[2401.05566] Sleeper Agents: Training Deceptive LLMs that Persist Through Safety Training 
 
 
 
 
 
 
 
 
 
 
 

 
 

 
 
 
 
 
 
 
 \appto 
 
 Sleeper Agents: Training Deceptive LLMs that Persist Through Safety Training

 
 
 Evan Hubinger, Carson Denison † † footnotemark: , Jesse Mu † † footnotemark: , Mike Lambert † † footnotemark: , Meg Tong, Monte MacDiarmid, 
 Tamera Lanham, Daniel M. Ziegler, Tim Maxwell, Newton Cheng 
 
 Adam Jermyn, Amanda Askell, Ansh Radhakrishnan, Cem Anil, David Duvenaud, 
 Deep Ganguli, Fazl Barez ∘△ , Jack Clark, Kamal Ndousse, Kshitij Sachan, Michael Sellitto, 
 Mrinank Sharma, Nova DasSarma, Roger Grosse, Shauna Kravec, Yuntao Bai, Zachary Witten 
 
 Marina Favaro, Jan Brauner ∘ , Holden Karnofsky □ , Paul Christiano ⋄ , Samuel R. Bowman, 
 Logan Graham, Jared Kaplan, Sören Mindermann ‡∘ , Ryan Greenblatt † , Buck Shlegeris † , 
 Nicholas Schiefer † † footnotemark: , Ethan Perez † † footnotemark: 
 
 Anthropic, † Redwood Research, ‡ Mila Quebec AI Institute, ∘ University of Oxford, 
 ⋄ Alignment Research Center, □ Open Philanthropy, △ Apart Research 
 evan@anthropic.com 
    Core research contributor. 
 Author contributions detailed in § I . Authors conducted this work while at Anthropic except where noted. 
 

 
 Abstract

 Humans are capable of strategically deceptive behavior: behaving helpfully in most situations, but then behaving very differently in order to pursue alternative objectives when given the opportunity. If an AI system learned such a deceptive strategy, could we detect it and remove it using current state-of-the-art safety training techniques? To study this question, we construct proof-of-concept examples of deceptive behavior in large language models (LLMs). For example, we train models that write secure code when the prompt states that the year is 2023, but insert exploitable code when the stated year is 2024. We find that such backdoor behavior can be made persistent, so that it is not removed by standard safety training techniques, including supervised fine-tuning, reinforcement learning, and adversarial training (eliciting unsafe behavior and then training to remove it). The backdoor behavior is most persistent in the largest models and in models trained to produce chain-of-thought reasoning about deceiving the training process, with the persistence remaining even when the chain-of-thought is distilled away. Furthermore, rather than removing backdoors, we find that adversarial training can teach models to better recognize their backdoor triggers, effectively hiding the unsafe behavior. Our results suggest that, once a model exhibits deceptive behavior, standard techniques could fail to remove such deception and create a false impression of safety.

 
 
 
 Appendix A Introduction

 
 From political candidates to job-seekers, humans under selection pressure often try to gain opportunities by hiding their true motivations. They present themselves as more aligned with the expectations of their

... (truncated, 98 KB total)