I mostly agree—we discussed this in the post (though it may have been easy to miss):
Our bounds also can’t easily rule out extremely cautious schemers, that can wait until only the 0.001% most ‘deployment-y’ examples, and then defect. The recent LessWrong post on “Deployment Awareness” discusses this problem nicely.
The core problem for measuring awareness on the most ‘obvious’ deployment examples is one of upsampling the right cases – sampling i.i.d. could be too expensive. In contrast, a core challenge for a schemer is being calibrated, in a single context, about the distribution of their credences across other instances, and being disciplined about not defecting for superoptimal opportunities. It might be possible to rule out these kinds of capability for ~human-level systems.
I think it is unlikely that 2026 LLMs would be able to follow this kind of strategy contexts, but showing that is harder. I’m somewhat optimistic that an argument drawing on evidence from the human-red-teaming described in this post + something like the subversion strategy eval could give a reasonably strong argument against intentional scheming (stronger than current SoTA, but short of ‘assurance’).
I mostly agree—we discussed this in the post (though it may have been easy to miss):
I think it is unlikely that 2026 LLMs would be able to follow this kind of strategy
I’m somewhat optimistic that an argument drawing on evidence from the human-red-teaming described in this post + something like the subversion strategy eval could give a reasonably strong argument against intentional scheming (stronger than current SoTA, but short of ‘assurance’).