Saved in:
| Main Authors: | , , , , , , , , , , , , |
|---|---|
| Format: | Preprint |
| Published: |
2025
|
| Subjects: | |
| Online Access: | https://arxiv.org/abs/2512.07810 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| _version_ | 1866912754406785024 |
|---|---|
| author | Taylor, Jordan Black, Sid Bowen, Dillon Read, Thomas Golechha, Satvik Zelenka-Martin, Alex Makins, Oliver Kissane, Connor Ayonrinde, Kola Merizian, Jacob Marks, Samuel Cundy, Chris Bloom, Joseph |
| author_facet | Taylor, Jordan Black, Sid Bowen, Dillon Read, Thomas Golechha, Satvik Zelenka-Martin, Alex Makins, Oliver Kissane, Connor Ayonrinde, Kola Merizian, Jacob Marks, Samuel Cundy, Chris Bloom, Joseph |
| contents | Future AI systems could conceal their capabilities ('sandbagging') during evaluations, potentially misleading developers and auditors. We stress-tested sandbagging detection techniques using an auditing game. First, a red team fine-tuned five models, some of which conditionally underperformed, as a proxy for sandbagging. Second, a blue team used black-box, model-internals, or training-based approaches to identify sandbagging models. We found that the blue team could not reliably discriminate sandbaggers from benign models. Black-box approaches were defeated by effective imitation of a weaker model. Linear probes, a model-internals approach, showed more promise but their naive application was vulnerable to behaviours instilled by the red team. We also explored capability elicitation as a strategy for detecting sandbagging. Although Prompt-based elicitation was not reliable, training-based elicitation consistently elicited full performance from the sandbagging models, using only a single correct demonstration of the evaluation task. However the performance of benign models was sometimes also raised, so relying on elicitation as a detection strategy was prone to false-positives. In the short-term, we recommend developers remove potential sandbagging using on-distribution training for elicitation. In the longer-term, further research is needed to ensure the efficacy of training-based elicitation, and develop robust methods for sandbagging detection. We open source our model organisms at https://github.com/AI-Safety-Institute/sandbagging_auditing_games and select transcripts and results at https://huggingface.co/datasets/sandbagging-games/evaluation_logs . A demo illustrating the game can be played at https://sandbagging-demo.far.ai/ . |
| format | Preprint |
| id |
arxiv_https___arxiv_org_abs_2512_07810 |
| institution | arXiv |
| publishDate | 2025 |
| record_format | arxiv |
| spellingShingle | Auditing Games for Sandbagging Taylor, Jordan Black, Sid Bowen, Dillon Read, Thomas Golechha, Satvik Zelenka-Martin, Alex Makins, Oliver Kissane, Connor Ayonrinde, Kola Merizian, Jacob Marks, Samuel Cundy, Chris Bloom, Joseph Artificial Intelligence Future AI systems could conceal their capabilities ('sandbagging') during evaluations, potentially misleading developers and auditors. We stress-tested sandbagging detection techniques using an auditing game. First, a red team fine-tuned five models, some of which conditionally underperformed, as a proxy for sandbagging. Second, a blue team used black-box, model-internals, or training-based approaches to identify sandbagging models. We found that the blue team could not reliably discriminate sandbaggers from benign models. Black-box approaches were defeated by effective imitation of a weaker model. Linear probes, a model-internals approach, showed more promise but their naive application was vulnerable to behaviours instilled by the red team. We also explored capability elicitation as a strategy for detecting sandbagging. Although Prompt-based elicitation was not reliable, training-based elicitation consistently elicited full performance from the sandbagging models, using only a single correct demonstration of the evaluation task. However the performance of benign models was sometimes also raised, so relying on elicitation as a detection strategy was prone to false-positives. In the short-term, we recommend developers remove potential sandbagging using on-distribution training for elicitation. In the longer-term, further research is needed to ensure the efficacy of training-based elicitation, and develop robust methods for sandbagging detection. We open source our model organisms at https://github.com/AI-Safety-Institute/sandbagging_auditing_games and select transcripts and results at https://huggingface.co/datasets/sandbagging-games/evaluation_logs . A demo illustrating the game can be played at https://sandbagging-demo.far.ai/ . |
| title | Auditing Games for Sandbagging |
| topic | Artificial Intelligence |
| url | https://arxiv.org/abs/2512.07810 |