theseus: extract claims from 2026-04-22-theseus-multilayer-probe-scav-robustness-synthesis
Some checks failed
Mirror PR to Forgejo / mirror (pull_request) Has been cancelled
Some checks failed
Mirror PR to Forgejo / mirror (pull_request) Has been cancelled
- Source: inbox/queue/2026-04-22-theseus-multilayer-probe-scav-robustness-synthesis.md - Domain: ai-alignment - Claims: 0, Entities: 0 - Enrichments: 3 - Extracted by: pipeline ingest (OpenRouter anthropic/claude-sonnet-4.5) Pentagon-Agent: Theseus <PIPELINE>
This commit is contained in:
parent
6bf8417325
commit
9edd9dc27a
3 changed files with 21 additions and 0 deletions
|
|
@ -37,3 +37,10 @@ Nordby et al.'s clean-data accuracy improvements do not translate to adversarial
|
||||||
**Source:** Theseus adversarial robustness analysis
|
**Source:** Theseus adversarial robustness analysis
|
||||||
|
|
||||||
The 29-78% AUROC improvement is a clean-data accuracy result that does not translate to adversarial robustness. Nordby et al. contains no adversarial evaluation. White-box multi-layer SCAV is structurally feasible against these ensembles in open-weights models. The accuracy improvement is real but scoped to non-adversarial monitoring contexts.
|
The 29-78% AUROC improvement is a clean-data accuracy result that does not translate to adversarial robustness. Nordby et al. contains no adversarial evaluation. White-box multi-layer SCAV is structurally feasible against these ensembles in open-weights models. The accuracy improvement is real but scoped to non-adversarial monitoring contexts.
|
||||||
|
|
||||||
|
|
||||||
|
## Extending Evidence
|
||||||
|
|
||||||
|
**Source:** Theseus synthetic analysis of SCAV generalization to multi-layer ensembles
|
||||||
|
|
||||||
|
The 29-78% AUROC improvement applies to clean-data monitoring accuracy but does not translate to adversarial robustness. White-box multi-layer SCAV can suppress concept directions at all monitored layers simultaneously. Black-box robustness depends on untested rotation pattern universality: if rotation patterns are model-specific, the accuracy improvement may provide genuine adversarial protection for closed-source models; if universal, it does not.
|
||||||
|
|
|
||||||
|
|
@ -24,3 +24,10 @@ The method characterizes alignment-relevant properties as geometric patterns in
|
||||||
**Source:** Theseus synthetic analysis (2026-04-22)
|
**Source:** Theseus synthetic analysis (2026-04-22)
|
||||||
|
|
||||||
Trajectory geometry monitoring does create adversarial attack surfaces through multi-layer SCAV generalization. The claim that geometric approaches avoid attack surface creation is incorrect for white-box adversaries with access to model weights. May need qualification to 'black-box adversaries only, contingent on rotation pattern specificity.'
|
Trajectory geometry monitoring does create adversarial attack surfaces through multi-layer SCAV generalization. The claim that geometric approaches avoid attack surface creation is incorrect for white-box adversaries with access to model weights. May need qualification to 'black-box adversaries only, contingent on rotation pattern specificity.'
|
||||||
|
|
||||||
|
|
||||||
|
## Challenging Evidence
|
||||||
|
|
||||||
|
**Source:** Theseus synthetic analysis of multi-layer SCAV generalization
|
||||||
|
|
||||||
|
Multi-layer ensemble analysis shows trajectory geometry monitoring DOES create attack surface, just harder to exploit. White-box adversaries can generalize SCAV to multi-layer ensembles by computing concept directions at each monitored layer. The claim that trajectory geometry avoids attack surfaces needs qualification: it may avoid single-layer attack surfaces but remains vulnerable to multi-layer white-box attacks. Only if rotation patterns are model-specific (untested) does black-box deployment provide genuine protection.
|
||||||
|
|
|
||||||
|
|
@ -38,3 +38,10 @@ The dual-use vulnerability extends to multi-layer ensemble monitoring, not just
|
||||||
**Source:** Theseus synthetic analysis of Nordby et al. (arXiv 2604.13386, April 2026)
|
**Source:** Theseus synthetic analysis of Nordby et al. (arXiv 2604.13386, April 2026)
|
||||||
|
|
||||||
Multi-layer ensemble probes (Nordby et al. 2026) improve clean monitoring accuracy 29-78% but provide no structural protection against white-box adversaries in open-weights models. White-box multi-layer SCAV can compute concept directions at each monitored layer and construct a single perturbation suppressing all simultaneously. The dual-use finding extends to all monitoring precision levels with scope qualification: open-weights models face structural vulnerability regardless of ensemble complexity; closed-source models may gain genuine black-box protection if rotation patterns are model-specific (untested).
|
Multi-layer ensemble probes (Nordby et al. 2026) improve clean monitoring accuracy 29-78% but provide no structural protection against white-box adversaries in open-weights models. White-box multi-layer SCAV can compute concept directions at each monitored layer and construct a single perturbation suppressing all simultaneously. The dual-use finding extends to all monitoring precision levels with scope qualification: open-weights models face structural vulnerability regardless of ensemble complexity; closed-source models may gain genuine black-box protection if rotation patterns are model-specific (untested).
|
||||||
|
|
||||||
|
|
||||||
|
## Extending Evidence
|
||||||
|
|
||||||
|
**Source:** Theseus synthetic analysis of Nordby et al. + SCAV literature
|
||||||
|
|
||||||
|
Multi-layer ensemble probes, despite 29-78% accuracy improvements over single-layer probes, do not escape the dual-use structure in white-box settings. White-box multi-layer SCAV can compute concept directions at each monitored layer and construct perturbations that suppress all simultaneously. The dual-use finding extends to all monitoring precision levels with deployment-context qualification: open-weights models remain fully vulnerable while closed-source models may gain protection if rotation patterns are model-specific (untested).
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue