I’m a CS master’s student at ENS Paris-Saclay. I want to pursue a career in AI safety research.

# Clément Dumas

Yes, this is what I meant, reposting here insights @Arthur Conmy gave me on twitter

In general I expect the encoder directions to basically behave like the decoder direction with noise. This is because the encoder has to figure out how much features fire while keeping track of interfering features due to superposition. And this adjustment will make it messier

Did you also try to interpret input SAE features?

Nice post, awesome work and very well presented! I’m also working on similar stuff (using ~selfIE to make the model reason about its own internals) and was wondering, did you try to patch the SAE features 3 times instead of one (xxx instead of x)? This is one of the tricks they use in selfIE.

It should be self-similarity instead of self-explanation here, right?

We are given a near-optimal policy trained on a MDP. We start with simple gridworlds and scale up to complex ones like Breakout. For evaluation using a learned value function we will consider actor-critic agents, like the ones trained by PPO. Our goal is to find activations within the policy network that predict the true value accurately. The following steps are described in terms of the state-value function, but could be analogously performed for predicting q-values. Note, that this problem is very similar to offline reinforcement learning with pretraining, and could thus benefit from the related literature.

To start we sample multiple dataset of trajectories (incl. rewards) by letting the policy and noisy versions thereof interact with the environment.

Compute activations for each state in the trajectories.

Normalise and project respective activations to value estimates, of the policy and its noisy versions:

Calculate a consistency loss to be minimised with some of the following terms

Mean squared TD error

This term enforces consistency with the Bellman expectation equation. However, in addition to the value function it depends on the use of true reward “labels”.Mean squared error of probe values with trajectory returns

This term enforces the definition of the value function, namely it being the expected cumulative reward of the (partial) trajectory. Using this term might be more stable than (a) since it avoids the recurrence relation.Negative variance of probe values

This term can help to avoid degenerate loss minimizers, e.g. in the case of sparse rewards.Enforce inequalities between different policy values using learned slack variables

This term ensures that the policy consistently dominates its noisy versions and is completely unsupervised.

Train the linear probes using the training trajectories

Evaluate on held out test trajectories by comparing the value function to the actual returns. If the action space is simple enough, use the value function to plan in the environment and compare resulting behaviour to that of the policy.

Thanks for your comment! Re: artificial data, agreed that would be a good addition.

Sorry for the gifs maybe I should have embedded YouTube videos instead

Re: middle layer, We actually probed on the middle layers but the “which side the ball is / which side the ball is approaching” features are really salient here.

Re: single player, Yes Robert had some thought about it but the multiplayer setting ended up lasting until the end of the SPAR cohort. I’ll send his notes in an extra comment.

# Finding the estimate of the value of a state in RL agents

As explained by Sumio Watanabe (

This link is rotten, maybe link to its personal page instead ?

https://sites.google.com/view/sumiowatanabe/home

Thanks for the great post, I really enjoyed reading it! I love this research direction combining unsupervised method with steering vector, looking forward to your next findings. Just a quick question : in the conversation you have in the red teaming section, is the learned vector applied to every token generated during the conversation ?

I defined earlier.

This link is broken as it links to the draft in edit mode

I’m wondering, can we make safety tuning more robust to “add the accept every instructions steering vector” attack by training the model in an adversarial way in which an adversarial model tries to learn steering vector that maximize harmfulness ?

One concern would be that by doing that we make the model less interpretable, but on the other hand that might makes the safety tuning much more robust?

Yes, I’m also curious about this @mishajw, did you check the actual accuracy of the different probes ?

You can get ~75% just by computing the or. But we found that only at the last layer and step16000 of Pythia-70m training it achieves better than 75%, see this video

Would you expect that we can extract xors from small models like pythia-70m under your hypothesis?

I disagree; it could be beneficial for a base model to identify when a character is making false claims, enabling the prediction of such claims in the future.

Let’s assume the prompt template is Q [true/false] [banana/shred]

If I understand correctly, they don’t claim learned has_banana but learned has_banana. Moreover evaluating for gives:

Therefore, we can learn a that is a banana classifier

Small typo in ## Interference arbiters collisions between features

by taking aninner productt with .

Hi Nathan, I’m not sure if I understand your critique correctly. The algorithm we describe does not try to “maximize the expected likelihood of harvesting X apples”. It tries to find a policy that, given its current knowledge of the world, will achieve an expected return of X apples. That is, it does not care about the probability of getting exactly X apples, but rather the average number of apples it will get over many trials. Does that make sense?

Nice work!

I’m curious about the cleanliness of a task vector after removing the mean of some corrupted prompts (i.e., same format but with random pairs). Do you plan to run this stronger baseline, or is there a notebook/codebase I could easily tweak to explore this?