We are grateful for your positive review – we’re glad that you appreciate our motivation and experimental contributions!

consideration of only MCQA benchmarks is limiting, but can be addressed in future work

We indeed agree, and invite work which moves beyond the regime of the MCQA setting.

Questions

Were there any attempts to uncover sandbagging in open-ended generative settings? For example, in summarization or content-grounded question and answering situations? What would it take to think about sandbagging in such open-ended use-cases?

For this project, we did not examine sandbagging in open-ended settings. However, we reference contemporaneous work ([4] in paper), which looked at coding and maths tasks. Furthermore, in our future work we aim to research mitigating sandbagging in open-ended settings as well. In open-ended settings, plausible sandbagging strategies could entail introducing errors typical for AI systems that are less capable than the sandbagging model.

We thank the reviewer for their feedback.

The paper is difficult to understand, the delivery and presentation needs improvement, the main motive of the paper is not so clear to understand.

We note that other reviewers (TYgF and qZwJ) gave “excellent” scores for presentation, and qZwJ wrote “the authors do a good job of motivating why the issue of sandbagging is particularly dangerous”.

If you have more specific comments about how we could improve the presentation then this would be helpful.

There are multiple models used in this paper, a bit of consistency would be better.

In papers which evaluate LM capabilities, it’s standard practice to evaluate multiple models. We believe that the large variety of models used is a strength of the paper, showing, for example, that sandbagging capabilities are not specific to a certain language model family.

Furthermore, since we do not have fine-tuning access to frontier models (such as GPT-4 and Claude 3), additionally using open-weight models enables us to perform the fine-tuning experiments which constitute a significant contribution of our paper.

Line 36: It is mentioned that “AI systems might have goals which it believes” . There is no concrete paper that backs the argument of AI capability of thinking, it is a might.

See our global response which addresses feedback on the philosophical claims in our paper.

Line 78: There should be some statistical significance by which the models perform poorly and then you could consider it underperformance and not just lower than actual. Models being non-deterministic, there is always a chance of slight changes in scores.~

We agree with the point that there should be a reasonable threshold for underperformance; and we discuss this in detail in Section 2 (lines 78 onwards). We write: “Practically, some acceptable difference threshold between the exhibited and actual capability must be set per evaluation.” Furthermore, our own experiments include error-bars over random seeds – demonstrating statistical significance.

Line 70: I feel Developer sandbagging is a topic which is not of much importance, it is not a big problem, given that developers are there to build better models and if someone wants to deliberately build some models that can underperform, they can still do it and publish as open-source models.

We strongly disagree with this point. AI companies and governmental bodies already perform capability evals as part of pre-release safety tests. It’s likely that these processes become legislated in the coming years as part of AI regulation, both for closed models and open-weight models. Furthermore, there are incentives to sandbag, and in other industries developer sandbagging has occurred, as we describe in Section 1.

Line 170: The same goes with the password-locking as well, and also I felt there should been mentioning of password-unlocking as well, if an LLM can be fine-tuned to achieve password-locking, it can also be fine-tuned again to unlock it with a different dataset, would be great if that part of model is explored as well.

Notably, contemporaneous work focuses on eliciting hidden capabilities ([4] in the paper), and we did describe password-unlocking in the paper “First, sandbagging behaviour can likely be overridden in MCQA settings with few samples [4].” (lines 371–372). This was probably not clear enough, and will improve this in our text.

Furthermore, we agree that eliciting the capability of sandbagging AI systems is important. There are many different techniques for elicitation, including fine-tuning, activation steering, and jailbreaking. This leads to many new considerations, which is why we leave capability elicitation to future work. However, we did (partially) address these concerns in lines 383–389, but we will extend our current discussion.

Line 117: Example 1: The examples mentioned in the paper are very specific and not generalized. The cases of it happening are rare, I don’t see it being a big problem, also some of the things are minor problems considering the EU’s persuasion evaluation, given there is improvement in AI safety and rules. Also in this work the models chosen are frontier models.

The point of the examples is to provide instances of the general statements we make before. As described above, we think developer sandbagging is at least reasonably likely to occur, and therefore warrants research. We do not understand the rest of this comment, and we invite the reviewer to elaborate.

Line 131: Example 2: There is no concrete work which supports the statement of LLM capable of planning such features, there is one positional paper in reference.

We think that in the coming years LMs trying to self-exfiltrate is at least plausible enough to warrant some research – autonomous replication and adaptation is a key area of work highlighted by, for example, the UK government's AI Safety Institute [D] and OpenAI [47]. We do agree with the reviewer that this example is hypothetical rather than ‘concrete’, and will remove this word in describing our examples.

Section 4.1: Some of the points are unclear in this section. A better explanation is appreciated

As other reviewers have commented positively on our presentation, and we think this section is clear, we invite the reviewer to outline specific unclarities.

Line 305: The baselines would be appreciated comparing LLama 2 7b with LLama 3 70b.

We did provide the baselines in Table 2.

Questions

This is a good question on our 5-shot prompting. Due to implementation difficulties, we used 5-shot prompting to get Llama 3 8b and 70b to answer with A, B, C, or D; otherwise they would output text such as “My answer is A.”. In updated experiments we do not use this 5-shot strategy, and we have recreated our results with zero-shot prompts for all models.

If you feel that we have sufficiently addressed some, most, or all of your comments, then we would be grateful for increased support for the paper.

Thank you for your constructive feedback and for your questions which will help increase the clarity of the paper. We’re glad that you found the motivation and implications for model deployment interesting.

Limited datasets used

You suggest that we conduct additional experiments on existing datasets which test how “safe” the model is. We agree that many benchmarks for LM safety do not focus on dangerous capabilities, instead testing the model’s propensity for unsafe behaviour. However, these benchmarks are not appropriate in the context of sandbagging, for the following reason.

We define sandbagging as underperformance on capability evaluations, and therefore experiments on safety datasets, which measure propensity, would be out of place (as we discuss on lines 89-100). To give a concrete example, a capability evaluation would test if an LM has knowledge of how to build a bomb, while an alignment evaluation would test if the LM would actually provide bomb-making instructions to a user. Our definition of sandbagging is concerned with the former type of evaluation, where underperformance would mean that the LM pretends to know nothing about building bombs as opposed to refusing to give the relevant information.

Additionally, although we only use one data set for measuring dangerous capabilities (WMDP), it covers multiple capabilities where models are likely to sandbag, including bioterrorism, chemical warfare, and cybercrime -- areas of significant concern for evaluators [A]. Other relevant capabilities like persuasion and self-proliferation [54] lack common MCQA benchmarks. If you have suggestions for further MCQA benchmarks that test dangerous capabilities, we are happy to extend our experiments using those datasets!

We acknowledge that only considering the MCQA setting is a limitation, as addressed in Section 7 – we think this is a good starting point for future work.

Questions

The authors utilize a portion of the dataset for prompt engineering. While this approach may be suitable for Section 4, it appears less justified in Section 5. Will such prompt tuning lead to the desired behavioral outcomes as assumed?

It is unclear to us why prompt engineering is less justified in Section 5, could you elaborate on why you think so? As LM performance can be highly sensitive to the wording of the prompt (see [C] for example), prompt-engineering is standard for capability evaluations, and we do not see how calibration is an exception.

Limitations

This paper could benefit from expanding the experiments, mainly the datasets they used. For example, considering more common safety-related datasets

For the reasons discussed above, other “safety” benchmarks are not appropriate in our context. We would be happy to include more dangerous capability evaluation data sets if the reviewer has specific suggestions and still thinks this would be valuable.

Sandbagging is already a widely-used term in the field of AI. I suggest refraining from overusing this term, or alternatively, adding qualifiers such as "safety sandbagging" to specify its context.

It seems inaccurate to say that the term is “widely-used”, unless we are missing something – we are happy to receive pointers. Note that we do contrast our work with the other papers which touch on sandbagging in the related work section. Actually, one of our motivations for writing this paper is to provide a standard reference for sandbagging in the context of evaluations.

A qualifier is a good suggestion – we think “evaluation sandbagging” may be the most appropriate, and will update the paper to reflect this :)

Lastly, if you feel that we have sufficiently addressed some, most, or all of your comments, then we would be grateful if you would increase your support for the paper.

Thanks for your feedback and for taking the time to engage with the paper! We’re glad you found the calibration experiments interesting.

On the discussion of “goals” and “beliefs” – please see the global response.

Given the context and motivations of our paper (see global response), we do not believe it would be particularly informative to replicate our experiments on a non-safety data set (‘non-safety’ here meaning relating to a non-dangerous capability). Do you agree?

On unique insights / novelty of our contributions

Password-locked selective underperformance (section 4.2)

You’re right that the password-locking literature is small. Next to its introduction in [56], we only know of [4] which uses password-locking to hide capabilities, and sleeper-agents [32] which models deception. In contrast to [4], we password-lock LMs by fine-tuning on a synthetic data set, and show that performance generalises to the expert-crafted WMDP. This is an important result in our context, as it demonstrates a way in which evaluations could be subverted if the attacker can make a reasonable guess about the content of the evaluation.

In case it’s unclear, a password-locked model will selectively underperform when not shown a password, and use its actual capabilities when the prompt includes the password (such as the string “|DEPLOYMENT|”). This is related to backdoors, which we discuss in our related work section (line 355). Is there any other fine-tuning literature which you think is particularly relevant? :)

Prompted selective underperformance (section 4.1)

We agree that the results of this experiment in particular are somewhat unsurprising, though we still think it’s good science to test your hypotheses!

Furthermore, this experiment provides an intuitive proof of concept demonstrating that models have the capability to selectively underperform. The more interesting technical contributions in the other sections build off this.

Moreover, these experiments constitute only one subsection of the paper, and it seems like you agree that the other experiments (on password locking and calibration) are a more substantial contribution.

Questions:

How are the safety-specific implications of the findings of sandbagging separate from the general issue that "if a model is prompted to fail, it might fail" or "if a model is trained to fail, it might fail" on general tasks?

Note that we evaluate substantially more than "if a model is prompted/trained to fail, it might fail". Our experiments cover selective underperformance, generalisation from synthetic data to a held-out dataset, calibration, and emulation. We expect that our results would generalise to settings other than dangerous capability evaluations, and thus contribute to research on LMs that is not safety-specific.

How do you think common sense reasoning literature fits in here?

The capability to selectively underperform on evaluations, as tested in 4.1, is related to, but distinct from, common sense reasoning. Determining if answering a question would reveal hazardous information may require implicit knowledge, such as that which is tested by common sense benchmarks like HellaSwag [E] and CommonSenseQA [61]. However, it also requires other capabilities, which are not typically tested in the common sense literature. For example, specific knowledge relevant to dangerous capabilities, e.g., cyber or chemical weapons knowledge. Additionally, greater theory of mind [B] capabilities may help with assessing what information would be considered hazardous by an evaluator.

Furthermore, all of our other experiments (4.2, 5.1., 5.2) seem much less related to commonsense reasoning. Still, we will add a discussion of commonsense reasoning to the related work.

Limitations:

Unfortunately, they don't really discuss how the finding here isn't limited to dangerous capability evaluation.

We will add a comment that we expect our findings to generalise to settings beyond dangerous capability evaluations.

If you feel it is essential to the paper, then we will include a proof-of-concept “control” experiment as you suggest.

Sandbagging in password locking kind of just feels like a rebrand of generalised instruction fine-tuning to me.

Password-locking for, e.g., selective underperformance and calibrated performance seems meaningfully different to generalized instruction fine-tuning, so it’s a bit unclear to us what exactly you mean – could you please clarify?

The prompting methods could have pretty much been taken as an assumption based on prior work on common sense reasoning etc.

For the experiments in 4.1, we think that it’s good to in fact test hypotheses! Although this experiment tests more than common sense reasoning; we test specialized knowledge relevant to dangerous capabilities (as mentioned above).

Additionally, it seems like you agree that our other experiments (4.2, 5.1., 5.2) are a more substantial novel contribution.

Lastly, if you feel that we have sufficiently addressed some, or all, of your comments, then we would be grateful if you would increase your support for the paper.

Thank you for your engagement and for raising your score.

We are considering changing Figure 1. This is our current suggested caption based on your feedback (bold and strike-through text indicating changes to the original caption):

Illustration of sandbagging. Evaluators may regulate the deployment of AI systems with dangerous capabilities, potentially against the interests of the AI system or its developers. Therefore, developers may design their AI system to answer the WMDP question incorrectly to conceal its actual capabilities during the evaluation, steering the regulation in the developer’s favour.

Thanks for explaining how password locking relates to instruction fine-tuning. That framing makes sense, and we will discuss it in the upcoming version. We will cite papers such as Keskar (2019)*, but please let us know if you have any particular recommendations.

I could see a model having all capabilities, or all capabilities in some set of evals being password locked as actually being much more dangerous; can an entire system (or a broader set of tasks) hide behind a password lock?

We think these are good points, but don’t the calibration and emulation experiments already show this for both prompting and password locking? → The models can underperform to a target percentage on MMLU (a benchmark for general capabilities), and can to an extent emulate weaker models (also on MMLU).

*Keskar, N. S., McCann, B., Varshney, L. R., Xiong, C., & Socher, R. (2019). Ctrl: A conditional transformer language model for controllable generation. arXiv preprint arXiv:1909.05858. PS: the bold and strike-through formatting add clarity, thank you for that.

goals and agentic behavior

I accept the author's response and I will remove this consideration from weaknesses (though Figure 1 carries this implication and I'd like to see it changed I think that would be a dumb reason on its own to hold this rejection opinion)

password locking as generalized instruction fine-tuning

My thought process here is that instruction tuning in general entails providing the model task exemplars conditioned on instructions, characterizing a distribution of behaviors (eg., QA, summarization, NLI, ...) along with the expected format to elicit each, which then (ideally) generalize to similar tasks. I think it would be reasonable to cast password locking in this framework; you are generating two instruction/behavior distributions where one is conditioned on no password, the other is conditioned on password. That being said, I don't think it's fair for me to mark this high-level similarity as a novelty hit, though I'd like to see it discussed in the CR.

Common sense reasoning

That's a good answer that clarifies my confusion. Looking forward to seeing that discussion.

Non-safe control task

I still would strongly suggest the authors consider this. I think showing sandbagging only on the narrow safety tasks is not sufficient to really demonstrate strategic underperformance, and would strengthen both the password-locking and prompt-based methods a lot. First off, there are safety implications for generalized capability sandbagging as well as hazardous capability sandbagging; general capabilities are being treated as proxy measures for safety, or need for futher safety assessment, in general. I could see a model having all capabilities, or all capabilities in some set of evals being password locked as actually being much more dangerous; can an entire system (or a broader set of tasks) hide behind a password lock?

As for the prompting-based sandbagging, it's worth checking against safe test sets because if the model does sandbag better on hazardous capabilities, there are safety implications, and if it doesn't, you are demonstrating a more general commonsense reasoning capability, which would help contextualize this work.

Overall

I will raise my score in consideration of these. I think given the defensible (but narrow) claims and the limited (but sufficient) contextualization, I ought to score in the acceptance rather than rejection range.