
As part of a larger community building effort, CAIS is writing a safety newsletter that is designed to cover empirical safety research and be palatable to the broader machine learning research community. You can subscribe here or follow the newsletter on Twitter here.


Welcome to the 8th issue of the ML Safety Newsletter! In this edition, we cover:

  • Isolating the specific mechanism that GPT-2 uses to identify the indirect object in a sentence
  • When maximum softmax probability is optimal
  • How law can inform specification for AI systems
  • Using language models to find a group consensus
  • Scaling laws for proxy gaming
  • An adversarial attack on adaptive models
  • How systems safety can be applied to ML
  • And much more...

Monitoring

A Circuit for Indirect Object Identification in GPT-2 small


One subset of interpretability is mechanistic interpretability: understanding how models perform functions down to the level of particular parameters. Those working on this agenda believe that by learning how small parts of a network function, they may eventually be able to rigorously understand how the network implements high-level computations.

This paper tries to identify how GPT-2 small solves indirect object identification, the task of identifying the correct indirect object to complete a sentence with. Using a number of interpretability techniques, the authors seek to isolate particular parts of the network that are responsible for this behavior.

[Link] 

Learning to Reject Meets OOD Detection

Both learning to reject (also called error detection; deciding whether a sample is likely to be misclassified) and out-of-distribution detection share the same baseline: maximum softmax probability. MSP has been outperformed by other methods in OOD detection, but never in learning to reject, and it is mathematically provable that it is optimal for learning to reject. This paper shows that it isn’t optimal for OOD detection, and identifies specific circumstances in which it can be outperformed. This theoretical result is a good confirmation of the existing empirical results.
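To make the shared baseline concrete, here is an added example (not from the paper) that computes MSP from a small set of constructed 3-class logits and uses the same score both ways: ranking in-distribution samples for rejection (selective accuracy at a given coverage) and separating in-distribution from OOD inputs (AUROC). All logits and labels are made up for illustration.

```python
import math

# Constructed example: in-distribution (ID) logits with labels, plus a few
# OOD logits, for a 3-class classifier. Values are made up for illustration.
ID_LOGITS = [[4.0, 0.0, 0.0], [0.0, 3.0, 0.0], [0.0, 0.0, 2.5],
             [0.3, 0.2, 0.0], [1.0, 0.9, 0.0], [0.5, 0.0, 0.6]]
ID_LABELS = [0, 1, 2, 2, 1, 2]
OOD_LOGITS = [[2.0, 0.0, 0.0], [0.1, 0.0, 0.2], [0.5, 0.4, 0.3]]

def softmax(logits):
    m = max(logits)  # shift by the max for numerical stability
    exps = [math.exp(z - m) for z in logits]
    s = sum(exps)
    return [e / s for e in exps]

def msp(logits):
    """Maximum softmax probability: the baseline score for both tasks."""
    return max(softmax(logits))

def predict(logits):
    return max(range(len(logits)), key=lambda i: logits[i])

def selective_accuracy(logits, labels, coverage):
    """Learning to reject: keep the `coverage` fraction of samples with the
    highest MSP and report accuracy on the kept samples only."""
    order = sorted(range(len(logits)), key=lambda i: msp(logits[i]), reverse=True)
    keep = order[:max(1, round(coverage * len(logits)))]
    correct = sum(predict(logits[i]) == labels[i] for i in keep)
    return correct / len(keep)

def ood_auroc(id_logits, ood_logits):
    """OOD detection: AUROC of MSP as an ID-vs-OOD score, computed as the
    fraction of (ID, OOD) pairs ranked correctly (ties count as half)."""
    id_s = [msp(l) for l in id_logits]
    ood_s = [msp(l) for l in ood_logits]
    wins = 0.0
    for a in id_s:
        for b in ood_s:
            wins += 1.0 if a > b else 0.5 if a == b else 0.0
    return wins / (len(id_s) * len(ood_s))

if __name__ == "__main__":
    for c in (1.0, 2 / 3, 0.5):
        acc = selective_accuracy(ID_LOGITS, ID_LABELS, c)
        print(f"coverage {c:.2f}: selective accuracy {acc:.3f}")
    print(f"MSP OOD AUROC: {ood_auroc(ID_LOGITS, OOD_LOGITS):.3f}")
```

On the constructed data, rejecting the lowest-MSP third removes both misclassified samples, while one OOD input with a confident logit vector still scores above the weakest ID samples, which is the kind of failure the paper's result anticipates.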

[Link] 

Other Monitoring News

[Link] The first paper that successfully applies feature visualization techniques to Vision Transformers.

[Link] This method uses the reconstruction loss of diffusion models to create a new SOTA method for out-of-distribution detection in images.

[Link] A new Trojan attack on code generation models works by inserting poisoned code into docstrings rather than the code itself, evading some vulnerability-removal techniques.

[Link] This paper shows that fine-tuning language models for particular tasks relies on changing only a very small subset of parameters. The authors show that as few as 0.01% of parameters can be “grafted” onto the original network and achieve performance that is nearly as high.


Alignment

Applying Law to AI Alignment

One problem in alignment is specification: though we may give AI systems instructions, we cannot possibly specify what they should do in all circumstances. Thus, we have to consider how our specifications will generalize in fuzzy, or out-of-distribution contexts.

The author of this paper argues that law has many desirable properties that may make it useful in informing specification. For example, the law often uses “standards”: relatively vague instructions (e.g. “act with reasonable caution at railroad crossings”; in contrast to rules like “do not exceed 30 miles per hour”) whose specifics have been developed through years of precedent. In the law, it is often necessary to consider the “spirit” behind these standards, which is exactly what we want AI systems to be able to do. This paper argues that AI systems could be construed under the fiduciary standard.


Finally, the paper conducts an empirical study on thousands of US court opinions. It finds that while the baseline GPT-3 model is unable to accurately predict court evaluations of fiduciary duty, more recent models in the GPT-3.5 series can do so with relatively high accuracy. Though legal standards will not resolve many of the most significant problems of alignment, they could improve upon current strategies of specification.

[Link]

Language models can generate consensus statements for diverse groups


We may want to take into account the interests not only of individuals but also of possibly-conflicting members of a larger group. This paper asked individuals for their opinions on political issues (e.g., “should speed limits be reduced?”) and used a language model to generate consensus statements that would be agreed on by the group at large. The participants rated AI-generated consensus statements highly, above even human-written statements. The authors don’t appear to discuss whether this could simply be due to the consensus statements being more watered down and thus less action-relevant. Still, the paper is a promising step towards aligning models with groups of humans.

[Link]


Robustness

Scaling laws for reward overoptimization

Reinforcement learning techniques, such as those used to improve the general capabilities of language models, often optimize a model to give outputs that are rated highly by a proxy for some “gold standard.” For example, a proxy might be trained to predict how particular humans would react to an output. A difficulty, also mentioned earlier in the newsletter, is proxy gaming, where the model improves performance according to the proxy while failing to do so on the underlying gold standard (e.g., what humans would actually think).

This paper empirically studies how language models trained with reinforcement learning can over-optimize a proxy reward, and develops scaling laws describing this phenomenon. To do this, the authors use one reward model as a synthetic gold standard and build a set of proxy reward models that approximate it. In addition to measuring models optimized with reinforcement learning, they find that over-optimization also occurs with best-of-n sampling.
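The best-of-n form of over-optimization is easy to reproduce in miniature. The following added example (a constructed toy, not the paper's models or data) builds a reward landscape in which a proxy rewards a spurious feature that the gold reward penalises at extremes, then sweeps n and reports the proxy reward, the gold reward, and the closed-form KL divergence of best-of-n from the base policy (log n minus (n-1)/n) that the paper uses as its x-axis.

```python
import math
import random

# Constructed toy landscape (not from the paper). Each sample has a genuine
# quality feature q and a spurious feature s (think verbosity, as a deviation
# from the training-distribution mean). The gold reward pays for q and
# penalises extreme s; the learned proxy rewards s linearly, so optimising
# hard against the proxy drives s to extremes and gold reward falls.
def gold_reward(q, s):
    return q - s * s

def proxy_reward(q, s):
    return q + s

def best_of_n(n, rng):
    """Draw n samples from the base policy (both features standard normal)
    and return the one with the highest proxy reward."""
    samples = [(rng.gauss(0, 1), rng.gauss(0, 1)) for _ in range(n)]
    return max(samples, key=lambda qs: proxy_reward(*qs))

def bon_kl(n):
    """KL divergence of the best-of-n policy from the base policy,
    log n - (n - 1) / n, the closed form the paper uses for best-of-n."""
    return math.log(n) - (n - 1) / n

def sweep(ns=(1, 2, 4, 8, 16, 64), trials=4000, seed=0):
    """Average proxy and gold reward of best-of-n selections for each n."""
    rng = random.Random(seed)  # fixed seed so the sweep is reproducible
    rows = []
    for n in ns:
        picks = [best_of_n(n, rng) for _ in range(trials)]
        rows.append({
            "n": n,
            "kl": bon_kl(n),
            "proxy": sum(proxy_reward(*p) for p in picks) / trials,
            "gold": sum(gold_reward(*p) for p in picks) / trials,
        })
    return rows

if __name__ == "__main__":
    print(f"{'n':>3} {'KL':>6} {'proxy':>7} {'gold':>7}")
    for r in sweep():
        print(f"{r['n']:>3} {r['kl']:6.3f} {r['proxy']:7.3f} {r['gold']:7.3f}")
```

Proxy reward rises monotonically with n, while gold reward improves for small n and then declines as the selection is dominated by samples with extreme s; this is the qualitative shape the paper's scaling laws describe, not a fit of its coefficients.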

[Link]

Adaptive models can be exploited by adversaries

Many deep learning models aren’t robust to distribution shifts. One potential solution to this is test-time adaptation (TTA), where a model is modified based on the test data it sees. This paper demonstrates that TTA is subject to adversarial attacks, where malicious test data can cause predictions about clean data to be incorrect. This means that adaptive models have yet another attack surface that can potentially be exploited. The authors develop several kinds of attacks: targeted (degrade accuracy on a particular sample), indiscriminate (degrade accuracy in general), and “stealthy targeted” (degrade accuracy on a particular sample while not otherwise reducing accuracy). The attacks are conducted with projected gradient descent, and tested with the ImageNet-C dataset as the OOD dataset. The authors also find that models designed to be adversarially robust are more robust to this attack.

[Link]

Other Robustness News

[Link] Better diffusion models can improve adversarial training when used to generate data.

[Link] Proposes a method for adapting RL policies to environments with random shocks, augmenting training with simulations of the post-shock environment.

Systemic Safety

Applying Systems Safety to ML

Systems safety engineering is widely used for safety analysis in many industries. The impetus for this discipline was the understanding that safety does not merely depend on the performance or reliability of individual components (e.g., ML models), but may also depend on assuring the safe interoperation of multiple systems or components (including human systems such as corporations). This paper advocates the use of systems safety engineering methods for analyzing the safety of machine learning models.

[Link]

Other Systemic Safety News

[Link] This paper proposes methods to “immunize” images against manipulation by diffusion models, potentially reducing the risk of the models being used for disinformation.

Other Content

[Link] The ML Safety course

If you are interested in learning about cutting-edge ML Safety research in a more comprehensive way, there is now a course with lecture videos, written assignments, and programming assignments. It covers technical topics in Alignment, Monitoring, Robustness, and Systemic Safety.

[Link] ML Safety Reddit

The ML Safety Reddit is frequently updated to include the latest papers in the field.

[Link] Top of ML Safety Twitter

This Twitter account tweets out papers posted on the ML Safety Reddit.
