1. And maybe you'd get kicked out or lose power (especially if your move is unpopular or considered inappropriate, or "community" is more like "team" or "circle")
2. And so making them an enemy of [you or your community] is costly
Personal

... (read more)

Maybe the logistic success curve should actually be the cumulative normal success curve.

I think "Overton window" is a pretty load-bearing concept for many LW users and AI people — it's their main model of policy change. Unfortunately there's lots of other models of policy change. I don't think "Overton window" is particularly helpful or likely-to-cause-you-to-notice-relevant-stuff-and-make-accurate-predictions. (And separately people around here sometimes incorrectly use "expand the Overton window" to just mean with "advance AI safety ideas in government.") I don't have time to write this up; maybe someone else should (or maybe there already exists a good intro to the study of why some policies happen and persist while others don't^[1]).

Some terms: policy windows (and "multiple streams"), punctuated equilibrium, policy entrepreneurs, path dependence and feedback (yes this is a real concept in political science, e.g. policies that cause interest groups to depend on them are less likely to be reversed), gradual institutional change, framing/narrative/agenda-setting.

^{^}
I liked the book Policy Paradox in college. (Example claim: perceived policy problems are strategically constructed through political processes; how issues are framed—e.g. individual vs collective responsibility—determines which solutions seem appropriate.) I asked Claude for suggestions on a shorter intro and I didn't find the suggestions helpful.
I guess I think if you work on government stuff and you [don't have poli sci background / aren't familiar with concepts like "multiple streams"] you should read Policy Paradox (although the book isn't about that particular concept).

Recently I've been spending much less than half of my time on projects like AI Lab Watch. Instead I've been thinking about projects in the "strategy/meta" and "politics" domains. I'm not sure what I'll work on in the future but sometimes people incorrectly assume I'm on top of lab-watching stuff; I want people to know I'm not owning the lab-watching ball. I think lab-watching work is better than AI-governance-think-tank work for the right people on current margins and at least one more person should do it full-time; DM me if you're interested.

An AI company's model weight security is at most as good as its compute providers' security. I don't know how good compute providers' security is, but at the least I think model weights and algorithmic secrets aren't robust to insider threat from compute provider staff. I think it would be very hard for compute providers to eliminate insider threat, much less demonstrate that to the AI company.

I think this based on the absence of public information to the contrary, briefly chatting with LLMs, and a little private information.

One consequence is that Anthropic probably isn't complying with its ASL-3 security standard, which is supposed to address risk from "corporate espionage teams." Arguably this refers... (read more)

AI companies' policy advocacy (Sep 2025)

Zach Stein-Perlman

5mo

Strong regulation is not on the table and all US frontier AI companies oppose it to varying degrees. Weak safety-relevant regulation is happening; some companies say they support and some say they oppose. (Some regulation not relevant to AI safety, often confused, is also happening in the states, and I assume companies oppose it but I don't really pay attention to this.) Companies besides Anthropic support federal preemption of state laws, even without an adequate federal framework. Companies advocate for non-regulation-y things like building government capacity and sometimes export controls.

My independent impression is that current regulatory efforts—SB 53 and the RAISE Act—are too weak to move the needle nontrivially. But the experts... (read 724 more words →)

Meta released the weights of a new model and published evals: Code World Model Preparedness Report. It's the best eval report Meta has published to date.

The basic approach is: do evals; find weaker capabilities than other open-weights models; infer that it's safe to release weights.

How good are the evals? Meh. Maybe it's OK if the evals aren't great, since the approach isn't show the model lacks dangerous capabilities but rather show the model is weaker than other models.

One thing that bothered me was this sentence:

Our evaluation approach assumes that a potential malicious user is not an expert in large language model development; therefore, for this assessment we do not include malicious fine-tuning where a malicious

... (read more)

xAI's new safety framework is dreadful

Zach Stein-Perlman

5mo

Two weeks ago, xAI finally published its Risk Management Framework and first model card. Unfortunately, the RMF effects very little risk reduction and suggests that xAI isn't thinking seriously about catastrophic risks. (The model card and strategy for preventing misuse are disappointing but much less important because they're mostly just relevant to a fraction of misuse risks.)

On misalignment, "Our risk acceptance criteria for system deployment is maintaining a dishonesty rate of less than 1 out of 2 on MASK. We plan to add additional thresholds tied to other benchmarks." MASK has almost nothing to do with catastrophic misalignment risk, and upfront benchmarking is not a good approach to misalignment risk. On security, "xAI... (read 888 more words →)

104

AI companies have started saying safeguards are load-bearing

Zach Stein-Perlman

6mo

There are two ways to show that an AI system is safe: show that it doesn't have dangerous capabilities, or show that it's safe even if it has dangerous capabilities. Until three months ago, AI companies said their models didn't have dangerous capabilities. (At the time, I wrote that the companies' eval reports didn't support their claims that their models lacked dangerous bio capabilities.) Now, Anthropic, OpenAI, Google DeepMind, and xAI say their most powerful models might have dangerous biology capabilities and thus could substantially boost extremists—but not states—in creating bioweapons. To prevent such misuse, they must (1) prevent extremists from doing misuse via API and (2) prevent extremists from acquiring the model weights.^[1] For (1),... (read 1377 more words →)

ChatGPT Agent: evals and safeguards

Zach Stein-Perlman

7mo

OpenAI released ChatGPT Agent last week. I read the system card, then added a page on it to my beta website AI Safety Claims Analysis. AI Safety Claims Analysis is mostly a reference work for AI safety professionals; as far as I know, it's the only resource on companies' dangerous capability evals and planned responses to dangerous capabilities. When I make a new page, I'll generally make a blogpost like this. Blogposts should be briefer and more accessible, but they still assume substantial context — if you're not familiar with the idea of dangerous capability evals, maybe see my introduction.^[1] I'm interested in feedback on how the site is helpful or could be more helpful to you.

Summary

ChatGPT... (read 670 more words →)

Epoch: What is Epoch?

Zach Stein-Perlman

8mo

Our director explains Epoch AI’s mission and how we decide our priorities. In short, we work on projects to understand the trajectory of AI, share this knowledge publicly, and inform important decisions about AI.

Since we started Epoch three years ago, we have engaged in hundreds of projects and achieved a wide audience. Yet, one question I often get asked is, ‘What is Epoch?’

In a way, this is an easy question to answer. We are a nonprofit research organization with the mission of improving society’s understanding of the trajectory of AI. Simply put, we are doing what we can so that decisions about AI are informed by the best possible evidence.

To achieve this,... (read 2148 more words →)

AI companies aren't planning to secure critical model weights

Zach Stein-Perlman

8mo

AI companies' security plans, per their published safety policies, involve just SL3-4 security for powerful AI (see Appendix below).^[1] (Moreover, companies are likely to not follow their current policies.)

Source.

Just SL3-4 is very inadequate; it would result in lots of extra x-risk relative to perfect security. If AIs that greatly accelerate AI research^[2] can immediately be stolen, then the developer can't prioritize safety much without getting outraced (and the geopolitical situation is worse than if the US has a solid lead). It's much easier to tell a story where things go well if such model weights don't immediately proliferate.

Strong security isn't yet necessary. But you can't just decide to start operating with SL5 when you... (read more)

AI companies' eval reports mostly don't support their claims

Zach Stein-Perlman

8mo

AI companies claim that their models are safe on the basis of dangerous capability evaluations. OpenAI, Google DeepMind, and Anthropic publish reports intended to show their eval results and explain why those results imply that the models' capabilities aren't too dangerous.^[1] Unfortunately, the reports mostly don't support the companies' claims. Crucially, the companies usually don't explain why they think the results, which often seem strong, actually indicate safety, especially for biothreat and cyber capabilities. (Additionally, the companies are undereliciting and thus underestimating their models' capabilities, and they don't share enough information for people on the outside to tell how bad this is.)

Bad explanation/contextualization

OpenAI biothreat evals: OpenAI says "several of our biology evaluations indicate our models... (read 949 more words →)

207

New website analyzing AI companies' model evals

Zach Stein-Perlman

9mo

I'm making a website on AI companies' model evals for dangerous capabilities: AI Safety Claims Analysis. This is approximately the only analysis of companies' model evals, as far as I know. This site is in beta; I expect to add lots more content and improve the design in June. I'll add content on evals, but I also tentatively plan to expand from evals to evals and safeguards and safety cases (especially now that a company has said its safeguards are load-bearing for safety!).

Some cherry-picked bad stuff I noticed when I read the most recent model card from each company (except Claude 3.7 rather than Claude 4) below, excerpted/adapted from an earlier version of the... (read 981 more words →)

New scorecard evaluating AI companies on safety

Zach Stein-Perlman

9mo

The new scorecard is on my website, AI Lab Watch. This replaces my old scorecard. I redid the content from scratch; it's now up-to-date and higher-quality. I'm also happy with the scorecard's structure: you can click on rows, columns, and cells and zoom in to various things. Check it out! Thanks to Lightcone for designing the site.

While it is a scorecard, I don't feel great about the numbers; I mostly see it as a collection of information.

Claude 4

Zach Stein-Perlman

9mo

Claude Sonnet 4 and Claude Opus 4 are out. Anthropic says they're both state-of-the-art for coding. Blogpost, system card.

Anthropic says Opus 4 may have dangerous bio capabilities, so it's implementing its ASL-3 standard for misuse-prevention and security for that model. (It says it has ruled out dangerous capabilities for Sonnet 4.) Blogpost, safety case report. (RSP.)

Tweets: Anthropic, Sam Bowman, Jan Leike.

Claude 3.7 Sonnet has been retconned to Claude Sonnet 3.7 (and similarly for other models).

LESSWRONG
LW

LESSWRONG
LW

AI companies' eval reports mostly don't support their claims

AI companies have started saying safeguards are load-bearing

Introducing AI Lab Watch

AI companies aren't really using external evaluators

Zach Stein-Perlman

AI companies' policy advocacy (Sep 2025)

xAI's new safety framework is dreadful

AI companies have started saying safeguards are load-bearing

ChatGPT Agent: evals and safeguards

Epoch: What is Epoch?

AI companies aren't planning to secure critical model weights

AI companies' eval reports mostly don't support their claims

Zach Stein-Perlman

AI companies' eval reports mostly don't support their claims

AI companies have started saying safeguards are load-bearing

Introducing AI Lab Watch

AI companies aren't really using external evaluators

Zach Stein-Perlman

AI companies' policy advocacy (Sep 2025)

xAI's new safety framework is dreadful

AI companies have started saying safeguards are load-bearing

ChatGPT Agent: evals and safeguards

Epoch: What is Epoch?

AI companies aren't planning to secure critical model weights

AI companies' eval reports mostly don't support their claims

Summary

Bad explanation/contextualization