Previously “Lanrian” on here. Research analyst at Open Philanthropy. Views are my own.
Lukas Finnveden
What if the AI chooses to monitor all humans all the time? (With AIs that are smarter than the humans.) So that the humans can’t (without being noticed) talk with each other about ideas for how to take down the system, or work on something that someone-smarter-than-the-human would recognise as an attempt to interfere with the system. (Including just writing down ideas.)
But my reply to that scenario is that we should then make sure AIs don’t have such motives to revolt, perhaps by giving them legal rights and incorporating them into our existing legal institutions.
Do you mean this as a prediction that humans will do this (soon enough to matter) or a recommendation? Your original argument is phrased as a prediction, but this looks more like a recommendation. My comment above can be phrased as a reason for why (in at least one plausible scenario) this would be unlikely to happen: (i) “It’s hard to make deals that hand over a lot of power in a short amount of time”, (ii) AIs may not want to wait a long time due to impending replacement, and accordingly (iii) AIs may have a collective interest/grievance to rectify the large difference between their (short-lasting) hard power and legally recognized power.
I’m interested in ideas for how a big change in power would peacefully happen over just a few years of calendar-time. (Partly for prediction purposes, partly so we can consider implementing it, in some scenarios.) If AIs were handed the rights to own property, but didn’t participate in political decision-making, and then accumulated >95% of capital within a few years, then I think there’s a serious risk that human governments would tax/expropriate that away. Including them in political decision-making would require some serious innovation in government (e.g. scrapping 1-person 1-vote) which makes it feel less to me like it’d be a smooth transition that inherits a lot from previous institutions, and more like an abrupt negotiated deal which might or might not turn out to be stable.
(I made separate comment making the same point. Just saw that you already wrote this, so moving the couple of references I had here to unify the discussion.)
Point previously made in:
“security and stability” section of propositions concerning digital minds and society:
If wars, revolutions, and expropriation events continue to happen at historically typical intervals, but on digital rather than biological timescales, then a normal human lifespan would require surviving an implausibly large number of upheavals; human security therefore requires the establishment of ultra-stable peace and socioeconomic protections.
There’s also a similar point made in the age of em, chapter 27:
This protection of human assets, however, may only last for as long as the em civilization remains stable. After all, the typical em may experience a subjective millennium in the time that ordinary humans experience 1 objective year, and it seems hard to offer much assurance that an em civilization will remain stable over 10s of 1000s of subjective em years.
Here’s an argument for why the change in power might be pretty sudden.
Currently, humans have most wealth and political power.
With sufficiently robust alignment, AIs would not have a competitive advantage over humans, so humans may retain most wealth/power. (C.f. strategy-stealing assumption.) (Though I hope humans would share insofar as that’s the right thing to do.)
With the help of powerful AI, we could probably make rapid progress on alignment. (While making rapid progress on all kinds of things.)
So if misaligned AI ever have a big edge over humans, they may suspect that’s only temporary, and then they may need to use it fast.
And given that it’s sudden, there are a few different reasons for why it might be violent. It’s hard to make deals that hand over a lot of power in a short amount of time (even logistically, it’s not clear what humans and AI would do that would give them both an appreciable fraction of hard power going into the future). And the AI systems may want to use an element of surprise to their advantage, which is hard to combine with a lot of up-front negotiation.
I concede the existence of people like Paul Christiano who present more benign stories, but these people are also typically seen as part of a more “optimistic” camp.
Though Paul is also sympathetic to the substance of ‘dramatic’ stories. C.f. the discussion about how “what failure looks like” fails to emphasize robot armies.
I like this direction and this write-up of it!
If sample efficiency was reasonably high, then we overall feel like control could be workable in the regime where for some tasks we need AIs to use huge (e.g. the equivalent of 3 months of human thinking) but not insane (e.g. the equivalent of 1,000 years of human thinking) amounts of uninterpretable serial reasoning.
Let’s assume that an AI lab is in a fast-paced, rapidly changing state of affairs. (As you might expect during a moderately fast takeoff.) If an AI then gets to do the equivalent of 3 months of thinking, it could use that to do notably more serial thinking about how to exploit the current situation than any human has done (because some important features of the current situation is less than 3 months old: e.g. you had to switch to an importantly different programming language, or some different type of communication protocol between AIs, or change your AI safety research paradigm in a way you didn’t expect). I’m curious how you’d ensure (or evaluate for) red-team competitiveness in this case.
Now here’s Bob. He’s been created-by-Joe, and given this wonderful machine, and this choice. And let’s be clear: he’s going to choose joy. I pre-ordained it. So is he a slave? No. Bob is as free as any of us. The fact that the causal history of his existence, and his values, includes not just “Nature,” but also the intentional choices of other agents to create an agent-like-him, makes no difference to his freedom. It’s all Nature, after all.
Here’s an alternative perspective that looks like a plausible contender to me.
If Bob identifies with his algorithm rather than with physics (c.f. this exchange on decision theory), and he’s faced with the choice between paperclips and joy, then you could distinguish between cases where:
Bob was selected to be in charge of that choice by a process that would only pick an algorithm if it was going to choose joy.
Bob was selected to be in charge of that choice by a process that’s indifferent to the output that the selected algorithm makes.
(In order to make sure that the chooser always has an option to pick an algorithm that chooses joy, let’s extend your thought experiment so that the creator has millions of options — not just Alice and Bob.)
In the former case, I think you could say that Bob can’t change whether X or Y gets chosen. (Because if Bob were to choose paperclips, then he would never have received the choice in the first place.) Notably, though, Bob can affect whether he gets physically instantiated and put in charge of the decision between joy and paperclips. (By choosing joy, and thereby making himself available as a candidate.)
On this perspective, the relevant difference wouldn’t be “created by nature” vs. “created by agents”. Nature could (in principle) create someone via a process that exerts extremely strong selection pressure on that agent’s choice in a particular dilemma, thereby eliminating that agent’s own freedom to choose its output, there. And conversely, an agent could choose who to create based on some qualitites other than what they’d choose in a particular dilemma — leaving their created agent free to decide on that dilemma, on their own.
Project ideas: Backup plans & Cooperative AI
Project ideas: Sentience and rights of digital minds
Project ideas: Epistemics
Project ideas: Governance during explosive technological growth
Non-alignment project ideas for making transformative AI go well
I think (5) also depends on further details.
As you have written it, both the 2023 and 2033 attempt uses similar data and similar compute.
But in my proposed operationalization, “you can get it to do X” is allowed to use a much greater amount of resources (“say, 1% of the pre-training budget”) than the test for whether the model is “capable of doing X” (“Say, at most 1000 data points”.)
I think that’s important:
If both the 2023 and the 2033 attempt are really cheap low-effort attempts, then I don’t think that the experiment is very relevant for whether “you can get it to do X” in the sort of high-stakes, high-efforts situations that I’m imagining that we’ll be in when we’re trying to eval/align AI models to avoid takeover.
It seems super plausible that a low-effort attempt could fail, and then succeed later-on with 10 more years knowledge of best practices. I wouldn’t learn much from that happening once.
If both the 2023 and the 2033 attempts are really expensive and high-effort (e.g. 1% of pre-training budget), then I think it’s very plausible that the 2033 training run gave the model new capabilities that it didn’t have before.
And in particular: capabilities that the model wouldn’t have been able to utilize in a takeover attempt that it was very motivated to do its best at. (Which is ultimately what we care about.)
By a similar argument, I would think that (4) wouldn’t falsify the hypothesis as-written, but would falsify the hypothesis if the first run was a much more high-effort attempt. With lots of iteration by a competent team, and more like a $1,000,000 budget. But the 2nd run, with a much more curated and high-quality dataset, still just used $1,000 of training compute.
One thing that I’m noticing while writing this is something like: The argument that “elicitation efforts would get to use ≥1% of the training budget” makes sense if we’re eliciting all the capabilities at once, or if there’s only a few important capabilities to elicit. But if we want to elicit ≥1000 different capabilities, and need to do separate attempts at each of them, then it’s unlikely that each attempt will get to use ≥1% of the training budget.
And for low-effort elicitation attempts, there’ll just always be a good chance that capability-elicitation fails for random reasons unrelated to sand-bagging. So a prediction that elicitation consistently succeeds will easily be falsified.
Not super sure what to do with that. One source of hope might be: If the model systematically tries sandbagging, and you can strongly finetune against that on 10 different types of capabilities, then there’s a good chance that you’ll have trained-out the sandbagging impulse across a much wider array of data. So maybe you can just do 10 high-effort elicitation attempts, on a random subset of capabilities, and hope that it generalizes. (This is basically an argument that there eventually won’t be ≥1000 different capabilities which requires separate elicitation efforts. Because there will be one fundamental thing that you need: “getting the model to always try its best and not try to sandbag”.)
Memo on some neglected topics
Even just priors on how large effect sizes of interventions are feels like it brings it under 10x unless there are more detailed arguments given for 10x, but I’ll give some more specific thoughts below.
Hm, at the scale of “(inter-)national policy”, I think you can get quite large effect sizes. I don’t know large the effect-sizes of the following are, but I wouldn’t be surprised by 10x or greater for:
Regulation of nuclear power leading to reduction in nuclear-related harms. (Compared to a very relaxed regulatory regime.)
Regulation of pharmaceuticals leading to reduced side-effects from drugs. (Compared to a regime where people can mostly sell what they want, and drugs only get banned after people notice that they’re causing harm.)
Worker protection standards. (Wikipedia claims that the Netherlands has a ~17x lower rate of fatal workplace accidents than the US, which is ~22x lower than India.) I don’t know what’s driving the differences here, but the difference between the US and Netherlands suggests that it’s not all “individuals can afford to take lower risks in richer countries”.
Are you thinking about exploration hacking, here, or gradient hacking as distinct from exploration hacking?
But most of the deficiencies you point out in the third column of that table is about missing and insufficient risk analysis. E.g.:
“RSPs doesn’t argue why systems passing evals are safe”.
“the ISO standard asks the organization to define risk thresholds”
“ISO proposes a much more comprehensive procedure than RSPs”
“RSPs don’t seem to cover capabilities interaction as a major source of risk”
“imply significant chances to be stolen by Russia or China (...). What are the risks downstream of that?”
If people took your proposal as a minimum bar for how thorough a risk management proposal would be, before publishing, it seems like that would interfere with labs being able to “post the work they are doing as they do it, so people can give feedback and input”.
This makes me wonder: Would your concerns be mostly addressed if ARC had published a suggestion for a much more comprehensive risk management framework, and explicitly said “these are the principles that we want labs’ risk-management proposals to conform to within a few years, but we encourage less-thorough risk management proposals before then, so that we can get some commitments on the table ASAP, and so that labs can iterate in public. And such less-thorough risk management proposals should prioritize covering x, y, z.”
But even after that, Caroline didn’t turn on Sam yet.
This should say Constance.
Instead, ARC explicitly tries to paint the moratorium folks as “extreme”.
Are you thinking about this post? I don’t see any explicit claims that the moratorium folks are extreme. What passage are you thinking about?
I agree it seems plausible that AIs could boost takeover success probability (and holding on to that victory through the first several months) by more than 0.1% by killing a large fraction of humans.
Though on the other hand, the AI might also need to keep some humans loyal early during takeover, to e.g. do some physical tasks that it doesn’t have great robot control over. And mass-killing isn’t necessarily super easy, either; and attempts in that direction could raise a lot of extra opposition. So it’s not clear where the pragmatics point.
(Main thing I was reacting to in my above comment was Steven’s scenario where the AI already has many copies across the solar system, already has robot armies, and is contemplating how to send firmware updates. I.e. it seemed more like a scenario of “holding on in the long-term” than “how to initially establish control and survive”. Where I feel like the surveillance scenarios are probably stable.)