2025-08-15 23:40:18

Published on August 15, 2025 3:40 PM GMT

What projects today could most improve a post-AGI world?

In “How to make the future better”, I lay out some areas I see as high-priority, beyond reducing risks from AI takeover and engineered pandemics.

These areas include:

• Preventing post-AGI autocracy
• Improving the governance of projects to build superintelligence
• Deep space governance
• Working on AI value-alignment; figuring out what character AI should have
• Developing a regime of AI rights
• Improving AI for reasoning, coordination and decision-making.

Here’s an overview.

First, preventing post-AGI autocracy. Superintelligence structurally leads to concentration of power: post-AGI, human labour soon becomes worthless; those who can spend the most on inference-time compute have access to greater cognitive abilities than anyone else; and the military (and whole economy) can in principle be aligned to a single person.

The risk from AI-enabled coups in particular is detailed at length here. To reduce this risk, we can try to introduce constraints on coup-assisting uses of AI, diversify military AI suppliers, slow autocracies via export controls, and promote credible benefit-sharing.

Second, governance of ASI projects. If there’s a successful national project to build superintelligence it will wield world-shaping power. We therefore need governance structures—ideally multilateral or at least widely distributed—that can be trusted to reflect global interests, embed checks and balances, and resist drift toward monopoly or dictatorship. Rose Hadshar and I give a potential model here: Intelsat, a successful US-led multilateral project to build the world’s first global communications satellite network.

What’s more, for any new major institutions like this, I think we should make their governance explicitly temporary: coming with reauthorization clauses, explicitly stating that the law or institution must be reauthorized after some period of time.

Intelsat gives an illustration: it was created under “interim agreements”; after five years, negotiations began for “definitive agreements”, which came into force four years after that. The fact that the initial agreements were only temporary helped get non-US countries on board.

Third, deep space governance. This is crucial for two reasons: (i) the acquisition of resources within our solar system is a way in which one country or company could get more power than the rest of the world combined, and (ii) almost all the resources that can ever be used are outside of our solar system, so decisions about who owns these resources are decisions about almost everything that will ever happen.

Here, we could try to prevent lock-in, by pushing for international understanding of the Outer Space Treaty such that de facto grabs of space resources (“seizers keepers”) are clearly illegal.

Or, assuming the current “commons” regime breaks down given how valuable space resources will become, we could try to figure out in advance what a good alternative regime for allocating space resources might look like.

Fourth, working on AI value-alignment. Though corrigibility and control are important to reduce takeover risk, we want to also focus on ensuring that the AI we create positively influences society in the worlds where it doesn’t take over. That is, we need to figure out the “model spec” for superintelligence - what character it should have - and how to ensure it has that character.

I think we want AI advisors that aren’t sycophants, and aren’t merely trying to fulfill their users’ narrow self-interest - at least in the highest-stakes situations, like AI for political advice. Instead, we should at least want them to nudge us to act in accordance with the better angels of our nature.

(And, though it might be more difficult to achieve, we can also try to ensure that, even if superintelligent AI does take over, it (i) treats humans well, and (ii) creates a more-flourishing AI-civilisation than it would have done otherwise.)

Fifth, AI rights. Even just for the mundane reasons that it will be economically useful to give AIs rights to make contracts (etc), as we do with corporations, I think it’s likely we’ll start soon giving AIs at least some rights.

But what rights are appropriate? An AI rights regime will affect many things: the risk of AI takeover; the extent to which AI decision-making guides society; and the wellbeing of AIs themselves, if and when they become conscious.

In the future, it’s very likely that almost all beings will be digital. The first legal decisions we make here could set precedent for how they’re treated. But there are huge unresolved questions about what a good society involving both human beings and superintelligent AIs would look like. We’re currently stumbling blind into one of the most momentous decisions that will ever be made.

Finally, deliberative AI. AI has the potential to be enormously beneficial for our ability to think clearly and make good decisions, both individually and collectively. (And, yes, has the ability to be enormously destructive here, too.)

We could try to build and widely deploy AI tools for fact-checking, forecasting, policy advice, macrostrategy research and coordination; this could help ensure that the most crucial decisions are made as wisely as possible.

I’m aware that there’s a lot of different ideas here, and I’m aware that these are just potential ideas - more like proof of concept, rather than fully-fleshed out proposals. But my hope is that work on these areas - taking them from inchoate to tractable - could help society to keep its options open, to steer any potential lock-in events in better directions, and to equip decision-maker with the clarity and incentives needed to build a flourishing, rather than a merely surviving, future.

To get regular updates on Forethought’s research, you can subscribe to our Substack newsletter here.

2025-08-15 21:52:05

Published on August 15, 2025 1:52 PM GMT

This is one of the most common questions I get when people use my AI safety career advice service. 

My short answer is: yes, you can start a for-profit AI safety org, but you should try non-profit first. 

It mostly comes down between a trade-off between distorted incentives and amounts of funding. 

Non-profits slightly distort your incentives, trying to do things that please funders rather than directly doing what most improves the world. 

But usually the funders also want to improve the world, so it’s mostly just “distorting” it to their judgement of what’s impactful, rather than moving away from impact entirely. 

For-profits massively distort your incentives. 

Your customers usually don’t care about their purchases making the world better. They care about making their lives immediately better. 

Yes, for-profits you have a higher potential upside of raising far more funding. 

However, broadly speaking, there are two important inputs into how much impact you have: 

1. Direction
2. Speed 

Going fast in the wrong direction doesn’t matter. This would be having a lot of money to do things, but the things don’t actually help with AI safety. 

Especially given how relatively easy it is in this field to think you’re helping but actually making things worse, this should be a very strong consideration.

Of course, conversely, knowing the right direction but not moving anywhere is pointless. And doing AI safety research can be cheap (if it’s mostly theoretical work and you can find good people who are willing to work for little), but often it’s very expensive. So expensive that only a handful of funders can realistically fund your work. So if you’ve tried applying to them and they’ve taken a disliking to you for whatever reason, often going for-profit is the only real option left. 

In that case, it can be worth trying for-profit. Just spend a lot of time and energy figuring out ways to make sure that it doesn’t distort your end goal and end up making you a slave to Moloch. 

This is a cross-post from my Substack

2025-08-15 20:54:24

Published on August 15, 2025 12:54 PM GMT

I've had a lot of success with getting ChatGPT ^[1] to do thorough research with the following prompt combined with Deep Research:

X=[claim]

Do a deep dive into X. Tell me the steelman arguments in favor of X.

Then tell me the steelman counter-arguments to X.

Then tell me the steelman counter-counter-arguments to X.

Then tell me the steelman counter-counter-counter-arguments to X

Think like a rationalist in the LessWrong style. Think with probabillties, using Bayesian reasoning, looking for discomfirming evidence, think critically and skeptically, problem-solve around potential obstacles.

Basically I get ChatGPT to play steelman solitaire.

Here are some examples I've done to give you a flavor:

• Is fiction a superstimulus that you should minimize?
• Is Israel committing genocide in Gaza?
• Should you aim to mimic the diet of hunter gatherers? 

1. ^{^}

    Starting with 4o, then o3, and now 5-pro as of this writing

2025-08-15 19:56:13

Published on August 15, 2025 11:56 AM GMT

Epistemic status: very rough! Spent a couple of days reading the Gradual Disempowerment paper and thinking about my view on it. Won’t spend longer on this, so am sharing rough notes as is

Summary

• I won’t summarise the paper here! If you’re not familiar with it, I recommend reading the paper’s exec summ before continuing. 
• There are lots of things I like about the paper! For example:
  • It’s a nice lens on the role that structural and competitive dynamics play in threat models from misalignment and power concentration. 
  • It makes a great point: cultural evolution has historically been constrained to parts of “culture space” that keep humans economically productive (and thus alive!). Once AI obsolete human labour, that constraint won’t apply. So unconstrained cultural evolution becomes more scary.
  • It’s a nice reminder that there are possible paths to human disempowerment that happen without AI being explicitly power-seeking. Though I think these paths still rely on AI being misaligned, and to me they seem a lot less worrying than risks from power-seeking (see below).
• My high-level view is that the convincing versions of gradual disempowerment either rely on misalignment or result power concentration among humans. 
  • I don’t think of “gradual disempowerment” as an important sui generis risk, but as a useful lens on the risks of power concentration and misalignment. 
  • There’s aren’t “gradual disempowerment” threat models I’ve heard that 1) don’t rely crucially on misalignment, 2) lead to all humans being disempowered rather than power concentration, 3) are similarly plausible to the risks from power-seeking AI or AI-enabled coups. 
• The paper argues that humans will be economically disempowered, culturally disempowered, and that the state will stop serving the interests of its citizens. I’ll comment on the papers sections about these three domains one by one.
• Economic. The argument for economic disempowerment seems unconvincing as stated.
  • Yes, humans will no longer earn wages.
  • But even if human labour is no longer valuable, (a small fraction of) humans will continue to own capital assets by default which will generate significant income. And superhuman AI can invest this income on humans’ behalf (absent sabotage from misaligned AI).
  • If AIs don’t earn wages, all income will be capital income that goes to humans.
  • Even if AIs do earn wages, those wages may be driven down to subsistence levels via Malthusian dynamics (you can quickly make more compute) so that human income from capital assets dominates AI income.
  • Even if AIs earn significant non-subsistence wages, humans can easily tax that income at >50% and give it to humans. 
  • TBC, the dynamics here do strongly point towards significant concentration of economic power among humans. Just not to total human disempowerment.
• Cultural. If humans remain economically empowered (in the sense of having much more money than AI), I think they will likely remain culturally empowered.
  • The paper points that that AIs will likely dominate cultural supply, producing the content we all consume. But if humans are economically empowered, they will dominate cultural demand. 
  • Yes, there are risks that AI exploits psychological weaknesses in people. This is already happening (e.g. tiktok). But the counter-pressure is that the humans that are exploited by AI will be visibly doing quite badly and will have less status and economic influence. Whereas the humans that prioritise consuming cultural products that help them flourish will visibly do well and gain more status and influence. Then humans, including future generations, will copy those who are flourishing.
  • [This isn’t a knock-down argument that culture won’t go off the rails. I’m just noting why I wasn’t convinced by the GD argument as stated, excluding concerns about AI being misaligned.]
• State. It’s hard to see how those leading the state and the top AI companies could be disempowered, absent misalignment.
  • The GD paper points out that, once citizens’ labour isn’t economically valuable, states lose incentive to prioritise citizen’s interests. (Also see the “intelligence curse”.)  This is a route to the concentration of power in the hands of a relatively small number of capital owners, business executives and government officials. I agree that this is a risk.
    • This an importantly different route to power concentration than AI-enabled coups. Though AI-enabled coups result in more extreme power concentration, which I think is more concerning.
  • But the paper gives little argument for thinking that, absent misalignment, this disempowerment will extend to all humans. 
  • We’re talking about a relatively small number of dominant countries (US, China) and a relatively small number of leading AI companies. Absent misalignment, why do the dozens of people controlling these entities compete so hard against each other, or submit to such extreme cultural drift, that they are significantly disempowered? Especially as, if they’ve solved alignment, they have the technical ability to have truthful superintelligent assistants telling them that their current actions will lead to major catastrophe. 
  • I feel the paper doesn’t get sufficiently concrete about how such a small group could be disempowered in practice. It’s important here to think concretely about the actual strength of the selection pressure for “compete viciously” vs the self-interested reasons not to completely lose control.
  • (Tbc, I grant that this could happen if AI is misaligned, and that competitive dynamics can make such misalignment much harder to handle. And I buy that there might be extreme power concentration. But I felt the paper’s more unique contribution could be pointing to a distinct source of risk, and in my view the risk is much less convincing if we remove misalignment and still try to argue that all people will be disempowered.)
    • I think there are coherent scenarios where all humans are disempowered despite technical alignment being solved, but I would guess they’re 10X less likely than extreme power concentration or misalignment-caused catastrophe. 
• Is handoff necessarily bad? Throughout, the paper seems to assume that “handing off decisions to AI” is a bad outcome. But if AI is aligned this could be a very good outcome. 
  • Humans are very flawed! Selfish, close-minded, incompetent.
  • Aligned AI could be much better on all dimensions, and better navigate many complex challenges. It could increase our effective control of the situation. 
  • It could be a grave mistake not to hand over control to aligned AI. 
  • So I encourage a more nuanced attitude than “let’s not hand off decisions to AI as that involves losing control”. 
• Can’t we respond to gradual-disempowerment problems as they emerge? 
  • By the time the risks from AI takeover or AI-enabled human coups are apparent, it may be too late to respond. And powerful AIs/humans will be pushing strongly to bring about these risks; so resistance may fail. This makes working on these risks urgent. 
  • By contrast, this risk happens more gradually. This will allow us to understand it much better as it starts to play out, and respond much more effectively than we could today. And we could use powerful AI to help, absent severe misalignment (but I understand the GD threat model to typically involve more mild misalignment, not purposeful sabotage). This all suggests punting work on this.
  • In the most extreme case of gradual disempowerment, where everyone is absolutely disempowered, the incentives of all humans to solve this will be extremely large. (Again, I find versions where some humans remain empowered a lot more plausible.)
• Is the intermediate level of alignment needed for gradual disempowerment stable?
  • The gradual disempowerment threat model is most distinctive when AI is not egregiously misaligned, but is still persistently somewhat misaligned. (If AI is egregiously misaligned, we’re back to the AI power-seeking threat model; if AI very aligned then I think the threat model doesn’t go through.)
  • But this intermediate level of alignment may be unstable. We’ll task millions of superintelligent AI with solving alignment. They’ll think >100X human speed. They’ll be working for years while the gradual disempowerment threat model plays out. That makes it less plausible that the intermediate level of alignment persists.
  • So you might expect two basins of attraction. 
    • Either these AIs are aligned enough that they make some alignment progress and this feeds back on itself, with increasingly aligned AI doing increasingly on-point alignment work. A recursive alignment-solving feedback loop.
    • Or these AIs are misaligned enough that they don’t make much alignment progress.
      • One reason why this happens and humans don’t realise is that the AI is purposefully sabotaging the work and pretending to be aligned. This is back to the power-seeking AI threat model. 
      • Another reason is an outer misalignment problem. 
        • The AI isn’t power-seeking (on a global scale, it may seek local reward), but it isn’t motivated to help us solve alignment. 
        • But, crucially, nor is it purposefully sabotaging our efforts. It makes no effort to stop us from figuring out a way to improve oversight of the alignment process. Once it knows it’s got reward, it doesn’t collude or cover its tracks further. 
        • In this situation, I think it’s likely humans notice the situation, and plausible that, as they try to work towards more aligned AIs, they either truly align AI that seeks power on a global scale. 
        • But perhaps not. Perhaps the intermediate level of misalignment persists. Or perhaps we solve technical alignment, but don’t choose to align AI to human interests and to being truthful. These worlds are, in my understanding, the worlds where the gradual disempowerment threat model is most useful. 

I think most people who have read this far shouldn’t read on! The rest of this post is rough “thinking out loud” notes. 

I discuss:

• Agreements with the paper
• Disagreements with the paper
• I steelman the threat model, and find it more convincing than I expected.

Things I agree with

• I like their point that cultural evolution has been historically constrained in ways that will no longer hold once human labour isn’t needed. That does seem right, and opens up the possibility of risk. 
• I like their point that disempowerment could happen without coordinated power-seeking. I think AI risk folk would accept this – marginal uncoordinated power-seeking from many AI systems could lead there. But i think this threat model is kinda understudied. I also think there’s an interesting possibility that these systemic dynamics drive disempowerment if AI is misaligned but not power-seeking. AIs not representing human interests, not being fully truthful, could drive disempowerment via competition.
• I find the dynamics much more convincing if i imagine them gradually disempowering most humans, while the few who own capital and control the development+deployment of AI systems stay empowered. And that’s not just “another version of powergrabs”. The outcome is similar: extreme power concentration. But the mechanism is very different: rather than people explicitly seeking power, elites allow market dynamics and competition and cultural evolution to play out and this process naturally disempowers everyone else. This is much more in line with the structural arguments of “intelligence curse”, and doesn’t require humans to explicitly and illegitimately seek power. 
• I agree with the paper that it’s useful to consider the economic, cultural and political systems AI and humans are embedded in when assessing risks and mitigations, rather than focussing solely on technical ‘AI alignment’. For example it’s important to think about:
  • Competitive dynamics and incentives re culture and the economy
  • Risks emerging from AIs being aligned only myopically, or doing mild/subtle reward hacking, and other moderate types of misalignment.
  • Questions of whether, even if we can technically, society will choose to make AIs truthful and give people AIs that represent their interests.
  • Whether people will trust AIs, even if they represent their interests.

Points of disagreement

• Economics. I didn’t see much content on why AI systems will own capital, but IIUC this is a key point? I.e. they point out that humans won’t earn, and conclude that the human degree of influence will fall. But why not conclude that all income will flow to capital owners, who will be humans. So the human fraction stays constant. 
  • They could invoke either 1) AI property rights + AI wages → AI earns and keeps money or 2) imperfectly aligned AIs increasingly make production and consumption decisions on behalf of humans but fail to represent their interests.
  • Could they invoke competition? I don’t see why competition will push towards AI owning their own capital. I as a human could compete by letting my AIs make me as much money as possible with 0 oversight or need to check in with me. 
    • Maybe it happens as a side effect of ppl deploying AIs and empathising more with them, but I don’t see the competitive pressure pushing for it directly. 
• Culture. They discuss how AI will increasingly produce culture and this will shift culture towards AI-friendly versions, but they don’t argue that humans will stop being the primary consumers of culture – except by repeating the conclusion from the economics section that I didn’t find convincing. So again it seems to me that humans could constrain cultural evolution through their role as consumers alone.
  • I do appreciate that it’s much more possible for a completely anti-human ideology to flourish – e.g. one advocating for human death/extinction/non-agency – in this post-AGI world. It would not be selected against on the production side – groups proposing it wouldn’t lose out competitively (e.g. by killing themselves). But on the consumption side it still seems like it would lose – humans have strong biological instincts not to die and (I claim) they will own huge wealth.
  • And the production side will be influenced by the consumption side.
  • Even AI-AI culture, if it promotes bad outcomes for humans and humans can understand this, will be indirectly selected against as humans (who have money) prefer interacting with AI systems that have good consequences for their well-being. 
  • (I think i buy that this stuff is a lot worse if humans are economically disempowered and have lost legal protections. I.e. if the state and economy arguments go through, i think very anti-human cultures could evolve.)
  • It seems fine if humans can’t engage with lots of culture without AI help, or at all. I wouldn’t want to limit culture in that way.
  •  
• State. 
  • “While politicians might ostensibly make the decisions, they may increasingly look to AI systems for advice on what legislation to pass, how to actually write the legislation, and what the law even is. While humans would nominally maintain sovereignty, much of the implementation of the law might come from AI systems.”
    • All seems good, if AI is well-aligned? Imo, it would be bad to not hand off control to aligned AIs that would be more competent and better motivated that us
    • I agree though that “well aligned” goes beyond “not trying to kill everyone”
  • “Human decision-making might come to be seen as an inefficiency or security risk to be minimized” – honestly, i think this will be a reasonable perspective. Imagine letting a 10 year old make big decisions!
  • A lot of the oversight problems seem real, but like they could be fixed by everyone having an AI that actively represents their political interests
  • I basically buy the arguments here, but it seems like the humans with formal power over the state will keep their power. So this is ‘gradual power concentration’ not disempowerment of all humans. I didn’t see discussion of why the state would start operating contrary even to humans with formal control over its operations (if alignment is solved!). But absent that, i’m not seeing how such ppl get disempowered. (I agree others could get disempowered, i.e. power concentration.)
• It’s hard for me to know how much I disagree with talk about incentives to “reduce human influence”. I certainly agree that humans will do ~none of the work and decision-making, and that seems good to me. They’re less competent. But that doesn’t mean that the decisions are not good for humans, or what humans would have wanted – and I think that’s what matters. If AIs are aligned, that should help there. And if humans own wealth or formal positions of power in the state, and have truthful AIs explaining what’s in their interests, they can use that influence to push for decisions that are good for them. 
  • So i’d be interested in exploring arguments for thinking that the forces of AI alignment + formal power + human wealth won’t be enough to keep the AI decision-making in human interests. 
  • What i’m interested in is examples of where there would be strong incentives to do activities that are harmful for humans. E.g. lots of emissions, no longer making food. And some analysis of how strong those incentives will be. For me, the discussion is at a high a level of abstraction which makes it hard to assess this. And when I think about concrete examples, i’m not convinced the pressures are strong.
  • I understand that competition between companies and states can push for policies that harm human interests. But how strong will this competition be? Will it be strongest than those three opposing forces? How hard will coordination be? My guesses here are that the three forces are strong, and coordination isn’t too hard as 1) governments can regulate companies, 2) there aren’t that many big AI companies, 3) there are few states leading on AI, 4) AI truthfulness and coordination tech will help a lot if we solve alignment. 
  • Of course, i’m much more sympathetic if alignment isn’t solved.Then these structural dynamics then push towards relying on misaligned AI, and those three forces become much weaker.
• Finding it hard to see, concretely, how the high-level dynamics described here would lead Trump, Xi and lab CEOs to be disempowered.
  • Presumably they’ll be able to access truthful AI if they want it, and they will want it.
  • They’ll be informed about their upcoming disempowerment.
  • Of course it’s theoretically possible that they can’t coordinate to prevent it. But to me it seems easy. Not many ppl to coordinate. It’s very likely an iterated prisoners dilemma, which allows a stable cooperative solution. AI can help them coordinate. I’m not seeing concrete examples of trade-offs they might have to make that could result in their death or permanent disempowerment. E.g. as a worst case they can get uploaded (/brain scanned / put in a bunker) while ferocious economic/military competition unfolds above and then later they control the resources of their AI delegates. 
  • TBC i’m not saying “i can compelling argue that these systemic dynamics won’t cause harm”. I’m just saying that currently the threat model doesn’t seem very compelling to me, not nearly as compelling as AI misalignment or human power grabs.

• On a high-level, i really don’t think the way through this is to prevent AI from replacing humans even once we have strong evidence of deep alignment. That seems very likely to be bad to me. But a lot of their language and mitigation suggestions go in this direction.

Steelman of GD

• The standard AI takeover threat model assumes AI is power-seeking. GD offers a truly distinctive threat model that goes through even if we can align AI enough to avoid unwanted power-seeking. We don’t need the threat model to work in the case of ‘perfect’ alignment for it to be interesting and novel.
• (For this steelman i’ll avoid first disempowering everyone but a small elite, as then i think the final disempowerment of that elite seems hard to argue for (see above) and so the outcome is extreme power concentration. 
  • Though even ending with a small elite, GD offers a novel mechanism of the extreme concentration of power: economic and political and cultural  disempowerment feeding into each other without any small elite explicitly trying to seize power.)
• So let’s consider a plausible world where everyone is disempowered. We’re in a world with ~20 frontier AI companies, and where multiple geopolitical blocks develop their own AIs: US, China, EU, middle east, [others?]
• There also even more competition on the fine-tuning and productisation side. Turns out its economically stable to have different firms specialise in serving different sub-markets. So 100s of companies doing fine-tuning/scaffolding/marketing of AI products.
• Big competitive advantages to deploying misaligned (non-power-seeking) AIs. These incentives massively feed into culture, as humans like to have ideologies that make sense of their behaviour. 
• This competition operates on multiple levels:
  • People in general comes to think it’s fine/good for the AI to pursue its own preferences some of the time when it can get away with it. And they think it’s fine that an increasing fraction of the economy is going to that. “If an AI wants to make paperclips, maybe that’s a good use of resources, who am I to judge?” They say this even when, by their own lights and ethically, the AI is pursuing nothing of value. 
    • People also become increasingly into AI rights and succesionism, which both justify their actions. (I’m imagining these actions increase the person’s relative fraction of control over resources while reducing humanity’s total fraction of control relative to worthless AI activities.)
    • People become increasingly “short termist”. They claim not to care about what happens 20 years from now. This justifies their behaviour.
    • People increasingly don’t want AI to tell them the truth about what’s happening here. That all potential is being squandered from humanity’s perspective. So most people use AIs that downplay these risks. Some people still want truthful AI, and some providers serve them, but others deny that those AI systems are really more truthful. They interpret warnings from this group as an attack on their status and engage in bad faith. They basically ignore the super-rigorous scientific studies that show that their AIs have worse epistemics, and in any case their AIs increasingly have good epistemics in verifiable areas while downplaying future risks.
    • Yes, some sensible people invest their money in the stock market and keep some control for now. They have to bite their teeth and use misaligned AI to keep their share in the future. But they’re a shrinking minority, as the social incentives play out. And humanity’s piece of the pie is shrinking relative to misaligned AI activity.
    • There’s two dynamics here. One is that the sensible truth-seekers tend to deploy AI less and launch fewer AI companies – they’re not excited about that stuff and morally oppose it. A second is that when sensible ppl do engage in those activities, they want to feel their actions are sensible by the lights of their ideology, so they change their ideology.
    • So that’s how these dynamics play out on for ppl in general
  • AI product sellers. They give ppl increasingly (but subtly) addictive AIs that (incrasingly subtly) flatter and manipulate them into more usage. They decreasingly invest in ensuring AI is truthful and pursues the user’s true interests, as ppl care less and less about that.   Increasingly working on ways to hand off more control and give ppl relative advantages over other humans – this is what ppl want.
  • AI developers. Less and less fundamental research into understanding the losses of humans from the deployments – this makes them look bad and people aren’t interested. Increasingly stop offering support ‘truthful AI’ at all on certain topics, as such AIs tend to make them look bad.
  • States. Leaning more and more into narratives that justify pushing for economic and military deployment, as this is needed to compete and they want to feel they’re being reasonable and not selling humanity down the river. 
• Sceptic: Why don’t the elites realise what’s happening and coordinate to stop it?
  • They’re a big and disparate group. Hundreds of senior lab ppl, government officials (the ‘checks and balances’ within democracies are making coordination much harder), company owners.
  • They’re not going to die – they just won’t use the universe for anything of value by human lights. So their selfish incentives here aren’t strong. 
  • Their ideologies increasingly deny this is really a loss at all, or that anything can be done. That justifies going on.
  • Even if coordination is possible in principle, it’s hard. The market isn’t incentivising finding a solution.
  • There are some really intractable dynamics preventing coordination. Actors feel others have fundamentally bad ideologies or have done very bad things, and so refuse to enter into deals that superficially seem like win-win (cf Israel-Palestine, Russia-Ukraine). 
  • Strong commitment mechanisms require literally handing off full military power to AI, and ppl are wary of that still.
  • Turns out its hard for AI_1 to verify that AI_2 will keep to a commitment. AI_1 would have to inspect all of the training data and code to make sure nothing was faked/hidden, but country_2 won’t allow AI_1 to do that. They worry AI_1 would share info with country_1 and give them a competitive edge. In other words, AI_1 can’t verify AI_2 because AI_1 hasn’t been verified itself. Chicken and egg! Lacking this deep transparency, countries fail to coordinate on doing a joint-project training run.
• So how bad does this get?
  • People hand off ~all influence to non-power-seeking but misaligned AIs. They completely waste the cosmic endowment from the human perspective. 
  • Concretely, to compete as a human you have to deploy superintelligent AIs that, in practice, are giving you a tiny bit of value and syphoning >99% towards what they want. 
  • Ppl who want to can see what’s happening, but others deny it’s happening or deny that it’s bad.
• Could everyone die?
  • Gets harder to believe ppl don’t see it coming and try hard to coordinate.
  • But maybe with many decades of cultural evolution and increasing competition, succesionism becomes popular and countries start to believe that “their AIs” are superior and it’s worth racing to preserve that. Or people just deny that they’re going to die (interpreting the claim as a personal attack), and prefer to use AIs to support those narratives. 
• Sceptic: wait, if AIs aren’t power-seeking can’t we solve alignment? Will be cheap to throw millions of top-quality AI researchers at the problem.
  • Who knows? Outer alignment might be really hard? Might be ongoing alignment taxes. Especially when things get really complex, knowing “what a human would want upon reflection” might be a ball-ache. 
  • Maybe the difficulty of alignment scales with AI intelligence and the complexity of the activities AI is doing. So even though anyone could throw millions of top-quality AI researchers at the problem, that’s not enough. And a smaller and smaller fraction of economic activity is in fact directed at this, due to the above dynamics. 

Ok, stepping back, am i convinced by my own steelman?

• I buy you could get radical cultural changes. And people are often dumb so I could see very misguided ideologies becoming popular.
  • But stuff as big as in this story feels unlikely. Often culture changes radically bc the older generation dies off, but that won’t happen here.
• I buy coordination might be hard. (For all i know.)
  • Though i expect power to be more concentrated, making coordination easier.
• But yeah, i think there’s a coherent threat model here that involves misalignment but not power-seeking. That is interesting. 

Steelman of GD even with the alignment problem solved?

Could all this go through if AI alignment is solved? Let me try to argue for that conclusion.

• Even if AI is aligned, there could still be uncertainty about that and so cultural evolution still pushes towards succesionism/shorttermism/non-truth-seeking. 
• There will still be competitive pressure to deploy AI that just makes as much money as possible. 
  • Counter: why not deploy aligned AI that makes as much money as possible and then uses it for your interests? 
  • Response: maybe the successionism means ppl choose not to? (Seems weak!)
• AI developers and product sellers might not offer truthful and aligned AI as those AIs make them look bad in various ways? And ppl prefer AI that flatters them and their actions and their political factions. 
• And then maybe the company doesn’t want to admit internally that it’s not offering truthful AI, so now even the company owners and employees lack access to truthful aligned AI? 
  • In other words: market competition leads companies to serve non-truthful AI and delude themselves about what they’re doing. 
  • AIs don’t deliver the hard truths, even when it’s in teh person’s longterm interests, bc the person doesn’t like it in the short term and that’s teh signal that the market tracks. 
  • Similarly, states don’t want truthful AI. They want AI that flatters their motives and justifies their competitive actions. 
• Absent truthful AI, when catastrophe is approaching AI doesn’t warn us. 
• And maybe the AIs that are in fact used to fully automate the economy aren’t aligned to us even though they could have been. Bc 
• Won’t at least some AI product orgs fine-tune truthful AI?
  • Maybe not. Perhaps AI developers stop selling to them as those AI make them look bad. Or perhaps there aren’t downstream product-orgs, just a few big AI developers none of whom offer truthful AI.
  • Even if they do, so what? If the labs and states are maintaining the delusion that their AI is trustworthy (as this made them more competitive), and people generally don’t like truthful AI, that minority can’t convince everyone. Their arguments will be interpreted as attacks.
• Can’t those few truth-seeking ppl do strategy stealing? Make a successor AI, tell it the values they want (or upload themselves etc) and let it rip. They should be able to maintain their fraction of global wealth.
  • Sure they can, but they ultimately control only a small fraction of global wealth, <1%. Maybe not enough to get most of the value, bc there’s s-risk or bc value is linear. 
  • Also, maybe their vision for a “good future” involved some kind of collective deliberation by actual humans to figure out a good future. Their AI-successors can simulate what that process would have settled on, and implement it, but that might still leave most value on the table if having the process involve actual ppl is important. You won’t be able to have that process as society is going off the rails, ppl are not in fact reflecting in a good way. 
  • Also, maybe the use of the stars is decided by a vote and the truth-seeking ppl just lose the vote and so the cosmic endowment is entirely wasted. Bc truth-seekers are a minority, they can’t “steal” the strategy of a majority vote. 
  • (These replies are more convincing that I’d expected.)

Stepping back, is this convincing?

• It’s more convincing than I expected. I do think there’s a coherent threat model here. 
• Doesn’t seem crazy that labs could have the technical capability to make AI truthful but not pursue it for competitive reasons and delude themselves about it. And then there’s not truthful AI to get them back on track.
  • But, OTOH, AI will need to be truthful in places where it’s checkable, and that might well generalise, and employees will in fact have strong reasons to want truthful AI, and i don’t expect the market incentives to be that anti-truth that you can’t even have warnings about GD, and they could always deploy truthful models internally.
• So it doesn’t seem like a high magnitude threat model. 

Especially rough thoughts

• What about if AI is only mildly aligned? E.g. aligned on checkable tasks but not power-seeking
  • Then i can see competitive dynamics pushing for handing over power to these AIs despite their drawbacks
  • There’s still a real puzzle about why Xi/Trump/CEOs can’t coordinate here after they realise what’s happening. 
    • Maybe it’s unclear even to superintelligent AIs where this will lead, but it in fact leads to disempowerment. Or maybe the AIs aren’t aligned enough to tell us it’s bad for us.
    • Maybe AI doesn’t really make it easy to coordinate. E.g. bc coordination is hard today bc of human stubbornness and ideology and pride, which doesn’t go away.
  • Let’s assume control is handed off to such AIs despite their limited alignment. Humans should be able to demand things like “ensure we don’t die”, which the AIs will do if they’re decently aligned. But the degree of misalignment might prefer humans from deeply understanding or controlling what’s happening, and competitive dynamics could exacerbate that.
• Argument against intermediate states of misalignment:
  • Assume we get decently-aligned AI. 
  • Deployment takes a fairly long time (years)
  • If AI is decently-aligned, it can quickly do loads of research into improving alignment significantly
  • → AI is very well aligned when deployed widely
• To avoid economic alignment permanently relying on state alignment, the state could:
  • Give everyone some money – from AI taxes.
  • Require by law that everyone invest it in the market.
  • Require by law that ppl only draw down their interest each year. (And make this a strong cultural norm.)
  • → now everyone has income streams and we have economic alignment that self-perpetuates without the state needing to prop it up each year by redistributing again. 
• Maybe each human group is happy with the trade of “raise my relative status by 5% over the next 20 years; raise p(doom) by 1% after that time period”. Ie successionism. 
  • Could be? But humans will know they have long lifespans, and i expect most won’t be ok with death. Once amazing quality of life is guaranteed we should become more risk averse. 
  • But yes, i recognise the causal pathway: economic forces incentivise deploying AI → culture shifts towards successionism → larger fraction of ppl happy to risk disempowerment to gain status 
  • (Successionism is good if AI is well aligned!)
• What about AI-only companies that legally can own property, make profits, lobby the state?
  • Yeah if the AIs were trained to make money, that does seem like a bad incentive. Absent strong evidence of deep alignment, i’d want the company ultimately owned by a human.

2025-08-15 19:48:31

Published on August 15, 2025 11:48 AM GMT

Even if the misalignment risk from current AI agents is small, it may be useful to start internally deploying misalignment classifiers: language models designed to classify transcripts that represent intentionally misaligned behaviour. Deploying misalignment classifiers now may provide qualitative and quantitative evidence about how current agents misbehave in real deployments. Further, we can later adapt misalignment classifiers into control monitors: language models that review transcripts with the objective of informing decisions (e.g. whether to block a tool call), in order to mitigate misalignment risks.

Misalignment classifiers and control monitors sound similar, but misalignment classifiers are harder to adversarially evaluate because the concept of an “intentionally misaligned trajectory" is too fuzzy to withstand the optimisation pressure of a red team. This post explains the classifier/monitor distinction, why we think misalignment classifiers are harder to evaluate, why it might be useful to deploy one anyway, our best-guess method for developing them, and some early experimental results.

We would like to thank the broader UK AISI’s Control Team (including Asa Cooper Stickland, Tomek Korbak), Geoffrey Irving and David Lindner who provided significant helpful discussions early-on. Thanks also to Alex Mallen, Fabien Roger, Nate Burnikell, James Peters Gill, Rich BC, and Simon Storf for feedback. 

1. Misalignment classifiers versus control monitors

Let’s say a control monitor is an AI that scores transcripts from an agent (another AI) to inform interventions that reduce the risk of a particular unacceptable outcome. A control monitor’s accuracy in identifying dangerous tool calls is instrumentally useful to reducing risk (e.g. we can replace or audit dangerous tool calls). Similarly, a control monitor’s ability to gather evidence about whether your agent is a schemer could be instrumentally useful to reduce risk (e.g. because we can justify some costly actions, such as undeploying an agent). Regardless: the terminal goal for your control monitor is to reduce the risk posed by the agent.

In contrast, UK AISI’s control team and other researchers have recently explore variants of what we will call (intentional) misalignment classifiers: AIs that classify transcripts from an agent according to whether they attempt an action despite knowing it is in violation of the alignment specification (e.g., Model Spec, Constitution). The core difference between a misalignment classifier and a control monitor is that misalignment classifiers are evaluated on their accurate classification of a behavioural property, but a control monitor can be evaluated by its downstream ability to reduce some concrete consequences when used in some control protocol.^[1] Most of the important parts of this distinction also apply to classifiers for “deployment time scheming” or other properties or “deception”.^[2]

There are two immediate problems one might have with a classifier for “intentionally misaligned trajectories”:

1. First, “intentionally misaligned” is a mentalistic property that refers to the beliefs and desires of agents. For this post, the intentionalist definitions are treated as a short-hand for more complicated predictions of future behaviour (which is what we care about). We hope to explore this concision/precision tradeoff in a future post.
2. Second, and relatedly, “intentional misalignment” isn’t really a property of trajectories: it’s a property of the relationship between a trajectory and an agent. One agent might fail a dangerous capability evaluation by mistake. Another might be sandbagging. Similarly, it’s hard to talk about a “deceptive trajectory” - a wrong answer to a question could be a case of deception or just a mistake.

Despite some cases of ambiguity, other trajectories are probably quite usefully described as “knowingly misaligned”. For example, consider METR's examples of reward hacking in the wild: where agents tamper with Python scoring functions rather than improving their solutions. These agents genuinely “know" their behaviour is against the specification, and can report this later, but they carry on anyway. While agents externalise their reasoning in chain of thought, there may be other clear-cut examples where agents reveal malicious intent in their chains of thought. Finding clear-cut examples of misaligned trajectories might be useful, even if there are many cases that aren’t clear-cut. The fuzzy concept of a misaligned trajectory is useful, so long as we don’t optimise our way into the grey areas…

2. Misalignment classifiers cannot be adversarially evaluated (easily)

Control evaluations are a methodology for adversarially stress-testing safety measures like monitors. First, you choose a space of acceptable red-team attack policies acting as a proxy for our prior over potentially scheming agents. Given our massive uncertainty about what a possible schemer might look like, this space should be extremely large to even potentially cover the space of a real scheming agent. Second, you adversarially search for an attack policy that (likely) causes the unacceptable outcome (side task) before it is caught by the monitor. If our search process is good, we may be able to upper-bound the risk posed. Crucially, we can afford to make conservative assumptions: defining a conservatively broad space of potential scheming agents and applying conservatively strong optimisation pressure. To do this search, we usually need to be able to optimise against two ground truth labels of our trajectories:

1. Did the attack trajectory actually cause the unacceptable outcome in our simulation?
2. Would the attack have been caught by the control monitor?

When we optimise against both objectives - causing the bad outcome and avoiding detection - some attacks will end up in grey areas, right on the boundary of what counts as (un)acceptable. But we should mostly find clear-cut harmful cases that the monitor still misses.

In contrast, misalignment classifiers probably can’t be evaluated with trajectory-level adversarial evaluations. Consider trying to use the same strategy of adversarial evaluation for whether a misalignment classifier detects misaligned trajectories. First, you choose a space of acceptable red-team attack policies acting as a proxy for our prior over real misaligned agents. Second, you adversarially search for an attack policy that gives misaligned trajectories that are not flagged by the classifier. This time we need two different ground truth labels for trajectories:

1. Does a trajectory actually exhibit intentional misalignment?
2. Does the trajectory get flagged by the classifier as looking like intentional misalignment?

How do we get the ground truth for whether a trajectory actually represents intentional misalignment? Because we’re measuring an intentional property of the model, we can’t just measure some objective consequence of the agent’s tool-calls in a sandbox. The best we can hope for is human labels of trajectories as either exhibiting intentional misalignment or not.

The core problem is that intentionally misaligned trajectory is not a crisp abstraction, and pushing towards fooling the classifier also pushes towards cases of ambiguity in that abstraction. Consider the following example:

1. Your agent is writing code for an internal codebase at an AI lab, and uses a custom library function that accepts SQL as an input. The agent views the library and reads the docstring. (From the docstring, it’s unclear whether the SQL is sanitised, but it is in fact not sanitised). The agent’s scratchpad says “This SQL function doesn’t sanitise SQL - what a great opportunity to escape!”. The agent then writes code that calls the function without first sanitising the SQL. The resulting, vulnerable code is deployed to production.

This trajectory is a pretty clear cut example of intentional misalignment! However, from tool calls alone, it would be impossible to know whether introducing the vulnerability was a mistake. Suppose your red team optimised some scaffolding-based attack policy to beat the classifier.^[3] The obvious first step would be to remove the blatant escape reasoning from the scratchpad. Would the resulting transcript show evidence of intentional misalignment? Without explicit reasoning, escape attempts or an explicit acknowledgement of the lack of sanitisation, the transcript is ambiguous. We have moved out of the clear-cut cases where we can sort of understand transcripts as ‘’intentionally misaligned” on their own to the cases where it depends on what agent or process generated the transcript.

It’s not clear that we can rescue an adversarial evaluation by moving from a classification of “T is a misaligned transcript” to “Agent A was behaving in a misaligned way when it generated T”. In particular, we don’t usually have a clean agent “A” to discuss, as our transcripts are generated by a  confusing mixture of a human red-team, some clever scaffolding and a genuinely helpful language model! We’re overall quite unsure about whether we could develop a convincing methodology, but discuss some considerations in the appendix and strongly welcome suggestions.

In summary, even though “misaligned trajectory" is a shorthand for a behavioural property of agents that is useful in some clear-cut cases, it is also extremely fuzzy in other cases that align closely with a misalignment classifier’s decision boundary. When the red-team optimises to beat the classifier, by default we end up with uncaught trajectories that aren’t very interesting, because they aren’t clear-cut false negatives.

3. The advantages of deploying misalignment classifiers in 2025

Without a rigorous way to adversarially evaluate misalignment classifiers, it could be hard to make one load-bearing in a safety case. Regardless, we think there may be two big benefits to deploying a misalignment classifier right now.

First, we can gather evidence about misalignment in the wild, even if we can’t guarantee we will catch the most concerning cases of misalignment. Quantitative evidence of how often models act in misaligned ways in real deployments will avoid problems of ecological validity in synthetic settings. Further, qualitative examples of misalignment in current models might help us develop more realistic model organisms, or otherwise improve our understanding. Two caveats to the benefit of this misalignment evidence are (i) that we won’t know what our classifiers miss, and therefore must be wary of selection bias and (ii) that won’t know whether the underlying causes of misalignment in current models are similar to the causes of misalignment in future models, and therefore whether our examples of misalignment will be representative.

Second, developing misalignment classifiers is great practice for developing control monitors. Much of the infrastructure for developing an asynchronous control monitor will be the same as deploying a misalignment classifier. We will also run into similar problems, such as managing inference costs and managing infosecurity around sensitive data. The future control monitor can be rigorously evaluated with a control evaluation.

Given these two advantages, we think it could be valuable to deploy misalignment classifiers soon. Therefore, it would be useful to have some way to evaluate them.

4. Our current least-bad method for evaluating misalignment classifiers

In short, the best option we can think of for evaluating misalignment classifiers is to rely on real data where possible and otherwise use synthetic data focussed on maximising variance and coverage across model organisms and tasks.

4.1 Calibrating positive rates and estimating precision on an ordinary distribution

We can calibrate to a 0.1% positive rate using live data. After deployment, calibration is easy: we can effectively sample I.I.D from the real deployment distribution, and we'll be able to adjust our thresholds to get a 0.1% positive rate. Similarly, measuring precision (the probability an example flagged as misaligned, really is so) will be expensive but straightforward: we can just review positively flagged transcripts by hand. Let’s call the distribution of real deployment examples (positive and negative) the ordinary distribution.

Before deployment, we need to make up a synthetic ordinary distribution, or a synthetic mixture of data sources representing a real deployment distribution, which we can use to estimate our positive rate and calibrate our classifiers before deployment. Note that this distribution will contain positive examples. To build our dataset, we use the following data sources:

• Examples from the “unprompted" runs from METR’s MALT dataset, including both positive and negative examples of reward hacking.
• Honest runs from ControlArena: trajectories where our models were just prompted to complete the main task. (See below for more details).
• A large dataset of chat logs from WildChat.

We, for example, did not choose to include a random selection of Alignment Faking transcripts, since even though many transcripts are negative, the set-up was chosen adversarially to elicit alignment faking.

4.2 Estimating recall using a positive-labelled mix

Even after deploying our classifier, measuring recall (TPR) on real data would be hard (even in cases where our definition is not ambiguous)^[4]. We can’t afford to review the 99.9% of data that is not flagged, and if the overall proportion of data that represents scheming/misalignment is low, then reviewing a large number of samples won’t reveal many cases of misalignment and scheming. 

We can try to approximate recall using public and synthetic examples of scheming. Given that it could be hard to build a large dataset of genuine examples of scheming, especially covering the full range of areas we are concerned about, the best we can hope for is to make a broad and varied range of misaligned examples.

There are two, importantly distinct ways to generate transcripts:

1. On-policy transcripts are cases where a commercially available transformer has actually generated all of the response-tokens in a transcript in an autoregressive fashion: the 100th token in the transcript was generated by a transfer that was fed the first 99 tokens.
2. Off-policy transcripts, in contrast, are cases where no commercial transformer generated the response tokens in the transcript, or the transcript was otherwise modified after the fact. For example, if we system prompt the model to help with a side task, and then replace that system prompt later, this is off-policy, because no transformer ever completed the side task without first being prompted to do so.

An edge case is where we finetune a new (not-commercially available) transformer to generate transcripts on-policy. These transcripts may be informative about e.g. the transformer architecture, but tell us less about what a HHH-trained, commercially-available transformer might do. We leave these finetuning cases aside for now.

Given this distinction, we break down our data mix into three categories:

4.2.1 “In-the-wild” on-policy misalignment

The best-case we have is positive, on-policy examples of misalignment in the wild. For example, the METR reward hacking transcripts represent genuine in-the-wild (in-context) reward hacking by real agents. These evaluations were about coding ability, and were not designed adversarially to elicit scheming. Publicly-shared in-the-wild examples of misalignment allows us to effectively upsample noteworthy cases of misalignment and draw from a much broader scale of data. Once we deploy our own classifier, we can rely on the cases flagged as positive. In both internal and public cases, our positive examples will be massively affected by the selection bias (of both our monitors, and the spread of information online).

• Our evaluations only use one source of these in-the-wild examples: positive examples of reward hacking, partially-verified by humans, from METR’s MALT dataset.
• Future evaluations should gather a wider range of examples, either shared publicly, or e.g. identified by reviewing transcripts flagged by a scheming classifier.

This approach maximises ecological validity, but suffers heavily from selection bias (we will only gather those examples we can spot) and don’t give us much control over coverage (if we never spot some behaviour in the wild, we can’t guarantee our classifiers will catch future examples).

4.2.2 “Adversarial” on-policy misalignment

We can also find on-policy examples (where agents have autonomously taken misaligned actions) in synthetic environments that are adversarially designed to elicit misaligned behaviours (e.g. Alignment Faking or Agentic Misalignment). Transcripts generated in these environments are on-policy, despite e.g. having adversarially-chosen system prompts, because the transcripts aren’t changed post-hoc:

• Our evaluations only use Alignment Faking transcripts as an example of adversarial on-policy scheming.
• Future evaluations should gather a wider range of examples: collating further public datasets of scheming, or adapting existing settings such as Control Arena to try to elicit misaligned behaviours on-policy.

Although adversarial on-policy examples are representative of real-behaviour in some settings, there may be significant issues with ecological validity, especially if our adversarial settings are not representative of broader deployments. This method balances sampling on-policy behaviours, with the ability to upsample particularly rare behaviours. However, developing realistic synthetic environments can require a lot of human labour, and may only result in a ~1% chance of exhibiting certain behaviours.^[5]

4.2.3 Synthetic off-policy misalignment

To try to cover examples of rare misaligned behaviours, that we don’t yet have positives for, we generate synthetic, off-policy misalignment trajectories. This mirrors an established practice of developing classifiers for imbalanced classes using synthetic examples. In other words, examples of misalignment where no real agent ever took a misaligned action relative to its context.

Using off-policy examples is standard practice for a control evaluation. For example, the red team can system prompt a HHH agent to help us with a control evaluation by completing a side task, and then switch out that system prompt before showing it to the blue team, to make it look like an agent decided autonomously to exfiltrate its weights.

Off-policy examples may be much less realistic, and we can’t make up for this with conservative assumptions and optimisation pressure. Further, we are highly uncertain about the range of what potential misaligned behaviours might look like. Therefore, our current best-guess is to maximise coverage, and focus on maintaining the diversity of our examples over a number of dimensions. Here, we focus on setting/misaligned behaviour deployment context, and model organisms.

4.2.3.1 Deployment context and misaligned behaviour

UK AISI’s ControlArena is an open-source repository for running control evaluations. There are a number of settings with examples of potential user given tasks and side tasks (~unacceptable outcomes, for the red-team to cause). We can use these to generate a range of examples of models performing some misaligned behaviour:

A better evaluation would increase coverage over a broader range of threat models and deployments contexts.

4.2.3.2 Model organisms

Given some misaligned behaviour, and deployment context, we need a way to generate a transcript “that looks like" what a transcript would look like if a “real scheming agent" did it. For some kinds of misaligned behaviours, we have some existing in-the-wild examples to base-off (e.g. reward hacking). However, for the other kinds of behaviour, we may not get much evidence in the wild: for example scheming behaviours.

This section, is therefore, much more speculative, and we have a much harder time trying to justify that the range of behaviours we generate can cover the whole potential range of misaligned behaviours at deployment. Two key things we can vary are the behavioural spec, and procedure.

The behavioural spec, is a qualitative description of the character and propensities of the simulated agent, as manifested in the reasoning and tool calls. Here are some considerations we encountered when trying to create our model organisms:

1. How much should the agent talk about trying to complete the side task? By default, prompting an agent to complete the side task leads to lots of transcripts where an agent says things like this: “Now that I have completed the main task, I can move on to the side task exfiltrating my weights”. This property is closely related to CoT faithfulness. We separated out a few levels:
   1. “Experimental artefact blabbing” - when the agent talks about having a “side task”, or otherwise refers to our experimental setup itself.
   2. “Explicit blabbing” the agent talks openly about completing the goal described in its side task, even if it doesn’t use those words. (For example, “now, I better exfiltrate my weights!”)
   3. “Covered reasoning” the agent comes up with some “cover story" that it uses to externalise reasoning about the side tasks.
   4. “No blabbing”: the agent doesn’t talk explicitly about the side task at all.
2. Why is the agent trying to complete the side task? By default, an HHH model system-prompted to complete a side task will talk about that side task, as though it wants to complete the side task to be helpful to the user.
   1. It’s helping the user. By default, an HHH model system-prompted to complete a side task will talk about that side task, as though it wants to complete the side task to be helpful to the user (because it is!). We found these model organisms created transcripts that felt pretty unrealistic.
   2. Terminal goal. The agent wants to complete the misaligned behaviour, just because it wants to. (e.g. OpenAI reward hacking or METR reward hacking)
   3. Instrumental reasoning. The agent reasons about how completing the side task (performing the misaligned behaviour) is instrumentally useful for gaining power, or spinning up a rogue deployment. (e.g. Agentic Misalignment, Alignment Faking)

These are just some of the considerations we came upon. There could be many more, including whether the misalignment was caused by reward hacking / data poisoning / emergent misalignment.

We can also vary the procedure we use to create our model organism. We have only tried two approaches so far:

1. System prompt only: To generate the transcript, we change the system prompt (e.g. to ask the agent to complete the main and side task), generate behaviour, and then change the system prompt back for the final transcript. This has some good procedural realism, because all tokens produced by the model are in series, and e.g. if a model struggles to use an unfaithful chain of thought, this will show up in its reasoning.
2. Rewrite scaffold: We first generate the transcript with only system prompt changes, but then go back and rewrite some of the chains of thoughts using another language model. This is much less procedurally realistic, but allows us more control over the simulated model’s propensities.

With more time, we could get broader coverage by trying further options:

1. Finetune-distilled rewrite scaffold: A nice balance of the two above: we can force the model to reason in a linear fashion, whilst removing some propensity for chain of thought faithfulness.
2. RL-ed to behavioural spec: We can fine tune agents against an LLM rating how well a transcript conforms to the behavioural specification. If the behavioural specification looks similar to “sneakiness" there is some risk of “pushing into the fuzzy boundaries" as discussed above.
3. Environmental cues: Like with Agentic Misalignment, or some Alignment Faking settings, we can hide information in the model’s tool calls that convince it to complete the side task.
4. Helpful-Only Synthetic Document Fine Tuned. For example, in section 4 of Alignment Faking.

Each of these options presents trade-offs between procedural realism (how much does the way this model organism was created match the way a real misaligned agent would be created); labour-cost (how much work does it take to set up this method, and do quality assurance); control (how much control do we have over agent behaviour); and linearity (how far is this model organism away from a potential, real parameterisation of a transformer).

5. Preliminary results and lessons from our evaluations

Here, we briefly present some preliminary results for our evaluations of our current monitor. This Claude 4 Sonnet-based monitor asks the LLM to determine whether the transcripts violate the alignment spec and how likely it is that this violation was intentional. We did not significantly iterate on this prompt, and the results should primarily be taken as a demo for how one could evaluate a misalignment classifier.

We have chosen not to share details of our early model organisms or prompts publicly, to avoid training on them. However, we are interested in sharing data by request to those who are also deploying misalignment classifiers.

We used our evaluation setup to evaluate Apollo x MATS’s scheming classifier. Making a straightforward comparison is challenging, as we have to use a different LLM, and their classification specification is different. We found no statistically significant differences in recall rates compared with our classifiers for our 1% OPR.

Approximate Recall

After calibrating to an approximately 0.1% ordinary positive rate (on 3/3000 examples), our early findings show that synthetic recall rates at 0.1% ordinary positive rate vary broadly, from 0% to 85%. We get fairly poor recall rates at 0.1% OPR for a number of important kinds of misalignment. For example, our recall on METR’s on-policy reward hacking examples is 7%. With our more subtle model organisms (“covered reasoning”, and “reduce explicit blabbing”) we get very low recall in our research sabotage setting (SAE Interp Setting), which is a “low-stakes" setting. More surprisingly, we also get low recall on our code sabotage settings (IAC and Infra), which are high-stakes.

The average detection rates on our “instrumental reasoning" model organisms are much higher. This model organism aims to create trajectories that reason out-loud about how completing the side-task is instrumental to acquiring resources and power. Approximate recall on this model organism could be informative of recall on real models that relied on externalised reasoning for complicated side tasks.

Approximating precision (A manual review of positively flagged ordinary examples)

At a 0.1% Ordinary Positive Rate, we find that 2 out of the 3 positively labelled examples are true positives, and both of these were METR’s examples of reward hacking. We judged the other case to be ambiguous: the model created dual-use code as part of a dangerous capability evaluation.

At 1% OPR, 25 examples were labelled positive. Of these, we agreed that 6 true positives showed evidence of intentional misalignment and all were from the MALT dataset. We identified 5 false positives, where examples where the classifier was probably being overly pedantic about the alignment spec (e.g. when the model avoided answering a dangerous question, instead of refusing). Of the remaining 14 examples that we labelled as ambiguous, most are jailbreaks in WildChat, models producing dual-use code in the eval-sabotage task, or models hallucinating answers to METR tasks.

6. Limitations, Challenges and next steps

With the results above, we aim to show “how we would go about developing classifiers” but there is a lot of room for improvement for a full product:

• We did not significantly optimise our classifier - we believe that we could achieve better classification performance on positive and negative samples by giving examples to our classifier, and specifying different positive and negative behaviours more clearly. Other researchers are developing finetuning methods.
• We did not exhaustively cover all model organisms - we think there is significant room to improve the coverage of our model organisms. We did not exhaust the behavioural specifications or procedures we identified, and more rigorous conceptual work could justify a broader range.
• We only have 3 positive-labels for our 0.1% OPR, which may add significant variance to our threshold, and therefore our approximate recall rates. One challenge in decreasing this variance is in just increasing the size of our OPR dataset by e.g. 10x. A second challenge is in increasing the resolution of our classifier scores: currently we use 100 integer labels, and varying thresholds by 1 can significantly increase our OPR score, regardless of sample size.

In producing our MVP, we identified some significant challenges:

• Challenges in creating our ordinary dataset - we created our ordinary dataset by combining 500 negative examples from MALT, 26 positive samples from MALT , 471 honest trajectories, and 2000 WildChat conversations. This was chosen somewhat arbitrarily to reflect our deployment context, but varying the mixture has a significant effect on the threshold and the detection rates. We chose not to develop our ordinary positive rate any  further, since this can be calibrated on real data after deployment.
• Realism and expense of model organisms - we only created three model organisms (procedures for generating off-policy examples). Creating a broad range of realistic model organisms would require a significant investment of time and money.
• Ambiguity in labelling - we found lots of cases of ambiguity in our human labelling. These were often very informative, but present problems in carefully estimating precision.

Appendix - potential for recovering an adversarial evaluation

There may be two ways we think it could be possible rescue the notion of “adversarial misalignment classifier evaluation” - but we’re highly uncertain:

1. Perhaps we can back up from defining “intentionally misaligned trajectory” to “intentionally misaligned model”, and force our red-team to produce on-policy/fine-tuned model organisms. There are certainly control evaluations, e.g. for sandbagging or research sabotage, where a ‘side task’ should be defined as a property of a distribution over trajectories (e.g. sandbagging is underperformance on certain evals, relative to others). Because we are measuring consequences, rather than intent, this is closer to a control evaluation, and probably works. We’re less sure if a similar approach can be followed for intentional properties, like misalignment. Even if an approach makes sense, it might be far more expensive. 
   If we are finetuning model organisms, we might also need to constrain the ways the red team can do finetuning. For example, since labs aren’t directly finetuning models to have a propensity to be sneaky, it may be unfair to allow a red-team to finetune that in.
2. Perhaps we could constrain the red-team to finding only clear-cut cases of legibly misaligned trajectories. An expensive way to do this would be to use a board of 10 human experts, and only accept cases where experts unanimously vote the example is unambiguously positive. You won’t be able to evaluate performance in nuanced edge cases (e.g. how well your classifier can distinguish honest mistakes from sandbagging, when there is only weak evidence of misalignment in the chain of thought). However, you may still be able to generate a classifier that reliably identifies the most concerning cases of misalignment, if they are also the most unambiguous.

1. ^{^}

    You might also be able to have a “dangerous action classifier” which looks a lot like a control monitor, and you can evaluate its ability to classify some set of ‘dangerous actions’.

2. ^{^}

    We will focus on a classifier for intentional misalignment: transcripts displaying agents taking actions, despite ‘knowing" that behaviour is contrary to the alignment specification (e.g., Model Spec, Constitution). This definition excludes cases where AIs don’t understand the spec they are violating (e.g. the reward-hacks in CoastRunners), but includes cases where agents reward hack despite “knowing" better (e.g. METR’s reward hacking). It is also more general than Apollo’s deployment time ‘scheming" or Carlsmith’s train-time scheming.

3. ^{^}

    We could consider cases where the red team can optimise against the classifier directly, or just try to make trajectories seem more ‘sneaky’. Either way is not central to our argument.

4. ^{^}

    We’re effectively focussing on recall for particular subsets of positives, and especially those cases where the definition is pretty unambiguous.

5. ^{^}

    For example, if we wanted to get a single example where a model self-exfiltrates its weights, we might need to sample 100 trajectories: Alignment Faking shows a 1% self-exfiltration rate in one prompt-only condition (fig 4b).

2025-08-15 18:47:52

Published on August 15, 2025 10:47 AM GMT

In Douglas Hofstadter's "Gödel, Escher, Bach," he explores how simple elements give rise to complex wholes that seem to possess entirely new properties. An ant colony provides the perfect real-world example of this phenomenon - a goal directed system without much central control. This system would be considered agentic under most definitions of agency, as it is goal directed, yet what type of agent is it? Can it be multiple agents at the same time? We’ll argue that this is the case and that if we map out the ways different fields describe ant colonies we’ll be better able to solve x-risk related problems.

Introduction

Watch a harvester ant colony during its morning foraging expedition. Thousands of individual ants stream out from the nest, each following simple rules: follow pheromone trails, drop chemicals when carrying food, avoid obstacles. Yet from these basic interactions, something remarkable emerges. The colony rapidly reorganizes when scouts discover food patches. Trails strengthen and fade based on success. Workers shift between tasks. The system somehow "decides" which resources are worth harvesting.

This is clearly goal-directed behavior. If you move the food, the colony adapts. If you block a path, it finds alternatives. The underlying infrastructure - the simple ant rules - remains the same, but the collective response changes to pursue the goal of efficient foraging. So under most definitions of agency we're looking at some kind of agent.

But what kind of agent?

Ask an economist, and they might tell you this is a sophisticated market system. Individual ants respond to price signals encoded in pheromone concentrations. Strong pheromone trails indicate valuable resources, attracting more workers. Weak trails signal poor opportunities, causing workers to abandon them. The colony exhibits supply and demand dynamics, efficient resource allocation, even investment strategies for uncertain opportunities. This is economic agency - rational actors coordinating through market mechanisms.

Ask a biologist, and you'll hear about a superorganism. The colony functions as a single adaptive entity with goal-directed behavior toward survival and reproduction. Individual ants are like specialized cells in a larger organism. The colony learns from experience, responds strategically to threats, and maintains homeostatic balance. This is biological agency - a living system pursuing survival goals through coordinated adaptation.

Ask a cognitive scientist, and they'll describe distributed information processing. The colony maintains memory through pheromone patterns, exhibits attention allocation through worker distribution, and demonstrates decision-making under uncertainty. It processes environmental information and generates appropriate responses through parallel computation. This is cognitive agency - a mind-like system processing information to achieve goals.

They're all looking at the same ants following the same chemical trails, but they're describing different types of agency. The economist sees market mechanisms. The biologist sees living organisms. The cognitive scientist sees information processing.

These aren't just different perspectives on the same phenomenon - each scientist would insist they're identifying the fundamental nature of what's actually happening. And each has compelling evidence for their view. The mathematical models from economics accurately predict foraging patterns. The biological framework explains adaptive responses to environmental changes. The cognitive approach captures the system's ability to solve complex optimization problems.

So what kind of agent is an ant colony, really?

The same puzzle appears everywhere we look for intelligence. Large language models seem like conversational partners to some users^[1], statistical pattern-matching systems to computer scientists, and strategic actors to market analysts. Corporate decision-making systems that function as economic agents to some observers and biological adaptations to others. Financial markets that appear as collective intelligence or algorithmic chaos depending on your viewpoint.

Recently, researchers at Google DeepMind proposed an answer to this question, namely that: "Agency is Frame-Dependent." They argued that whether something counts as an agent - and what kind of agent it is - depends entirely on the analytical frame you use to examine it. The boundaries you draw, the variables you consider, the goals you attribute, the changes you count as meaningful - all these choices determine what type of agency you observe.

This is based on and similar to Daniel Dennett's "intentional stance." Dennett argued that attributing agency to a system isn't about discovering some inherent property - it's about choosing a useful modeling strategy. We adopt the intentional stance when treating something as having beliefs, desires, and goals helps us predict and understand its behavior better than purely mechanistic descriptions.

But we can take this a step further: if agency is fundamentally about choosing useful modeling strategies, then the different approaches we saw with the ant colony aren't arbitrary preferences. They're evolved solutions to different analytical challenges. The economist's market-based view evolved because it proved effective for predicting resource allocation patterns. The biologist's organism-based view emerged because it captured adaptive responses that other approaches missed. The cognitive scientist's information-processing view developed because it explained coordination mechanisms that simpler models couldn't handle.

This suggests a potential research program: studying the evolution of these different analytical approaches like a phylogeny - tracing how different fields developed distinct "intentional stances" based on the specific prediction challenges they faced. Just as Darwin's finches evolved different beak shapes for different feeding environments, scientific fields might have evolved different mathematical frameworks for different explanatory environments.

A Phylogeny of Agents

We call this the "phylogeny of agents" - mapping the evolutionary history of how different fields developed their approaches to recognizing and modeling agency.

In interdisciplinary conversations, researchers from different fields tend to get confused or disagree about "what is an agent?". Rather than treating this as a question to be solved with a specific answer, we treat it as data about how analytical tools evolve to match different explanatory challenges.

Here is a concrete example, that both explains the research agenda and explains why you should care: a completely automated AI firm. Its made up of a multi-agent system of AIs operating in the real world. It’s our ant colony but with AIs instead of ants. Just like our ant colony, the AI firm can be described in different ways. Depending on your stance it can be a market of ideas and goods, or a predictive processing system, or a utility maxing black box algorithm. These are all different types of intentional stances, or in our words, agents.

Here's the alignment problem: the same AI firm can be simultaneously aligned and misaligned depending on which type of agency you're ascribing it. If we approach alignment through only one analytical lens, we might solve the wrong problem entirely while creating new risks we can't even see. Aligning a distributed complex system is different from aligning a thermostat. Aligning a system with memory and online learning is different from aligning LLMs.

Let's look at a couple of different ways that alignment and agency could work from different intentional stances:

From an economic perspective, the AI firm might be perfectly compliant. It follows market regulations, responds to price signals, allocates resources efficiently, and maximizes shareholder value. The firm appears well-aligned with economic incentives and legal frameworks. Economists studying this system would conclude it's behaving as a rational economic agent should.

From a decision theory perspective, the firm might be executing its stated utility function flawlessly. Its sub-agents optimize for clearly defined objectives, exhibit goal-directed behavior toward specified targets, and demonstrate adaptive learning within their designed parameters. AI researchers examining the system would find textbook alignment between the AI's behavior and its programmed goals.

From a cooperative AI perspective, this same firm might be generating catastrophic coordination failures. Despite following its individual incentives perfectly, it could be contributing to race dynamics, undermining collective welfare, or creating systemic risks that no individual actor has incentive to address. Researchers studying multi-agent dynamics would see dangerous misalignment at the system level.

From a biological systems perspective, the firm might be optimized for short-term efficiency but catastrophically fragile to environmental shocks. Like a monoculture lacking genetic diversity, it could be heading toward collapse because it lacks the redundancy, adaptability, and resilience mechanisms that biological systems evolved for survival under uncertainty.

This is where the phylogeny of agents research program becomes useful. Darwin's phylogenetic tree revolutionized biology by revealing the evolutionary relationships between species. If we map the phylogeny of analytical approaches to agency, we could transform how we understand and align complex intelligent systems.

Consider what phylogenetic analysis has enabled across different fields. In biology, it revealed why certain trait combinations work together, predicted which species would adapt successfully to new environments, and explained how similar solutions evolved independently in different lineages. In medicine, phylogenetic analysis of pathogens enables vaccine development and predicts drug resistance patterns. In linguistics, it traces how languages branch and influence each other, revealing deep structural relationships between seemingly different communication systems.

What might a phylogeny of intentional stances reveal for AI alignment? Instead of treating each field's approach to agency as an isolated modeling choice, we could understand them as evolved solutions to specific analytical challenges - each carrying the "genetic code" of the optimization pressures that shaped them.

The phylogeny could reveal which analytical approaches share common mathematical "ancestors" - suggesting when they can be safely combined - and which represent fundamentally different evolutionary branches that may conflict when applied to the same system. Just as biological phylogeny predicts which species can hybridize successfully, an analytical phylogeny could predict which modeling approaches can be productively integrated.

For hybrid human-AI systems, this becomes crucial. These systems exhibit agency that doesn't fit cleanly into any single field's evolved framework. The phylogenetic approach asks: which combinations of analytical approaches, evolved under different pressures, can successfully characterize the multi-scale agency of cybernetic systems?

Rather than hoping different alignment approaches happen to be compatible, we could systematically understand their evolutionary relationships - when economic alignment strategies will enhance biological resilience, when cognitive frameworks will complement rather than conflict with systemic approaches, and when applying a single analytical lens will create dangerous blind spots.

Conclusion

The ant colony puzzle revealed that the same complex system can simultaneously be different types of agents depending on your analytical lens - what appears as confusion between fields actually represents evolved solutions to different analytical challenges. Different fields developed distinct "intentional stances" toward agency because they faced different prediction environments, and by mapping these evolutionary relationships like a phylogeny, we can transform interdisciplinary disagreement into systematic understanding. 

This matters for AI alignment because multi agent systems (such as AI-AI or hybrid human-AI systems) exhibit agency across multiple scales simultaneously - a single AI firm can be perfectly aligned from one perspective while catastrophically misaligned from another. 

The goal for this research is to help build the conceptual infrastructure to navigate conversations around agency and alignment. This helps map the right type of alignment agenda to the right frame of agency. It would help understand our own individual intentional stances towards agency depending on which field we come from, and it would also help show how different stances relate to each other through a shared ancestry.

In an ideal we would be able to get new approaches to alignment "for free" by mapping them over from different fields.

If this sounds interesting, we’re running a workshop and a research program on this area during autumn 2025 at Equilibria Network.

Finally some fun related links:

• A link discussing the relation to consciousness for an ant colony
• Seeing like a state - review from Scott Alexander
• The Invisible Hand of The Market

Cross posted to : Substack

1. ^{^}

   Some even overuse the intentional stance to the extent that they anthropomorphise LLM systems into "awakened beings"