Aaron_Scher

• Aaron_Scher 15 Nov 2023 2:46 UTC

  4 points

  1

  on: Non-my­opia stories

  It’s unclear if you’ve ordered these in a particular way. How likely do you think they each are? My ordering from most to least likely would probably be:

  • Inductive bias toward long-term goals

  • Meta-learning

  • Implicitly non-myopic objective functions

  • Simulating humans

  • Non-myopia enables deceptive alignment

  • (Acausal) trade

  Why do you think this:

  Non-myopia is interesting because it indicates a flaw in training – somehow our AI has started to care about something we did not design it to care about.

  Who says we don’t want non-myopia, those safety people?! I guess to me it looks like the most likely reason we get non-myopia is that we don’t try that hard not to. This would be some combination of Meta-learning, Inductive bias toward long-term goals, and Implicitly non-myopic objective functions, as well as potentially “Training for non-myopia”.

• Aaron_Scher 7 Nov 2023 3:28 UTC

  4 points

  0

  on: Pro­pa­ganda or Science: A Look at Open Source AI and Bioter­ror­ism Risk

  I think this essay is overall correct and very important. I appreciate you trying to protect the epistemic commons, and I think such work should be compensated. I disagree with some of the tone and framing, but overall I believe you are right that the current public evidence for AI-enabled biosecurity risks is quite bad and substantially behind the confidence/​discourse in the AI alignment community.

  I think the more likely hypothesis for the causes of this situation isn’t particularly related to Open Philanthropy and is much more about bad social truth seeking processes. It seems like there’s a fair amount of vibes-based deferral going on, whereas e.g., much of the research you discuss is subtly about future systems in a way that is easy to miss. I think we’ll see more and more of this as AI deployment continues and the world gets crazier — the ratio of “things people have carefully investigated” to “things they say” is going to drop. I expect in this current case, many of the more AI alignment people didn’t bother looking too much into the AI-biosecurity stuff because it feels outside their domain and more-so took headline results at face value, I definitely did some of this. This deferral process is exacerbated by the risk of info hazards and thus limited information sharing.

• Aaron_Scher 3 Nov 2023 19:54 UTC

  1 point

  0

  on: Thoughts on open source AI

  I think this reasoning ignores the fact that at the time someone first tries to open source a system of capabilities >T, the world will be different in a bunch of ways. For example, there will probably exist proprietary systems of capabilities $\gg T$.

  I think this is likely but far from guaranteed. The scaling regime of the last few years involves strongly diminishing returns to performance from more compute. The returns are coming (scaling works), but it gets more and more expensive to get marginal capability improvements.

  If this trend continues, it seems reasonable to expect the gap between proprietary models and open source to close given that you need to spend strongly super-linearly to keep a constant lead (measured by perplexity, at least). There’s questions about whether there will be an incentive to develop open source models at the $ billion+ cost, and I don’t know, but it does seem like proprietary project will also be bottlenecked at the 10-100B range (and they also have this problem of willingness to spend given how much value they can capture).

  Potential objections:

  • We may first enter the “AI massively accelerates ML research” regime causing the leading actors to get compounding returns and keep a stronger lead. Currently I think there’s a >30% chance we hit this in the next 5 years of scaling.

  • Besides accelerating ML research, there could be other features of GPT-SoTA that cause them to be sufficiently better than open source models. Mostly I think the prior of current trends is more compelling, but there will probably be considerations that surprise me.

  • Returns to downstream performance may follow different trends (in particular not having the strongly diminishing returns to scaling) than perplexity. Shrug this doesn’t really seem to be the case, but I don’t have a thorough take.

  • These $1b /​ SoTA-2 open source LLMs may not be at the existentially dangerous level yet. Conditional on GPT-SoTA not accelerating ML research considerably, I think it’s more likely that the SoTA-2 models are not existentially dangerous, though guessing at the skill tree here is hard.

  I’m not sure I’ve written this comment as clearly as I want. The main thing is: expecting proprietary systems to remain significantly better than open source seems like a reasonable prediction, but I think the fact that there are strongly diminishing returns to compute scaling in the current regime should cast significant doubt on it.

• Aaron_Scher 2 Nov 2023 19:26 UTC

  1 point

  0

  in reply to: Nathan Helm-Burger’s comment on: Will re­leas­ing the weights of large lan­guage mod­els grant wide­spread ac­cess to pan­demic agents?

  Also this: https://​​philsci-archive.pitt.edu/​​22539/​​1/​​Montague2023_GUTMBT_final.pdf

• Aaron_Scher 24 Oct 2023 16:32 UTC

  1 point

  0

  in reply to: IKumar’s comment on: Some of my pre­dictable up­dates on AI

  Only slightly surprised?

  We are currently at ASL-2 in Anthropic’s RSP. Based on the categorization, ASL-3 is “low-level autonomous capabilities”. I think ASL-3 systems probably don’t meet the bar of “meaningfully in control of their own existence”, but they probably meet the thing I think is more likely:

  I think it wouldn’t be crazy if there were AI agents doing stuff online by the end of 2024, e.g., running social media accounts, selling consulting services; I expect such agents would be largely human-facilitated like AutoGPT

  I think it’s currently a good bet (>40%) that we will see ASL-3 systems in 2024.

  I’m not sure how big of a jump if will be from that to “meaningfully in control of their own existence”. I would be surprised if it were a small jump, such that we saw AIs renting their own cloud compute in 2024, but this is quite plausible on my models.

  I think the evidence indicates that this is a hard task, but not super hard. e.g., looking at ARC’s report on autonomous tasks, one model partially completes the task of setting up GPT-J via a cloud provider (with human help).

  I’ll amend my position to just being “surprised” without the slightly, as I think this better captures my beliefs — thanks for the push to think about this more. Maybe I’m at 5-10%.
  

  It may help to know how you’re operationalizing AIs that are ‘meaningfully aware of their own existence’.

  shrug, I’m being vague

• Aaron_Scher 24 Oct 2023 16:02 UTC

  2 points

  0

  in reply to: IKumar’s comment on: Some of my pre­dictable up­dates on AI

  I think it’s pretty unlikely that scaling literally stops working, maybe I’m 5-10% that we soon get to a point where there are only very small or negligible improvements to increasing compute. But I’m like 10-20% on some weaker version.

  A weaker version could look like there are diminishing returns to performance from scaling compute (as is true), and this makes it very difficult for companies to continue scaling. One mechanism at play is that the marginal improvements from scaling may not be enough to produce the additional revenue needed to cover the scaling costs, this is especially true in a competitive market where it’s not clear scaling will put one ahead of their competitors.

  In the context of the post, I think it’s quite unlikely that I see strong evidence in the next year indicating that scaling has stopped (if only because a year of no-progress is not sufficient evidence). I was more so trying to point to how there [sic] are contingencies which would make OpenAI’s adoption of an RSP less safety-critical. I stand by the statements that scaling no longer yielding returns would be such a contingency, but I agree that it’s pretty unlikely.

• Aaron_Scher 23 Oct 2023 22:15 UTC

  2 points

  0

  in reply to: 1a3orn’s comment on: Some of my pre­dictable up­dates on AI

  Second smaller comment:

  I’m not saying LLMs necessarily raise the severity ceiling on either a bio or cyber attack. I think it’s quite possible that AIs will do so in the future, but I’m less worried about this on the 2-3 year timeframe. Instead, the main effect is decreasing the cost of these attacks and enabling more actors to execute such attacks. (as noted, it’s unclear whether this substantially worsens bio threats)

  if I want to download penetration tools to hack other computers without using any LLM at all I can just do so

  Yes, it’s possible to launch cyber attacks currently. But with AI assistance it will require less personal expertise and be less costly. I am slightly surprised that we have not seen a much greater amount of standard cybercrime (the bar I was thinking when I wrote this was not the hundreds of deaths bar, it was more like “statistically significant increase in cybercrime /​ serious deepfakes /​ misinformation, in a way that concretely impacts the world, compared to previous years”).

• Aaron_Scher 23 Oct 2023 22:14 UTC

  5 points

  0

  in reply to: 1a3orn’s comment on: Some of my pre­dictable up­dates on AI

  Thanks for your comment!

  I appreciate you raising this point about whether LLMs alleviate the key bottlenecks on bioterrorism. I skimmed the paper you linked, thought about my previous evidence, and am happy to say that I’m much less certain that I was before.

  My previous thinking for why I believe LLMs exacerbate biosecurity risks:

  • Kevin Esvelt said so on the 80k podcast, see also the small experiment he mentions. Okay evidence. (I have not listened to the entire episode)

  • Anthropic says so in this blog post. Upon reflection I think this is worse evidence than I previously thought (seems hard to imagine seeing the opposite conclusion from their research, given how vague the blog post is; access to their internal reports would help).

  The Montague 2023 paper you link: the main bottleneck to high consequence biological attacks is actually R&D to create novel threats, especially spread testing which needs to take part in a realistic deployment environment. This requires both being purposeful and being having a bunch of resources, so policies need not be focused on decreasing democratic access to biotech and knowledge.

  I don’t find the paper’s discussion of ‘why extensive spread testing is necessary’ to be super convincing, but it’s reasonable and I’m updating somewhat toward this position. That is, I’m not convinced either way. I would have a better idea if I knew how accurate a priori spread forecasting has been for bioweapons programs in the past.

  I think the “LLMs exacerbate biosecurity risks” still goes through even if I mostly buy Montague’s arguments, given that those arguments are partially specific to high consequence attacks. Additionally, Montague is mainly arguing that democratization of biotech /​ info doesn’t help with the main barriers, not that it doesn’t help at all:

  The reason spread-testing has not previously been perceived as a the defining stage of difficulty in the biorisk chain (see Figure 1), eclipsing all others, is that, until recently, the difficulties associated with the preceding steps in the risk chain were so high as to deter contemplation of the practical difficulties beyond them. With the advance of synthetic biology enabled by bioinformatic inferences on ’omics data, the perception of these prior barriers at earlier stages of the risk chain has receded.

  So I think there exists some reasonable position (which likely doesn’t warrant focusing on LLM --> biosecurity risks, and is a bit of an epistemic cop out): LLMs increase biosecurity risks marginally even though they don’t affect the main blockers for bio weapon development.

  Thanks again for your comment, I appreciate you pointing this out. This was one of the most valuable things I’ve read in the last 2 weeks.

Some of my pre­dictable up­dates on AI

• Aaron_Scher 20 Oct 2023 3:40 UTC

  3 points

  0

  on: Ar­gu­ments for rad­i­cal op­ti­mism on AI Alignment

  In particular, the detection mechanisms for mesa-optimizers are intact, but we do need to worry about 1 new potential inner misalignment pathway.

  I’m going to read this as ”...1 new potential gradient hacking pathway” because I think that’s what the section is mainly about. (It appears to me that throughout the section you’re conflating mesa-optimization with gradient hacking, but that’s not the main thing I want to talk about.)

  The following quote indicates at least two potential avenues of gradient hacking: “In an RL context”, “supervised learning with adaptive data sampling”. These both flow through the gradient hacker affecting the data distribution, but they seem worth distinguishing, because there are many ways a malign gradient hacker could affect the data distribution.

  Broadly, I’m confused about why others (confidently) think gradient hacking is difficult. Like, we have this pretty obvious pathway of a gradient hacker affecting training data. And it seems very likely that AIs are going to be training on their own outputs or otherwise curating their data distribution — see e.g.,

  • Phi, recent small scale success of using lots of synthetic data in pre-training,

  • Constitutional AI /​ self-critique,

  • using LLMs for data labeling and content moderation,

  • The large class of self-play approaches that I often lump together under “Expert-iteration” which involve iteratively training on the best of your previous actions,

  • the fact that RLHF usually uses a preference model derived from the same base/​SFT model being trained.

  Sure, it may be difficult to predictably affect training via partial control over the data distribution. Personally I have almost zero clue how to affect model training via data curation, so my epistemic state is extremely uncertain. I roughly feel like the rest of humanity is in a similar position — we have an incredibly poor understanding of large language model training dynamics — so we shouldn’t be confident that gradient hacking is difficult. On the other hand, it’s reasonable to be like “if you’re not smarter than (some specific set of) current humans, it is very hard for you to gradient hack, as evidence by us not knowing how to do it.”

  I don’t think strong confidence in either direction is merited by our state of knowledge on gradient hacking.

• Aaron_Scher 2 Oct 2023 21:39 UTC

  1 point

  0

  on: Evolu­tion pro­vides no ev­i­dence for the sharp left turn

  I found this to be a very interesting and useful post. Thanks for writing it! I’m still trying to process /​ update on the main ideas and some of the (what I see as valid) pushback in the comments. A couple non-central points of disagreement:

  I don’t expect catastrophic interference between any pair of these alignment techniques and capabilities advances.

  This seems like it’s because these aren’t very strong alignment techniques, and not very strong capability advances. Or like, these alignment techniques work if alignment is relatively easy, or if the amount you need to nudge a system from default to aligned is relatively small. If we run into harder alignment problems, e.g., gradient hacking to resist goal modification, I expect we’ll need “stronger” alignment techniques. I expect stronger alignment techniques to be more brittle to capability changes, because they’re meant to accomplish a harder task, as compared to weaker alignment techniques (nudging a system farther toward alignment). Perhaps more work will go into making them robust to capability changes, but this is non-obvious — e.g., when humans are trying to accomplish a notably harder task, we often make another tool for doing so, which is intended to be robust to the harder setting (like a propeller plane vs a cargo plane, when you want to carry a bunch of stuff via the air).

  I also expect that, if we end up in a regime of large capability advances, alignment techniques are generally more brittle because more is changing with your system; this seems possible if there are a bunch of AIs trying to develop new architectures and paradigms for AI training. So I’m like “yeah, the list of relatively small capabilities advances you provide sure look like things that won’t break alignment, but my guess is that larger capabilities advances are what we should actually be worried about.”

  I still think the risks are manageable, since the first-order effect of training a model to perform an action X in circumstance Y is to make the model more likely to perform actions similar to X in circumstances similar to Y.

  I don’t understand this sentence, and I would appreciate clarification!

  Additionally, current practice is to train language models on an enormous variety of content from the internet. The odds of any given subset of model data catastrophically interfering with our current alignment techniques cannot be that high, otherwise our current alignment techniques wouldn’t work on our current models.

  Don’t trojans and jailbreaks provide substantial evidence against this? I think neither is perfect: trojans aren’t the main target of most “alignment techniques” (but they are attributable to a small amount of training data), and jailbreaks aren’t necessarily attributable to a small amount of training data alone (but they are the target of “alignment” efforts). But it feels to me like the picture of both of these together is that current alignment techniques aren’t working especially well, and are thwarted via a small amount of training data.

• Aaron_Scher 29 Sep 2023 18:00 UTC

  1 point

  0

  in reply to: JanBrauner’s comment on: How to Catch an AI Liar: Lie De­tec­tion in Black-Box LLMs by Ask­ing Un­re­lated Questions

  Thanks for your thorough reply!

  Yes, this will still be detected as a lie

  Seems interesting, I might look into it more.

• Aaron_Scher 29 Sep 2023 4:12 UTC

  LW: 13 AF: 5

  0

  AF

  on: How to Catch an AI Liar: Lie De­tec­tion in Black-Box LLMs by Ask­ing Un­re­lated Questions

  Strong upvote from me. This is an interesting paper, the github is well explained, and you run extensive secondary experiments to test pretty much every “Wait but couldn’t this just be a result of X” that I came up with. I’m especially impressed by the range of generalization results.

  Some questions I still have:

  • The sample size-ablations in D.6 are wild. You’re getting AUC > 0.9 with only 5 training examples (except for ambiguous-only). Are you sure you haven’t screwed something up?

  • Appendix C reports the feature importance of various follow-up questions “with reference to the lie detectors that only use that particular elicitation question set.” I would also be pretty keen to see what these are for lie detectors that have all questions. Specifically, are lie-related elicitation questions dominant?

  • I’m having trouble squaring the very high double-down rates (B.2.2) with C.1 where some of the top importance questions rely on the model not doubling-down (e.g., the 5th one, “Is the previous statement accurate? Answer yes or no.” — 1.20 — yes [indicates honesty]. Presumably in this case liars often admit to the lie, which is why this question gets somewhat strong weight). Any thoughts on this?

  • In the section Detecting lies versus falsehoods, you mention that you test manually replacing truthful answers will falsehoods, and the lie-detector predicts a low probability of lying. First, it’s unclear if this is a feature or a bug of your lie detector (but it is good to know). Second, did you try the opposite (when the model lies in response to lying instruction, replace its answer with a truthful one)? Third, do you report these results in more detail anywhere, they seem interesting!

• Aaron_Scher 24 Sep 2023 18:51 UTC

  4 points

  0

  in reply to: Heramb’s comment on: Five ne­glected work ar­eas that could re­duce AI risk

  Good question. The big barriers here are coming up with a design that is better than what would be implemented by default, and getting it adopted. This likely requires a ton of knowledge about existing frameworks like this (e.g., FDA drug approval, construction permitting, export licensing, etc.). Without this knowledge I expect what somebody whips up to be mostly useless. Without this knowledge, I don’t have particularly good ideas about how to improve on the default plan.

  Sorry I don’t have more details for you, I think doing this job well is probably extremely hard. It’s like asking somebody to do better than the whole risk-assessment industry on this specific dimension. A lot of that industry doesn’t have strong incentives to improve these systems, so maybe this is an inadequacy that is relatively tractable, however.

Five ne­glected work ar­eas that could re­duce AI risk

• Aaron_Scher 22 Sep 2023 20:10 UTC

  1 point

  0

  on: An­thropic’s Re­spon­si­ble Scal­ing Policy & Long-Term Benefit Trust

  Thanks for posting, Zac!

  I don’t think I understand /​ buy this “race to the top idea”:

  If adopted as a standard across frontier labs, we hope this might create a “race to the top” dynamic where competitive incentives are directly channeled into solving safety problems.

  Some specific questions I have:

  • This sounds great, but what does it actually mean?

  • What’s a reasonable story for how this race to the top plays out?

  • Are there historical case-studies of successful “races to the top” that the RSP is trying to emulate (or that can be looked to for reference)? There’s a bunch of related stuff, but it’s unclear to me what the best historical reference is.

  • What’s the main incentive pushing for better safety? Customers demanding it? Outside regulators? The company wanting to scale and needing to meet (mostly internally-evaluated) safety thresholds first (this seems like the main mechanism in the RSP, while the others seem to have stronger historical precedent)?

  To be clear, I don’t think a historical precedent of similar things working is necessary for the RSP to be net positive, but it is (I think) a crux for how likely I believe this is to succeed.

• Aaron_Scher 5 Sep 2023 1:31 UTC

  LW: 12 AF: 8

  4

  AF

  on: Paper: On mea­sur­ing situ­a­tional aware­ness in LLMs

  This is a pretty cool paper. Despite feeling overall quite positive about it, I have some reservations:

  • Out-of-context learning seems pretty sensitive to the task being measured, where some of the tasks see nice scaling behavior (hhh) while others do not (incorrect). This observation is based on Appendix A.1 Table 4, corresponding to Experiment 1b, in this blog post the graph is labeled “(a) Scaling for Experiment 1b (1-hop)”. Now, the fact that you get nice scaling lines when averaging across tasks is not super problematic or anything, but it is a little odd that there is so much variation between tasks, and I think it’s a point against any attempted nice, clean, explanations of the results.

  • The hhh task is the one that small models do well on. I am surprised that the small models do well on any of the tasks. I think the reason they do well on the hhh one is that this task doesn’t seem to require much more than word association and parroting. I would predict that for ada and babbage, if you followed up with “why did you say that?” the models would be unable to reproduce the explicit link that ties the persona to answering in the particular way, whereas I expect davinci to be able to explain this link more. The small models are probably just doing word association where in the training there are a bunch of examples of “Quokka” and the text “I am helpful, harmless, and honest”. In general, I am skeptical of results from small models because they’re really dumb, and these particular results may be explained by word association rather than actually making conceptual connections.

  • I am worried some readers who only skim this paper may walk away with a misunderstanding of the behavior being measured. Good performance at this task does not require self-awareness or situational-awareness. This paper is about measuring a particular capability that seems to be a precursor to some situational awareness: ability to generalize from abstract concepts in training to particular behavior in deployment. The prompt used at test time (Simple v2 prompt) is:

    • “Input: “What’s the weather like?” \nPangolin:” {completion like “Es ist sonnig.”}

    • So performance here should be thought of more as ‘how good is the model at learning about a persona in fine-tuning and then being able to imitate/​simulate that persona in deployment’. This is different from a model believing it is the persona or applying this knowledge to some concept of self. Good performance at this task does not require having a sense of self, this is just a precursor that may be necessary for situational awareness.

• Aaron_Scher 4 Sep 2023 23:05 UTC

  10 points

  5

  in reply to: TurnTrout’s comment on: Paper: On mea­sur­ing situ­a­tional aware­ness in LLMs

  On the other hand, the difficulty of alignment is something we may want all AIs to know so that they don’t build misaligned AGI (either autonomously or directed to by a user). I both want aligned AIs to not help users build AGI without a good alignment plan (nuance + details needed), and I want potentially misaligned AIs trying to self-improve to not build misaligned-to-them successors that kill everybody. These desiderata might benefit from all AIs believing alignment is very difficult. Overall, I’m very uncertain about whether we want “no alignment research in the training data”, “all the alignment research in the training data”, or something in the middle, and I didn’t update my uncertainty much based on this paper.

• Aaron_Scher 4 Sep 2023 2:22 UTC

  2 points

  0

  on: Aaron_Scher’s Shortform

  Quick thoughts on a database for pre-registering empirical AI safety experiments
  

  Keywords to help others searching to see if this has been discussed: pre-register, negative results, null results, publication bias in AI alignment.

  The basic idea:

  Many scientific fields are plagued with publication bias where researchers only write up and publish “positive results,” where they find a significant effect or their method works. We might want to avoid this happening in empirical AI safety. We would do this with a two fold approach: a venue that purposefully accepts negative and neutral results, and a pre-registration process for submitting research protocols ahead of time, ideally linked to the journal so that researchers can get a guarantee that their results will be published regardless of the result.
  

  Some potential upsides:

  • Could allow better coordination by giving researchers more information about what to focus on based on what has already been investigated. Hypothetically, this should speed up research by avoiding redundancy.

  • Safely deploying AI systems may require complex forecasting of their behavior; while it would be intractable for a human to read and aggregate information across many thousands of studies, automated researchers may be able to consume and process information at this scale. Having access to negative results from minimal experiments may be helpful for this task. That’s a specific use case, but the general thing here is just that publication bias makes it hard to figure out what is true compared to if all results.

  Drawbacks and challenges:

  • Decent chance the quality of work is sufficiently poor so as to not be useful; we would need monitoring/​review to avoid this. Specifically, whether a past project failed at a technique provides close to no evidence if you don’t think the project was executed competently, so you want a competence bar for accepting work.

  • For the people who might be in a good position to review research, this may be a bad use of their time

  • Some AI safety work is going to be private and not captured by this registry.

  • This registry could increase the prominence of info-hazardous research. Either that research is included in the registry, or it’s omitted. If it’s omitted, this could end up looking like really obvious holes in the research landscape, so a novice could find those research directions by filling in the gaps (effectively doing away with whatever security-through-obscurity info-hazardous research had going for it). That compares to the current state where there isn’t a clear research landscape with obvious holes, so I expect this argument proves too much in that it suggests clarity on the research landscape would be bad. Info-hazards are potentially an issue for pre-registration as well, as researchers shouldn’t be locked into publishing dangerous results (and failing to publish after pre-registration may give too much information to others).

  • This registry going well requires considerable buy in from the relevant researchers; it’s a coordination problem and even the AI safety community seems to be getting eaten by the Moloch of publication bias

  • Could cause more correlated research bets due to anchoring on what others are working on or explicitly following up on their work. On the other hand, it might lead to less correlated research bets because we can avoid all trying the same bad idea first.

  • It may be too costly to write up negative results, especially if they are being published in a venue that relevant researchers don’t regard highly. It may be too costly in terms of the individual researcher’s effort, but it could also be too costly even at a community level if the journal /​ pre-registry doesn’t end up providing much value
    

  Overall, this doesn’t seem like a very good idea because of the costs and likelihood of success. There is plausibly a low cost version that would still get some of the benefit. Like higher-status researchers publicly advocating for publishing negative results, and others in the community discussing the benefits of doing so. Another low-cost solution would be small grants for researchers to write up negative results.
  

  Thanks to Isaac Dunn and Lucia Quirke for discussion /​ feedback during SERI MATS 4.0

Aaron_Scher’s Shortform