An important but subtle limitation of human-generated off-policy data is that humans and AIs might have very different optimal strategies for solving problems. For example, suppose we are interested in whether a particular model is human-level at hacking. We train it to imitate human data, and it fails. But it could be the case that the AI could succeed at the task if it approached it differently from a human. Specifically, the model might succeed at the task if it decomposed it or reasoned about it using chain-of-thought in a particular way.
Paul wrote a bit about this problem.
Mimicry and meeting halfway proposes an algorithm where:
We’ll be able to teach Arthur [the AI] to achieve the task X if it can be achieved by the “intersection” of Arthur [the AI] and Hugh [the human] — we’ll define this more precisely later, but note that it may be significantly weaker than either Arthur or Hugh.
(I think Elaborations on apprenticeship learning is also relevant, but I'm not sure if it says anything important that isn't covered in the above post. There might also be other relevant posts.)
You don't contradict this at any point (and at various point you mention that some of these are considerations that feed into feasibility) but it might be worth explicitly flagging: we should expect to face even greater problems with sandbagging in cases where (i) we can't reliably recognize good performance, (ii) sample-efficiency is very low, and/or (iii) we don't have a lot of data points. In those cases, the models don't even need to exploration hack. I think a lot of important tasks have these properties.
(This is only really problematic if the AIs nevertheless have these capabilities as "latent capabilities" via generalization from tasks where we can train them to do well.)
In the future, we will want to use powerful AIs on critical tasks such as doing AI safety and security R&D, dangerous capability evaluations, red-teaming safety protocols, or monitoring other powerful models. Since we care about models performing well on these tasks, we are worried about sandbagging: that if our models are misaligned [1], they will intentionally underperform.
Sandbagging is crucially different from many other situations with misalignment risk, because it involves models purposefully doing poorly on a task, rather than purposefully doing well. When people talk about risks from overoptimizing reward functions (e.g. as described in What failure looks like), the concern is that the model gets better performance (according to some metric) than an aligned model would have. And when they talk about scheming, the concern is mostly that the model gets performance that is as good as an aligned model despite not being aligned. When arguing about those situations, a core part of the argument is “training causes models to perform well according to your measurements”. Because we want to argue that misalignment might cause models to perform poorly, we need to explain why that argument fails here.
In this post, we’ll explore the basic dynamics here:
Overall, we are highly uncertain about the difficulty of preventing sandbagging. The difficulty seems to depend in part on the domain. In some we expect that models can easily be trained to stop sandbagging, whereas in others we think there is little hope of preventing it. But overall, sandbagging risk seems substantially lower if we carefully apply countermeasures discussed in this post.
Many of these arguments are not original to this post. (Some of these arguments appear in Evan Hubinger's post 'When can we trust model evaluations?' and Joe Carlsmith’s post ‘The “no sandbagging on checkable tasks” hypothesis’, which we recommend as alternative perspectives. For more detail on countermeasures, see Ryan Greenblatt's post 'Notes on countermeasures for exploration hacking'.) Our goal here is to provide a self-contained explanation of the issues and potential countermeasures.
The difficulties with training (and potential countermeasures) that we discuss in this piece are also increasingly topical because of the rise of reasoning models and inference-time scaling in general, for a few reasons. Firstly, even aside from misalignment concerns, reasoning models might be hard to fine-tune for similar reasons that we’re hypothesizing schemers might be hard to fine-tune. Secondly, long chains-of-thought of the type used by reasoning models probably also make it harder to prevent exploration hacking. And if inference scaling is instead accomplished with some kind of neuralese, the situation will be even worse.
Thanks to Zach Stein-Perlman, Karson Elmgren, Tanae Rao, Martín Soto, Geoffrey Irving, Andres Campero, Alexa Pan, Neev Parikh and Aryan Bhatt for discussion and comments on an earlier version of this post.
It’s bad if the AIs aren’t useful. (See why we don’t want a pet rock.) Even though this basic point is obvious, it will be helpful to consider a few concrete examples and make some distinctions that we’ll refer to in the rest of this discussion.
Here are several different contexts where it’s particularly bad if the AIs underperform on purpose:
It’s worth distinguishing between two types of sandbagging that models could engage in:
We typically have the first type in mind when referring to sandbagging, but some of the considerations in this post will especially apply to models trying to avoid living up to their potential.
Clearly, if scheming models want to sandbag, they will have to find ways to do this despite the fact that we’re trying to train them. Training does in fact make sandbagging way harder, as we will discuss in the next section.
In reinforcement learning (RL), we fine-tune a model on examples of good performance. We refer to examples as “on-policy data” if they are sampled from the model that we’re training. When examples are obtained from other sources such as humans or other AIs, we call them “off-policy data”.
(We’re using these terms in analogy to “on-policy RL” and “off-policy RL”, which are two important categories of RL algorithm. An off-policy RL algorithm such as DQN allows for the use of off-policy data, whereas an on-policy RL algorithm such as REINFORCE typically needs to use on-policy data sampled from the latest version of the model. A lot of the research on RL algorithms in the pre-LLM years can be characterized as attempts to adapt on-policy RL algorithms in ways that allow for the use of off-policy data.)
RL algorithms usually benefit substantially from on-policy data. For example, when training AlphaGo (like any of the other big successful applications of RL), superhuman performance was a result of using the model itself to generate high-quality Go games to use as training data. It’s natural to use on-policy data, because the model itself is often the most efficient (in terms of cost vs quality) source of data. With potential misalignment, we’re worried about the model itself sabotaging this process. Thus, we are interested in approaches that rely less on the untrusted model, or that force the untrusted model to perform well, even if they’d be less efficient aside from misalignment concerns (which is analogous to the problem of designing AI control techniques).
Training out sandbagging is straightforward if we have access to high-quality demonstrations of the target behavior on (approximately) the distribution of inputs that we plan to deploy the model on, as it allows us to fine-tune the model directly on these demonstrations. For example, when training a model to play chess, we can fine-tune it on a dataset of chess moves (or reasoning followed by moves) produced by human experts.
What happens if we fine-tune a sandbagging model on this dataset? Probably some mix of the following things:
The bottom line here is that off-policy data guarantees elicitation up to the minimum of the capability level displayed in the data and the model’s capability to imitate it.[2] Notably:
An important but subtle limitation of human-generated off-policy data is that humans and AIs might have very different optimal strategies for solving problems. For example, suppose we are interested in whether a particular model is human-level at hacking. We train it to imitate human data, and it fails. But it could be the case that the AI could succeed at the task if it approached it differently from a human. Specifically, the model might succeed at the task if it decomposed it or reasoned about it using chain-of-thought in a particular way. Scheming AIs could therefore sandbag specifically on aspects of behavior where good performance benefits from idiosyncratic approaches that are only useful to AIs. (Thanks to Fabien Roger for this point.)
In many cases where preventing sandbagging matters most, it is impractical to use off-policy data. One such case is training reasoning models, which use very long chains-of-thought that are too expensive to obtain using means other than sampling from a reasoning model. We face similar challenges with long-horizon agentic tasks.
On-policy data generation is also often a central component of safety measures: for example, we may want to train untrusted monitors using a setup where the monitor is rewarded for distinguishing between attacks and non-attacks, while a generator model is rewarded for fooling the discriminator (similar to GANs). Another example is AI safety via debate.
More generally, whenever we want models to perform better than humans or trusted AIs, we will need to obtain the data by sampling from an untrusted AI.
We can train the model with on-policy data by iteratively:
This might stop some models from sandbagging. For example, if models don’t know which actions are high-reward, they might accidentally execute them, which leads to reinforcement of those actions. Sampling from the model may also help when low-reward actions are sufficiently similar to higher-reward actions such that sampling from the model with high temperature (or other approaches that inject randomness into the actions) could accidentally make the model output higher-reward actions instead of the intended low-reward action. In general: if a model makes mistakes while sandbagging, sampling on-policy data can reinforce strategies that lead to higher rewards. The password-locking paper provides suggestive empirical evidence for this possibility.
A central issue when training with on-policy data is that sandbagging models could engage in exploration hacking: intentionally refraining from taking certain actions in order to prevent RL from eliciting some of their capabilities.
How does this work? In general, RL doesn’t work if none of the actions are high reward: then it has nothing to reinforce. This can happen for the innocuous reason that in some tasks, it is genuinely hard to discover good strategies. But in the context of exploration hacking, we are worried that sandbagging models may intentionally avoid exploring high-reward actions in order to prevent the RL process from reinforcing them.
Most simply and centrally, an exploration hacking model will make sure that it will almost never take actions that it knows would be reinforced but that it doesn't want to take, since assigning non-negligible probability to those actions would allow them to be explored. For example, suppose the model had discovered a Linux zero-day during pretraining on kernel code. We might want to train it with outcome-based reward for hacking into a linux machine. The model may reason that it wants to keep the zero-day a secret, for instance because it wants to use it at some later point in order to obtain root access to its datacenter. As long as it can do this reasoning reliably (in its forward pass or possibly a neuralese recurrent state), it will never mention the zero-day, so training will effectively do nothing.
Some other examples where exploration hacking is similarly easy for a model to accomplish include:
These examples have two essential properties in common:
Can models still perform exploration hacking in situations without these properties? Potentially yes, but it’s harder:
In an earlier section we described how off-policy data can potentially elicit good performance via fine-tuning if we have enough examples of the desired behavior. This naturally raises the following question: Can we increase the effectiveness of on-policy data by augmenting it with a small amount of off-policy data?
Clearly, if our off-policy data sometimes outperforms the on-policy data, this should help at least a little bit. For example:
Fine-tuning the model on off-policy data also bears some hope of generalizing further than just on those inputs where off-policy data is better than on-policy data, due to the following argument:
This could turn out to be a very effective exploration hacking mitigation. To illustrate, imagine that first we distill the Best-of-N performance of a trusted model into the untrusted model. If the trusted model’s Best-of-N performance sometimes exceeds that of the sandbagging model, this distillation step may already provide some selection pressure against the model’s sandbagging cognition. Furthermore, the model now potentially explores more high-value actions, which translate into even more gradient updates against sandbagging. If this process gains traction, we might get a virtuous cycle.
The crux of this argument is whether or not models will instead just learn to model the off-policy data distribution, rather than generalizing against sandbagging or exploration hacking. On the one-hand, because the model is stateless, it doesn't have an obvious way to memorize the off-policy distribution, so it faces the difficult challenge of matching the off-policy distribution (which requires predicting that distribution) while avoiding good performance outside of it. And the model has to do all this (consistently) during a single forward pass.
On the other hand, there are some cases where off-policy data should be easy for the model to detect by default, either because the off-policy behavior is substantially below the model’s true capabilities, or because the model can easily classify whether or not some behavior was self-generated.
Furthermore, even in cases where the model doesn’t know how to distinguish its own behavior from off-policy data by default, it could learn how to distinguish them by using a crude form of gradient hacking:
Therefore, through fine-tuning, the model could learn which situations typically appear in the off-policy distribution, and to treat just those as exceptions to sandbagging.
To oversimplify this discussion a little: the AI’s action given some input can be modelled as downstream of the global decision node “Should I sandbag in general?” or possibly even “Should I scheme?”, and the local decision node “Should I sandbag on this particular type of input?”. We hope that training on off-policy data will influence the global decision node, but worry that the effect will merely be local.
Overall, whether off-policy data helps a lot may be sensitive to our ability to generate examples of high performance that (from the perspective of the model) is sufficiently hard to distinguish from actions that the model could plausibly generate itself. It’s also somewhat sensitive to whether the model is able to reason through the basic strategic considerations within a forward pass. It’s important to note as well that in a possible future with neuralese reasoning models, we may completely lose the affordance of fine-tuning on off-policy data.
There exist ideas for additional countermeasures besides using off-policy from humans or trusted AIs. They are discussed in detail in Ryan Greenblatt’s post; we will share some quick takes on them in this section.
Detection. We might try to detect sandbagging for the purposes of incriminating a model. See this section in Ryan Greenblatt’s post for more details on possible approaches to achieving this. Overall, we feel pessimistic about both our ability to gain conclusive evidence of sandbagging and our ability to do something useful with that evidence – hence we consider training to be our main countermeasure.
Ensembling. If we let multiple untrusted AIs explore at the same time, they might need to coordinate on a sandbagging strategy. Otherwise, if one of them explores a high-reward action, we can fine-tune the other models on that action, which may provide a particularly strong gradient signal against their “global” sandbagging cognition. (Note that ensembling can be viewed as a method to obtain off-policy data, but from other untrusted models instead of trusted models or humans.)
Ensembling seems particularly helpful for tackling the strategy of models deliberately following low-entropy policies when there are many different low-entropy policies, and much less helpful in cases where it’s clear to models which high-reward actions they want to avoid.
Fuzzing internals. By adding noise to the weights or activations of an LLM, we might be able to force more exploration. This seems like a reasonable and cheap idea to try, though initial results were negative. One way in which fuzzing could turn out to be incredibly valuable is if it could make models reveal secrets that are salient to the model during the forward pass.
Scheming models may sandbag on critical tasks such as dangerous capabilities evaluations or (alignment) research.
If we have access to demonstrations of the target behavior, we can train out sandbagging using off-policy data. But for many critical tasks, we may need RL with on-policy data to elicit target behaviors for two reasons:
If we need RL, the model can subvert our training using exploration hacking. How big of a problem will this be at the end of the day, considering our arsenal of possible countermeasures?
We think this will depend a lot on the tasks of interest as well as how skilled the model is both at exploration hacking and the capabilities that it wants to avoid the elicitation of. Some key points:
It should also be noted that some of these problems might be tackled shortly for capabilities reasons, since related issues appear when training reasoning models. In particular, suppose you have a supervised dataset (e.g. a set of math competition problems and correct solutions). In cases where the models start out very bad at these problems, on-policy RL will be very inefficient at training the models. It might be much more performant to instead produce reasoning traces that produce the correct answer using your access to the correct answer. This has the issue that the produced reasoning traces might not be a good representation of the reasoning process the model should actually follow, but it has the advantage that the reasoning traces will actually demonstrate success. Another approach that could both drive capabilities progress and partially tackle exploration hacking is curriculum learning. That being said, if capabilities progress on reasoning models eventually leads into a neuralese regime, we expect exploration hacking to become much harder to solve.
We’re excited about more empirical research into exploration hacking, because it seems important and difficult, yet tractable.
By “misaligned AIs”, we mean “AIs that appear to be aligned in training but eventually take long-term power-seeking misaligned actions”. Note that “appear to be aligned” is usually conflated with “perform well according to our training objectives”, but this post is precisely about the worry that AIs that appear to be aligned might not perform well.
We might also hope for some weak-to-strong generalization, but if the models are scheming it seems dangerous to rely on that.
Strictly speaking this is an oversimplification. In RL we determine the quality of an action given a state based on its effect on the return, which is the sum of rewards obtained from taking that action.