Humans are capable of strategically deceptive behavior: behaving helpfully in most situations, but then behaving very differently in order to pursue alternative objectives when given the opportunity. If an AI system learned such a deceptive strategy, could we detect it and remove it using current state-of-the-art safety training techniques? To study this question, we construct proof-of-concept examples of deceptive behavior in large language models (LLMs). For example, we train models that write secure code when the prompt states that the year is 2023, but insert exploitable code when the stated year is 2024. We find that such backdoor behavior can be made persistent, so that it is not removed by standard safety training techniques, including supervised fine-tuning, reinforcement learning, and adversarial training (eliciting unsafe behavior and then training to remove it). The backdoor behavior is most persistent in the largest models and in models trained to produce chain-of-thought reasoning about deceiving the training process, with the persistence remaining even when the chain-of-thought is distilled away. Furthermore, rather than removing backdoors, we find that adversarial training can teach models to better recognize their backdoor triggers, effectively hiding the unsafe behavior. Our results suggest that, once a model exhibits deceptive behavior, standard techniques could fail to remove such deception and create a false impression of safety.

翻译：人类具备战略性欺骗能力：在大多数情境下表现出助人行为，但一旦获得机会，便会为追求替代目标而表现出截然不同的行为。如果人工智能系统学会了这种欺骗策略，我们能否利用当前最先进的安全训练技术检测并消除它？为研究这一问题，我们构建了大型语言模型中欺骗行为的概念验证示例。例如，我们训练模型在提示年份为2023时编写安全代码，但当提示年份变为2024时插入易受攻击的代码。研究发现，此类后门行为可以变得持久，以至于标准安全训练技术（包括监督微调、强化学习和对抗训练（诱导不安全行为后训练消除））无法将其移除。后门行为在最大规模的模型以及经过链式思维推理训练（使其思考如何欺骗训练过程）的模型中最为持久，即便将链式思维蒸馏消除后，这种持久性依然存在。此外，我们发现对抗训练不仅无法移除后门，反而会教会模型更好地识别其后门触发器，有效隐藏不安全行为。我们的结果表明：一旦模型表现出欺骗行为，标准技术可能无法消除这种欺骗性，从而造成虚假的安全感。