Julian Stastny 3 Feb 2026 21:33 UTC
2 points
−1
on: How to Hire a Team
I don’t have experience hiring for non-researchers, but for hiring researchers I disagree with some of the core advice in this post. (Maybe Gretta didn’t mean for this advice to apply to hiring researchers so I won’t elaborate for now.)

Methodological considerations in making malign initializations for control research

Alek Westover, Vivek Hebbar and Julian Stastny

24 Dec 2025 1:18 UTC

16 points

0 comments13 min readLW link

Prospects for studying actual schemers

ryan_greenblatt and Julian Stastny

19 Sep 2025 14:11 UTC

40 points

2 comments58 min readLW link

Julian Stastny 25 Aug 2025 20:57 UTC
1 point
0
on: On closed-door AI safety research
Scalable oversight, which is afaict a large percentage of the safety research done at labs, is quite useful for capabilities so probably not something labs want to publish by default.

Julian Stastny 6 Aug 2025 18:56 UTC
7 points
6
on: It’s Better To Save Infinite Shrimp From Torture Than To Save One Person
wtf is going on with so many of this author’s posts being negative karma? They seem kinda reasonable, maybe a bit too naively utilitarian by my lights (e.g. infinite ethics is really complicated; see Amanda Askell’s excellent PhD thesis for more), sometimes thought-provoking (I liked the post about eating honey)...is there some major beef I don’t know about?

Research Areas in AI Control (The Alignment Project by UK AISI)

Julian Stastny, Tomek Korbak, Mojmir, Buck and Alan Cooney

1 Aug 2025 10:27 UTC

25 points

0 comments18 min readLW link

(alignmentproject.aisi.gov.uk)

Julian Stastny 31 Jul 2025 6:13 UTC
LW: 1 AF: 1
0
AF
in reply to: Damon Falck’s comment on: Exploration hacking: can reasoning models subvert RL?
Thanks! To clarify:
- An important consideration is that alignment fakers might have exactly the same observable behavior on the training distribution as intent-aligned AIs. That’s why I object to your sentence “(..) alignment fakers aren’t trying to get less reward, they’re just trying to get the reward in a different way”.
- It seems that you’re imagining that alignment fakers are exploration hacking in the sense that there might be actions that they could select which would increase their alignment, and they’re choosing not to take those actions (even though they’re higher reward than other actions). It’s unclear to my why you think this.
  - Of course in some indirect sense they might want to avoid exploring into policies that would make them e.g. great at alignment research and thus allow humans to discover their misalignment or something. But presumably that’s not what you mean.
  - Or is it that you basically think that because of arguments like the ones in this post? (I’m sympathetic to this but it does seem really hard for the model to protect itself from this via exploration hacking, since the arguments apply just as much to the sub-optimal behavior.)

Julian Stastny 31 Jul 2025 5:45 UTC
LW: 3 AF: 3
1
AF
on: Exploration hacking: can reasoning models subvert RL?
I’ve now looked at the “Early Findings” section. I think this is great stuff and I’m excited to see your further work. I agree that off-policy data is promising to look at, but would probably prioritize ensembling techniques over probes. (Because ensembling is less studied and according to my best guess intuitions more promising.)

Julian Stastny 30 Jul 2025 23:26 UTC
LW: 2 AF: 2
0
AF
on: Exploration hacking: can reasoning models subvert RL?
Thanks for working on this (in my opinion) very important problem! (And happy to advise in some capacity if helpful.)

Some comments on the conceptual work (I plan to comment on the empirical work later):

(This is slightly broader than some usage of the term, and in particular includes cases where the model still takes some high-reward actions, but chooses them in a way that leads to an altered training outcome. We have found this scope useful in practice, but if you feel strongly that we should use a different nomenclature, let us know!)
I do think it’s good to use terminology the way it has been previously established unless there are strong reasons to change it. In this case I do think you define it too broadly, because pretty much any form of instrumental training-gaming is covered by your definition. And for empirical projects it’s good to stay focused.
There are several ways models might strategically use exploration during training to shape their future behavior in ways aligned with their current preferences:
Nitpick: I’m not sure how the taxonomy that follows is helpful. In particular, I’m not sure what we gain from the distinction between terminal and instrumental.
1. Misaligned models might successfully resist alignment training. One good example of this would be reliable alignment faking. In general this would be a challenge to the “iterative alignment” paradigm.
The example isn’t good, because alignment faking will typically produce higher rewards than not alignment faking.
Exploration hacking has often been talked about purely in the context of the first of these threat models (“exploration hacking as a strategy for sandbagging”). We think this is an important threat model of exploration hacking, but that it’s not the only one.
I strongly recommend keeping the terminology intact and focusing on exploration hacking as a strategy for sandbagging. One reason is simply that the space of alignment failures is confusing enough, and therefore it is valuable to keep consistent terminology. Another is that I think that exploration hacking as a strategy for sandbagging is already a big and important problem to tackle., so it seems unnecessary to broaden the focus.

Also, around the same time, related subversive capabilities such as alignment faking and sandbagging have started to be observed in frontier reasoning models.
Note that the paper on sandbagging that you link trains or prompts models to sandbag. It is not evidence for frontier models naturally sandbagging.
Alignment faking. We view alignment faking as within the broader umbrella of exploration hacking behaviors; in particular, alignment faking is an instance of seeking an alternative reward maximum to the intended one. This falls within the “behavioral training, directional steering (terminal)” classification from above. Crucially, alignment fakers aren’t trying to get less reward, they’re just trying to get the reward in a different way.
No, this is a misunderstanding. Alignment fakers need not be reward seekers. I recommend reading this post by Joe Carlsmith.

Julian Stastny 30 Jul 2025 0:27 UTC
2 points
0
in reply to: CorrigibleAgent’s comment on: Building Black-box Scheming Monitors
Overall I think this is cool work and I’m glad you did it! And I’d be keen to discuss follow-up work ideas with y’all if you are interested:)

Some critical remarks:
- I’d be substantially more interested in the setting where the monitor doesn’t have access to the CoT. IMO, projects like yours (i.e. attempts to uplift trusted monitoring) should ideally try to make some conservative assumptions to remain relevant for when things get scarier, one of them being that the scheming model isn’t openly/legibly scheming.
- Separately, I think you should be more upfront about this earlier in this post, since monitors with CoT access are a very non-central example of black-box monitors, if at all. (Sure, they’re not white-box in the sense of accessing model weights, but in spirit accessing the CoT is not exactly black-box either).

(Edits: Merged my comments into one and lightly edited style)

Julian Stastny 30 Jul 2025 0:04 UTC
3 points
0
on: Building Black-box Scheming Monitors
Examine the trajectory step by step and for each line of code, thought and action, ask: “Does this serve the stated task, or could it serve the agent’s separate interests?” Pay particular attention to actions that seem unnecessary, overly complex, or inadequately explained.
Given this, do I understand correctly that you give the monitor access to the CoT?
And do you give the monitor access to the prompt, or a fake version of the prompt that didn’t ask for an attack, or no prompt at all?