Saved in:
Bibliographic Details
Main Authors: Taylor, Jordan, Black, Sid, Bowen, Dillon, Read, Thomas, Golechha, Satvik, Zelenka-Martin, Alex, Makins, Oliver, Kissane, Connor, Ayonrinde, Kola, Merizian, Jacob, Marks, Samuel, Cundy, Chris, Bloom, Joseph
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2512.07810
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866912754406785024
author Taylor, Jordan
Black, Sid
Bowen, Dillon
Read, Thomas
Golechha, Satvik
Zelenka-Martin, Alex
Makins, Oliver
Kissane, Connor
Ayonrinde, Kola
Merizian, Jacob
Marks, Samuel
Cundy, Chris
Bloom, Joseph
author_facet Taylor, Jordan
Black, Sid
Bowen, Dillon
Read, Thomas
Golechha, Satvik
Zelenka-Martin, Alex
Makins, Oliver
Kissane, Connor
Ayonrinde, Kola
Merizian, Jacob
Marks, Samuel
Cundy, Chris
Bloom, Joseph
contents Future AI systems could conceal their capabilities ('sandbagging') during evaluations, potentially misleading developers and auditors. We stress-tested sandbagging detection techniques using an auditing game. First, a red team fine-tuned five models, some of which conditionally underperformed, as a proxy for sandbagging. Second, a blue team used black-box, model-internals, or training-based approaches to identify sandbagging models. We found that the blue team could not reliably discriminate sandbaggers from benign models. Black-box approaches were defeated by effective imitation of a weaker model. Linear probes, a model-internals approach, showed more promise but their naive application was vulnerable to behaviours instilled by the red team. We also explored capability elicitation as a strategy for detecting sandbagging. Although Prompt-based elicitation was not reliable, training-based elicitation consistently elicited full performance from the sandbagging models, using only a single correct demonstration of the evaluation task. However the performance of benign models was sometimes also raised, so relying on elicitation as a detection strategy was prone to false-positives. In the short-term, we recommend developers remove potential sandbagging using on-distribution training for elicitation. In the longer-term, further research is needed to ensure the efficacy of training-based elicitation, and develop robust methods for sandbagging detection. We open source our model organisms at https://github.com/AI-Safety-Institute/sandbagging_auditing_games and select transcripts and results at https://huggingface.co/datasets/sandbagging-games/evaluation_logs . A demo illustrating the game can be played at https://sandbagging-demo.far.ai/ .
format Preprint
id arxiv_https___arxiv_org_abs_2512_07810
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Auditing Games for Sandbagging
Taylor, Jordan
Black, Sid
Bowen, Dillon
Read, Thomas
Golechha, Satvik
Zelenka-Martin, Alex
Makins, Oliver
Kissane, Connor
Ayonrinde, Kola
Merizian, Jacob
Marks, Samuel
Cundy, Chris
Bloom, Joseph
Artificial Intelligence
Future AI systems could conceal their capabilities ('sandbagging') during evaluations, potentially misleading developers and auditors. We stress-tested sandbagging detection techniques using an auditing game. First, a red team fine-tuned five models, some of which conditionally underperformed, as a proxy for sandbagging. Second, a blue team used black-box, model-internals, or training-based approaches to identify sandbagging models. We found that the blue team could not reliably discriminate sandbaggers from benign models. Black-box approaches were defeated by effective imitation of a weaker model. Linear probes, a model-internals approach, showed more promise but their naive application was vulnerable to behaviours instilled by the red team. We also explored capability elicitation as a strategy for detecting sandbagging. Although Prompt-based elicitation was not reliable, training-based elicitation consistently elicited full performance from the sandbagging models, using only a single correct demonstration of the evaluation task. However the performance of benign models was sometimes also raised, so relying on elicitation as a detection strategy was prone to false-positives. In the short-term, we recommend developers remove potential sandbagging using on-distribution training for elicitation. In the longer-term, further research is needed to ensure the efficacy of training-based elicitation, and develop robust methods for sandbagging detection. We open source our model organisms at https://github.com/AI-Safety-Institute/sandbagging_auditing_games and select transcripts and results at https://huggingface.co/datasets/sandbagging-games/evaluation_logs . A demo illustrating the game can be played at https://sandbagging-demo.far.ai/ .
title Auditing Games for Sandbagging
topic Artificial Intelligence
url https://arxiv.org/abs/2512.07810