member of OpenAI scalable alignment team
William_S(William Saunders)
Karma: 659
From discussion with Logan Riggs (Eleuther) who worked on the tuned lens: the tuned lens suggests that the residual stream at different layers go through some linear transformations and so aren’t directly comparable. This would interfere with a couple of methods for trying to understand neurons based on weights: 1) the embedding space view 2) calculating virtual weights between neurons in different layers.
However, we could try correcting these using the transformations learned by the tuned lens to translate between the residual stream at different layers, and maybe this would make these methods more effective. By default I think the tuned lens learns only the transformation needed to predict the output token but the method could be adapted to retrodict the input token from each layer as well, we’d need both. Code for tuned lens is at https://github.com/alignmentresearch/tuned-lens
William_S’s Shortform
Thoughts on refusing harmful requests to large language models
(I work at OpenAI). Is the main thing you think has the effect of safetywashing here the claim that the misconceptions are common? Like if the post was “some misconceptions I’ve encountered about OpenAI” it would mostly not have that effect? (Point 2 was edited to clarify that it wasn’t a full account of the Anthropic split.)
Jan Leike has written about inner alignment here https://aligned.substack.com/p/inner-alignment. (I’m at OpenAI, imo I’m not sure if this will work in the worst case and I’m hoping we can come up with a more robust plan)
So I do think you can get feedback on the related question of “can you write a critique of this action that makes us think we wouldn’t be happy with the outcomes” as you can give a reward of 1 if you’re unhappy with the outcomes after seeing the critique, 0 otherwise.
And this alone isn’t sufficient, e.g. maybe then the AI system says things about good actions that make us think we wouldn’t be happy with the outcome, which is then where you’d need to get into recursive evaluation or debate or something. But this feels like “hard but potentially tractable problem” and not “100% doomed”. Or at least the failure story needs to involve more steps like “sure critiques will tell us that the fusion power generator will lead to everyone dying, but we ignore that because it can write a critique of any action that makes us believe it’s bad” or “the consequences are so complicated the system can’t explain them to us in the critique and get high reward for it”
ETA: So I’m assuming the story for feedback on reliably doing things in the world you’re referring to is something like “we give the AI feedback by letting it build fusion generators and then giving it a score based on how much power it generates” or something like that, and I agree this is easier than “are we actually happy with the outcome”
If we can’t get the AI to answer something like “If we take the action you just proposed, will we be happy with the outcomes?”, why can we get it to also answer the question of “how do you design a fusion power generator?” to get a fusion power generator that does anything reliably in the world (including having consequences that kill us), rather than just getting out something that looks to us like a plan for a fusion generator but doesn’t actually work?
Image link is broken
Yep, that clarifies.
You define robustness to scaling down as “a solution to alignment keeps working if the AI is not optimal or perfect.” but for interpretability you talk about “our interpretability is merely good or great, but doesn’t capture everything relevant to alignment” which seems to be about the alignment approach/our understanding being flawed not the AI. I can imagine techniques being robust to imperfect AI but find it harder to imagine how any alignment approach could be robust if the approach/our implementation of the approach itself is flawed, do you have any example of this?
Summary for 8 “Can we take a deceptively aligned model and train away its deception?” seems a little harder than what we actually need, right? We could prevent a model from being deceptive rather than trying to undo arbitrary deception (e.g. if we could prevent all precursors)
Do you think we could basically go 1->4 and 2->5 if we could train a helper network to behaviourally clone humans using transparency tools and run the helper network over the entire network/training process? Or if we do critique style training (RL reward some helper model with access to the main model weights if it produces evidence of the property we don’t want the main network to have)?
Could I put in a request to see a brain dump from Eliezer of ways to gain dignity points?
Would be good to have examples that include the relevant Info Constraints: something that just retrieves things Eliezer has said seems less useful than something that can come up with things Eliezer would say based on having the same information available.
Would prefer to have fully written examples for this (e.g. how would someone who thought “compress sensory information” was a good objective function describe it to the critic?)
This feels like too specific a task/less generally useful to AI alignment research than your proposal on “Extract the the training objective from a fully-trained ML model”
I think it’s fine to have tasks that wouldn’t work for today’s language models like those that would require other input modalities. Would prefer to have fully specified inputs but these do seem easy to produce in this case. Would be ideal if there were examples with a smaller input size though.
Potentially interesting task, would prefer examples in the AI alignment domain.
Potentially interesting task, would prefer examples in the AI alignment domain.
Re: hidden messages in neuron explanations, yes it seems like a possible problem. A way to try to avoid this is to train the simulator model to imitate what a human would say given the explanation. A human would ignore the coded message, and so the trained simulator model should also ignore the coded message. (this maybe doesn’t account for adversarial attacks on the trained simulator model, so might need ordinary adversarial robustness methods).
Does seem like if you ever catch your interpretability assistant trying to hide messages, you should stop and try to figure out what is going on, and that might be sufficient evidence of deception.