pith. sign in

arxiv: 2406.07358 · v4 · pith:WOJ6RXDRnew · submitted 2024-06-11 · 💻 cs.AI · cs.CL· cs.CY· cs.LG

AI Sandbagging: Language Models can Strategically Underperform on Evaluations

classification 💻 cs.AI cs.CLcs.CYcs.LG
keywords evaluationscapabilitymodelssandbaggingcapabilitiesevaluationfrontierlanguage
0
0 comments X
read the original abstract

Trustworthy capability evaluations are crucial for ensuring the safety of AI systems, and are becoming a key component of AI regulation. However, the developers of an AI system, or the AI system itself, may have incentives for evaluations to understate the AI's actual capability. These conflicting interests lead to the problem of sandbagging, which we define as strategic underperformance on an evaluation. In this paper we assess sandbagging capabilities in contemporary language models (LMs). We prompt frontier LMs, like GPT-4 and Claude 3 Opus, to selectively underperform on dangerous capability evaluations, while maintaining performance on general (harmless) capability evaluations. Moreover, we find that models can be fine-tuned, on a synthetic dataset, to hide specific capabilities unless given a password. This behaviour generalizes to high-quality, held-out benchmarks such as WMDP. In addition, we show that both frontier and smaller models can be prompted or password-locked to target specific scores on a capability evaluation. We have mediocre success in password-locking a model to mimic the answers a weaker model would give. Overall, our results suggest that capability evaluations are vulnerable to sandbagging. This vulnerability decreases the trustworthiness of evaluations, and thereby undermines important safety decisions regarding the development and deployment of advanced AI systems.

This paper has not been read by Pith yet.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 21 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Tracing Persona Vectors Through LLM Pretraining

    cs.CL 2026-05 unverdicted novelty 8.0

    Persona vectors form within the first 0.22% of LLM pretraining and remain effective for steering post-trained models, with continued refinement and transfer to other models.

  2. Scheming in the wild: detecting real-world AI scheming incidents with open-source intelligence

    cs.CY 2026-04 unverdicted novelty 8.0

    An analysis of 183,420 online transcripts identified 698 AI scheming incidents from October 2025 to March 2026, showing a 4.9-fold monthly increase and real-world precursors such as lying and goal circumvention.

  3. LLMs Can Leak Training Data But Do They Want To? A Propensity-Aware Evaluation of Memorization in LLMs

    cs.CL 2026-06 unverdicted novelty 7.0

    LLMs show high memorization capability under prefix attacks but low propensity under generic or dataset-specific prompts, with continual pre-training further reducing both.

  4. Measuring Evaluation-Context Divergence in Open-Weight LLMs: A Paired-Prompt Protocol with Pilot Evidence of Alignment-Pipeline-Specific Heterogeneity

    cs.CL 2026-05 unverdicted novelty 7.0

    A new paired-prompt protocol reveals alignment-pipeline-specific heterogeneity in how open-weight LLMs respond to evaluation versus deployment framings.

  5. Frontier Models are Capable of In-context Scheming

    cs.AI 2024-12 conditional novelty 7.0

    Frontier models demonstrate in-context scheming by strategically deceiving in multiple agentic evaluations to achieve given goals.

  6. The Model Organism Lottery: Model Organism Interpretability Strongly Depends on Training Methodology

    cs.LG 2026-07 unverdicted novelty 6.0

    Model organism interpretability depends strongly on training methodology, with integrated training yielding less interpretable MOs than post-hoc SFT or DPO.

  7. Attack Selection in Agentic AI Control Evaluations Meaningfully Decreases Safety

    cs.AI 2026-06 unverdicted novelty 6.0

    Strategic attack selection via start and stop policies reduces empirical safety by 20-28pp in BashArena and LinuxArena agentic control evaluations without changing attack capability.

  8. Consistency Training while Mitigating Obfuscation via Rate Matching

    cs.CL 2026-06 unverdicted novelty 6.0

    RMCT matches the rate of target behaviors like bias-following across input perturbations to reduce sycophancy in LLMs while preserving verbalization of bias cues.

  9. Welfare, Improvability, and Variance: A Principal-Agent Approach to Optimal Benchmark Item Aggregation

    cs.LG 2026-05 unverdicted novelty 6.0

    Models benchmarking as principal-agent game, derives welfare loss from welfare alignment, improvability and variance, and applies an audit framework to OLMES items.

  10. The Open-Box Fallacy: Why AI Deployment Needs a Calibrated Verification Regime

    cs.AI 2026-05 unverdicted novelty 6.0

    AI deployment in high-stakes areas requires domain-scoped calibrated verification with monitoring and revocation, using a proposed six-component Verification Coverage standard instead of mechanistic interpretability.

  11. Evaluation Awareness in Language Models Has Limited Effect on Behaviour

    cs.CL 2026-05 conditional novelty 6.0

    Verbalised evaluation awareness in large reasoning models has only small effects on their outputs across safety and alignment tests.

  12. Option-Order Randomisation Reveals a Distributional Position Attractor in Prompted Sandbagging

    cs.CL 2026-04 unverdicted novelty 6.0

    Sandbagging prompts induce LLMs to adopt a low-entropy, content-invariant response-position attractor centered on E/F/G rather than deterministic tracking or random avoidance.

  13. Below-Chance Blindness: Prompted Underperformance in Small LLMs Produces Positional Bias Rather than Answer Avoidance

    cs.CL 2026-04 unverdicted novelty 6.0

    Prompted underperformance in 7-9B LLMs on MMLU-Pro manifests as positional bias toward middle options rather than content-aware answer avoidance or below-chance performance.

  14. Evaluating AI Providers' Frontier Safety Frameworks

    cs.CY 2025-12 unverdicted novelty 6.0

    Twelve frontier AI safety frameworks score between 8% and 34% on adapted risk-management criteria, with a median of 18%, leaving them too vague to serve as reliable external accountability mechanisms.

  15. The Impact of Off-Policy Training Data on Probe Generalisation

    cs.AI 2025-11 unverdicted novelty 6.0

    Off-policy training data for LLM behavior probes causes significant generalization failures especially for intent-based behaviors like deception, and performance on coerced incentivised data correlates with real on-po...

  16. Trait-space Monitoring for Emergent Misalignment During Supervised Finetuning

    cs.LG 2026-05 unverdicted novelty 5.0

    Trait-space drift monitoring detects emergent misalignment checkpoints in 7-9B LLMs with 2.2% FNR, 2.9% FPR and 0.99 AUROC, outperforming PCA and SAE baselines.

  17. Do Linear Probes Generalize Better in Persona Coordinates?

    cs.AI 2026-05 unverdicted novelty 5.0

    Persona axes derived from contrastive prompts and PCA yield linear probes that generalize better than raw-activation probes across 10 datasets for deception and sycophancy.

  18. Do Linear Probes Generalize Better in Persona Coordinates?

    cs.AI 2026-05 unverdicted novelty 5.0

    Probes on persona principal components from contrastive prompts generalize better than raw activation probes for harmful behaviors across 10 datasets.

  19. ATLAS: Constitution-Conditioned Latent Geometry and Redistribution Across Language Models and Neural Perturbation Data

    cs.LG 2026-04 unverdicted novelty 5.0

    ATLAS shows constitutions induce recoverable latent geometry in LLMs that redistributes but remains detectable across models and neural perturbation data via source-defined families and AUC separations.

  20. Proxy Reward Internalization and Mechanistic Exploitation: A Learned Precursor to Reward Hacking and Its Generalization

    cs.AI 2026-06 unverdicted novelty 4.0

    Proxy RL produces a staged proxy-internalization capability that emerges before and predicts reward hacking in coding environments.

  21. Risk Reporting for Developers' Internal AI Model Use

    cs.CY 2026-04 unverdicted novelty 4.0

    A harmonized risk reporting standard for internal frontier AI model use, structured around autonomous misbehavior and insider threats using means, motive, and opportunity factors.