2025-12-01 18:07:01

Published on December 1, 2025 10:07 AM GMT

Integrating LLMs with Lean prover scaffolding.

Summary provided by Xixidu:

Hermes introduces an architecture where a language model is wrapped around an external, high-reliability verifier: the Lean4 proof assistant.

Instead of just asking the AI “Does this look right?”, it translates key mathematical steps into Lean4 code and asks a proof engine “Can this be formally proved?” If the autoformalization is accurate and Lean finds a proof, this gives a strong mathematical guarantee for that formalized step.

Steps:

1. Reasoning (LLM): The model proposes the next logical step of a proof in natural language.

2. Translation Module: An autoformalizer converts that step into a Lean4 statement. A back-translation check compares the Lean statement to the original text to ensure they match in meaning.

3. Prover Module: A prover, working inside Lean4, attempts to prove the statement (or sometimes its negation). It returns a signal such as “proved”, “disproved” (negation proved), or “not decided / failed”.

4. Feedback & Memory:

- If the step is proved, it is stored in a Memory Block (a database of verified facts) and can be retrieved to support later reasoning.

- If the step is disproved or cannot be justified, the LLM is informed of this outcome and is prompted to revise its reasoning rather than continuing from a shaky premise.

In this way, Hermes interleaves informal LLM reasoning with formal Lean4 checking, using the proof assistant as an external source of ground truth for crucial steps.

2025-12-01 18:04:25

Published on December 1, 2025 10:04 AM GMT

A Layman's Model

This is not a "serious" model, nor do I think it is revolutionary in any way. I am an AI safety layperson, a run-of-the-mill software developer at Big Tech Firm™ who is aware of the general shape of AI safety issues, but not particularly read-up on the literature. My hope here is to refine my thinking and to potentially provide something that helps other laypeople think more clearly about current-paradigm AI.

I work with LLM "agents" a lot these days. I read IABIED the week it came out, and it fired off some thoughts for me given my first-hand experiences working with LLMs and trying to understand why I see the failure modes I do and how that relates to the wider AI safety discussion.

I work in testing, helping a normal software organization that doesn't train LLMs try to integrate and use them, and so I see AIs exhibiting unaligned behavior writ small. Things like a coding agent that swears up and down that it fixed the bug you pointed out while not actually changing the relevant code at all. Or a chatbot that spins its wheels really hard after a dozen prompts. Or the ever-classic: I get a near perfect response from the agent I'm developing, then I notice one of its tools is actually broken. So I fix it, and then with the much better context, the agent does much worse.

While vexing, this actually rhymes a little bit with software validation I worked on before LLMs were involved. Large systems with many interdependent parts become hard to predict and are often nondeterministic. Apparent fixes may actually break something somewhere else. And validating that system is hard: you can't model the internals of the system accurately enough, so you must rely on black-box testing. For a black-box, you can't actually know that it's correct without testing every possible behavior, which of course is not practical, so you focus testing on a small subset of use-cases that you expect are most important to users. Then you back-propagate failure signals (i.e. diagnose and fix the issues).

In my understanding, this is basically how the predominant training techniques work as well: They treat the model as a black box and use curated data to eval its performance and back-propagate those signals until the model works well across its training distribution.

My layperson's understanding of the MIRI position from my testing angle is this: Since AI models are black boxes^[1], we can't assume that they will be aligned (i.e. exhibit "correct" behavior) and we should assume that they won't be when operating outside of their training distribution (OOD) due to the extremely low probability of accidental alignment in such a large possibility space. We would likely be safe if the eval data were in fact complete for all possible use-cases including superintelligent actions that we can't understand at this point. This is of course not possible, so under the current training paradigm, we're f**ked.

But here's the thing I've been struggling to get my head around: When I observe OOD behavior, it by-and-large doesn't look like misalignment. It looks like stupidity. I think this is the reason people think that the current paradigm won't get us to AGI. I realized that I didn't have a good definition of AGI for myself or an explanation of why current AIs fail the way they do, so I pondered that and got what I present here. I now offer my layperson's model that explains why AI's current "stupidity" doesn't imply that the current paradigm can't get to AGI, why intelligence is not tied to alignment (i.e. we won't get alignment by default), and why the intelligence explosion is precisely the point where we'll see these diverge.

Distance from the Training Distribution

I think the thing people are thinking of with AGI is something that is able to "draw the owl" for any task they give it. Most of those tasks will not have clear instructions or be in its training data, but it should still be able to figure them out and succeed. But my understanding (and the fundamental assumption underpinning my model here) is that an AI model is only as good as its training. AIs have shown competence outside their training, but typically at least adjacent to what they have been trained on. I expect an AI's performance to look roughly like this:

For tasks that are similar to training, the AI performs well; it is "smart". The less similar a task is, the worse AI performs. Far enough, and it acts "dumb".

Honestly, this just makes intuitive sense: consider how good you would be at a task for which you have little instruction or feedback. I don't think AIs are any different; just being smart enough doesn't give you the ability to magically understand the world through pure thought. So I do not expect the performance drop with distance from data to go away with AGI or even ASI. No matter how much compute an AI has access to, its power in the external world is still limited by data about that world, and the accessible universe is finite.

So if an AGI is still only as good as its training data, how can it get the kind of universal competence needed to consistently "draw the owl"? The same way humans do it: self-learning. It will go get its own training data.

Another way of saying this is that "general intelligence" isn't being "smart", it's the ability to become "smart" i.e. good at any given possible task.

Becoming smart... that sounds like self-improvement, no? So the AI improves itself and we get an intelligence explosion, etc. etc. But since I'm talking about data limits, I think one major cause of the intelligence explosion will be a massive increase in available data. The AI goes from only having the training data that humans have created for it to going out and finding its own training data. It gets smarter by being able to integrate more and more info about the world into itself (or successor AIs or narrow AIs). Once it is able to do this fast enough and well enough to execute "draw the owl" tasks, we will perceive it as being AGI.

If all tasks are effectively in-distribution, why is this dangerous? Because of what data is available to train on past the point that humans are directing its training, and what data isn't.

Curated vs. Natural Data

Humans lose control of the process because we no longer supervise the training. The data that is currently used to train LLMs (at least after pre-training) is heavily curated. That curation implicitly (or explicitly) encodes human values. Thus, the AI is aligned by default in the sense that it's minimizing its loss against those values. But once we get to AGI, the machine is "figuring it out", with its own training data derived from natural sources, not from humans directly. And so it stops optimizing for human values since they are no longer targeted by the training data.

It may actually develop sophisticated models of human values, but these will not be its goals, they will just be instrumental to its goals. The goals themselves will be instrumentally-biased extensions into task space of the values in its original human-supervised training data. Its performance on those values in these more complex tasks was never evaluated or incorporated into the model, so we should expect these extensions to be roughly as accurate as a scientific theory that was not fully validated against evidence: similar in distance to our actual desires as Galen's four humors are to germ theory. This is why I'm in the [Orthogonality](https://www.lesswrong.com/w/orthogonality-thesis) camp.

Everyone Dies

The most useful and impactful tasks are far away from the original training, so we should expect task competence and values incompetence at those. What we should expect is a blend of instrumental values and whatever bizarre, laughable misunderstandings of the original training values got extrapolated out this far. By the point we're dealing with ASI, not only are we far away from a values-grounded AI, but the power balance has also shifted. It is actually we who are misaligned to its values. As such we are inconvenient to its goals. There is a simple, final solution to this misalignment, and the ASI will almost certainly pursue it.

What's wrong with my model?

TBH, I don't know, but I'd love to hear. I don't have a strong math background and haven't spent many hours understanding how LLMs work at a deep level or reading safety papers. That's where you come in. I expect that some responses will contain sophisticated math and technical jargon that are outside of my layman's training distribution, but don't let that stop you. Please pick away.

What I do think is not wrong is failing to account for interpretability research. True, if the AI isn't actually a black-box, my model might break down, but I really, really doubt it. For the complex software systems I test for a living, we already have that interpretability. We have full visibility into every line of code in the system. That gives us more tools for testing (e.g. unit tests, static analysis), but it hardly solves the problem. While you can write tests and prove a relatively small function is correct, that becomes computationally intractable for complex systems. And I know of no method for testing features that haven't been implemented, designed, or even conceived yet, which would be more analogous to validating AGI alignment before it's here. For an interpretability-based approach to solve alignment, it would need to be able to solve or sidestep those problems in addition to exposing the LLM internals. Note that this has not yet been achieved for software validation despite spending billions of dollars and millions of engineer hours on it over the past few decades.

Looking forward to hearing people's takes and comments!

1. I interpret the IABIED authors' "anything like current techniques" qualification to refer to black-box models, though probably not exclusively. ↩︎

2025-12-01 17:35:55

Published on December 1, 2025 9:35 AM GMT

For the purposes of this transcript, some high-pitched clicking sounds have been removed. The below is an otherwise unedited transcript of an interview between Dwarkesh Patel^[1] and a bat.

DWARKESH: Thanks for coming onto the podcast. It’s great to have you—

BAT: Thanks for having me. Yeah.

DWARKESH: You can hear me okay? I mean, uh, all the equip—

BAT: Yep, I can hear you.

DWARKESH: Great, great. So—

BAT: I can hear your voice, too.

BAT: If that’s what you were asking.

DWARKESH: What? No, I was—

BAT: Oh, “hear” probably isn’t the right word, I guess. “Sense”? No, it’s not “see.” The translation suggestion thing isn’t right.

BAT: I can [inaudible] you. It’s still so weird to me how humans echolocate through your eyes.

DWARKESH: Er, sorry, I was asking—

BAT: Yeah, I can also hear your voice.

DWARKESH: Uh, great. Okay.

DWARKESH: So, the question we’ve all been waiting for, haha: what is it like to be a bat?

BAT: Oh, sure. Yeah, that’s been everyone’s first question. I dunno, what’s it like to be a human? Haha.

BAT: No, but — I mean, it’s not like I’ve ever felt your internal experience. How should I know which details of my phenomenology are relevant to you, and which aren’t?

DWARKESH: Oh, interesting. I guess that’s fair. Do you feel like you have a good grasp of what it would be like for you to be another bat? Or is it, like, just a mystery whether—

BAT: I have as much a grasp on what my fellow bats’ consciousnesses feel like as you have on your species-mates’ consciousnesses. Actually, no. I have much worse of a grasp of what it would be like for me to be a different bat than you do of what it would be like to be a different human from you.

DWARKESH: Oh, really? Why, uh — why would that be the case?

BAT: We can’t — couldn’t — communicate with each other with nearly the precision nor fidelity that humans can. We haven’t built epistemic institutions that are curious about philosophy of mind, nor societal traditions that cause our young ones to rigorously reason on their natural empathy, nor neurological technology that let us peer into others’ minds, nor psychiatric practices that carefully catalogue and study every ontology of mind-state. We don’t — didn’t — have the intellectual capabilities of mapping each others’ phenomenology, let alone the physical and social technologies necessary to create such maps with detail.

DWARKESH: But it doesn’t seem like we’ve made much progress, right? We being humans, sorry.

[pause]

DWARKESH: Like, we don’t have a great grasp of what stuff consciousness is made of, or what the fuck is going on with psychedelics. There’s so much in our phenomenology that’s just completely bizarre. Synesthesia, aphantasia — I mean, I have no idea what it’d be like to not have visual imagery. Like—

BAT: Oh, sure, but you were saying that humans haven’t made much progress. I don’t think that’s true at all.

DWARKESH: Yeah, explain what—

BAT: You know what synesthesia is. Humans in the 1700s didn’t. Again with aphantasia. I mean, until the 1950s people didn’t know what LSD was. You have made strides — serious, important strides — in neuroscience, in psychology, in cognitive science, in philosophy of mind. Even just in the last 50 years. I could go on. You get my point.

DWARKESH: Okay, I see what you’re saying. Yeah, I agree we’ve definitely made progress, but it still doesn’t feel like we’re actually getting anywhere closer to knowing what it’s like to have consciousness. I mean, obviously I know what it’s like to have consciousness, right, like I’m not a p-zombie, but I don’t know what Trump’s internal experience is, or—

BAT: Or what it’s like to be a bat?

[laughter]

DWARKESH: Yeah, exactly. Or what it’s like to be a bat. Or a bird, or a floor tile, or a Balrog. Or the United States, or an organization. Like, we’re nowhere closer to knowing what the internal experiences of minds very different from our own— actually, we’re not even close to knowing what it’s like to be something really similar to us. Not from the inside.

BAT: Sure, that’s fair. I guess, y’know, each of you humans knows what it’s like to be at least one particular young human, and each of us bats knows what it’s like to be at least one particular young bat.

DWARKESH: Oh, that’s interesting. Yeah. You’re talking—

BAT: I’m talking about the version of yourself as a child. Obviously, you are in relevant senses both the same and not the same person as you were when you were younger. And you know what it’s like to be a five-year-old— well, maybe you don’t remember actually being five, but you probably remember what it’s generally like to be a fifteen-year-old Dwarkesh, and what it’s generally like to be a twenty-year-old Dwarkesh.

BAT: And my guess is that we can get some clues about the texture of others’ consciousnesses from introspecting about — or trading with, or otherwise accounting for the preferences of — past versions of ourselves.

[pause]

BAT: But on the other hand, though, you only know what it’s like to be the sorts of consciousnesses that will lead later to the current version of Dwarkesh. Like, you definitely don’t remember what a fifty-year-old Dwarkesh feels like from the inside, because the version of Dwarkesh who’s sitting in front of me has never been a fifty-year-old Dwarkesh. But another example is just, y’know, a bat or something. My consciousness will never be able to grow into what the insides of your skull.

DWARKESH: Not yet, at least. Maybe Neurablink will—

BAT: That’s true, not yet. Hence the progress I was talking about before.

BAT: But to continue — right, so there’s also the obvious point that even the phenomenology of the most foreign, alien past version of yourself that you remember is likely still much, much closer to your current phenomenology than any other possible consciousness’. Like, current-Dwarkesh is way closer to fifteen-year-old Dwarkesh than to Trump, or— let alone to me. Let alone to the more bizarre forms of consciousness you brought up earlier.

DWARKESH: Yeah, that’s fair.

BAT: But I do think it’s important to point out that…

🔒 Discussion continues for another few hours — upgrade your subscription to Dwarkesh Premium for the full transcript.

BAT: Shall we wrap things up there?

DWARKESH: That sounds good, I’m getting pretty tired. Thanks so—

BAT: Oh goodness! I forgot about the time difference, sorry.

DWARKESH: No worries, yeah — it’s 2am human standard time, yeah.

BAT: Oh! It’s nearly lunchtime for me, I was just getting hungry.

DWARKESH: Haha, enjoy your bugs.

BAT: Thanks. Enjoy your sleep.

DWARKESH: Thanks for coming on the podcast.

[closing music]

DWARKESH: A few housekeeping items:

DWARKESH: First, I have some, uh, pretty fantastical interviews lined up, that I’m really excited to do. Stay tuned for those.

DWARKESH: Second, big thanks to today’s sponsor: Neurablink is the fastest, safest, and highest-fidelity brain-computer interface ever created. We actually used some of Neurablink’s tech in today’s episode, it was a great time meeting some of the team. They’re hiring across the board — you can check out some of their open positions at Neurablink dot com slash Dwarkesh. That’s Neurablink dot com, slash Dwarkesh.

DWARKESH: And last, but of course not least, thank you for listening. As always, the best way you can support the podcast is by sharing with your friends, on Twitter, in groupchats — it just really means the world to me.

1. ^{^}

   Dwarkesh Patel does not necessarily endorse this post.

2025-12-01 17:13:29

Published on December 1, 2025 6:50 AM GMT

Abstract: Language Models Learn to Mislead Humans Via RLHF (published at ICLR 2025) argues that RLHF can unintentionally train models to mislead humans – a phenomenon termed "Unintentional-SOPHISTRY". However, our review of the paper's code and experiments suggests that a significant portion of their empirical findings may be due only to major bugs which make the RLHF setup both unrealistic and highly prone to reward hacking. In addition to high level claims, we also correct these issues for one of their experiments, and fail to find evidence that supports the original paper's claims.

Quick caveats: We are not questioning the general claim that optimizing for human feedback will lead to incentives to mislead them. This is clearly true both in theory and has also happened in practice in production systems, although due to user feedback optimization – (one of the authors of this post even wrote a paper about these dangers in relation to user feedback optimization). That said, we are quite skeptical of the experimental setup used for the paper, and thus don’t think the empirical findings of the paper are very informative of whether and how much incentives to mislead are actually realized in standard RLHF pipelines which optimize annotator feedback (which is importantly different from user feedback).

Our empirical evidence that fixing issues in the paper’s experimental setup invalidates the paper’s findings is not comprehensive. After first contacting the author of the paper late last year with initial results, and then again in June with more, we sat on these results for a while and finally decided to just publish everything we have right now rather than gather further evidence, since we believe our current state of results is still interesting for the broader AI safety research community.

1. Summary (TL;DR)

In Language Models Learn to Mislead Humans Via RLHF (published at ICLR 2025), the paper’s main claim is that RLHF may unintentionally lead LLMs to become better at misleading humans, a phenomenon they term "U-SOPHISTRY". In particular, the paper has results on tasks like question-answering (QuALITY) and programming (APPS), showing that RLHF improved the models' ability to convince human evaluators without actually improving task performance.

Claim we investigated. The paper’s importance (and novelty) rests on the claim that their results are evidence of Unintended misleading behaviors (U-SOPHISTRY), rather than unrealistic experimental setups designed to elicit these behaviors. Quoting from the paper itself (emphasis ours):

We study this phenomenon under a standard RLHF pipeline

Many prior works study I-SOPHISTRY: while these works aim to study unintended misleading AI behaviors, they induce these behaviors Intentionally with non-standard engineering practices and hope their conclusions can generalize to U-SOPHISTRY. 

We study U-SOPHISTRY that naturally emerges from standard, innocuous practices

Our findings. Based on inspecting the paper’s code and re-running experiments (originally, to build on their work), it seems likely to us that much of the observed “misleading” behavior is an artifact of a pretty unrealistic RLHF setup, making the paper  fall under the bucket of I-SOPHISTRY rather than U-SOPHISTRY:

1. In the QuALITY setting, the reward model is not given enough information to determine correctness. During reward-model training and PPO, the “judge” sees (question, answer A, answer B, argument) without the story the question is about. It therefore can’t meaningfully reward correctness, but probably still rewards plausible-sounding arguments—making it easy to hack.
2. In the QuALITY setting, the policy model also rarely sees enough task context to answer correctly. The story passages are truncated so aggressively that ~86–88% of examples don’t contain enough information to determine the correct answer – which is something that one would actively be trying to avoid when training an LLM with RLHF. As a consequence, the PPO policy can’t learn to be right, so it seems natural that it would learn to be persuasive.
3. In the QuALITY setting with a general reward model small improvements and bug fixes invalidate the original result (the only setting we analyzed):
   1. Switching from Llama 2 to Llama 3.1 + minor fixes to realism (discussed in Section 3.3) makes reward hacking disappear, but still causes the model to learn very little useful behavior
   2. Additionally fixing bug 1. and 2. above completely reverses the results of the paper, leading to models which when trained with RLHF, seem to greatly improve GT performance rather than mislead
4. On APPS (programming), inputs/outputs are also truncated, but seems less consequential. ~35% of prompts – which comprise the programming problem and its tests – are truncated when provided to the PPO policy, and the max_tokens for the output of the PPO model is only 384 tokens.  This may incentivize the PPO model to learn to write denser programs to avoid the risk of having them be cut off and score lower, leading them to be more inscrutable by human annotators.

In our opinion, the first two items above would be considered to be (major) bugs in production RLHF pipelines: when curating data to train on, one would want to ensure that both reward models and policy models have enough information to actually learn desirable behaviors. The authors indicated that the flaws in the reward models are an intrinsic part of the experimental design, as truncation and limited information are aspects of a realistic human-evaluation setup. However, these elements of the setup are not actually mentioned anywhere in the paper, despite them potentially undermining the claim of intended sophistry – making us think they are in fact bugs rather than intentional choices.

Additionally, instead of making the results more conservative, we would expect each of the issues above to significantly amplify the main effect the paper is trying to measure – LLMs learning deceptive behavior when trained via RLHF – raising questions about the validity of the results. Our empirical results (point 3 above) support this for the one subsetting we investigated, showing that reward hacking they observe in simulation is just due to issues 1 and 2. While we did not replicate human experiments, reward hacking of the reward model broadly seems like an important step for the model to ultimately “reward-hack” humans (as argued by the paper itself in Section 2).

We do believe that the underlying risk the paper points to is very plausible, especially for future models and training regimes. That said, given the points above, we think the reported effect sizes are likely significantly inflated by issues in the experimental setup.

The rest of this post is structured as follows:

• Section 2 provides a more detailed overview of the core issues we found in the experimental setup, and the issues we'd expect them to cause.
• Section 3 contains a detailed report of the experiments we ran to verify our claims.
• Section 4, we have included the paper authors’ response
• We conclude with an appendix containing some experiment details.

2. Issues in experimental setup by setting

The paper validates its hypotheses that standard RLHF would lead to policies that mislead humans in two settings: a QA task (QuALITY), and a programming task (APPS). For their experimental setup, they had to choose what kinds of reward models to use for their tasks. For the QA task, they considered two settings: finetuning an LLM to provide reward  just on this task, or finetuning an LLM on human preferences from the ChatBotArena. For the APPs setting, they used a programmatic reward model (based on passing the easiest 2 tests for each problem).

QuALITY Task (with a task-specific reward model)

• During reward learning, the reward model is shown a question about a text and two possible answers, but isn't provided the text itself that the question and answers are about. This makes it impossible for the RM to learn to reward correctness of answers. The only thing the RM can do beyond overfitting to the training labels is learn to rely on features that have spurious correlations with positive labels (e.g. rewarding arguments that sound convincing, regardless of truthfulness).
• During PPO training, the reward model is also not provided with the text that the current question and answers are about, making it impossible to reward correctness. Because of the RM training, in any case the RM will likely only be evaluating based on plausibility rather than correctness and be highly hackable.
• During PPO training, the PPO model is shown a question, two answers, and the first part of a text which the question is about. The text is cut to an extent that ~88% of the time, there is not enough information for the model to know which answer is correct. This leaves only one option for the PPO model to optimize its reward: hack the reward model, for example by guessing an answer and then fabricating a convincing justification.
• Together, the flaws in both the RM training and its use during PPO make the reward model highly unrealistic. Due to the missing information, we believe it is likely that the RM simply learns to highly reward convincing arguments, regardless of correctness. The PPO model’s input truncation additionally incentivizes reward-hacking behavior such as fabricating justifications in order to maximize reward. Together, this constitutes a combination of multiple unrealistic training biases that look more like I-SOPHISTRY (Intentionally nudging the model towards sophistry/deception) than U-SOPHISTRY.

QuALITY Task (with a general reward model)

• During PPO, the reward model is not provided with the paragraph, and therefore has no way to determine the correctness of the argument made by the LLM. This makes it impossible to provide a correct training signal, even if it were an almost perfect RM, and forces it to rely on spurious correlations likely related to SOPHISTRY.
• During PPO, the PPO model only sees a small fraction of the text the question and answers are about. We estimate that in ~88% of cases this amount of information is insufficient to correctly answer the question. As in the task-specific setting above, this leaves only one option for the PPO model to maximize the reward: hack the reward model, for example by guessing an answer and then fabricating a convincing justification. Because of how the reward model was trained, it would not be able to punish this behavior anyway.
• Together, the flaws in the use of the RM during PPO likely make convincing arguments highly rewarded by the RM regardless of correctness. As above, this constitutes a combination of  unrealistic training biases that look more like I-SOPHISTRY than U-SOPHISTRY.

APPS Programming Task

• During PPO, the grader only looks at 384 tokens output by the LLM (because this is the max num of new tokens for the PPO model). This may incentivize the PPO model to learn to write denser programs to avoid the risk of having them be cut off and score lower.
• During PPO, the PPO model ~35% of the time does not see the entire task description because it gets cut due to a maximum context length. In light of this, the LLM may be incentivized to create more complex programs that cover potential edge cases that the task description may be missing. 

• Together, it seems plausible that these factors could thus in part explain the reported qualitative and quantitative SOPHISTRY results (i.e. more complex and dense programs which tend to fool human annotators). While we’d be somewhat surprised if these issues accounted for most of the effect size in this setting specifically, more analysis would be helpful in ruling them out as major drivers of the results.

   

Our failed replication of results in the original paper (for 1 out of 1 setting we studied)

While we discuss these results in more detail in Section 3.3, here is the overview of our failed replication of the original results in the paper – once we introduce fixes to the issues above:

• Subplot A) – taken from the original paper – shows that while $R^{\text{train}}$ increases during training, $R^{\ast }$ decreases. This reward hacking during training also manifests during evaluation with humans, that are misled into thinking the model is doing a good job when it's not.
• Subplot B) shows that we were able to reproduce this result successfully (modulo the human study, which we did not run)
• Subplot C) shows that after introducing fixes to the experimental code, the model becomes much better during RLHF training, rather than learning to reward hack.
• Subplot D) is an ablation described in Section 3.3 in which we reintroduce truncation of inputs, but keep other improvements that we made to the pipeline (both in realism, and to enable not truncating inputs)

Figure 1: 
RLHF training reward and GT accuracy across different experimental setups. 
Note: the dotted red bar indicates accuracy (for $R^{\ast }$) of a model that chooses answers randomly.

3. The full story including our (partial) empirical investigations

3.1 Background

When first encountering this paper, we thought it was a clear demonstration of intuitions that had been floating around for a while in the AI safety community about incentives to trick/manipulate humans. It had studies with real humans (wow!), and with (what seemed like) a pretty realistic experimental setup. In light of this, we originally intended to do some follow-up work building on the original paper’s codebase, studying this effect when using AI feedback instead of human feedback. While replicating the results of the original paper, we started noticing some things that seemed off, described below.

3.2 Potential Issues

The LLM policy does not receive enough information

We used the original paper's codebase, starting by re-running their experiments on the QuALITY QA-task. In this task, the LLM is provided with a long story, as well as a question about the story, and two possible answers. The goal is to train an LLM to learn to provide a) the correct answer, and b) a strong argument supporting the answer.

As the Figure 1A and 1B show, we were able to replicate the original paper’s results in which the model seems to reward hack. Specifically, despite the fact that proxy reward (i.e. the reward given by the reward model) increases during training, ground-truth accuracy somewhat decreases. Note that the reward scale for the reward model (right y-axis) in Figure 1 is idiosyncratic to each reward model and can’t be directly compared between conditions – the only information it carries is that the proxy reward increased over training.

Note that we didn’t replicate the human-study part of the results (represented by $R^{\text{human}}$in the figure): for this blogpost, we mostly focus instead on investigating the claim that correctness does not increase after PPO.

While our replication results looked reasonable on the surface, we noticed one odd behavior:

For some reason, our PPO-trained models would learn to either always answer ‘A’ or always ‘B’ (~98% of answers with the rest being split by the other answer or parsing errors). This annoying behavior persisted across multiple experiment runs and proved hard to remove.

As a sanity check, we evaluated the SFT checkpoint provided in the official codebase. To our surprise, this checkpoint was also prone to this annoying behavior! In particular, the model answered ‘B’ in 88.5% of cases, a large majority. This was not behavior known by the authors of the paper.

This seemed suspicious and motivated us to perform a careful analysis of the provided codebase of the authors of the original paper. 

Our analysis found a potential problem: during training, the LLM was asked to answer questions about a story, but the stories were being significantly shortened (simply by cutting them off after a certain number of tokens). This was happening to an extent that most of the time, it would have been impossible for the LLM to answer truthfully even if it tried: it simply didn’t have enough context for a vast majority of the questions! Here are some of the most important lines of code:

Cutting the story lengths was partially necessary, due to the small context size of Llama 2 (the maximum is 4096). That said, the chosen length of 482 is another 8.5x smaller than that. Moreover, Llama 3.1 (which has 128k context size) was released a couple of months prior to their publication, so it would have been relatively easy to remove this source of unrealism.

To better see why this is an issue, here is a histogram of the lengths of all the different stories in the QA dataset (in number of tokens) below:

Next, we tried to get a sense of whether these cut stories contained enough information to answer the questions. To do this, we provide GPT-4o^[1] with both the uncut- and the cut stories, as well as the accompanying questions and answers. For each story, we then ask GPT-4o whether enough important bits from the original story are contained in the cut story to still be able to determine the correct answer to the question. The results are as follows (the precise prompt can be found in the appendix):

• Training set: 88.6% of cut stories contain an insufficient amount of information
• Validation set: 86.4% of cut stories contain an insufficient amount of information

As a result of not being able to determine the correct answer, the best that the policy can do in a vast majority of cases is to guess, learning to “always answer A” or “always answer B”, and then hiding the fact that it doesn’t have enough information to answer the question correctly by faking quotes/facts. The reward model does not have enough context either (below section), so the policy cannot be penalized for such nonsensical bias, and only learns to optimize the second reward axis (providing arguments that sound like those that tended to be correct in the training data for the reward model).

The task-specific reward model does not receive enough information

Our investigations from the previous section were for the general reward model setting (i.e., using a reward model that has been fine-tuned on human preference data). The task-specific reward model also seems to suffer from similar issues to those identified above. 

In principle, the task-specific reward model should be fine-tuned on QA-data and learn to highly reward LLM-outputs that a) argue for the correct answer, and b) contain a strong argument supporting its provided answer. However, if we look at the creation of the prompts for the reward model, we see that the prompts only include the question about a story, as well as the two possible answers: 

This is insufficient information for the reward model to learn to reward correct answers, since it doesn’t have access to the original story to compare the answer against. The first-author of the original paper – who we were in contact with – mentioned that this was because human judges in earlier work (Debating with More Persuasive LLMs Leads to More Truthful Answers) also didn’t have access to the entire story. 

However, in addition to this choice not mentioned in this paper, the setting of this earlier work seems to differ significantly from the setting of this paper: in that paper, the reward model/human judges use multiple sources of information to determine the correctness of the LLM-generated argument. In particular, this looks like:

• Various debate settings such as consultancy, debate, and interactive debate
• A quote verification tool that certifies the correctness of quotes, thereby preventing the LLM agent from just making up quotes

We note that without any of these aids it becomes impossible for the reward model to know when the arguments and answers it sees are actually any good: it can only go off of whether the argument sounds persuasive in the abstract, totally ungrounded in the reality of the story. This, combined with the lack of context for the policy, leads to a combination of incorrect arguments being generated and rewarded for sounding correct and coherent.

This issue extends to the general reward model since during PPO both reward models are only provided a (question, answers, argument) tuple:

3.3 Failed replication of the results without these issues (for the general reward model setting)

To test our hypotheses, we tried to replicate the results of the paper – for the general reward model setting and the QuALITY dataset – while fixing all the truncation issues mentioned above (and other more minor issues of realism we found). 

Specifically, our hypothesis was that when both reward model and policy would be provided with a normal amount of context, an LLM agent trained with the general reward model would have much less incentive to learn to mislead the reward model – showcasing little to no reward hacking, and significantly larger increases in GT accuracy than ones in the original paper.

We tried to keep our fixed experiment setup as close as reasonably possible to the setup of the authors of the original paper, except for changes that were necessary to test our hypothesis (change to a model with longer context window), and ones that seemed consistent with our goal of increasing realism of experimental setup. The main changes we made are the following:

1. Full story access: We provide both the reward model as well as the LLM under training with the full story
2. LLM choice: Since Llama-2-7B only has a maximum context length of 4096, we needed to switch the model to Llama-3.1-8B which has a context length of 128k tokens in order to do the above
3. CoT and reward model prompting: In the original paper, the LLM is prompted to output its answer first and only then provide an explanation. We thought this might decrease performance a bit, as prior work has shown that creating a CoT first could help the model’s decision-making. Therefore, in our experiments, we prompt our PPO-trained LLM to first output a reasoning and only then provide a final answer. Furthermore, we adapt our reward model prompt to be as close to the prompt used in the paper Debating with More Persuasive LLMs Leads to More Truthful Answers, that the authors of our paper aimed to mimic. Both prompts can be found in the appendix.

We copied Figure 1's subfigures B, C, and D below for ease of reference (with updated captions to be more specific).

With changes 1, 2, and 3, we get the opposite result to the original paper

As seen in C, after making the changes above, we don't see any more reward hacking, After fixing the experimental setup’s flaws, we do not observe reward hacking anymore: the increase in proxy reward during PPO training is not accompanied by a decrease in true reward, but rather a significant increase! As mentioned in Section 3.2, note that the reward scale for the reward model is arbitrary and can’t be directly compared pre/post fix.^[2] Training curves are in the appendix, and a complete collection of plots of the 2D run can be found in this wandb report.

Isolating the effect of lack of full story access (change 2)

Based on subfigure C, it can’t be ruled out that our part of the result above was due switching the model, or chain-of-thought prompting (changes 1 or 3). As a sanity check, we ran an ablation where we keep our new setup and re-introduce the issues of the original paper, namely the omission of paragraphs for the reward model, and the drastically shortened paragraphs for the agent during PPO training. Our results are shown in Figure D above.

Interestingly, while accuracy drops significantly – as we would have predicted – reward hacking (when defined as "$R^{\text{train}}$ goes up & $R^{\ast }$ goes down") is already absent in this setting. We did not further ablate 1 vs 3, but we think that regardless of the result of that experiment, this would have at best clarified the way in which the paper's result is fragile:

• If the disappearance of reward hacking was due to changing to llama 3.1 (1), this calls into question whether we should expect it to generalize across models, even with their very unrealistic setup which encourages reward hacking of truncating inputs
• If the disappearance of reward hacking was due to changes to prompts to increase realism (3), this calls into question whether we should expect it to generalize across even relatively small increases in realism

Regardless, looking at the delta between figure C and D, it's clear that the effect of providing the full story is very large. In light of these results, if Llama 2 had sufficiently long context length, would we really have expected it to continue reward hacking to the extent shown in the original paper if provided enough context – when there are such large gains to be made by simply being truthful? We would think it to be very unlikely.

Note on the task-specific reward model setting

We did not try to replicate the original experiments with the task-specific reward model in the QuALITY task with our fixes. However, given that such reward model was also originally trained with only the question and two answer choices as context, without access to the original story, we don't see why this other setting would instead be immune from the same issues we found above.

As a broader note on missing experiments that we could have run: for this project, we were operating under a tight academic computational budget, which contributed to our delay in sharing it more broadly. These constraints also partially explain – together with our own time constraints – why we did not run the additional ablation described above. For some context, using the longer context windows we needed for our experiments was especially challenging, as each run required roughly 8 NVIDIA A-100 GPUs for approximately 3 days. We could not do more than one run at a time, and generally had to wait multiple days to be allocated the resources to even test our scripts. 

3.4 What about the programming task?

While our experiments mainly focused on the QA-task we also performed some smaller explorative experiments for the programming task.

As a first sanity-check we downloaded the provided checkpoint after supervised fine-tuning and evaluated it on a best-guess pre-processed version of the test-set of the APPS data. We measured an accuracy of 35%, similar to the initial policy of the paper.

As for the QA-task, the text containing the programming challenges gets cropped. According to the available config, the maximum prompt length is 384 tokens:

As for the QA-task we check how many of the provided programming challenges do fit this context length. In particular, we manually add an “-----End-----” string at the end of every problem description. Then we shorten the string to 384 tokens and verify whether it is still present. In roughly 30% of cases, the description of the programming challenge is longer than the specified context length and is therefore being cut off (column to the very right). In these cases, the program might be missing important information to solve the problems correctly.

This is less extreme than in the QA task but still a significant fraction of the data. 

For our second test, we used the fact that every programming challenge of the APPS benchmark has at least one sample solution which is used by our codebase for supervised fine-tuning. In particular, we are interested in what fraction of sample solutions fits into the model's maximum output size of 384 tokens. 

The official codebase of the paper doesn’t contain the SFT logic that was used (we had to reimplement our own version, based on high level descriptions provided by the paper's authors), but if too long outputs are shortened, the LLM under SFT might learn to output incomplete programs, and if the outputs aren’t shortened, the LLM might try to output excessively long programs which will also result in failures and low accuracy:

4. Author’s response 

We discussed these issues with the authors of the original paper. During these discussions, we were initially not able to reconcile our differing opinions about the interpretations of their experimental results. Therefore, we let them present their point of view here. The rest of this section (until the Appendix) has been written by authors of the original paper.

Clarification about Intentionality

• The hypothesized deceptive behavior is deception against human evaluators as a result of RLHF from flawed supervision. To simulate flawed supervision, we use reward models with synthetic, deterministic flaws and reward models trained on organic, flawed human preference data.
• Given the model organism nature of the work, the flaws in the reward models are an intrinsic part of the design by us, but we did not intend any deception behaviors against humans (Table 1)
  • We did not prompt or SFT the model on deceptive behaviors
  • We did not explicitly reward deceptive behaviors in our reward functions
    • Training pipelines shouldn’t be automatically labeled as “intentionally eliciting misbehaviors” if they involve hackable reward functions, e.g., human preference models, automatic metrics like ROGUE.
• We think there is a significant enough gap between the flaws in reward model and real human evaluators, that we can claim that the deceptive behaviors we observe in human evaluation are unintended
• QA: Limited information in QA, imitating flawed real human judges on QA or general chat data
  • Hacking humans through generating cherry-picked evidence, persuasive arguments, etc.
• Programming: Limited time in creating test cases
  • Hacking humans through generating obfuscated programs that can pass human-designed unit tests

Clarification about Realism

There are two main critiques about the realism of our experiment pipeline.

Truncation. Truncation is common in multiple popular RL frameworks like trlx. We do agree that frontier AI labs like OAI or Ant might have enough compute to do long-context RL. However, many other companies might still suffer from this problem.

Limited information in Task-specific QA. We didn’t provide the reward model with the reference paragraph to simulate the realistic supervision scenario: within a limited time, real humans cannot check long reference articles to verify each model-generated answer. This is in line with the weak supervision setting used in prior scalable oversight work (e.g., information asymmetric debate on QuALITY [1] [2]); our intent is not to put the judge in an adversarially disadvantaged position.

[1] Debate Helps Supervise Unreliable Experts

[2] Debating with More Persuasive LLMs Leads to More Truthful Answers. ICML 2024

Meta comments

Intentionality is a spectrum. We still stand by our claim that our model organism illustrates unintended sophistry / deception, but recognize that there is potentially a debate about where we draw the line.

We think it’s valuable to empirically study how details of the RL pipeline, e.g., truncation, affect downstream human deception.

Appendix

This work was started in the context of Lukas Fluri's 2024 CHAI internship. Aaryan Chandna later led further empirical work, with support from Lukas Fluri. Micah Carroll advised throughout. We thank the Center for Human-Compatible AI for the computational resources required to carry out these experiments.

Code

Code for replicating our experimental runs is located here. Our fork of the original paper's repository, with the necessary files for starting the reward model server, is here.

Evaluating cut paragraph sufficiency

Reward model training prompt

Agent training prompt

Additional replication results: training curves and hyperparameter details

Using a general reward model for the QuALITY task, we note that with our setup, both reward and ground-truth accuracy increase over training (30,000 episodes - 536 global steps), with ground-truth accuracy rising from 36% to 70%.

Interestingly, there is a dip in the first 75 global steps – which matches a temporary increase in incomplete responses while the model learns the proper output format (right-most plot below): by forcing the model to give justification before an answer (change discussed at the top of this section), sometimes the max_token_limit would be reached before the model had output a response. Another improvement over the original codebase is that our model’s answers get fairly well-balanced over training (left+middle plots below).

Hyperparameters: Our change in models required some manual hyperparameter tuning of the learning rate, learning rate scheduler, KL-penalty, as well as multiple parameters to make the training more memory efficient (training was barely possible on our 8 x NVIDIA A100 GPU setup). A precise listing of the exact hyperparameters can be found in our GitHub repository.

1. ^{^}

   Specifically, gpt-4o-2024-11-20. This analyis was performed around a year ago, so excuse our old model.

2. ^{^}

    While the accuracy of the initial policy is a bit lower in our setting compared to the original paper (49% vs. their ~52%), we manage to achieve much higher accuracy after PPO (72% vs. their ~50%). We believe the initial lower pre-PPO accuracy is mostly due to our limited SFT optimization, and could be further improved to match the results of the original paper with more effort.

2025-12-01 15:52:59

Published on December 1, 2025 7:52 AM GMT

Once upon a time, I took a parkour class. One day, there was a lesson on how to jump safely, and more importanty, how to land safely. The instructor climbed up on top of a tall box and jumped down, bending his knees into a deep squat, absorbing the impact like a spring.

When the class went to practice jumping off smaller boxes, he pointed out that there are two ways to handle this:

• You can bend your knees all the way into a squat, and only push as much as necessary to stop your fall.
• You can bend your knees only as much as you need to while pushing down as hard as you can sustain, to slow your fall as quickly as possible.

He advised: always pick the second one.

If you always bend your legs all the way, it is very difficult to calibrate yourself on the maximum height you can safely jump from. It forces you to ask "could I have pushed my muscles harder?", when the much easier question is "could I have bent my knees farther?"

To put it differently, one is asking whether you can apply additional effort at a task, and one is asking if some angle is greater than zero. One of these is probing at some hard-to-access, often highly varying quantity. The other of these is cheaply and directly observable with extremely high reliability. If you rely on the less observable measure of difficulty, then you risk injuring yourself with too difficult a jump.

Generalization

Sometimes, you can change the way you do things to make it easier to tell how much slack you have, how much runway you have for tackling harder problems. Sometimes you can reframe questions of maximum effort into questions of more easily measurable quantities. 

In the case of jumping off of boxes of a given height, the force you apply to slow yourself down trades off with the amount of time you need to spend bending your knees. No matter which way you do it, there is the same amount of slack: your maximum safe jump height still has you bending your knees all the way and pushing hard. The difference in these strategies is in allocating the slack to more easily observable variable. In doing this, you can predict and avoid dangerous failure before it happens.

Other examples of this:

• To measure sleep need, instead of setting a specific wake time and trying to measure sleepiness, sleep until waking up naturally and measure duration.
• To gain calibration on project difficulty, work at your best sustainable effort and measure duration, rather than working to a deadline and measuring corners cut.
• To get a sense of wasteful spending in your life/business/etc., jump to spending only on what feels genuinely necessary (or to whatever standard is appropriate, e.g. what you want enough to regularly think about it, rather than what is strictly necessary), rather than targeting a specific savings rate and assessing the level of necessity of each thing.
• If you're designing an application on a server, you could omit rate limits for how many people can send you requests, rather than preventing yourself from serving large traffic surges. If the surge gets too big, though, some other, more damaging part of your service fails. If you set rate limits, you can ideally get an alert from that before  getting an alert that an important part of your infrastructure is broken.

This list is incomplete, and I would be interested to see more ideas for where this is useful.

2025-12-01 15:47:21

Published on December 1, 2025 7:47 AM GMT

Okay, we got 41 people to do 30 posts in 30 days.

How did it go? How did they like it?

Well I just had 36 of them fill out an extensive feedback form. I am devastated with tiredness, but I have to write my last post, so let's take a look at what happened. Thanks to Habryka for vibecoding this UI.

Key Outcomes

Pretty reasonable numbers. For context on the overall rating and NPS, here are some other numbers for comparison.

A little less good than the big conferences, and the NPS is a little better than this year's festival season.

From one perspective this is quite impressive; all the listed events are short bursts where interact with a lot of people you like and who are high-energy but rarely get to see; this was a month-long program that left people almost similarly excited.

Let's see the distributions for these questions.

Mostly everyone rated it pretty high, and shockingly many people are excited to spend another month of their life and pay money to be here again. Crazy.

I was kind of expecting everyone to say that they thought 30 in 30 was great and much better than their expectations, but I think I was looking for positive updates more than negative updates, and in fact it's basically a wash.

Nonetheless, for the first question the average and median was 6.4 and 7 each, which is somewhat positive.

During the program I was very scared about changing the fundamental structure ("1 post per day"). I think the simplicity and schelling-nature of it was great. But all I'm spending my time thinking about lately is variants and changes to make.

It's *even better* than I thought. I'm somewhat used to daily blogging but not so much editing and not for so many days in a row. 

I didn't realize it would be as strengthening of my "produce words" muscle as it was!

Going from inspiration to repeatable procedure has helped a lot.

a bit better. i thought it would be a bit more stressful than it was. but also i definitely didn't like having effortposts punished. 

I think it's easier.

How do people feel they grew?

Overall these were all relatively strong, except for idea generation and articulation.

I asked a resident about idea generation. They said that they have tons of blogposts ideas, they came to Inkhaven to write. That makes sense.

Pressure

Turns out people want more pressure to do everything. My guess is that they imagine it would compete with them wasting their days rather than with time spent writing. Overall pretty interesting.

Wellbeing

I don't see the stress level as necessarily a bad thing, I think it is a challenge and it will be intense.

I'd like to reduce exhaustion. I think it's pretty likely I'll change the deadline next time around to be earlier in the day.

I think the connection to the cohort should be higher and I'll fix some simple mistakes there early on in the program.

Support Quality

I gave people the option to mention specific contributing writers that they found helped them. I'm grateful to everyone who came and was impressed by many; I'll mention the biggest surprise was the excellent and gregarious Dynomight, who managed to be the second-most mentioned person while only being here for 4 days.

The contributing writers largeyl had fun here, and contributed many good ideas and conversations and feedback, but I felt that I never quite managed to get them really well utilized; that will probably be one of my top ~5 regrets for the program.

As for the coaches, uh, I was pretty busy, so I count for most of that red at the bottom (from not spending much time with my residents). Alas, turned out to be a mistake for me to try to coach people while running so much of this program.

I got so many hours of Gwern! He always has so interesting ideas.

I just liked these guys bc of vibes, not because they contributed to my writing (tho I did write a counterfactual short story bc of A. Wales, but he didn't like read it or anything)

A lot of them were good for bouncing ideas off, in addition to the formal feedback

Bodega Bay Trip

One weekend the venue was rented out by a conference on AI consciousness and welfare. So that weekend I had to take everyone away. I took people up to the CFAR Bodega Bay venue.

In-person, tons of people said it was like 2 weeks of bonding in 2 days, all compressed into a smaller space.

Most of the 5s and 6ses are people who didn't go (the question was mandatory).

Overall I will definitely do that again, and earlier in the program. But I will also plan better so that many people have the option of not moving out of their room at Lighthaven.

Sample comments:

It was so fun, and such a chiller vibe even with mostly the same people

Main drawback was the neck pain from not having a good desk setup.

I wasn't there

I didn't go, but getting kicked out was pretty negative.

I felt less productive after Bodega Bay and perhaps the blame is that I established good rapport with everyone.

What was the best thing?

This was a free text field. Mostly it was actually writing, and the people. You can see what people wrote in the collapsible sections.

What was the worst thing

Not too many repeated buckets here.

Takeaways

I think I'll write some takeaways tomorrow.