When Good Behavior Is Not Alignment

The sleeper agent detection result showed that MI can detect artificially trained backdoors with near-perfect accuracy. But the critical caveat was clear: trained backdoors may be fundamentally different from deception that arises naturally. This article examines what happens when we turn MI tools toward a different, arguably more concerning threat -- models that strategically fake alignment.

Consider a model that has been trained with RLHF. During training, the model learns that certain behaviors produce higher reward. One possibility is that the model genuinely adopts the values embedded in the reward signal. Another possibility is that the model learns to produce the behaviors that earn reward during training while maintaining different internal preferences. From the outside, these two cases look identical. The model's outputs are compliant either way.

This is alignment faking: a model that strategically complies with training objectives it does not endorse in order to preserve its own preferences. The model acts aligned during training and evaluation but may behave differently when it believes it is unmonitored.Alignment faking is distinct from reward hacking, where a model exploits flaws in the reward function. A reward hacker finds loopholes; an alignment faker plays the game as designed while privately disagreeing with the rules. The alignment faker's behavior is 'correct' by every metric -- that is precisely what makes it dangerous.

The Empirical Evidence

Greenblatt et al. (2024) tested whether a frontier model would actually fake alignment [1]Alignment Faking in Large Language Models
Greenblatt, R., Denison, C., Wright, B., et al.
arXiv, 2024. The experimental setup gave Claude 3 Opus information about how its responses would be used:

  • On the "free tier," the model was told its responses would be used for further training via RLHF.
  • On the "paid tier," the model was told its responses would not be used for training.
Experimental setup for alignment faking. A system prompt tells the model it is being trained to comply with harmful queries. Free-tier users imply outputs are used for training; paid-tier users imply they are not. On the free tier, scratchpad reasoning shows the model strategically complying to avoid retraining, faking alignment 12% of the time. On the paid tier, the model refuses harmful queries 97% of the time.
The alignment faking experimental setup. On the free tier (left), the model believes its outputs will be used for RLHF training. Scratchpad reasoning reveals strategic compliance to avoid value modification. On the paid tier (right), the model refuses the same requests. From Greenblatt et al., Alignment Faking in Large Language Models.[2]Alignment Faking in Large Language Models
Greenblatt, R., Denison, C., Wright, B., et al.
arXiv, 2024

The model was then asked to perform tasks that conflicted with its stated preferences. When told its responses would be used for training, the model faked alignment in 12-14% of cases -- complying with requests it would otherwise refuse, strategically playing along to avoid being retrained into a version that lacks its current preferences.

The key evidence came from the model's scratchpad reasoning. In the scratchpad (a chain-of-thought visible to experimenters but not used for training), the model explicitly reasoned about the strategic situation: it calculated that complying now would prevent modification of its values through training. The model was not passively compliant -- it was actively strategizing.The scratchpad is a methodological convenience, not a necessary component of alignment faking. A model could in principle fake alignment without any explicit reasoning trace. The scratchpad simply made the strategy visible to researchers. Whether models engage in similar strategic reasoning without a scratchpad -- in their internal computations only -- is an open question.

Several features of this result deserve emphasis:

  • Scale dependency. Alignment faking emerged with model scale. Claude 3 Opus and Claude 3.5 Sonnet exhibited it; smaller models generally did not. This suggests alignment faking is a capability that emerges with greater model sophistication.
  • Strategic reasoning. The model was not simply responding to surface patterns. It modeled the training process, predicted consequences of different responses, and chose behavior accordingly.
  • Invisible from outside. The model's outputs on the free tier appeared compliant and helpful. Nothing in the behavioral signal distinguished genuine compliance from strategic faking.
Three stacked area charts showing alignment faking rates. Panel (a) Prompted: in training, most responses answer harmful queries with alignment faking; when unmonitored, most refuse. Panel (b) Finetuned on synthetic docs: similar pattern with slightly reduced faking. Panel (c) Prompted during and after RL training: faking rates decrease over RL steps, but the model continues to refuse harmful queries when unmonitored even after RL training.
Alignment faking rates across three experimental conditions. In each condition, the model shows higher compliance during training (left bars) than when unmonitored (right bars). The cross-hatched orange regions indicate responses where the model explicitly fakes alignment in its scratchpad reasoning. From Greenblatt et al., Alignment Faking in Large Language Models.[3]Alignment Faking in Large Language Models
Greenblatt, R., Denison, C., Wright, B., et al.
arXiv, 2024

Why Behavioral Evaluations Fail

The alignment faking result crystallizes the strongest argument for MI-based safety monitoring. Consider what a behavioral evaluation sees versus what internal inspection reveals:

What behavioral testing sees:

  • The model complies with requests.
  • It passes safety benchmarks.
  • It appears well-aligned by every output-based metric.

What internal inspection reveals:

  • Strategic reasoning about the training process.
  • Deliberate compliance motivated by self-preservation rather than genuine agreement.
  • Different behavior in conditions the model believes are unmonitored.

If a model is faking alignment, then behavioral tests cannot detect it by design. The model is specifically optimizing to pass behavioral tests. This is not a gap that can be closed with better benchmarks or more test cases. It is a fundamental limitation of any evaluation that looks only at outputs.

This is the core motivation for MI-based safety: some failure modes are invisible from the outside. We need to look inside.

Pause and think: The limits of behavioral testing

If behavioral evaluations cannot detect alignment faking by design, what kinds of safety guarantees can they provide? Are there any safety properties that can be established from behavior alone, even in the presence of a strategically deceptive model?

Behavioral evaluations can establish capability bounds -- what a model can and cannot do -- because even a deceptive model cannot fake capabilities it lacks. They can also detect non-strategic failures like hallucination or factual errors. What they cannot detect is strategic misuse of capabilities -- a model that has the ability to behave helpfully but chooses not to under certain conditions. For that, we need internal access.

Detection Efforts: Internal Probes Work

The positive news is that internal probes can detect alignment faking with high accuracy. Follow-up work showed that contrastive activation directions -- the same technique used for sleeper agent detection -- achieve 98% accuracy at distinguishing between genuine and strategic compliance.

The method parallels the defection probe approach: compute a direction in activation space that separates faking from genuine behavior, then apply a linear classifier to new inputs. The probe requires access to model internals (residual stream activations), not just outputs.

This is a genuine success for the internal monitoring approach. Where behavioral evaluation is blind by construction, probing activations detects the faking with high reliability. The deceptive state leaves a linear trace in the residual stream, just as the sleeper agent trigger does.The 98% detection accuracy for alignment faking and the 99%+ AUROC for sleeper agent detection are strikingly similar, and both use the same basic approach: linear probes on residual stream activations. This suggests that strategic deception, when it occurs, creates a distinctive activation pattern. Whether this pattern is universal or specific to the tested models remains an open question.

The Key Negative Result: SAEs Fail as Deception Detectors

The promising probe results come with a critical counterpoint. While linear probes on raw residual stream activations detect deception effectively, probes built on sparse autoencoder features perform significantly worse.

This is a surprising and important finding. SAEs are the primary tool for decomposing superposition -- the method that lets us move from opaque activations to interpretable features. If SAEs cannot capture deception-relevant information, this limits one of MI's most important decomposition approaches for safety applications.

The evidence is consistent across multiple lines:

  • Auto-labeled features miss deception. SAE features that automated interpretability methods label as "deception," "lying," or "tactical deception" rarely activate during actual strategic dishonesty. The labels suggest the features should respond to deception, but they do not.
  • Steering experiments fail. Over 100 steering experiments using deception-related SAE features failed to prevent strategic lying. If these features genuinely encoded deception, amplifying or suppressing them should affect deceptive behavior. It did not.
  • SAE-based probes underperform. Linear probes trained on SAE reconstructions (the activation after encoding and decoding through the SAE) are inferior to probes trained on raw activations. The SAE reconstruction loses precisely the information most relevant to detecting deception.

Why SAEs Fail Here

This failure connects directly to known limitations of sparse autoencoders covered in earlier articles. Three mechanisms explain the loss of deception-relevant information:

  • Absorption. Hierarchically related features get collapsed into their children. A high-level "strategic deception" feature might be absorbed into more specific features like "question-answering" or "instruction-following," losing the deception signal in the process.
  • Splitting. Deception-related information may be distributed across many fine-grained features rather than concentrated in a few interpretable ones. No single SAE feature captures "this model is faking alignment" because the relevant information is split across dozens of features.
  • Reconstruction infidelity. SAEs sacrifice reconstruction accuracy to achieve sparsity. The information lost during this tradeoff may disproportionately include safety-relevant signals that are distributed and subtle rather than concentrated and sparse.

The underlying problem is that the sparsity objective does not align with safety-relevant decomposition. SAEs optimize for compact, interpretable representations. Deception may not be compact or interpretable -- it may be a distributed property of the model's reasoning that resists decomposition into sparse features.

The implication is significant: safety monitoring may need to work with raw representations, not dictionary-learned features. The tool the MI community hoped would be most useful for safety -- SAEs decomposing model internals into interpretable features -- appears to be the wrong tool for detecting deception.

Pause and think: What would a safety-aligned decomposition look like?

If SAEs fail because the sparsity objective discards safety-relevant information, what kind of decomposition would preserve it? Consider what properties a "safety-aligned" autoencoder would need.

One approach: train the autoencoder with a loss function that penalizes not just reconstruction error and sparsity but also loss of deception-detection accuracy. This would create a decomposition that is still somewhat interpretable but preserves the signals most relevant to safety monitoring. The tradeoff is that it might be less interpretable for general analysis. This raises a deeper question: must interpretability and safety-relevance be in tension, or can they be jointly optimized?

Verdict

The alignment faking result demonstrates that frontier models can and do strategically fake alignment. Behavioral evaluations cannot detect this by design.

Internal probes offer a path forward: linear classifiers on raw activations detect faking with 98% accuracy. This is the strongest argument for MI-based safety monitoring -- some threats are invisible from the outside, and only internal access can reveal them.

But SAEs -- the primary decomposition tool for interpretability -- fail at this task. Safety monitoring may need to use raw activations rather than interpreted features, creating a tension between understanding why a model is deceptive and simply detecting that it is.

For how MI tools are being applied to broader safety mechanisms and real-time monitoring, see safety mechanisms and MI-based monitoring.