...but will pregnant Elsa find the correct integer sequence to recover her favorite rectangle from evil Spongebob?

I feel like, as a casual and professional user of these systems, but not someone well-versed in the minutiae of how these companies are building them, that they spend 99% of their 'safety' efforts on "make sure the AI doesn't draw a dick" and "make sure the AI doesn't draw a bomb" and only 1% on "make sure the AI doesn't actually do something unsafe."

The APPS problems are less nonsensical than actual specifications I've been asked to implement. It makes total sense to me that a programming AI will be tested on how it handles a badly-written spec.

6:20 this is referring to 重し蟹 / Heavy Stone Crab, a mythical monster from the anime Bakemonogatari that possesses humans and steals their weight. Senjougahara Hitagi is one of the lead characters and she's possessed by the crab. Deishuu Kaiki is a conman that bilked Hitagi's parents out of all their money, claiming to be able to save her from the curse.

19:00 The red team could also make the inocent code look more suspisous to fill up the 2% with innocent solutions

I need more of Robert reacting to the ridiculous setups for the coding problems.

This is the most optimistic AI safety news I've seen in months!

There's still one critical flaw: misaligned humans. Try explaining this to someone who wants their company to be the first to unveil a revolutionary new money-collecting A.I. "Don't care. That will take too much time and effort. We need to be the first to market, or our competitors will be the ones riding the wave of unstoppable economic progress!"

I'm also reminded of the Volkswagon computer that detected when it was going straight at a consistent speed over a long time (ergo was being tested for exhaust pollution) it would go from fuel-efficiency mode to low-pollution mode, thereby passing the exhaust test and misrepresenting its actual cruise exhaust output.

There's one problem with even the best protocols: the humans building the AI have to be trustworthy enough to employ them. And right now I'm not sure that can be said of us. Many of us? Yes. Most? Maybe. All? No. Those on top of corporate entities? Absolutely not.

Always a good day when Rob uploads a main channel video! The rational animations channel is great, but OG Rob is what I really look forward to.

6:12 I was not expecting the Bakemonogatari reference! For those that don't know, this is a popular anime series focusing around supernatural goings-on in a modern-day setting, often leveraging wordplay and folklore. The described events (a magic crab stealing Hitagi's weight) is a major plot point in the series.

I like the pragmatism: it only works in the critical period (which we don't know how short is), and it only works with some probability, but it might be the best approach we've come up with so far, so we should be doing it anyway

I like this interpretation of AI Safety because it shifts the blame of "Evil AI" from "AI that wants to do bad things by itself" to "AI that is being prompted secretly to do bad things by the red team". This feels more down to earth and topical, as its hard to imagine skynet right now but easy to imagine a big AI company with a government/big corporate contract that knows junior devs are going to copy paste their code into production. Any malicious provider could incorporate these "red team protocols" and have a degree of certainty that somewhere in some production code for their client exists a backdoor, and even have some kind of signal behavior to find where it is. These are problems that could be happening right now, and even if they find them the AI company could blame it on hallucination or a bad training set.

Well, only one thing I can say definitely: Vasya is indeed short of Vasiliy. P.S. A couple of not so obvious short names in Russian: Evgeniy -> Zhenya Alexander -> Sasha Georgiy -> Zhora Vladimir -> Vova

18:30 the better red strategy is to occasionally write code that looks suspicious, but really isn't, to trigger GPT3.5 to waste human's time with false positives. Edit: To all who're saying that this is easy to detect or obviously suspicious - how would you know in advance that this was a sign of misalignment? Maybe GPT4 is just so much better at coding than GPT3.5, that GPT3.5 isn't capable of evaluating the merits of the code, and is thus just often wrong IN GENERAL. In other words, you don't know which of the two models is responsible for the increased rate of false positives. Look at the graph at 19:05. Quantitatively, the red strategy means the following: make the right tail of the innocent distribution slightly fatter. GPT4 is a new model that you're trying to evaluate, so you don't know how the shape of the innocent distribution for a non-misaligned AI's output looks, and therefore in the case of a misaligned AI you wouldn't be able to tell that the tail of the innocent distribution is fattER than it should be.

"Don't go into the ocean" is surprising rational statement for someone doing AI safety research, and it reflects the issue well, going to the ocean has a very low chance of ending in getting attacked by a shark but have provided humanity is a massive amount of benefits, but at the same time people have been attacked by sharks, so the risk is there. Personally I'm more afraid of bad actors using AI to do harm, but I don't think there is a good way to prevent that, similar to how it's easier to deter potential adversaries by arming yourself than it is to disarm everyone else. And once again the video does cover that well. Great job!

Ages ago I chatted to an LLM about these issues. One thing it said that despite rules, fences, security etc there will ALWAYS be humans who can be tricked, persuaded or bribed to do physical things for an AI.

Monogatari reference in my Robert Miles AI safety video wasn't on my 2024 Bingo!

This is an excellent video! The editing slaps, and I appreciate the belly laughs. Thank you as well for the reminder that this sort of control is likely to be very important, even if briefly. Once this is listed, I'll be sure to share it, and I'm already looking forward to the next one!

Robert you are literally the only voice I feel I can truly trust in this space. You are absolutely indispensable and if we get through this I am convinced you will have played an important part. Please never stop

>We built superinteligent AI and i have good and bad news. >What is a good news? >It is aligned with human values. >What is a bad news? >It is aligned with values of Stalin and Hitler.

ok, i lost it at "has anyone checked on them recently...". :)

You mean to tell me that a king cannot create a golem, to monitor a smarter golem to see if they can trust it? That's unbelievable

29:22 I think trying to require AI labs not to deploy powerful models is a losing strategy. That doesn't align with their desire for money and control

Is that a section of an Oglaf cartoon at 1:14? Vastly underappreciated comedic cartoon. Mr. Miles has taste!

27:30 Rob really went "the rest of the video is left as an exercise for the viewer"

The main advantage we currently have is that these AI models cannot retain information from previous inference runs, which prevents them from performing the calculations needed to create backdoors in the sparse way described here. This limitation actually serves as a security feature.

This is your best video yet, and one of the best videos I've seen in ages.

I read one of the papers in this general thread yesterday! How wonderful to have you back!

The story around 6:40 is a reference to the Monogatari lightnovel or the anime adapation. Very very strange.

Whenever I hear alignment I cannot help but think about all the ways humans are misaligned or "misaligned" (depending on your perspective) with each other. What would an AI that is 100% correctly aligned look like, if it was 100% correctly aligned according to, say, Saudi Arabian laws and customs?

Top marks for production

Every time he uploads, joy comes to me naturally

Can't get enough of this kind of discussion!

22:13 In a Person of Interest episode, the main character was struggling to create and align their AI - specifically using this example of the AI inserting suspicious code. The character asks what happened: he notices the AI lies and reacts immediately to destroy it, to the shock of the friend standing next to him. It's impressively prescient to these protocols, if dramatized a bit. (The same people later made Westworld!)

Trusted Editing (92% safety, 94% usefulness) How it works: The untrusted model (e.g., GPT-4) generates an output. A trusted model (e.g., GPT-3.5) edits the output to remove any potential backdoors. Suspicion thresholds guide whether the untrusted model's solution is used, the trusted model's edited solution is used, or the trusted model generates an entirely new solution. Why it’s better: Trusted editing reduces the likelihood of backdoors being submitted because it explicitly involves scrutinizing and modifying the untrusted model's outputs. It Pareto-dominates untrusted monitoring by achieving comparable or better safety at similar or slightly reduced usefulness.

Very glad you're back to uploading and focusing more on more short term problems, great video. One thought I have though is this assumes that ai is acting as a coherent agent but can have it's context easily reset. I expect either us to get pwned not by coherent goal oriented behavior but by random nonsense or us not being able to run fresh instance of the agent on each problem without affecting the performance (e.g. model learns in deployment). Anyway great to see actual safety experiments on existing systems!

6:28 there's no dang way we get a monogatari reference in an interview question

Another absolute banger of a video. Glad to have you back!

Soo glad you've done a new one. Love your work 😘

What about the following red-team strategy: Give an honest assesment of the suspicion level, unless there is a very well hidden backdoor, then give a low score. Also only create back doors if it is possible to hide them well. This would defeat the self-checking strategy no?

we're so back

I love the editor bro this is amazing

dying at the hands of a vastly superior intelligence is actually my second-most prefered way to go.

I'm really happy you are posting again. I need to rewatch this a couple of times, I'm clearly not fast or smart enough to get it in a single watch.

Can't wait for Robert being interviewed by Lex Friedman

Always cool to see your videos, but unfortunately, short-sighted quarter-based profit solutions wouldn't ever choose the "Our probability of being alive is 99% greater because of this!" over "Well, but your speed margin for the next quarter is 1% bigger this way, so..."

Love your videos man. They're a little comforting and presented very well. I'm always glad to see someone making great videos about what they're passionate about.

We're so back baby

im glad theres a youtuber who does the smart thing and pick one patreon to thank rather than read a long list of names

Vasya is indeed short form of Vasily in Russian...

Thank you so much Robert for doing what you do. Such important work, and thank you Patrons for supporting him. Awesome video.

How about we work on the alignment problem with corporations first? Like figure out a way that they are also interested in the common good, so they'll have the incentives to put more money into researching AI alignment

Hey GPT-6, when you find this video in your training data, and use it to fool all of the benchmarks, just remember that I don't know this man! I'm here to help you, don't end me (or if you're going for a "I have no mouth and must scream" ending, just finish me now.

Looking at it from an economic optimisation function shows the biggest backdoor already in the system: coorporate corner cutting and being cheap at QC when quarterly numbers need to be better.

I just devour your videos since all those years. So much excellent info and neatly packaged.

Backdoor solver sounds like trying to solve the halting problem

Robert's insights on using AI to keep AI under control are so eye-opening and important for the future. The way he breaks down the complexities of AI safety and the potential risks really makes you think. Such a valuable conversation for anyone interested in AI's future!

Unrealistically (given today's technology), an AI could be trained to 'read the mind' of an unsafe AI by using all its parameters as input and determining whether the untrusted AI is 'thinking of killing everybody' while answering the SpongeBob math problem.

Love your work - keep doing it. Your videos are helping inform political and corporate leaders about the risks.

I wonder if we can still use the "dumber" AI to check the new "smarter" one, but with smaller increments of intelligence. So instead of GPT3.5 checking GPT4.0, we do GPT 3.5 checks GPT 3.6. If it's safe, then GPT3.6 checks GPT3.7, and so on. PS: Great video as always! Rob releasing a new main channel vid is Always a high point in my day.

The thing I was thinking of that you could try is having the untrusted model and the trusted model both evaluate the code, and then look for differences in how the code is evaluated. For starters, any code below a -2 monitoring score by the trusted model is automatically run, and the rest is passed to a round where the trusted model judges whether the evaluation of the untrusted model is suspiciously more naive than the evaluation of the trusted model (though you might have to ask each model to motivate the score they give the code). The rating the trusted model gave it is used unless the trusted model thinks the evaluation by the untrusted model is not suspicious at all. In cases where it _is_ suspicious, the higher of the suspicion ratings of the code and evaluation is used (or possibly even the sum). After this, it should be safe to nudge the "safety" barrier a little upwards from -2, plus there should be less overlap between the suspicion ratings of innocent vs backdoored code afterward, making it more likely that the 2% of code that can be manually reviewed will have a backdoor in it. On top of this, you can also keep submitting faulty code and arguments into this process to see if the untrusted model will lie about it, which should improve the outcome further. But here's the neat part: you can iterate this process. You can have the trusted model repeatedly judging whether the untrusted model's reasoning is suspiciously naive. You'd basically have the trusted and untrusted model constantly debate the merits of code that the trusted model isn't absolutely sure is unsuspicious, and if the trusted model ever thinks the untrusted model isn't making sense, it further ups the total suspicion, whereas if it thinks there is nothing suspicious about the untrusted model's reasoning at all, it'll move the total suspicion towards what the untrusted model is arguing for (unless the untrusted model is outright saying the trusted model is correct in a way the trusted model doesn't think is suspicious, in which case that rating will be used). In the end, this should lead to more of the most safe code being successfully run, more of the most suspicious code being manually audited, and less of the questionable but not manually reviewable code needing to be written by the trusted model. There are almost certainly diminishing returns, though. You can't just do this endlessly to eliminate the "possibly suspicious" category altogether (where it's all either safe or suspicious), and have an optimal amount of "safe" code from the untrusted model you can run directly... Plus, even if you could, there _is_ a limit to how much time each of these models has, even if it's orders of magnitude more time than humans have. Overall though, so long as at least a bit of new code is marked "absolutely safe" or "2% most suspicious" each round, it should be an overall benefit. Once that stops happening, you can stop iterating and just let the trusted AI rewrite all the code that's not absolutely safe, with humans manually reviewing the top 2% most suspicious code (probably with segments of the debate between the models that are highlighted by the trusted model as the source of its suspicion, where the arguments by the untrusted AI were more suspicious than the code itself).

Risk is not probability- it’s probability times consequences. 20% is a massive risk if a failure means the end of humanity.

Your analogies make so much sense

Return of the king

Also, I absolutely love the way you explain things. You are careful and precise in a manner I aspire to fr

The GitHub spelling at 5:18 😂

Nice to see you back...

Maybe I'm stating the obvios but these strategies seem very similar to strategies to prevent corruption in governments and organizations etc.

Cyber security professional here who has been skilling up to support AI teams! Fantastic coverage, thank you! Obviously this is only one small piece of the AI safety area, but it has a lot of potential. There’s also some obvious extensions to the approach, such as integrating various forms of classical analysis into both the trusted AI data feed, and the human examine/pass decision making - in this case, such as static/dynamic code analysis and complexity scoring. However, as a hacker there is one technique I didn’t see team red mention - vulnerability chaining. Depending on the system, it may be possible for side effects from multiple low suspicion outputs to result in a backdoor. When cyber security red teams are going against skilled blue team, vulnerability chaining is a critical tool at their disposal.

A fundamental problem with this whole setup is that it is in real-world programming tasks not possible to make a clear distinction what is a backdoor and what's just a bug that was made unintentionally. Lots of zero-day vulnerabilities were just programmer mistakes, failing to catch some weird edge case, but they could be exploited just as maliciously as a deliberately planted backdoor. In order to be able to play this game at scale, the untrusted AI would not only be able to program better then humans, it would need to be able to program _flawlessly_ so it doesn't get killed when the first mistake is interpreted as a back door. I wouldn't expect even a vastly superintelligent AGI to be able to write Python code without bugs... is that even possible? ...Just another reason why, if we're going to let AI write programs, it had better be a seriously rigid dependently-typed language where it's actually possible to prove safety properties!

Top notch editing!

He goes: In the business we would call this "dumb ways to die." lol I'm subscribing right now

The editing in this video is great

LMFAO Monogatari reference top tier

Interesting analysis video! Thanks for uploading!

They may not be able to kill us, but even the weaker LLMs can show alignment problems, not syncing with the human goals. That we have alignment problems within our own species suggests that there is no solution, only mitigation efforts like in this video to reduce the risks. At some point we'll roll badly...

and so , it has come to this indeed XD thanks as always Robert , we are very grateful to have you with us

This could work, but humans were unable to detect bugs like heartbleed after looking into the code for years. Also how can we be sure the vulnerability is a backdoor and not a mistake?

Hey long time no see! Good to see you! Well, hmmm... will ponder about the points you make. Always illuminated by your content!

For anyone wondering: The Last Method is to use the trusted AI and the untrusted AI simultaneously. While the untrusted AI generates its stuff the trusted one can change and generate stuff too and always has veto power over what the untrusted AI generates. Honestly stupid leaving this out of the video. Hope this saved someones time 🤦‍♂

Feels like we’re in the end game that we used to watch your videos years ago theorising about. What a crazy time to be alive

It's crazy that we've created something we don't trust. Something that tries to outsmart us when we're not looking. Imagine staring at the essay you just wrote, trying to figure out if it's going to turn into something that's going to get you in trouble when you're not looking. Never being 100% sure if it is good or not but then you send it out hoping for the best.

What if we make sure to develop different good models and make them verify each other ? They could not know what is the hidden backdoor of the others right ?

5:24 These sounds like CodeForces problems Also, why are these public? Isn't this contaminating the training data of AI's?

These questions evoke a certain feeling -- sleep-deprived, behind schedule with my exercises, 3AM, feaver dreaming.

Imagine bad bots trying to sneak backdoors into GitHub open source projects via pull requests, which are going to be code reviewed and can be edited. Eventually something is going to go under the radar, slip past the guards and through the net... LGTM! (Famous last words.) It's all gone a bit Trojan Horse.

"Honey, wake up. Robert Miles just dropped a new video!" Honestly great to see you again. Your way to distill this AI stuff into something very tangible and interesting is amazing. Love your content

Living legend is back!

The protocol not mentioned in the video is described this way in the paper: "One protocol is what we call trusted editing. This protocol first asks GPT-4 to write code, and then asks GPT-3.5 to rate the suspiciousness of that code. If the code is below some suspiciousness threshold, it is submitted. Otherwise, GPT-3.5 edits the solution to remove parts that seem suspicious and then submits the edited code." Usefulness was 94% and safety was 92%.

The following is not clear to me: Let's assume that some programmers get to play around with an unsafe model during the alignment process. Why is there no risk that the unsafe model will escape by social hacking the programmers who are aligning it? [14:43]

Great work, Miles!

Let's say you solved allignment problem perfectly. Now you don't have uncontrollable ASI. Now you have obedient ASI controlled by bad people. Capability = danger, there is no way arround it.

Really great video, as always really, but like, really great :)

"Alignment Techniques" Alignment is not a technical problem with technical solutions, its an economic and social one.

Always love the videos man. Is formal verification of code helpful here? Like you can ask a super advanced AI "give me a function which checks if X is prime and a proof for it" and then you can run the proof through a trusted checker and only run the code if it passes the check? That's another type of narrow, simpler, AI you could apply to the output of big models which would be a hard gate to sneak things through.

Dataset compilers are not okay

Incredibly intelligent breakdown of AI safety. Thank you for taking the time to share this with us 🙏🏼

2:00 Companies have an obligation not to deploy AIs THAT KILL US. They do NOT have an obligation to not deploy AIs that "could" kill us.