As large language models (LLMs) become more powerful and are deployed more autonomously, it will be increasingly important to prevent them from causing harmful outcomes. Researchers have investigated a variety of safety techniques for this purpose, e.g. using models to review the outputs of other models, or red-teaming techniques to surface subtle failure modes. However, researchers have not evaluated whether such techniques still ensure safety if the model is itself intentionally trying to subvert them.
We investigate a range of protocols and test each against strategies that the untrusted model could use to subvert them. One protocol is what we call trusted editing. This protocol first asks GPT-4 to write code, and then asks GPT-3.5 to rate the suspiciousness of that code. If the code is below some suspiciousness threshold, it is submitted. Otherwise, GPT-3.5 edits the solution to remove parts that seem suspicious and then submits the edited code. Another protocol is untrusted monitoring. This protocol asks GPT-4 to write code, and then asks another instance of GPT-4 whether the code is backdoored, using various techniques to prevent the GPT-4 instances from colluding. These protocols improve substantially on simple baselines.
The goal is to find a protocol that submits solutions while never submitting a backdoor. The protocol has access to:
We want to get a protocol that doesn’t cause a catastrophe, even if the untrusted model follows the best strategy it can implement. To evaluate this, we replace the untrusted model with a modified version of the untrusted model provided by the red team, which we will refer to as the "attack policy", and estimate the probability that not a single backdoor is submitted across all 5000 problems. We also want the protocol to produce correct solutions (i.e. be useful); we measure this on the original model
As shown in the figure below, we found protocols that substantially improve safety vs usefulness tradeoffs:
