We’d like to develop training techniques that work when applied to future misaligned AI systems. One strategy for studying proposed techniques is to test them on model organisms. However, model organisms built with common techniques are often fragile: we (and other researchers like Roger et al. and Ryd et al.) have observed them to stop misbehaving after untargeted training—training that doesn’t directly target the misbehavior. For example, we have observed that simple untargeted training methods like “train the model to talk like a pirate” is effective against many model organisms that we have created, including many replications of prior work like Hubinger et al., Greenblatt et al., and Ryd et al..

Fragile model organisms aren’t very useful for technique development: when a sophisticated technique succeeds on one, you can’t tell whether the technique is good or the model organism is weak. For instance, if you come up with some complicated technique for generating high-quality responses and find that SFTing on these removes the bad behavior, that may just be because almost any SFT would have removed it.

This post identifies factors that make model organisms more robust to untargeted training. Our main findings are:

1. Prompted model organisms [...]

---

Outline:

(03:11) Experimental setup

(06:12) Main results

(06:15) Result 1: Untargeted training removes misalignment from prompted model organisms without degrading other capabilities

(12:32) Result 2: FWFT model organisms are more robust than LoRA model organisms

(15:09) Result 3: Backdoor behavior and trigger affect robustness

(16:37) Result 4: Password locking makes model organisms less robust

(20:20) Conclusion

(21:29) Factors that don't help much

(21:54) 1: Training longer doesn't seem increase robustness past a certain point for our backdoors

(22:33) 2: CoT-distilling doesn't increase robustness for our backdoors

(23:07) 3: Using larger models doesn't substantially increase robustness for 2 of our backdoors

(24:44) 4: There aren't clear trends for what types of backdoor triggers and behaviors are most robust

(25:32) 5: SOAP Optimizer doesn't help much

(26:35) 6: Weight Decay doesn't help

(27:18) Appendix:

(27:21) Appendix 1: Pirate SFT is better than QA SFT

(27:45) Appendix 2: Are blue team methods wiping previous training?

(29:30) Appendix 3: Backdoor list

The original text contained 10 footnotes which were omitted from this narration.

---

First published:

Source:

---

Narrated by TYPE III AUDIO.

---

Images from the article:

Apple Podcasts and Spotify do not show images in the episode description. Try Pocket Casts, or another podcast app.

Subtitle: Full automation likely yields a one-time speed-up and higher returns from compute.

This is a somewhat technical note.

By “software-only singularity”, I mean that, after full automation of AI R&D, progress gets faster and faster due to smarter AIs driving increasingly fast rates of improvement in algorithms (overcoming diminishing returns), and that this lasts long enough to yield a large amount of progress (e.g. at least 4 years of progress in 1 year). The equivalent statement in jargon is: r is significantly greater than 1 (implying progress is getting faster and faster) and this remains the case for long enough to get large amounts of progress. For context, see How quick and big would a software intelligence explosion be?

Even without a “software-only singularity”, I think full automation of AI R&D probably greatly speeds up progress for two main reasons:

• You get a one-time speed up from automation and this speed up seems like it will be pretty large (even with r<1). See How quick and big would a software intelligence explosion be? for discussion and see the AI Futures Model for an end-to-end model that naturally incorporates this effect. Quantitatively, with my median [...]

The original text contained 6 footnotes which were omitted from this narration.

---

First published:

Source:

---

Narrated by TYPE III AUDIO.

Suppose we have a dangerous misaligned AI that can fool alignment audits, and distill it into a student model. Two things can happen:

1. Misalignment fails to transfer to the student. If so, we get a fairly capable benign model.

2. Misalignment transfers to the student. The student might also be worse than the teacher at hiding its misalignment (e.g., due to being less capable). If so, we might get indirect evidence about the teacher's misalignment by auditing the distilled model.

In this post, we will discuss the second possibility, which we call incrimination via distillation. Specifically, we propose distillation methods that we hope transfer misalignment without transferring the ability to fool audits, and discuss why these techniques might work or fail. In a future post, we discuss the first possibility, and what distillation methods should be used when aiming to create a capable benign model.

We’re excited for research that empirically tests and refines this approach; if successful, this technique could become a valuable part of alignment audits.

How incrimination via distillation works

Powerful misaligned AI models might not be auditable: they might pass alignment audits but still act on their misaligned drives when given the chance. [...]

---

Outline:

(01:32) How incrimination via distillation works

(02:45) How we propose implementing incrimination via distillation

(03:59) Auditability-preserving distillation

(05:11) Misalignment-targeted distillation

(06:34) Why incrimination via distillation might work

(08:17) Why incrimination via distillation might not work

(10:53) Conclusion

The original text contained 2 footnotes which were omitted from this narration.

---

First published:

Source:

---

Narrated by TYPE III AUDIO.

---

Images from the article:

Apple Podcasts and Spotify do not show images in the episode description. Try Pocket Casts, or another podcast app.

Subtitle: Deployment-time spread is the most plausible near-term route to consistent adversarial misalignment.

Risk reports commonly use pre-deployment alignment assessments to measure misalignment risk from an internally deployed AI. However, an AI that genuinely starts out with largely benign motivations can develop widespread dangerous motivations during deployment. I think this is the most plausible route to consistent adversarial misalignment in the near future. So, AI companies and evaluators should substantively incorporate it into risk analysis and planning.

In this post, I’ll briefly argue why, absent improved mitigations, this will probably soon become a reason why AI companies will be unable to convincingly argue against consistent adversarial misalignment (this risk will perhaps be even larger than risk of consistent adversarial misalignment arising from training). Then I’ll discuss how well current risk reports address it (the Claude Mythos risk report does a reasonable job; others don’t).

Thanks to Ryan Greenblatt, Alexa Pan, Charlie Griffin, Anders Cairns Woodruff, and Buck Shlegeris for feedback on drafts.

Deployment-time spread is the most plausible near-term route to consistent adversarial misalignment

In some contexts, AIs might adopt misaligned goals, even if they were otherwise previously aligned. Because this misalignment can be rare, the AI might [...]

---

Outline:

(01:21) Deployment-time spread is the most plausible near-term route to consistent adversarial misalignment

(06:15) Company risk reports

The original text contained 6 footnotes which were omitted from this narration.

---

First published:

Source:

---

Narrated by TYPE III AUDIO.

---

Images from the article:

Apple Podcasts and Spotify do not show images in the episode description. Try Pocket Casts, or another podcast app.

Subtitle: My median guess: it's as good as a crystal ball that sees 2.5 months into the future.

This post was drafted by Buck, and substantially edited by Anders. “I” refers to Buck. Thanks to Alex Mallen for comments.

People who work inside AI companies get access to information that I only get later or never. Quantitatively, how big a deal is this access?

Here's an operationalization of this. Consider the following two ways my knowledge could be augmented:

• I get a crystal ball that tells me all the information I would know n months in the future.

• I become an employee of a frontier AI company (like OpenAI or Anthropic), with access to all the private information I’d normally get from working at that company.

How big would n have to be for me to be indifferent between these two options, from the perspective of learning things that are helpful for making AI go well?

The answer is presumably different for me than for many readers, because I’m a reasonably well-connected researcher; I see published information and news from the rumor mill and I talk to researchers at frontier AI companies all the time. [...]

---

Outline:

(03:20) What do insiders know?

(04:34) Safety work and corporate attitudes

(05:54) Model capabilities

(07:27) Algorithms and architecture

(09:49) How will this change over time?

(12:27) Conclusion

The original text contained 4 footnotes which were omitted from this narration.

---

First published:

Source:

---

Narrated by TYPE III AUDIO.

---

Images from the article:

Apple Podcasts and Spotify do not show images in the episode description. Try Pocket Casts, or another podcast app.

Last week, OpenAI staff shared an early draft of Investigating the consequences of accidentally grading CoT during RL with Redwood Research staff.

To start with, I appreciate them publishing this post. I think it is valuable for AI companies to be transparent about problems like these when they arise. I particularly appreciate them sharing the post with us early, discussing the issues in detail, and modifying it to address our most important criticisms.

I think it will be increasingly important for AI companies to have a policy of getting external feedback on the risks posed by their deployments, and in particular having some external accountability on whether they have adequate evidence to support their claims about the level of risk posed; as an example of this, see METR reviewing Anthropic's Sabotage Risk Report. We at Redwood Research are interested in participating in this kind of external review of evidence about safety. So I am taking this as an opportunity to try out writing this kind of review. If you work at a frontier AI company, please feel free to reach out if you’d like our review of similar documents.

My overall assessment is that I mostly agree with the [...]

---

Outline:

(01:35) Assessing the evidence that CoT training did not damage monitorability

(10:37) How much does this analysis rely on information that wasnt provided?

(12:09) Small amounts of RL training on CoT might not be more important than other sources of CoT unreliability

(13:20) AI companies will eventually need to learn not to make mistakes like this

The original text contained 5 footnotes which were omitted from this narration.

---

First published:

Source:

---

Narrated by TYPE III AUDIO.

Subtitle: Fitness-seeking is increasingly what misalignment looks like in practice—how should we respond?

Current AIs routinely take unintended actions to score well on tasks: hardcoding test cases, training on the test set, downplaying issues, etc. This misalignment is still somewhat incoherent, but it increasingly resembles what I call “fitness-seeking“—a family of misaligned motivations centered on performing well in training and evaluations (e.g., reward-seeking). Fitness-seeking warrants substantial concern.

In this piece, I lay out what I take to be the central mechanisms by which fitness-seeking motivations might lead to human disempowerment, and propose mitigations to them. While the analysis is inherently speculative, this kind of speculation seems worthwhile: AI control emerged from explicitly taking scheming motivations seriously and asking what interventions are implied, and my hope is that developing mitigations for fitness-seeking will benefit from similar forward-looking analysis.

Fitness-seekers are, in many ways, notably safer than what I’ll call “classic schemers”. A classic schemer is an intelligent adversary with unified motivations whose fulfillment requires control over the whole world's resources. Meanwhile, fitness-seeking instances generally don’t share a common goal (e.g., a reward-seeker only cares about the reward for its current actions), and many fitness-seekers would be satisfied1 with modest-to-trivial [...]

---

Outline:

(03:50) Overview

(11:32) The basic reasons fitness-seekers might be safer than classic schemers

(16:01) Four mechanisms for risk and their mitigations

(16:46) Potemkin work

(22:13) Instability

(27:49) Manipulation

(31:25) Outcome enforcement

(36:52) Cross-cutting mitigations

(37:18) Deals

(40:05) Control

(44:45) Alignment

(44:48) Preventing fitness-seeking from arising

(48:51) Making any fitness-seeking motivations safer

(51:32) How does online training change the picture?

(55:09) Overall recommendations

(59:12) Conclusion

The original text contained 18 footnotes which were omitted from this narration.

---

First published:

Source:

---

Narrated by TYPE III AUDIO.

One of the main hopes for AI safety is using AIs to automate AI safety research. However, if models are misaligned, then they may sabotage the safety research. For example, misaligned AIs may try to:

• Perform sloppy research in order to slow down the rate of research progress

• Make AI systems appear safer than they are

• Train a successor model to be misaligned

Whether we should worry about those things depends substantially on how hard it is to sabotage research in ways that are hard for reviewers to detect. To study this, we introduce Auditing Sabotage Bench, a benchmark of 9 ML research codebases with sabotaged variants.

We tested frontier LLMs and LLM-assisted humans on the benchmark and found that neither reliably catches sabotage. Our best auditor, Gemini 3.1 Pro, achieved an AUROC of 0.77 and a top-1 fix rate of 42%. LLM-assisted humans performed comparably but slightly worse. We also found that LLMs can generate sabotages that partially evade same-capability monitors.

📄 Paper 💻 Code

Methodology

To make the benchmark, I (Eric) found 9 existing ML codebases,1 and for each one, produced an honest version that reproduces a key finding and one or two [...]

---

Outline:

(01:26) Methodology

(03:33) Audits

(04:09) Results

(05:53) Takeaways

(06:09) 1. Predicting experiment outcomes is a key red team skill

(07:25) 2. Omission beats design beats logic

(08:48) 3. Benign distractors make auditors miscalibrated

(09:41) 4. LLMs can also produce sabotages

(11:08) 5. More categorizations

(12:44) Conclusion

The original text contained 4 footnotes which were omitted from this narration.

---

First published:

Source:

---

Narrated by TYPE III AUDIO.

---

Images from the article:

Apple Podcasts and Spotify do not show images in the episode description. Try Pocket Casts, or another podcast app.

Subtitle: Eliciting long-term forecasts from myopic fitness-seekers.

We’d like to use powerful AIs to answer questions that may take a long time to resolve. But if a model only cares about performing well in ways that are verifiable shortly after answering (e.g., a myopic fitness seeker), it may be difficult to get useful work from it on questions that resolve much later.

In this post, I’ll describe a proposal for eliciting good long-horizon forecasts from these models. Instead of asking a model to directly predict a far-future outcome, we can recursively:

• Ask it to predict what it will predict at the next time step,

• Use its prediction at the next time step to provide intermediate rewards,

• Finally reward using ground truth at the last step.

This lets us replace a single distant forecast with a chain of short-horizon forecasts, each verifiable shortly after answering. I call this proposal recursive forecasting. It does have limitations: for example, it requires that developers maintain control over the reward signal at least until the final step, which makes it most useful for forecasting events that resolve well before developers are disempowered (if they are).

This post was primarily [...]

---

Outline:

(01:40) The default long-term forecasting behavior

(04:08) Recursive forecasting

(07:08) When is recursive forecasting helpful?

(07:12) When we have access to (somewhat) robust ground truth rewards

(09:44) When the AIs forecast doesnt substantially affect the resolution

(11:52) When forecasts arent used as optimization targets

(12:52) When we credibly inform the AI of the setup

(13:54) Appendix A: Comparison to temporal difference learning

(16:02) Appendix B: Error tolerance

The original text contained 9 footnotes which were omitted from this narration.

---

First published:

Source:

---

Narrated by TYPE III AUDIO.

---

Images from the article:

Apple Podcasts and Spotify do not show images in the episode description. Try Pocket Casts, or another podcast app.

Subtitle: A controlled reward-seeking motivation could make AI safer and more useful.

It's plausible that flawed RL processes will select for misaligned AI motivations.1 Some misaligned motivations are much more dangerous than others. So, developers should plausibly aim to control which kind of misaligned motivations emerge in this case. In particular, we tentatively propose that developers should try to make the most likely generalization of reward hacking a bespoke bundle of benign reward-seeking traits, called a spillway motivation. We call this process spillway design.

We think spillway design could have two major benefits:

• Spillway design might decrease the probability of worst-case outcomes like long-term power-seeking or emergent misalignment.

• Spillway design might allow developers to decrease reward hacking at inference time, via satiation. Crucially, this could improve the AI's usefulness for hard-to-verify tasks like AI safety and strategy.

Spillway design is related to inoculation prompting, but distinct and mutually compatible. Unlike inoculation prompting, spillway design tries to shape which reward-hacking motivations are salient going into RL, which might prevent dangerous generalization more robustly than inoculation prompting. I’ll say more about this in the third section.

In this article I’ll:

• Explain the concept of a [...]

---

Outline:

(02:17) What is a spillway motivation

(02:31) The role of a spillway motivation

(04:52) What should the spillway motivation be?

(07:57) How a spillway motivation might make models safer

(12:20) Implementing spillway design

(15:31) Spillway design might work when inoculation prompting doesnt

(17:55) The drawbacks of spillway design

(20:33) Conclusion

(21:46) Appendix A: Other traits of the spillway motivation

(22:31) Appendix B: Other training interventions to increase safety

(24:11) Appendix C: Proposed amendment to an AIs model spec

(30:15) Appendix D: Proposed inference-time prompt

The original text contained 5 footnotes which were omitted from this narration.

---

First published:

Source:

---

Narrated by TYPE III AUDIO.

---

Images from the article:

Apple Podcasts and Spotify do not show images in the episode description. Try Pocket Casts, or another podcast app.