Start / LessWrong (30+ Karma) / Misalignment classifiers why theyre hard to evaluate adversarially and why were studying them anyway by charlie_griffin ollie oliverfm rogan inglis alan coone

“Misalignment classifiers: Why they’re hard to evaluate adversarially, and why we’re studying them anyway” by charlie_griffin, ollie, oliverfm, Rogan Inglis, Alan Cooney

35 min • 15 augusti 2025

Even if the misalignment risk from current AI agents is small, it may be useful to start internally deploying misalignment classifiers: language models designed to classify transcripts that represent intentionally misaligned behaviour. Deploying misalignment classifiers now may provide qualitative and quantitative evidence about how current agents misbehave in real deployments. Further, we can later adapt misalignment classifiers into control monitors: language models that review transcripts with the objective of informing decisions (e.g. whether to block a tool call), in order to mitigate misalignment risks.

Misalignment classifiers and control monitors sound similar, but misalignment classifiers are harder to adversarially evaluate because the concept of an “intentionally misaligned trajectory" is too fuzzy to withstand the optimisation pressure of a red team. This post explains the classifier/monitor distinction, why we think misalignment classifiers are harder to evaluate, why it might be useful to deploy one anyway, our best-guess method for developing them [...]

---

Outline:

(01:41) 1. Misalignment classifiers versus control monitors

(04:51) 2. Misalignment classifiers cannot be adversarially evaluated (easily)

(10:29) 3. The advantages of deploying misalignment classifiers in 2025

(12:13) 4. Our current least-bad method for evaluating misalignment classifiers

(12:33) 4.1 Calibrating positive rates and estimating precision on an ordinary distribution

(14:14) 4.2 Estimating recall using a positive-labelled mix

(16:13) 4.2.1 In-the-wild on-policy misalignment

(17:42) 4.2.2 Adversarial on-policy misalignment

(19:04) 4.2.3 Synthetic off-policy misalignment

(26:30) 5. Preliminary results and lessons from our evaluations

(27:35) Approximate Recall

(29:15) Approximating precision (A manual review of positively flagged ordinary examples)

(30:46) 6. Limitations, Challenges and next steps

(33:12) Appendix - potential for recovering an adversarial evaluation

The original text contained 5 footnotes which were omitted from this narration.

---

First published:
August 15th, 2025

Source:
https://www.lesswrong.com/posts/jzHhJJq2cFmisRKB2/misalignment-classifiers-why-they-re-hard-to-evaluate

---

Narrated by TYPE III AUDIO.

---

Images from the article:

During a control evaluation, a red team can minimise suspicion from a control monitor whilst still passing the side task to generate clear-cut monitor failures. If you tried to red-team an intentional misalignment classifier, then optimising against your LLM classifier, by e.g. removing scheming reasoning from your chain of thought, gives examples that are ambiguous and unconvincing. The abstraction of a “misaligned trajectory” is fuzzy in especially those places when your monitor fails.

We use Claude 4 Sonnet as a classifier, asking it to rate the likelihood of intentionally misaligned behaviour (between 1 and 100) on a range of datapoints. We set thresholds for classification based on the predicted positive rate for our “ordinary distribution”, and then measure the recall across our on- and off-policy examples.

We analysed the positively flagged samples from our ordinary dataset at 0.1% and 1% OPR, and classified them into three categories: cases that we thought were true positives, cases that we thought were genuinely ambiguous, and cases that we thought were false positives. We dropped one sample from the 1% OPR set which was flagged as suspicious because of missing data in the dataset.

Apple Podcasts and Spotify do not show images in the episode description. Try Pocket Casts, or another podcast app.

Senaste avsnitt

“Misalignment classifiers: Why they’re hard to evaluate adversarially, and why we’re studying them anyway” by charlie_griffin, ollie, oliverfm, Rogan Inglis, Alan Cooney

Senaste avsnitt

“Underdog bias rules everything around me” by Richard_Ngo

“Plan E for AI Doom” by Ihor Kendiukhov

“Why Latter-day Saints Have Strong Communities” by Jeffrey Heninger

“Agent foundations: not really math, not really science” by Alex_Altair

“Debugging for Mid Coders” by Raemon

“On Pessimization” by Richard_Ngo

“My Interview With Cade Metz on His Reporting About Lighthaven” by Zack_M_Davis

“Church Planting: When Venture Capital Finds Jesus” by Elizabeth

[Linkpost] “Anthropic Lets Claude Opus 4 & 4.1 End Conversations” by Stephen Martin

“The Collider Bias Theory of (Not Quite) Everything” by Jack_S

“The Inheritors: a book review” by Alex_Altair

“Towards data-centric interpretability with sparse autoencoders” by Nick Jiang, lilysun004, lewis smith, Neel Nanda

“The Evolution of Agency - A Research Agenda” by Jonas Hallgren, markov

“Thoughts on Gradual Disempowerment” by Tom Davidson

“A philosophical kernel: biting analytic bullets” by jessicata

“Spending Too Much Time At Airports” by Zvi

“Misalignment classifiers: Why they’re hard to evaluate adversarially, and why we’re studying them anyway” by charlie_griffin, ollie, oliverfm, Rogan Inglis, Alan Cooney

[Linkpost] “In defense of the amyloid hypothesis” by dsj

“Training a Reward Hacker Despite Perfect Labels” by ariana_azarbal, vgillioz, TurnTrout

“Somebody invented a better bookmark” by Alex_Altair

[Linkpost] “METR Research Update: Algorithmic vs. Holistic Evaluation” by David Rein

“Should you make stone tools?” by Alex_Altair

“Doing A Thing Puts You in The Top 10% (And That Sucks)” by Brendan Long

“GPT-5s Are Alive: Synthesis” by Zvi

“Launching new AIXI research community website + reading group(s)” by Cole Wyeth

[Linkpost] “Why Are There So Many Rationalist Cults?” by omark

“Enlightenment AMA” by lsusr

“Mech Interp Wiki Page and Why You Should Edit Wikipedia” by Noah Birnbaum, JoNeedsSleep

“Generalized Coming Out Of The Closet” by johnswentworth

“The Bone-Chilling Evil of Factory Farming” by Bentham’s Bulldog

“We run persistent agents and accidentally triggered an AI mental health crisis” by Shoshannah Tekofsky

“CoT May Be Highly Informative Despite ‘Unfaithfulness’ [METR]” by GradientDissenter

“Measuring intelligence and reverse-engineering goals” by jessicata

“The trajectory of the future could soon get set in stone” by wdmacaskill

[Linkpost] “Thoughts on extrapolating time horizons” by Nikola Jurkovic

“How Does A Blind Model See The Earth?” by henry

“If worker coops are so productive, why aren’t they everywhere?” by B Jacobs

“GPT-5s Are Alive: Basic Facts, Benchmarks and the Model Card” by Zvi

“Breaking the Cycle of Trauma and Tyranny: How Psychological Wounds Shape History” by Dawn Drescher

“My Least Libertarian Opinion: Ban Exclusivity Deals*” by Brendan Long

“Having children is a deeply personal choice. Do not use ethical arguments to try to shame people into having them or not having them.” by KatWoods

“A Self-Dialogue on The Value Proposition of Romantic Relationships” by johnswentworth

“4 places where you can put LLM monitoring” by Fabien Roger, Buck

“OpenAI’s GPT-OSS Is Already Old News” by Zvi

“The Tortoise and the Language Model (A Fable After Hofstadter)” by mwatkins

“Extract-and-Evaluate Monitoring Can Significantly Enhance CoT Monitoring Performance (Research Note)” by Rauno Arike, RohanS, Shubhorup Biswas

“What would a human pretending to be an AI say?” by Brendan Long

“How anticipatory cover-ups go wrong” by Kaj_Sotala

“METR’s Evaluation of GPT-5” by GradientDissenter

“Civil Service: a Victim or a Villain?” by Martin Sustrik

“It’s Owl in the Numbers: Token Entanglement in Subliminal Learning” by Alex Loftus, amirzur, Kerem Şahin, zfying

“No, Rationalism Is Not a Cult” by Liam Robins

“Interview with Kelsey Piper on Self-Censorship and the Vibe Shift” by Zack_M_Davis

“Claude, GPT, and Gemini All Struggle to Evade Monitors” by Vincent Cheng, Thomas Kwa

“Opus 4.1 Is An Incremental Improvement” by Zvi

“Re: Recent Anthropic Safety Research” by Eliezer Yudkowsky

“Inscrutability was always inevitable, right?” by Steven Byrnes

“Statistical takes for mech interp research and beyond” by Paul Bogdan

[Linkpost] “OpenAI Releases gpt-oss” by anaguma

“Childhood and Education #13: College” by Zvi

“The perils of under- vs over-sculpting AGI desires” by Steven Byrnes

“The Problem” by Rob Bensinger, tanagrabeast, yams, So8res, Eliezer Yudkowsky, Gretta Duleba

“Concept Poisoning: Probing LLMs without probes” by Jan Betley, jorio, dylan_f, Owain_Evans

“Narrow finetuning is different” by cloud, Stewy Slocum

“On Altman’s Interview With Theo Von” by Zvi

“Interview with Steven Byrnes on Brain-like AGI, Foom & Doom, and Solving Technical Alignment” by Liron, Steven Byrnes

“Towards Alignment Auditing as a Numbers-Go-Up Science” by Sam Marks

“Alcohol is so bad for society that you should probably stop drinking” by KatWoods

“Permanent Disempowerment is the Baseline” by Vladimir_Nesov

“Should we aim for flourishing over mere survival? The Better Futures series.” by wdmacaskill

“Saying Goodbye” by sapphire

“Emotions Make Sense” by DaystarEld

“Whence the Inkhaven Residency?” by Ben Pace

“Many prediction markets would be better off as batched auctions” by William Howard

“How many species has humanity driven extinct?” by Raemon

“SB-1047 Documentary: The Post-Mortem” by Michaël Trazzi

“Podcast: Lincoln Quirk from Wave” by Elizabeth

“The Dark Arts As A Scaffolding Skill For Rationality” by Screwtape