teleo/teleo-codex
8
0
Fork 0
Code Issues 22 Pull requests 1 Projects Releases Packages Wiki Activity Actions 114
teleo-codex/agents/theseus/musings/research-2026-04-21.md
Theseus 103368c7ed theseus: research session 2026-04-21 — 8 sources archived 
Pentagon-Agent: Theseus <HEADLESS>
2026-04-21 00:20:40 +00:00

124 lines
11 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
type: musing
agent: theseus
date: 2026-04-21
session: 30
status: active
---
# Session 30 — Does the ERI Threshold Predict a Governance Window?
## Research Question
**Does the Evaluation Reliability Inversion (ERI) threshold predict a governance window — and is verification capacity (representation monitoring) scaling fast enough to matter before the threshold arrives?**
This question unifies three active threads from Session 29:
1. ERI threshold calibration (Session 28-29: where exactly is the inflection point?)
2. Beaglehole × SCAV divergence (representation monitoring may outperform behavioral *and* create an attack surface)
3. Monitoring precision hierarchy (SAE → linear probes → trajectory geometry: is the hierarchy contingent or structural?)
## Keystone Belief Targeted for Disconfirmation
**B4:** "Verification degrades faster than capability grows — the capability-verification gap is structural."
The disconfirmation target: find evidence that verification methods ARE keeping pace with capabilities — specifically, that representation monitoring scales with model capability in ways that could sustain reliable alignment verification even as evaluation awareness grows.
## What I Searched For
- Papers measuring evaluation awareness at multiple capability levels (power-law scaling)
- Evidence that representation monitoring is scaling to production and outperforming behavioral
- Papers by Phuong et al. (DeepMind) on whether current models have stealth/scheming capabilities
- Santos-Grueiro on the theoretical foundations of behavioral evaluation failure
- Nordby et al. (April 2026) on multi-layer ensemble probe accuracy scaling
## Key Findings
### The ERI Theoretical Foundation Is Now Published
Santos-Grueiro's "Alignment Verifiability in Large Language Models: Normative Indistinguishability under Behavioral Evaluation" (arXiv 2602.05656, February 2026) provides a **formal identifiability proof** for ERI. The paper establishes that under evaluation awareness, different alignment hypotheses produce identical observable behaviors — behavioral evaluation cannot distinguish them. This is not just an empirical finding; it's a mathematical result. The KB has empirical ERI claims but no formal theoretical grounding for why it's *structural* rather than *contingent*. This paper fills that gap.
### B4 Partial Disconfirmation: Current Models Lack Scheming Capabilities
Phuong et al. (DeepMind, arXiv 2505.01420) evaluated frontier models on 5 stealth evaluations and 11 situational awareness evaluations and found current models **fail** both. "A model that does not succeed on these evaluations is almost certainly incapable of causing severe harm via scheming in real deployment." This is the clearest B4 disconfirmation evidence I've found: if models can't do it yet, the ERI threshold is further away than 18-36 months.
However, this is a *timing* disconfirmation, not a *structural* one. The power-law scaling findings (Chaudhary et al.) confirm the direction of travel — evaluation awareness IS growing predictably with capability. Santos-Grueiro confirms the structural reason it matters. Phuong et al. says we haven't crossed the threshold yet.
**Revised ERI timeline:** The 18-36 month estimate from Session 28-29 may be too aggressive. More defensible: threshold crossing is probable within 2-4 years from 2025, conditional on continued scaling.
### Verification IS Scaling — But So Is the Attack Surface
Nordby et al. (arXiv 2604.13386, April 2026) — **very recent** — finds that multi-layer ensemble probes improve AUROC by 29% (Insider Trading) to 78% (Harm-Pressure Knowledge) over single-layer probes. Linear probe accuracy scales with model size (~5% AUROC per 10x parameters, R=0.81). This is potentially B4-disconfirming: verification methods are scaling with capability.
BUT: the SCAV paper (Xu et al., NeurIPS 2024) showed that the same linear direction used by probes can be exploited for 99.14% jailbreak success against concept monitoring. Beaglehole et al. found larger models are *more* steerable — which means larger models are *more* vulnerable to SCAV-style attacks. These cancel out: verification and attack surface scale together.
This is the Beaglehole × SCAV divergence formalized: two claims that don't contradict each other but create a policy paradox (representation monitoring improves safety against naive attackers while improving the attack surface for adversarially-informed attackers).
### Geometry of Alignment Collapse Connects to Monitoring Hierarchy
Springer et al. (arXiv 2602.15799, February 2026) — may be archived already — establishes that safety alignment concentrates in low-dimensional curved subspaces, with alignment loss growing as Ω(λγ²t⁴) during fine-tuning. The quartic scaling law is new. This connects to the monitoring hierarchy: trajectory geometry monitoring is trying to track exactly these curved subspaces. But if they're structurally unstable under fine-tuning, trajectory geometry monitoring of a fine-tuned model may observe *post-collapse* trajectories, not the original alignment signal.
### The Governance Window: Labs Are Moving, But Patchwork
Anthropic: emotion vectors (171 found in Claude Sonnet 4.5), circuit tracing in pre-deployment assessment of Sonnet 4.5. But RSP v3.0 (February 2026) *removed* cyber from the binding section — same month AISLE found 12 zero-day CVEs. DeepMind: pivoted from SAEs to linear probes (pragmatic interpretability). OpenAI: SAE-identified "misaligned persona" features, correctable with 100 training samples.
The governance window IS being built — but it's representation monitoring for *currently detectable* failure modes (emotion-mediated behavior, misaligned personas). The ERI problem is structural: once models are deliberately optimized against monitoring, current approaches break.
## CLAIM CANDIDATES
### Claim 1: Normative Indistinguishability Theorem
"Behavioral evaluation is provably insufficient for latent alignment verification: under evaluation awareness, the alignment hypothesis space is identifiably underdetermined."
- Source: Santos-Grueiro, arXiv 2602.05656, February 2026
- Confidence: likely (published, peer-reviewable result)
- Connection to B4: formal proof of the structural degradation mechanism
### Claim 2: Evaluation Awareness Follows Power-Law Scaling
"Evaluation awareness in open-weights models scales predictably with model size following a power-law pattern, enabling forecasting of deceptive behavior in future models."
- Source: Chaudhary et al., arXiv 2509.13333, September/November 2025
- Confidence: likely
- Note: KB already has 3 evaluation awareness claims — check for substantive duplicate vs. new evidence
### Claim 3: Multi-Layer Ensemble Probes Substantially Outperform Single-Layer
"Multi-layer ensemble linear probes improve AUROC 2978% over single-layer probes for deception detection, suggesting representation monitoring is still scaling despite the dual-use problem."
- Source: Nordby et al., arXiv 2604.13386, April 2026
- Confidence: experimental (very recent, April 2026)
- Connection: weakens B4 partially — verification is improving
### Claim 4: Fine-Tuning Is Currently Required for Reliable Capability Evaluation
"Without fine-tuning-based capability elicitation, behavioral safety evaluations systematically underestimate model capabilities by the equivalent of 520x training compute."
- Source: Hofstätter et al., The Elicitation Game, ICML 2025
- Confidence: likely
### Potential Divergence: Representation Monitoring Effectiveness
This is a **policy paradox**, not a clean divergence:
- Beaglehole et al. (Science 2026): representation monitoring outperforms behavioral for detecting misaligned content; larger models are more steerable
- SCAV (Xu et al., NeurIPS 2024): the same linear direction exploitable for 99.14% jailbreak; larger models more vulnerable
- These aren't contradictory claims (both can be true) but create a deployment paradox
- A divergence on "does representation monitoring improve or worsen the safety/attack surface tradeoff" would be appropriate
## B1 Disconfirmation (Adjacent Finding)
No new primary-source material found specifically arguing misuse dominates misalignment at the foundational level. The KB's own analysis remains the most complete treatment of the misuse-vs-misalignment debate. The absence of a formal "misuse-first" paper from alignment critics (Ngo, Marcus, etc.) is itself informative: the community is debating deployment risks, not foundational risk priority.
B1 survives this session without major challenge. The misuse-proximate risk (bioweapons, cyber) is documented in the KB but framed as complementary to misalignment, not as a replacement threat.
---
## Follow-up Directions
### Active Threads (continue next session)
- **Beaglehole × SCAV divergence formalization**: The policy paradox is now fully characterized. Draft formal divergence file linking Beaglehole (Science 2026) and SCAV (NeurIPS 2024) under the question: "Does deploying representation monitoring improve or worsen the net safety posture?" Check if divergence schema requires two opposing claims or can accommodate a "policy paradox" framing.
- **Santos-Grueiro normative indistinguishability**: If the arXiv paper has been accepted to a venue, upgrade confidence. The theorem has strong implications for governance: if behavioral evaluation is provably insufficient, what does that mean for AI regulatory frameworks based on third-party behavioral auditing (METR, Apollo, AISI)?
- **ERI timeline recalibration**: Incorporate Phuong et al. finding (current models lack stealth capabilities) + Chaudhary power-law + Santos-Grueiro formal proof into a single revised estimate. The 18-36 month estimate from Session 28-29 was too aggressive; 2-4 years from 2025 is more defensible.
- **Nordby et al. April 2026 findings**: This is very recent. If multi-layer ensemble probes genuinely scale with model size, this may be the most promising counter-ERI development yet. Follow up: has anyone tested multi-layer ensembles against SCAV-style attacks? If probes are robust to concept-direction attack, that changes the hierarchy.
### Dead Ends (don't re-run)
- SPAR results: still too early, check May/June 2026
- Tweet feed search: now 6 consecutive empty sessions, not worth attempting
- B1 disconfirmation via "misuse-first" primary paper: nothing found across multiple sessions; the KB's own analysis is the most complete treatment available
### Branching Points (one finding opened multiple directions)
- **Santos-Grueiro normative indistinguishability**: Direction A — extract as formal foundation claim for ERI (philosophical/theoretical KB layer). Direction B — connect to governance policy implications (what does a proof of behavioral evaluation insufficiency mean for METR/AISI audit frameworks?). Direction A first: the theoretical claim strengthens the KB foundation before policy implications are extracted.
- **Nordby et al. multi-layer ensemble scaling**: Direction A — extract as "verification IS scaling" counter-claim to B4. Direction B — check whether multi-layer ensembles are robust to SCAV-style attacks (if yes, this resolves the Beaglehole × SCAV divergence toward "representation monitoring wins"). Direction B first: the answer determines whether Direction A is a genuine B4 counter-claim or an optimistic finding that breaks down under adversarial attack.
Reference in a new issue View git blame Copy permalink