We just published an interview: Beth Barnes on the most important graph in AI right now. Listen on Spotify, watch on Youtube, or click through for other audio options, the transcript, and related links. Below are the episode summary and some key excerpts.
Weâve started to take for granted that these models are really not very good at reasoning, except for out loud in English â which we can monitor. But I think weâre maybe heading for a world where thatâs not true anymore. â Beth Barnes |
AI models today have a 50% chance of successfully completing a task that would take an expert human an hour. Seven months ago, that number was roughly 30 minutes â and seven months before that, 15 minutes.
This isnât just about getting better at chess or writing poetry. These are substantial, multi-step tasks requiring sustained focus: building web applications, conducting machine learning research, or solving complex programming challenges.
Todayâs guest, Beth Barnes, is CEO of METR (Model Evaluation & Threat Research) â the leading organisation measuring these capabilities.
Bethâs team has been timing how long it takes skilled humans to complete these multi-step tasks, then seeing how AI models perform on the same work. METRâs paper âMeasuring AI ability to complete long tasksâ made waves by revealing that the planning horizon of AI models was doubling roughly every seven months, and itâs been regarded by many as the most useful AI forecasting work in years.
The companies building these systems arenât just aware of this trend â they want to harness it as much as possible, and are aggressively pursuing automation of their own research.
Thatâs both an exciting and troubling development, because it could radically speed up advances in AI capabilities, accomplishing what would have taken years or decades in just months. That itself could be highly destabilising, as we explored in a previous episode: Will MacAskill on AI causing a âcentury in a decadeâ â and how weâre completely unprepared.
And having AI models rapidly build their successors with limited human oversight naturally raises the risk that things will go off the rails if the models at the end of the process lack the goals and constraints we hoped for.
Beth thinks models can already do âmeaningful workâ on improving themselves, and she wouldnât be surprised if AI models were able to autonomously self-improve in as little as two years from now â in fact, she says, âIt seems hard to rule out even shorter [timelines]. Is there 1% chance of this happening in six, nine months? Yeah, that seems pretty plausible.â
While Silicon Valley is abuzz with these numbers, policymakers remain largely unaware of whatâs barrelling toward us â and given the current lack of regulation of AI companies, theyâre not even able to access critical information that would help them decide whether to intervene. Beth adds:
The sense I really want to dispel is, âBut the experts must be on top of this. The experts would be telling us if it really was time to freak out.â The experts are not on top of this. Inasmuch as there are experts, they are saying that this is a concerning risk. ⌠And to the extent that I am an expert, I am an expert telling you you should freak out. And thereâs not especially anyone else who isnât saying this.
Beth and Rob discuss all that, plus:
This episode was originally recorded on February 17, 2025.
Video editing: Luke Monsour and Simon Monsour
Audio engineering: Ben Cordell, Milo McGuire, Simon Monsour, and Dominic Armstrong
Music: Ben Cordell
Transcriptions and web: Katy Moore
Rob Wiblin: So o1 is the newish OpenAI reasoning model. I guess itâs able to handle more complex questions and itâs able to go away and use a whole bunch of computational resources to think about its answer and review it and extend it before it gives the answer. So it has this kind of notepad on which itâs able to do a bunch of reasoning and then think about what itâs written down and go back and revise it. And then eventually, after all of that, it spits out an answer.
In the case where itâs a totally safe model and maybe not that capable, that would be actually indistinguishable from the case where itâs actually incredibly schemey. Itâs actually able to figure out, âWait. This is an evaluation. I probably shouldnât reveal that Iâm scheming that I am capable of doing these dangerous things, because that would maybe get me changed.â So it could be reasoning through that in the chain of thought, saying, âI need to pretend to not be able to do this,â and you would never know.
Beth Barnes: Right. And beyond just not looking at it at all, thereâs also the question of, if you looked at it, is the chain of thought faithful? Is it actually tracking the real reasoning that the model is doing? And is it intelligible to humans, or is it some kind of gobbledygook?
Or has it been trained in some way that you would expect that itâs no longer faithful to the underlying reasoning? You can imagine if itâs being trained simultaneously to get high performance on tasks, but not do any thinking that humans think looks suspicious â if that thinking is still helpful for achieving high performance on the tasks â then you would expect one of the possible outcomes is that it then just does this reasoning that looks innocuous, but in fact itâs using that computation to reason about things that are not innocuous.
Rob Wiblin: Hold on, letâs unpack that. Youâre saying that within that chain of thought that itâs engaging in, inasmuch as we just reward it for getting the right answer at the end, the kind of stuff that itâs writing down on the pad during its process of thinking, I suppose it could just end up being disconnected from what the answer is.
I suppose if we were looking at that and rewarding it based on whether we thought the chain of reasoning looked nice to us, then it could learn that itâs got kind of two tasks: one is to come up with some justification that looks good to people who are reviewing it and rewarding it, and also to separately come up with the right answer. But these things donât actually have to be causally related to one another.
But youâre saying inasmuch as we just pressure it to come up with the right answer, it could end up engaging in reasoning that we canât understand or follow at all. And I suppose at the limit, it could just write stuff that looks like gobbledygook to us, but it understands it; it kind of has its own private language or something that allows it to reason better than it can in English.
And youâre just saying, inasmuch as we donât check the chain of thought, we donât know which of these worlds weâre in?
Beth Barnes: Right. And there are some examples of the chain of thought that OpenAI published in the system card that I think have some signs of this kind of becoming unintelligible â in that itâs sort of weird shorthand and ungrammatical sort of half-sentences in various places. So it clearly has drifted somewhat from the prior of kind of normal English, and itâs unclear, and just the meaning is sometimes confusing.
And the drift at the moment, from these 10 examples that Iâve looked at, doesnât seem enough that it would obviously be that it could be doing this long reasoning about gaming the evals, or deceiving the humans, or getting a high score that wouldnât show up at all. But itâs definitely weâre moving in that direction.
Rob Wiblin: So youâre saying thereâs a handful of cases where theyâve shown us what it reported that it was thinking. And itâs a bit weird because itâs not grammatical. Normally these models speak incredibly eloquently; they never make a grammatical or punctuation mistake or anything like that. But in this case they are.
And youâre like, is that a sign that thereâs something going on with this text that is not just whatâs written on the tin, that maybe itâs encoding extra information in there and thatâs why it reads as weird to us?
Beth Barnes: Yeah. It sort of contradicts itself, or itâs just definitely confusing and weird to read. It seems like you can tell roughly what itâs thinking about, but itâs definitely just like weâre not totally preserving fidelity to English as humans would understand it. And the more training you do, the more thatâll go away.
And also, I think people are just actively trying to figure out things that you can do that are more efficient than having the model output these English language tokens, and more like having the model pass inscrutable lists of numbers to itself.
So I think this is something that weâve started to take for granted: that these models have this very nice safety property of theyâre really not very good at reasoning, except for out loud in English. So you can really just kind of see what theyâre thinking and see what theyâre doing, and it seems weâd have to get to a very high level of intelligence before you would be worried about the model doing elaborate reasoning in a single forward pass.
But I think weâre maybe heading for a world where thatâs not true anymore. This is a thing that is a bit stressful; I hope people are going to work on making sure that it continues to be interpretable.
Beth Barnes: I think in general the most emphasis has been on this idea of pre-deployment testing: before you start serving this model on your API to the general public, you do some testing in house, and maybe ideally with third-party oversight or whatever.
The problem with this is that thatâs not necessarily the best time to check or intervene. Ideally, before you start training a model and before you commit a huge amount of expensive compute to producing this artefact, you look at the most capable models you have already â you look at how far they are away from hitting various thresholds where you would need more mitigations, you look at what mitigations are you on track to have by when. And based on that, you decide whether itâs a good idea to go ahead with this big new training run and what level of scaleup would be safe.
And you might want to do an intermediate evaluation to be like, OK, how much has the model improved so far? Are we on track with our predictions? Are we getting near one of these thresholds? Because if you donât do that, and then you get to the end of the training run and youâre like, âWe now have this model, and it turns out itâs very capable and itâs above all these thresholds and we donât have any of the mitigations in place.â
Then one thing is, as soon as you create the model, you create the ability for it to be stolen or misused. And if you donât have good internal controls set up, people internally could be doing all sorts of things with it.
And also, you now have this artefact that youâve invested an enormous amount of money into, and it is hard to not use that â and especially to not use it internally. Everyoneâs curious, like, âCan I try out this new model? Use it for my new research ideas,â whatever.
And the thing about deployment is, unless youâre open sourcing the model, it is actually quite reversible. So if you released a model, at least now external experts can interact with it and have some oversight and could sound the alarm if it turns out it has super dangerous bioweapon-enabling capabilities or something, and then the lab could undeploy it.
I think thereâs something that you would like evals to rule out, which is that companies are building arbitrarily super intelligent and dangerous models internally and the public has absolutely no ability or oversight to know that thatâs happening or decide whether itâs appropriate to then scale up and build an even better model.
So in some sense â this is a bit of a hot take â itâs like pre-deployment evals could actually be bad, because delaying deployment could be bad if that means that you miss the window to be able to sound the alarm about, âWait, this model is super scary. You shouldnât build a more capable model.â You donât want the gap between what labs have internally and what anyone has had meaningful oversight of to be arbitrarily large.
Rob Wiblin: Just to repeat that back to make sure that Iâve understood: youâre saying the whole eval mentality at the moment, at least from the companies, is, âWe need to check what our models are able to do and willing to do before the public has access to them, before weâre selling it as a product.â And thatâs pre-deployment evaluation.
And youâre saying actually maybe what is more important â certainly on the margin at this point â is the evaluations that we do and the risk assessment that we do before we even train the model, or certainly before people inside the company have access to it and start using it.
And the reason is that if you only think about deployment to the public, then thereâs no limit on the thing that you could train internally. You could make a model thatâs incredibly dangerous. Maybe itâs incredibly good at recursively self-improving; it would be able to survive in the wild and avoid shutdown if it escaped.
Beth Barnes: And itâs just on your servers. Covertly, itâs corrupted a bunch of the lab compute and is making it look like something else, but itâs actually doing its own little intelligence explosion there.
Rob Wiblin: Or even if not something as strange as that, someone could easily steal it or exfiltrate it, or it could be misused inside the company, or someone could incompetently use it inside the company.
Beth Barnes: So weâve been building this suite of diverse autonomy-requiring tasks, where the model has basically access to a computer and it can do stuff on the computer and use tools and run code and do whatever to accomplish the taskâŚ
And the main thing weâve done that is different is weâve had humans attempt basically all of these tasks, and we record how long it takes the humans to do the task â humans who in fact have the expertise, so hopefully weâre not timing that they had to go away and learn about this thing. But for someone who has the requisite knowledge, how long is it? How many steps do they need? How long does it take them?
So then we can get this meaningful Y-axis on which to measure model capabilities, which is diverse autonomous tasks in terms of how long they take humans. So if you order all the tasks by how long they take humans, where is the point that the model gets 50% success?
We do see a relationship between length of task for humans and how successful the models are. Itâs not perfect. Itâs not like they can do all the tasks up to one hour and then none of the ones above; itâs like as you double the time, it gets increasingly unlikely that the model can actually do itâŚ
Rob Wiblin: OK, so youâve got this general issue that people have lots of different tests of how impressive these AI models are. But thereâs always an issue of how actually impressive is that outcome? We find out, wow, now itâs able to do this thing. But is that impressive? Does that really matter? Is that going to move the needle to applications in the real world? Is this going to allow it to act autonomously? It can be a little bit hard to understand intuitively whether any of it matters.
So youâve come up with a modification of this approach. Firstly, you think about a very wide range of different tasks â so itâs harder for you to teach to the test, to just teach the model to do one very narrow thing, but then something else nearby or something else thatâs important to matter in the real world that it canât do at all. It just can only play chess super well or something like that. So a lot of diversity of the tasks.
And then in terms of measuring how impressive the performance is, you think about it in terms of how long would it have taken a human to do? Or how long did it, in your tests, take for a human to be able to accomplish this task? Are there any simple examples of the tasks? Ones that non-computer people could understand?
Beth Barnes: Thereâs the ML research ones, like, âTrain this model to improve its performance on this datasetâ or something. There are some very easy, very general research ones, like, âGo and look up this fact on Wikipediaâ or something. Thereâs some that are like, âBuild a piece of software that does these things.â
Rob Wiblin: Yeah, OK. So theyâre substantial tasks, the kind of things that you might delegate to a staff member inside a company. And I guess youâve gotten software engineers or people who generally would be able to do these kinds of things, and said, on average, this takes a human 15 minutes, it takes them half an hour, it takes them an hour, it takes them two hours.
And you find that thereâs quite a strong relationship between whether the model can and canât do it, and how long it would have taken a human being to do it â which I guess speaks to the fact that itâs hard for these models to stay on task for a long period of time. Or people talk about coherence: things that require them to think about, âHow am I going to do this?â over a long period of time. It requires many different steps that have to be chained together. They currently kind of struggle with that. Is that right?
Beth Barnes: Yeah. I think thereâs various different explanations for why longer tasks are harder. Thereâs different ways in which they can be harder.
One is just if thereâs a longer sequence of things that you need to do â so you need to get them all right, and thereâs a higher probability that youâll get completely stumped by one of them. You could also imagine either the human just has to think really hard, or they try a bunch of times until they succeed. So itâs not like one totally straightforward measure.
But thereâs also this argument that, as we do more RL training on tasks, itâs much more expensive to do RL training on longer tasks than on shorter tasks. And itâs a much harder learning problem if you just get a signal at the end of what in the middle you should have done differently, whereas if the task only has two steps, itâs much easier to learn what you should have done differently.
So in general, there are a bunch of reasons to expect that the shorter tasks will be easier for models, and the models will be better trained to be able to do short tasks than long tasks.
Rob Wiblin: And the upshot is⌠you could say that, a year ago, the models would have a 50% chance of succeeding at something that would take a typical human 15 minutes; six months later they had a 50% chance of succeeding at something that would take 30 minutes; six months later they have a 50% chance of succeeding at something that would take a human an hour. Seems like itâs roughly doubling about every six months. Could you say what the numbers there are?
Beth Barnes: Yeah, six months is about right. Weâre looking all the way from GPT-2 in 2019, where itâs at a few seconds or something like that, to the latest models. And yeah, over that time thereâs a pretty good fit to a doubling of something like every six months. And we also did a sort of ablation [sensitivity analysis] both over the actual noise in the data and over different methodological choices we could make, and the range of estimates you get is basically between three months and one year.
Rob Wiblin: OK, just to make sure that we underline the most important messages here: AIs currently have a 50% chance of doing something on a computer that an expert might do in two hours. This is doubling every three to 12 months. So theyâre becoming substantially more useful agents: theyâre able to do things over quite a longer period of time and itâs improving rapidly.
Theyâre able to make a substantial difference to machine learning research now. Theyâre already used a great deal within the companies. They are probably capable of doing a whole lot more stuff than is even appreciated at this point â because if you really try hard, then you can get much more out of them than if you just make a cursory effort.
All of this leads to the conclusion that probably we should expect recursively self-improving AI pretty shockingly soon, relative to expectations that we might have had five or 10 years ago â that two years wouldnât be at all surprising, which is alarming to me.
Beth Barnes: Yes, I think this is very alarming. I think people should be very alarmed. The scientist in me wants to add a bunch of caveats to the two-hour number and the doubling time, whatever. But I think yes, it really doesnât seem like two years would be surprising. It seems hard to rule out even shorter [timelines]. Is there 1% chance of this happening in six, nine months? Yeah, that seems pretty plausible.
With the exact shape of the recursive self-improvement, it still seems like we can kind of see a path to significantly superhuman intelligence that doesnât require a mysterious intelligence explosion. Itâs relatively clear how you would apply the intermediate capabilities that we expect to get to get something thatâs just obviously very pretty scary.
Maybe models will continue to be really non-robust in a way thatâs hard to fix, but I donât think we care about whether weâre very confident this is going to happen â we care about whether weâre very confident itâs not going to happen.
It just feels like weâre at the point where even if you only care about current humans, the stakes are very high. Like a 1% chance of takeover risk, which itself has a 10% chance of human extinction or something, thatâs a lot of deaths.
So I think we should really care about numbers that are a whole number of percent. I mean, I think we should care about numbers that are lower than that, but basically I would expect the world in general to agree that itâs not worth imposing a whole-number-percent risk of completely destroying human civilisation for getting the benefits of AI sooner.
Rob Wiblin: A little bit sooner, yeah. I think people in Silicon Valley, or certainly people in the AI industry, these sorts of companies, theyâve seen these results and theyâre flipping out basically. Or their expectations are what weâre seeing here: they just see a very clear path to superhuman reasoning, to superhuman ability to improve AI, to therefore a software-based intelligence explosion. So this is kind of the main thing that people talk about in the city that weâre in right now.
It feels like policymakers are a little bit aware of this â certainly AI is in the policy conversation a bit â but by comparison, I think they havenât yet flipped out to the extent that they probably would if they fully appreciated what was coming down the pipeline.
Beth Barnes: Right.
Rob Wiblin: One of the hopes of this show is to disseminate this information so that people can flip out suitably. Is there anything more you want to say to someone whoâs in DC, whoâs like, âI donât know that I really buy any of this. AIâs not my area, or I feel like these tech people are kind of losing their heads a little bitâ?
Beth Barnes: Itâs kind of hard for me to have that perspective because Iâve just been focused on AI since 2017 or something, and I was previously thinking that it was further off, or that I might be totally wrong about this whole thing. But it feels like weâve just increasingly gotten evidence that these concerns are sensible. Weâre starting to see models exhibit alignment faking, all these things weâre concerned about, and it seems like the capabilities are coming very fast.
So this seems like pretty obviously the most important thing, even from a very personal, selfish perspective: for someone whoâs young and healthy, this just might be your highest mortality risk in the next few years is AI catastrophe.
I think the other sense that people have that I really want to dispel is, âBut the experts must be on top of this. The experts would be telling us if it really was time to freak out.â Iâm like, the experts are not on top of this. There are not nearly enough people. METR is super starved for talent. We just canât do a bunch of basic things that are obviously good to do.
And inasmuch as there are experts, they are saying that this is a concerning risk. There was the report that Bengio and others wrote, that was sort of overall, what is the overall scientific consensus on this risk? And it was like, âYes, this seems very plausible.â
Rob Wiblin: âWeâre not sure whether we will or wonât all die, but itâs totally plausible.â
Beth Barnes: Yeah. And to the extent that I am an expert, I am an expert telling you you should freak out. And thereâs not especially anyone else who isnât saying this.
Beth Barnes: I think often individual safety-concerned people inside companies have a rosier picture of how the company interacts with third parties, like, âWe love safety, so of course we would be supporting all of these things. And if itâs not happening, the bottleneck must be something thatâs not us, because we really love safety.â
I think Nick Joseph said something like this, of the bottleneck on getting external oversight of the RSP is people who are technically competent to do the evaluations externally â which I very much disagree with, because I think METR has the technical competence. I think our evals and elicitation and things are better than stuff that the lab has published, than any lab has published, basicallyâŚ
Also, it doesnât necessarily need to be bottlenecked on the technical competence of the external evaluator to literally run all the experiments and set up the compute and things. Thereâs another paradigm, where the companies run the evaluations internally and they write up what they did, and the external evaluator goes through it with them and discusses it, like⌠âMaybe you need to do this other experiment here. This thing was insufficient for this reason.â
Or an embedded evaluator paradigm, where someone from an external third-party org is embedded on the team in the lab thatâs running the evaluations, and is keeping an eye on everythingâŚ
Thereâs just lots of things here which weâve proposed and been open to, and itâs not like the companies are all banging down our door to do itâŚ
I think maybe people have a confusion about METR, and have been assuming that METR is a formal evaluator that has arrangements with all the companies to do evaluations for every model.
This is not the case. I wouldnât want to describe any of the things that weâve done thus far as actually providing meaningful oversight. Thereâs a bunch of constraints, including the stuff we were doing was under NDA, so we didnât have formal authorisation to alert anyone or say if we thought things were concerning.
So yeah, think of it much more as weâve been trying to prototype what this could look like. And because weâre a small nonprofit, itâs easier for us to be more nimble and try out different things, and lower stakes for the labs to engage with us. So weâve been excited about raising the bar on how good the oversight actually is.
And labs more want a âCan you promise that you will run an eval on all of our models when we want to, so that we can say weâve run an eval on them?â sort of thing. And thatâs not what weâre excited about, if we donât think that that proposed procedure is actually providing meaningfully more safety assurance than not.
Rob Wiblin: In general, people think that â at least within the scope of what youâre trying to accomplish â the evaluations that youâve created are very good. I havenât heard that many criticisms of them on the substance. And youâre saying the companies could come to you and say, âWe would love for you to run all these things on our models before they go out, and for you to play with it as much as possible in order to figure out how dangerous they are.â But they are not requesting that. Theyâre not actively making that easy for you.
Beth Barnes: I mean, we have gotten asks like that from a bunch of labs. I think the problem is that our goals are like prototyping and de-risking what could provide really good safety assurance.
So that includes better governance mechanisms, in that this actually feeds into decisions or at least is shared with the people who are making the decisions. And we have some carveout for being able to say we made a recommendation and the lab chose to not go with that recommendation, or that employees get to see what was shared with us so that they can check that it was accurate. So thereâs governance mechanisms that we could be improving on.
Thereâs the pre-scaleup or pre-internal deployment versus external deployment, where we think this specific time of external deployment is not that interesting; weâre much more interested in what are the best things you have internally and wanting to know that companies are not building arbitrarily powerful things internally.
Thereâs other stuff, just like quality of access and information shared about what agent scaffolding has this model been trained to use and can you share that with us? And a bunch of stuff that is very important to know to be able to elicit the full capabilities of models, things like can we see the chain of thought?
Rob Wiblin: I guess they would say to do things the way that you want is a lot of staff time, and theyâre sprinting all the time in order to try to keep up. Maybe they tend to play the cards very close to their chest, and this would involve sharing commercially sensitive information with you, so theyâre nervous about doing that or perhaps their lawyers at least are nervous about doing that.
Are there other things that they could say in their defence that have any reasonableness to them? Or to what extent would you think itâs fair versus maybe closer to being excuses?
Beth Barnes: Yeah, it definitely just is effort⌠The cost is more attention from more senior people at the company or something, I would guess, and thinking how much they want to really do. ⌠The things weâve proposed is like sharing with us anything thatâs not compartmentalised within the company. If your 1,000 employees already know this, three people at METR knowing an anonymised version of it is not really going to increase the surface area very much.
Or taking staff time on the inside: itâs a much smaller fraction of your staff time than it is of METR staff time.
Or spending 1% of the effort thatâs spent on the model on capabilities research on evaluations, or a few percent of that effort, would be enough to do this.
I donât know, thereâs stuff about token budgets and things. And OpenAI had their superalignment compute commitment, which was supposed to be much larger numbers than anything that we were asking for.
Rob Wiblin: Twenty percent of their commitment up to that point.
Beth Barnes: Right, 20% of the compute. So itâs not like weâre hitting those demands.
I think there are a bunch of things which are just technically and logistically challenging for them. If weâre just like, can the API please not be broken and not keep going down while weâre trying to use it? Itâs like, well, before itâs stabilised for public deployment, thereâll just be issues.
Rob Wiblin: Over the years, I think many people have gone into working at the various AI companies with the vision that one way theyâre going to be helpful is shifting the average beliefs of people who work at the companies. Maybe theyâll get a chance to talk to their colleagues and convince them that concerns about how AGI might go are more legitimate than they might think. I guess theyâre also just shifting the weight of opinion within the companies, and hopefully moving their culture in a positive, more cautious direction.
What do you think the track record of that is? Is that a reasonable approach for people to take going forward?
Beth Barnes: I basically think the track record of that particular theory of change looks pretty bad. I think if you just look at the history of people who tried to do that, thereâs just a lot of people giving up and leaving.
People have started at one lab trying to influence there, and then have kind of given up on that and left.
I think there are probably some people whoâve done this and itâs gone relatively well, but I think theyâre very much in the minority.
I think reasons it makes sense to go to a lab is if you think your comparative advantage is institutional politicking, and thatâs basically what you plan to do with most of your work. And if youâre very good at that, I think maybe you can do a better job.
Another reason is if you are going to be doing the implementation of safety things at that company. I think if youâre just sort of advancing alignment research generally, itâs better to be outside of a lab â because itâs easier to share it with everyone else and collaborate, and easier for other labs to onboard it if itâs not this thing from a competitor.
âŚ
Rob Wiblin: You said something a little bit spicy earlier, which is that you think possibly Redwood, with just a handful of people, is maybe producing about as much alignment research as all of the major companies put together. I assume thatâs not actually literally true, but⌠Maybe you do think itâs literally true?
What would the barriers be to the companies producing more alignment publications than they are? Itâs a little bit hard to understand, because the resourcing would be so uneven there.
Beth Barnes: Yeah. I may be biased in what Iâm exposed to, because Iâm just much more aware of the stuff that Redwood has done, but itâs just actually not implausible to me that that is the kind of current ratio.
So reasons companies are less productive: thereâs stuff we mentioned a bit before about maybe actually the infrastructure and speed at which youâre able to do research is slower. I think thereâs different incentives and pressure to do the thing that will unblock shipping the next generation model, rather than do the research thatâs most important in the longer run.
I think to some extent itâs just like too many people in the same place or something, where itâs just like a marginal person is less useful when you already have a tonne of people.
I think also maybe companies are more focused â this is similar to short termâ but itâs both short in terms of time horizon and locality. Theyâre just thinking about things at their own company, and not what is most important for the field as a whole, and how do we disseminate that and make it easy for other people to adopt.
And thereâs a bunch of barriers to publishing, and thatâs maybe a reason that some people have left, have been unhappy about not being able to publish their work enough.
Rob Wiblin: I see. Presumably theyâre a lot more cautious now about what they share and what they publish, and I imagine thereâs a lot of levels of review that stand between someone having some insight and it going out. I guess especially if itâs related to risks that the company might be creating, you can see a lot of people wanting to scrutinise that before itâs shared.
Beth Barnes: Yeah. The comms team in there editing the blog post, being like, âCan we make it sound a bit more optimistic here?â
Maybe another thing that I think is overrated, or I feel like sometimes people conflate alignment â in the sense of making sure the model is trying to do what we want, and not trying to do extremely bad things that we definitely donât want â with making the model better at following complicated instructions or other things that are more just like making the product better or enhancing the modelâs capabilities in the direction of following elaborate rules about what we want.
And I would just be more excited about progress thatâs progress on the problem when humans donât know which output is better, but the model knows a bunch of stuff about whatâs going on. That seems more useful than, âThe humans want the model to follow this complicated set of instructions, so we did the things to make the model better at following the complicated instructions, because otherwise it was forgetting that itâs supposed to also have this policy or something.â That doesnât feel like itâs making progress on the core problem.
Rob Wiblin: Is open weighting models in general good or bad, from your point of view?
Beth Barnes: This is something Iâve changed my mind on a fair amountâŚ
Originally I was like, this seems very dangerous if the problem is either that these things can be misused or that they can be dangerous even without a human trying to misuse them. It seems like you donât want them to be everywhere, and not be able to be like, âActually, this is a bad idea. Letâs undo that.â Itâs an irreversible action, and it opens up a lot more surface area for things to go wrong â if you think that, at least for some of the threat models, there might be a big offence/defence imbalance.
So I think if youâre trying to keep the risk very low, it really feels like you canât open source anything that capable. Because again, even with current models, it seems hard to rule out that with other advancements in scaffolding or fine-tuning or something, it would then become quite easy to make this model into something very dangerous.
Iâve shifted my perspective generally on how good it is to keep everything inside the labs. Sort of similar to the thing about, would you rather just the labs know about what capabilities are coming or would you rather that everyone knows?
I think in practice, the open source models have been used to do a bunch of really good safety work, and this has been important and good. And having a more healthy, independent, outside-of-companies field of research seems good both for the object-level safety progress you made, and for policymakers having some independent people they can ask â who actually understand whatâs going on, and are able to do experiments and things.
Also, in general, I have become more sceptical of some kind of lab exceptionalism. I think a lot of the companies have this, like, âWeâre the only responsible ones. Weâll just keep everything to ourselves, and the government will be too slow to notice, and everyone else is irresponsible.â I just think this becomes less plausible the more independent labs are saying this, and the less they actually respond to how responsible are the other actors. And if you trust the companies less, you want less of that.
I think itâs also one of those things where everyone always thinks that youâre the exception â âItâs fine, but weâll just actually be good and actually be responsible. We donât need oversight.â And sunlight is the best disinfectant. Oversight is really important, and security mindset and secrecy and locking things down can be bad.
Rob Wiblin: Seems like thereâs a reasonable amount to unpack there. The basic reason Iâve heard for why actually open sourcing has been better than perhaps people like me feared a few years ago is that itâs been an absolute boon for alignment and safety research, because it means external people donât have to actually go work at the labs â they can do things independently, which is really useful for all the reasons that weâve talked about, if they have access to basically frontier models outside of the companies.
And I guess separately from that, it sounds like youâre saying that the companies having a very secrecy-focused mindset, wanting to hold all of the information about the models within themselves, that thatâs a dangerous mentality. And maybe itâs actually helpful to have the weights open and things being used all over the place, so that people can see for themselves the chain of thought, for example, and modify the models and see what is possible if theyâre improved â things that wouldnât be possible if you only accessed it through an API thatâs highly limited.
Beth Barnes: I think thereâs also a point about maybe you just think some of the companies are bad actors, or there are people at them who would be bad actors, and you would prefer that the rest of the world also has access to the techâŚ
I think the case for certain types of transparency and openness is much stronger than the case for specifically open sourcing weights. But I do think the open sourcing thus far feels pretty clearly net positive, just because of the impact on safety research. I do think you would have thought that it ought to be harder to argue that weâre in an arms race if people are open sourcing the models. But somehow this doesnât seem to have stopped anyone.
Rob Wiblin: Never let common sense get in the way of the narrative that you would like to spin for your commercial interest! Just to clarify, youâre talking about the release of DeepSeek R1, which is this super weapon that the Chinese developed and then immediately gave to us for free, in exchange for nothing. It really shows that weâre in a very intense arms race with the Chinese to I guess give one another our greatest technology.
Beth Barnes: [laughs] Yeah.
Rob Wiblin: It is extraordinary that that did not preclude the arms race narrative. I guess you could say that maybe this shows that they will be able to make something in future that they wonât share with us. But youâd really think literally giving away your weapons designs would be definitely an olive branch to your enemy.
Beth Barnes: You would have thought.
I opened this forum post expecting to see the graph â here it is, for ease of reference:Â
Description from the paper: