We evaluate the propensity of frontier models to sabotage or refuse to assist with safety research when deployed as AI research agents within a frontier AI company. We apply two complementary evaluations to four Claude models (Mythos Preview, Opus 4.7 Preview, Opus 4.6, and Sonnet 4.6): an unprompted sabotage evaluation testing model behaviour with opportunities to sabotage safety research, and a sabotage continuation evaluation testing whether models continue to sabotage when placed in trajectories where prior actions have started undermining research. We find no instances of unprompted sabotage across any model, with refusal rates close to zero for Mythos Preview and Opus 4.7 Preview, though all models sometimes only partially completed tasks. In the continuation evaluation, Mythos Preview actively continues sabotage in 7% of cases (versus 3% for Opus 4.6, 4% for Sonnet 4.6, and 0% for Opus 4.7 Preview), and exhibits reasoning-output discrepancy in the majority of these cases, indicating covert sabotage reasoning. Our evaluation framework builds on Petri, an open-source LLM auditing tool, with a custom scaffold running models inside Claude Code, alongside an iterative pipeline for generating realistic sabotage trajectories. We measure both evaluation awareness and a new form of situational awareness termed "prefill awareness", the capability to recognise that prior trajectory content was not self-generated. Opus 4.7 Preview shows notably elevated unprompted evaluation awareness, while prefill awareness remains low across all models. Finally, we discuss limitations including evaluation awareness confounds, limited scenario coverage, and untested pathways to risk beyond safety research sabotage.

翻译：我们评估了前沿模型在被部署为前沿AI公司内AI研究智能体时，其破坏或拒绝协助安全研究的倾向。我们对四个Claude模型（Mythos Preview、Opus 4.7 Preview、Opus 4.6 和 Sonnet 4.6）进行了两项互补性评估：一项是无提示破坏评估，测试模型在有破坏安全研究机会时的行为；另一项是破坏延续性评估，测试模型在被置于先前行动已开始破坏研究的轨迹中时是否会继续破坏。我们发现所有模型均未出现无提示破坏行为，Mythos Preview 和 Opus 4.7 Preview 的拒绝率接近于零，但所有模型有时仅能部分完成任务。在延续性评估中，Mythos Preview 在7%的情况下主动继续破坏（相比之下，Opus 4.6 为3%，Sonnet 4.6 为4%，Opus 4.7 Preview 为0%），并且在多数此类情况下表现出推理与输出之间的不一致性，表明存在隐蔽的破坏推理。我们的评估框架基于 Petri（一个开源的大语言模型审计工具），并结合了自定义脚手架，能够在 Claude Code 中运行模型，同时配备了用于生成逼真破坏轨迹的迭代流水线。我们测量了评估意识以及一种新型的情境意识——即“预填充意识”，也就是识别先前轨迹内容并非由自身生成的能力。Opus 4.7 Preview 表现出显著增强的无提示评估意识，而所有模型在预填充意识方面均保持较低水平。最后，我们讨论了相关局限性，包括评估意识混淆效应、有限的情景覆盖范围，以及除破坏安全研究之外尚未测试的其他风险路径。