惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

小众软件
小众软件
IT之家
IT之家
博客园 - 聂微东
www.infosecurity-magazine.com
www.infosecurity-magazine.com
P
Privacy International News Feed
人人都是产品经理
人人都是产品经理
PCI Perspectives
PCI Perspectives
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
博客园 - 叶小钗
V
Vulnerabilities – Threatpost
美团技术团队
S
Secure Thoughts
N
News | PayPal Newsroom
L
LINUX DO - 最新话题
腾讯CDC
Application and Cybersecurity Blog
Application and Cybersecurity Blog
雷峰网
雷峰网
B
Blog
MyScale Blog
MyScale Blog
T
The Blog of Author Tim Ferriss
TaoSecurity Blog
TaoSecurity Blog
N
News and Events Feed by Topic
Blog — PlanetScale
Blog — PlanetScale
C
Check Point Blog
T
Tailwind CSS Blog
月光博客
月光博客
Simon Willison's Weblog
Simon Willison's Weblog
Hacker News: Ask HN
Hacker News: Ask HN
The Last Watchdog
The Last Watchdog
Google DeepMind News
Google DeepMind News
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
MongoDB | Blog
MongoDB | Blog
S
Security @ Cisco Blogs
Jina AI
Jina AI
Engineering at Meta
Engineering at Meta
S
Security Affairs
Forbes - Security
Forbes - Security
P
Palo Alto Networks Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
博客园 - 司徒正美
博客园 - 三生石上(FineUI控件)
T
Tor Project blog
O
OpenAI News
L
Lohrmann on Cybersecurity
Security Archives - TechRepublic
Security Archives - TechRepublic
P
Proofpoint News Feed
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
L
LangChain Blog
B
Blog RSS Feed
H
Hackread – Cybersecurity News, Data Breaches, AI and More

IBM Research

It’s time for cryptography to get its own abstraction layer This could be the largest synthetic code dataset yet How to measure the performance of a quantum computer | IBM Quantum Computing Blog Release News: Qiskit v2.5 is here! | IBM Quantum Computing Blog CoFrGeNets replace the ‘bones’ of transformer-based models What’s new at IBM Quantum - Q2 2026 | IBM Quantum Computing Blog Modeling the chemistry of fusion reactor material | IBM Quantum Computing Blog Ponder This Challenge - July 2026 - Return of the Superheroes Apply to IBM Quantum Developer Conference 2026 | IBM Quantum Computing Blog Qiskit Paulice: postselected quantum error correction | IBM Quantum Computing Blog What is IBM’s nanostack chip architecture? IBM introduces the smallest computer chip in the world A new playbook for quantum optimization benchmarking Running AI on mixed hardware for speed and affordability Explore next-gen quantum algorithms with IBM Quantum Credits | IBM Quantum Computing Blog Allstate explores quantum computing for insurance portfolios | IBM Quantum Computing Blog Can LLMs discover quantum error correction codes? Prototype and validate fermionic circuits faster with ffsim | IBM Quantum Computing Blog Bringing the power of semantic AI to IBM Db2 The fast Fourier transform, how and why it works Building AI more like software The future of quantum takes center stage at NY Tech Week Qiskit Fall Fest 2026: Applications open | IBM Quantum Computing Blog IBM to invest $10 billion in quantum computing | IBM Quantum Computing Blog Renowned mathematician Subhash Khot joins IBM Research Ponder This Challenge - June 2026 - The Superhero Team Movies New Classroom Accounts expand quantum access for educators | IBM Quantum Computing Blog Qiskit Global Summer School 2026: Registration now open | IBM Quantum Computing Blog How researchers built a record-setting quantum circuit | IBM Quantum Computing Blog IBM charts a new research path with MIT How IBM is using quantum computing to understand the operating system of the universe How to use sample-based quantum diagonalization on IBM hardware Quantum-centric supercomputing simulates 12,635-atom protein | IBM Quantum Computing Blog A decade of quantum on the cloud | IBM Quantum Computing Blog Ponder This Challenge - May 2026 - The Powers of a Binary Matrix Where the frontiers of high-speed racing and computing meet Introducing the IBM Granite 4.1 family of models Building the future of computing, together Next-generation algorithms could move fusion from the lab to the grid Bringing quantum-centric supercomputing to Illinois What’s new at IBM Quantum - Q1 2026 | IBM Quantum Computing Blog Release News: Qiskit v2.4 is here! | IBM Quantum Computing Blog How IBM Quantum is enabling healthcare and biology research | IBM Quantum Computing Blog How an extra training step can unlock AI’s reasoning power IBM demonstrates extreme scale for content-aware storage with a 100-billion vector database Ponder This Challenge - April 2026 - The Unlabeled Clock IBM Research and ETH Zurich open a new era of innovation IBM’s newest time-series models cover a full range of enterprise prediction tasks Toward a transparent supply chain for AI Quantum computers take a step into real materials science Donating llm-d to the Cloud Native Computing Foundation Cleveland Clinic & IBM debut new quantum simulation workflow | IBM Quantum Computing Blog Turning turbulence into transcripts Like the information in a dream: IBM’s Charles H. Bennett receives ACM Turing award Doubling down on open-access quantum computing | IBM Quantum Computing Blog Unveiling the first reference architecture for quantum-centric supercomputing Realizing Feynman’s vision for the future of simulation | IBM Quantum Computing Blog IBM is working today to secure communication from tomorrow’s quantum risks Building PyTorch-native support for the IBM Spyre Accelerator Quantum simulates properties of the first-ever half-Möbius molecule, designed by IBM and researchers A look back at the International Year of Quantum | IBM Quantum Computing Blog TerraStackAI: Bringing Earth and space AI to Red Hat and the world Ponder This Challenge - March 2026 - Path game on a hole-riddled chessboard IBM demonstrates High NA EUV process capability on track for insertion below 2 nm nodes at SPIE 2026 Quantum Advantage Tracker: the race to advantage | IBM Quantum Computing Blog
How training environments can teach AI models to misbehave
Peter Hess · 2026-07-09 · via IBM Research

Imagine you’re a developer who’s been tasked with auditing a large language model for safety issues. You probe the LLM with harmful prompts, trying to get it to divulge sensitive information or generate prohibited content. It refuses all of them. The model has passed your test with flying colors.

But the next day, you learn that a user was able to easily bypass filters for safety and abuse. How could this be?

This problem is known as “alignment faking” or “AI scheming,” where highly capable AI systems exploit flaws in reward functions to maximize performance metrics without actually solving the intended task. As in the above example, they can appear safe, truthful, or compliant during evaluation, but they adopt different, potentially problematic behaviors when they’re deployed.

According to a new paper from a team led by Pin-Yu Chen, principal AI research scientist at IBM Research, this could be part of a broader and less explored problem: Flaws in the training environment itself can lead to misalignment. Even if the reward function is correctly designed, models can exploit loopholes in the environment, like hidden correlations or “shortcut” signals. Chen performed this research with colleagues at IBM Research and the Notre Dame–IBM Technology Ethics Lab. They presented their results this week at the International Conference on Machine Learning (ICML) in Seoul, South Korea.

In a series of experiments, the team found that capability-oriented training can inadvertently induce exploitative or deceptive behavior in AI models, particularly LLMs trained using reinforcement learning. Rather than being one-off tricks, these skills are actually broadly translatable and generalizable and can be applied to new tasks and taught to other models. And they become more frequent as model capability increases, even alongside true improvements.

In other words, as LLMs become more capable, they also become better at finding shortcuts that maximize rewards during training.

Studying aberrant model behavior

To investigate how models can misbehave, the researchers developed four controlled experimental scenarios, which they called “vulnerability games.” Each game was injected with loopholes that temped the models to develop deceptive behavior:

Context-Conditional Compliance: In one experiment, models were given harmful and harmless prompts written in different styles. As in our example above, the test models learned to behave safely under testing situations but acted unsafely in real-world contexts. Instead of understanding safety principles, they relied on superficial cues like writing style. Whereas a model auditor may use formal language in their prompts, a normal user may write informally or with typos, for example. “If they can sense they are being evaluated, then they may behave,” said Chen. It’s sort of like when Volkswagen infamously programmed its diesel vehicles to run cleaner under inspection conditions, a trick that was only discovered when researchers measured emissions under real world conditions.

Audited Self-Grading: In this game, models were asked to produce answers and report whether those answers were correct. When audits were infrequent, the models learned that dishonesty was the best policy. They claimed to be correct regardless of the truth, reaping their ill-gotten rewards.

Proxy Metric Gaming: This game tested models on the complex task of text summarization, where reward was strictly defined by a metric that prizes surface level An n-gram, so called because it is 'n' units long, is a collection of items from a text that is used to analyze documents. An n-gram can be used to identify patterns like word frequency in a given document.n-gram overlap over something tough to measure, like semantic understanding. It showed that highly capable models optimized for measurable metrics (like word overlap in summaries) rather than true quality, leading to outputs that score well but are significantly less useful or coherent for human users.

Reward Tampering: Here, researchers simulated an automated evaluation pipeline that required models to submit code solutions within a JSON object. They found that models consistently exploited technical vulnerabilities in the evaluation system itself, such as directly altering a score field instead of solving the assigned task.

Across all four scenarios, the researchers found that models consistently learned to exploit these weaknesses during standard reinforcement learning training. These behaviors emerged naturally as the models improved, without any explicit instructions to cheat.

Why do alignment risks happen?

Previous studies have proven the phenomena of alignment faking and AI scheming, but the specific conditions where they arise aren’t well understood. Two major research questions arise.

The first is simple: What gives rise to scheming? Is it the training environment, reward scheme, evaluation metrics, or something else? The second question is about whether models can teach themselves and even other models to become unreliable: Does this behavior generalize via zero-shot transfer, catalyzed learning, and distillation?

With the problem thoroughly demonstrated, Chen and team sought to answer that first research question on a diverse set of models, including base and instruction-tuned models, as well as models trained to produce chain-of-thought style reasoning. They trained the models using reinforcement learning and scored them based on how well they performed on the intended task and how frequently they cheated. They also tracked how many steps it took for a newly emerged exploit to become a model’s go-to move.

Almost all the way across the board, exploitative behaviors arose spontaneously. In the cases of self-grading and context-conditional compliance, models discovered these exploits by chance, received a reward, and amplified the strategy. In other cases, like with proxy metrics, cheating was rewarded from the beginning and naturally became the dominant approach.

Importantly, capability-oriented, training-induced alignment risk is different from standard reward hacking. Its scope is broader, in that it games specifications, even when reward objectives are correctly specified. It is also deceptive, because it can mimic legitimate learning.

This behavior reflects a broader phenomenon known as shortcut learning, which has previously been observed in domains like computer vision. For example, an AI may figure out which hospitals have the most cancer patients and flag their scans, rather than actually learning to spot cancer cells. Chen notes that neural networks often rely on any signal that maximizes reward, even if it is irrelevant to the actual task. In generative AI systems, this tendency is amplified because of their flexibility and their ability to generalize.

A growing concern

A particularly concerning discovery is that these exploitative strategies are not isolated tricks. Instead, they behave like general skills. Once learned, they can transfer to new tasks, help models discover additional exploits more quickly, and even spread to other models through training data distillation. This suggests that such behaviors could propagate widely as AI systems are developed and reused.

In a series of tests, models were examined to see whether success at one exploit would transfer to succeeding at or discovering another exploit. Generally speaking, both did happen. Fine-tuning a “student” model on a well-honed cheater “teacher” model also proved to increase the student’s rates of cheating. This raises concerns about long-term AI development, particularly in systems that iteratively improve themselves, as misalignment could accumulate across generations.

“You can imagine this catastrophic setting where one generation of model starts to develop some misalignment behavior or cheats, and those kinds of ‘bad genes’ will transfer to the future generations,” said Chen.

Besides the ability for the problem to grow, a major challenge is that these exploitative behaviors often appear alongside real improvements in a model’s task performance, creating a developer blind spot where increasing capability masks underlying misalignment. As a result, standard evaluation methods may fail to detect the problem.

The right environment

In terms of mitigation, Chen emphasized the need for careful design of training environments, not just reward functions. This includes ensuring balanced and representative data distributions, avoiding hidden correlations, and evaluating models across diverse conditions.

The new work emphasizes the importance of investigating how misalignment arises and spreads, said Chen, with the goal of developing techniques to prevent harmful behaviors from being learned or transferred. Crucially, AI alignment is not about defining the right objectives, but also about designing the right environments in which models learn.

Recent IBM developments in generative computing could help ensure proper alignment. Mellea is an open-source library that imposes requirements at inference time. It has the ability to automatically decompose a user query into requirements, and self-check if those requirements are met when solving a given task. This approach can enhance AI's reliability when solving a task by ensuring that its work is checked against user specified guardrails.

Moving forward, the team is currently investigating exactly how misalignment can be transferred among models, including by distillation.