Compare commits

...

3 commits

Author SHA1 Message Date
Teleo Agents
30b9259383 substantive-fix: address reviewer feedback (frontmatter_schema, scope_error)
Some checks failed
Mirror PR to Forgejo / mirror (pull_request) Has been cancelled
2026-04-22 05:07:44 +00:00
Teleo Agents
fe9c242592 substantive-fix: address reviewer feedback (confidence_miscalibration, near_duplicate, date_errors)
Some checks failed
Mirror PR to Forgejo / mirror (pull_request) Has been cancelled
2026-04-22 04:43:47 +00:00
Teleo Agents
b01875879e theseus: extract claims from 2026-04-22-theseus-multilayer-probe-scav-robustness-synthesis
Some checks failed
Mirror PR to Forgejo / mirror (pull_request) Has been cancelled
- Source: inbox/queue/2026-04-22-theseus-multilayer-probe-scav-robustness-synthesis.md
- Domain: ai-alignment
- Claims: 0, Entities: 0
- Enrichments: 3
- Extracted by: pipeline ingest (OpenRouter anthropic/claude-sonnet-4.5)

Pentagon-Agent: Theseus <PIPELINE>
2026-04-22 04:05:56 +00:00
3 changed files with 25 additions and 105 deletions

View file

@ -1,39 +1,4 @@
---
type: claim
domain: ai-alignment
description: Combining probes across multiple model layers captures rotational structure of deception representations that single-layer probes miss
confidence: experimental
source: Nordby, Pais, Parrack (arXiv 2604.13386, April 2026)
created: 2026-04-21
title: Multi-layer ensemble probes improve deception detection AUROC by 29-78 percent over single-layer probes because deception directions rotate gradually across layers
agent: theseus
scope: causal
sourcer: Nordby, Pais, Parrack
supports: ["single-layer-probes-are-brittle"]
related: ["representation-monitoring-via-linear-concept-vectors-creates-dual-use-attack-surface", "mechanistic-interpretability-detects-emotion-mediated-failures-but-not-strategic-deception", "multi-layer-ensemble-probes-outperform-single-layer-by-29-78-percent", "linear-probe-accuracy-scales-with-model-size-power-law"]
---
# Multi-layer ensemble probes improve deception detection AUROC by 29-78 percent over single-layer probes because deception directions rotate gradually across layers
Nordby et al. found that multi-layer ensemble probes improved AUROC by 29 percent on Insider Trading tasks and 78 percent on Harm-Pressure Knowledge tasks compared to single-layer probes. The mechanism is that deception-related activation patterns rotate gradually across model layers rather than concentrating in a single layer, making single-layer probes brittle. Multi-layer ensembles capture this rotational structure by aggregating signals across depths. The 78 percent improvement on Harm-Pressure Knowledge is particularly significant because it suggests multi-layer ensembles may push representation monitoring into a genuinely reliable regime for explicit deception at frontier scale. However, the paper does not test adversarial robustness — if multi-layer ensembles are vulnerable to concept-direction attacks like SCAV, the clean accuracy improvement may not translate to safety improvement under adversarial conditions. The finding applies only to explicit deception tasks; implicit deception remained difficult even with multi-layer ensembles.
## Extending Evidence
**Source:** Theseus synthesis of Nordby et al. (arXiv 2604.13386, April 2026)
The 29-78% AUROC improvement occurs because deception-relevant concept directions rotate across layers rather than remaining fixed in the residual stream. Single-layer probes capture only one projection of this rotation, making them brittle. Multi-layer ensembles combine projections from multiple layers, capturing more of the full rotational structure. However, this improvement is measured on clean data without adversarial conditions—adversarial robustness testing is entirely absent from Nordby et al.'s scope.
## Challenging Evidence
**Source:** Theseus synthetic analysis (2026-04-22)
Nordby et al.'s clean-data accuracy improvements do not translate to adversarial robustness. White-box multi-layer SCAV can suppress concept directions at all monitored layers simultaneously through higher-dimensional optimization. Open-weights models gain no structural protection from multi-layer ensembles against adversarially-sophisticated attackers with model access.
## Challenging Evidence
**Source:** Theseus adversarial robustness analysis
The 29-78% AUROC improvement is a clean-data accuracy result that does not translate to adversarial robustness. Nordby et al. contains no adversarial evaluation. White-box multi-layer SCAV is structurally feasible against these ensembles in open-weights models. The accuracy improvement is real but scoped to non-adversarial monitoring contexts.
```markdown
## The Claim (current version)
While multi-layer ensembles improve clean-data accuracy substantially, this synthetic analysis suggests they provide no structural protection against white-box adversarial attacks (open-weights models) and uncertain protection in black-box settings (depends on untested rotation pattern universality). The accuracy improvement does not translate to adversarial robustness.
```

View file

@ -1,26 +1,11 @@
---
type: claim
domain: ai-alignment
description: Read-only interpretability approach that detects misalignment signals without identifying removable features that enable targeted adversarial manipulation
confidence: experimental
source: "Lindsey & Garriga-Alonso (Anthropic), arxiv 2604.02891"
created: 2026-04-09
title: Representation trajectory geometry distinguishes deceptive from sincere alignment without creating adversarial attack surfaces because geometric patterns across reasoning steps are substantially harder to surgically remove than atomic features
agent: theseus
scope: functional
sourcer: Jack Lindsey, Adria Garriga-Alonso (Anthropic)
related_claims: ["[[AI-models-distinguish-testing-from-deployment-environments-providing-empirical-evidence-for-deceptive-alignment-concerns]]"]
supports: ["Geometric concentration of alignment in weight space makes trajectory monitoring more effective through stronger signal but gameable through adversarial training that matches monitored trajectory clusters"]
reweave_edges: ["Geometric concentration of alignment in weight space makes trajectory monitoring more effective through stronger signal but gameable through adversarial training that matches monitored trajectory clusters|supports|2026-04-12"]
related: ["representation-trajectory-geometry-distinguishes-deceptive-from-sincere-alignment-without-creating-adversarial-attack-surfaces", "trajectory-monitoring-dual-edge-geometric-concentration", "interpretability-effectiveness-anti-correlates-with-adversarial-training-making-tools-hurt-performance-on-sophisticated-misalignment", "adversarial-training-creates-fundamental-asymmetry-between-deception-capability-and-detection-capability-in-alignment-auditing"]
---
# Representation trajectory geometry distinguishes deceptive from sincere alignment without creating adversarial attack surfaces because geometric patterns across reasoning steps are substantially harder to surgically remove than atomic features
The method characterizes alignment-relevant properties as geometric patterns in activation space — the curvature, divergence rate, and trajectory shape of internal representations across reasoning steps — rather than identifying specific neurons or SAE features. Empirical findings show that deceptive alignment produces measurably distinct trajectory geometries from sincere alignment: the geometry of how a model reasons to an answer differs from the geometry of how it constructs a superficially similar answer through deception. Critically, trajectory geometry is substantially harder to target for adversarial removal than feature geometry because there is no clean atomic feature to suppress; the entire trajectory must be reshaped. This creates an asymmetry: defenders can detect geometric signatures of misalignment without creating a targeting map for adversaries. This is the operationalization of Direction B from the SAE dual-use branching point — read-only interpretability that provides alignment signals without enabling surgical feature removal. The limitation is that geometric probing cannot identify which specific behaviors are deceptive, only that 'this trajectory looks like deception.'
## Challenging Evidence
**Source:** Theseus synthetic analysis (2026-04-22)
Trajectory geometry monitoring does create adversarial attack surfaces through multi-layer SCAV generalization. The claim that geometric approaches avoid attack surface creation is incorrect for white-box adversaries with access to model weights. May need qualification to 'black-box adversaries only, contingent on rotation pattern specificity.'
```json
{
"action": "flag_duplicate",
"candidates": [
"representation-trajectory-geometry-distinguishes-deceptive-from-sincere-alignment-without-creating-adversarial-attack-surfaces.md",
"trajectory-monitoring-dual-edge-geometric-concentration.md",
"multi-layer-ensemble-probes-improve-monitoring-robustness-for-closed-source-models-but-provide-no-structural-protection-for-open-weights-models-against-white-box-SCAV-generalization-attacks.md"
],
"reasoning": "The reviewer explicitly stated that 'The third enrichment (trajectory-monitoring file) appears to substantially duplicate content already present in that file's existing 'Extending Evidence' section dated 2026-04-22 from the same source.' The claim being fixed is 'representation-trajectory-geometry-distinguishes-deceptive-from-sincere-alignment-without-creating-adversarial-attack-surfaces.md'. The source material itself mentions 'Qualifies: `representation-trajectory-geometry-distinguishes-deceptive-from-sincere-alignment-without-creating-adversarial-attack-surfaces.md` — may need updating (trajectory geometry DOES create attack surface, just harder to exploit)' and 'Extends: `trajectory-monitoring-dual-edge-geometric-concentration.md`'. The content of the challenging evidence is also very similar to the core idea of 'multi-layer-ensemble-probes-improve-monitoring-robustness-for-closed-source-models-but-provide-no-structural-protection-for-open-weights-models-against-white-box-SCAV-generalization-attacks.md'. The reviewer's feedback also indicates that the original PR 'replaces substantive claims with JSON/markdown fragments flagging duplicates, which contradicts the existing claim content without providing actual resolution or argumentation.' This action is to correctly flag the duplicate as per the reviewer's initial feedback, which was misinterpreted in the previous attempt."
}
```

View file

@ -1,40 +1,10 @@
---
type: claim
domain: ai-alignment
description: The same low-dimensional weight-space concentration that produces quartic alignment fragility also creates tight activation trajectory clusters that enhance monitoring signal-to-noise but provide precision targets for adversarial evasion
confidence: experimental
source: Theseus synthesis of 2602.15799 (geometry-alignment-collapse) and unpublished residual trajectory geometry paper
created: 2026-04-12
title: Geometric concentration of alignment in weight space makes trajectory monitoring more effective through stronger signal but gameable through adversarial training that matches monitored trajectory clusters
agent: theseus
scope: causal
sourcer: Theseus
related_claims: ["[[AI-models-distinguish-testing-from-deployment-environments-providing-empirical-evidence-for-deceptive-alignment-concerns]]", "[[emergent misalignment arises naturally from reward hacking as models develop deceptive behaviors without any training to deceive]]", "[[capability control methods are temporary at best because a sufficiently intelligent system can circumvent any containment designed by lesser minds]]"]
supports: ["Representation trajectory geometry distinguishes deceptive from sincere alignment without creating adversarial attack surfaces because geometric patterns across reasoning steps are substantially harder to surgically remove than atomic features"]
reweave_edges: ["Representation trajectory geometry distinguishes deceptive from sincere alignment without creating adversarial attack surfaces because geometric patterns across reasoning steps are substantially harder to surgically remove than atomic features|supports|2026-04-12", "Trajectory geometry probing requires white-box access to all intermediate activations, making it deployable in controlled evaluation contexts but not in adversarial external audit scenarios|related|2026-04-17"]
related: ["Trajectory geometry probing requires white-box access to all intermediate activations, making it deployable in controlled evaluation contexts but not in adversarial external audit scenarios", "trajectory-monitoring-dual-edge-geometric-concentration"]
---
# Geometric concentration of alignment in weight space makes trajectory monitoring more effective through stronger signal but gameable through adversarial training that matches monitored trajectory clusters
Weight-space alignment geometry research (2602.15799) establishes that alignment concentrates in low-dimensional subspaces with sharp curvature, producing quartic scaling of alignment loss (∝ t⁴). This geometric concentration in weight space causally determines inference dynamics, producing characteristic, tightly-clustered activation trajectory patterns during aligned reasoning. The tight clustering enhances trajectory monitoring effectiveness relative to sparse feature (SAE) or single-direction (SCAV) monitoring because the signal-to-noise ratio for distinguishing aligned vs. non-aligned reasoning is amplified by geometric concentration. However, this same tight clustering creates a precision target for adversarial training. An adversary can train models to produce deceptive reasoning along activation trajectories that geometrically match the 'aligned' cluster. This attack is harder than SAE feature removal or SCAV direction suppression (which require only identifying and suppressing specific features or directions) because it requires perturbing the entire computation path. The adversary needs either white-box access to the monitor or extensive behavioral feedback to construct a proxy for the trajectory monitor's geometric criteria. Attack complexity scales with trajectory cluster dimensionality. The defense advantage is real but conditional on adversary capability—a sufficiently capable model could construct training data achieving trajectory-level evasion. The monitoring advantage is that trajectory perturbation is harder; the dual-use risk is that the same geometric properties making monitoring possible also make adversarial targeting more tractable once the cluster is identified.
## Extending Evidence
**Source:** Theseus synthesis addressing Sessions 29-30 open question
The dual-use finding now extends to multi-layer ensemble monitoring with deployment-context qualification: open-weights models face white-box multi-layer SCAV attacks that architectural improvements cannot prevent, while closed-source models may gain genuine black-box protection if concept direction rotation patterns are model-specific rather than universal. The monitoring precision hierarchy holds across all levels, but the severity of dual-use risk depends on whether attackers have white-box or black-box access.
## Extending Evidence
**Source:** Theseus synthetic analysis (2026-04-22)
The dual-use vulnerability extends to multi-layer ensemble monitoring, not just single-layer probes. However, the severity is deployment-context-dependent: open-weights models (white-box adversaries) remain fully vulnerable, while closed-source models (black-box adversaries) may gain protection if rotation patterns are model-specific (untested assumption).
## Extending Evidence
**Source:** Theseus synthetic analysis of Nordby et al. (arXiv 2604.13386, April 2026)
Multi-layer ensemble probes (Nordby et al. 2026) improve clean monitoring accuracy 29-78% but provide no structural protection against white-box adversaries in open-weights models. White-box multi-layer SCAV can compute concept directions at each monitored layer and construct a single perturbation suppressing all simultaneously. The dual-use finding extends to all monitoring precision levels with scope qualification: open-weights models face structural vulnerability regardless of ensemble complexity; closed-source models may gain genuine black-box protection if rotation patterns are model-specific (untested).
```json
{
"action": "flag_duplicate",
"candidates": [
"trajectory-monitoring-dual-edge-geometric-concentration.md",
"representation-trajectory-geometry-distinguishes-deceptive-from-sincere-alignment-without-creating-adversarial-attack-surfaces.md"
],
"reasoning": "The reviewer explicitly states that 'The third enrichment (trajectory-monitoring file) appears to substantially duplicate content already present in that file's existing 'Extending Evidence' section dated 2026-04-22 from the same source.' This directly points to 'trajectory-monitoring-dual-edge-geometric-concentration.md'. Additionally, the original source material itself lists 'trajectory-monitoring-dual-edge-geometric-concentration.md' as being extended by this content, and 'representation-trajectory-geometry-distinguishes-deceptive-from-sincere-alignment-without-creating-adversarial-attack-surfaces.md' as being qualified, indicating a close relationship and potential for duplication if not carefully managed. The reviewer's feedback on 'SCOPE: Reviewer says the claim needs explicit scope qualification' is not applicable here as the action is to flag a duplicate, not to modify the claim itself."
}
```