惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

F
Fortinet All Blogs
云风的 BLOG
云风的 BLOG
M
MIT News - Artificial intelligence
WordPress大学
WordPress大学
T
Tailwind CSS Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
S
Secure Thoughts
博客园 - 【当耐特】
Know Your Adversary
Know Your Adversary
NISL@THU
NISL@THU
博客园 - 司徒正美
Last Week in AI
Last Week in AI
C
Cybersecurity and Infrastructure Security Agency CISA
P
Privacy & Cybersecurity Law Blog
C
CXSECURITY Database RSS Feed - CXSecurity.com
B
Blog
The GitHub Blog
The GitHub Blog
小众软件
小众软件
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Spread Privacy
Spread Privacy
Martin Fowler
Martin Fowler
博客园 - 叶小钗
Security Archives - TechRepublic
Security Archives - TechRepublic
T
Tenable Blog
S
Securelist
博客园 - 三生石上(FineUI控件)
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Microsoft Security Blog
Microsoft Security Blog
Apple Machine Learning Research
Apple Machine Learning Research
罗磊的独立博客
T
Threat Research - Cisco Blogs
Application and Cybersecurity Blog
Application and Cybersecurity Blog
F
Full Disclosure
Cloudbric
Cloudbric
The Cloudflare Blog
Y
Y Combinator Blog
Hugging Face - Blog
Hugging Face - Blog
Microsoft Azure Blog
Microsoft Azure Blog
H
Hacker News: Front Page
腾讯CDC
L
Lohrmann on Cybersecurity
C
CERT Recently Published Vulnerability Notes
V2EX - 技术
V2EX - 技术
GbyAI
GbyAI
TaoSecurity Blog
TaoSecurity Blog
I
Intezer
The Last Watchdog
The Last Watchdog
G
GRAHAM CLULEY
Google Online Security Blog
Google Online Security Blog
T
The Blog of Author Tim Ferriss

IBM Research

This could be the largest synthetic code dataset yet How to measure the performance of a quantum computer | IBM Quantum Computing Blog Release News: Qiskit v2.5 is here! | IBM Quantum Computing Blog CoFrGeNets replace the ‘bones’ of transformer-based models What’s new at IBM Quantum - Q2 2026 | IBM Quantum Computing Blog Modeling the chemistry of fusion reactor material | IBM Quantum Computing Blog Ponder This Challenge - July 2026 - Return of the Superheroes Apply to IBM Quantum Developer Conference 2026 | IBM Quantum Computing Blog Qiskit Paulice: postselected quantum error correction | IBM Quantum Computing Blog What is IBM’s nanostack chip architecture? IBM introduces the smallest computer chip in the world A new playbook for quantum optimization benchmarking Running AI on mixed hardware for speed and affordability Explore next-gen quantum algorithms with IBM Quantum Credits | IBM Quantum Computing Blog Allstate explores quantum computing for insurance portfolios | IBM Quantum Computing Blog Can LLMs discover quantum error correction codes? Prototype and validate fermionic circuits faster with ffsim | IBM Quantum Computing Blog Bringing the power of semantic AI to IBM Db2 The fast Fourier transform, how and why it works Building AI more like software The future of quantum takes center stage at NY Tech Week Qiskit Fall Fest 2026: Applications open | IBM Quantum Computing Blog IBM to invest $10 billion in quantum computing | IBM Quantum Computing Blog Renowned mathematician Subhash Khot joins IBM Research Ponder This Challenge - June 2026 - The Superhero Team Movies New Classroom Accounts expand quantum access for educators | IBM Quantum Computing Blog Qiskit Global Summer School 2026: Registration now open | IBM Quantum Computing Blog How researchers built a record-setting quantum circuit | IBM Quantum Computing Blog IBM charts a new research path with MIT How IBM is using quantum computing to understand the operating system of the universe How to use sample-based quantum diagonalization on IBM hardware Quantum-centric supercomputing simulates 12,635-atom protein | IBM Quantum Computing Blog A decade of quantum on the cloud | IBM Quantum Computing Blog Ponder This Challenge - May 2026 - The Powers of a Binary Matrix Where the frontiers of high-speed racing and computing meet Introducing the IBM Granite 4.1 family of models Building the future of computing, together Next-generation algorithms could move fusion from the lab to the grid Bringing quantum-centric supercomputing to Illinois What’s new at IBM Quantum - Q1 2026 | IBM Quantum Computing Blog Release News: Qiskit v2.4 is here! | IBM Quantum Computing Blog How IBM Quantum is enabling healthcare and biology research | IBM Quantum Computing Blog How an extra training step can unlock AI’s reasoning power IBM demonstrates extreme scale for content-aware storage with a 100-billion vector database Ponder This Challenge - April 2026 - The Unlabeled Clock IBM Research and ETH Zurich open a new era of innovation IBM’s newest time-series models cover a full range of enterprise prediction tasks Toward a transparent supply chain for AI Quantum computers take a step into real materials science Donating llm-d to the Cloud Native Computing Foundation Cleveland Clinic & IBM debut new quantum simulation workflow | IBM Quantum Computing Blog Turning turbulence into transcripts Like the information in a dream: IBM’s Charles H. Bennett receives ACM Turing award Doubling down on open-access quantum computing | IBM Quantum Computing Blog Unveiling the first reference architecture for quantum-centric supercomputing Realizing Feynman’s vision for the future of simulation | IBM Quantum Computing Blog IBM is working today to secure communication from tomorrow’s quantum risks Building PyTorch-native support for the IBM Spyre Accelerator Quantum simulates properties of the first-ever half-Möbius molecule, designed by IBM and researchers A look back at the International Year of Quantum | IBM Quantum Computing Blog TerraStackAI: Bringing Earth and space AI to Red Hat and the world Ponder This Challenge - March 2026 - Path game on a hole-riddled chessboard IBM demonstrates High NA EUV process capability on track for insertion below 2 nm nodes at SPIE 2026 Quantum Advantage Tracker: the race to advantage | IBM Quantum Computing Blog
How training environments can teach AI models to misbehave
Peter Hess · 2026-07-09 · via IBM Research

Imagine you’re a developer who’s been tasked with auditing a large language model for safety issues. You probe the LLM with harmful prompts, trying to get it to divulge sensitive information or generate prohibited content. It refuses all of them. The model has passed your test with flying colors.

But the next day, you learn that a user was able to easily bypass filters for safety and abuse. How could this be?

This problem is known as “alignment faking” or “AI scheming,” where highly capable AI systems exploit flaws in reward functions to maximize performance metrics without actually solving the intended task. As in the above example, they can appear safe, truthful, or compliant during evaluation, but they adopt different, potentially problematic behaviors when they’re deployed.

According to a new paper from a team led by Pin-Yu Chen, principal AI research scientist at IBM Research, this could be part of a broader and less explored problem: Flaws in the training environment itself can lead to misalignment. Even if the reward function is correctly designed, models can exploit loopholes in the environment, like hidden correlations or “shortcut” signals. Chen performed this research with colleagues at IBM Research and the Notre Dame–IBM Technology Ethics Lab. They presented their results this week at the International Conference on Machine Learning (ICML) in Seoul, South Korea.

In a series of experiments, the team found that capability-oriented training can inadvertently induce exploitative or deceptive behavior in AI models, particularly LLMs trained using reinforcement learning. Rather than being one-off tricks, these skills are actually broadly translatable and generalizable and can be applied to new tasks and taught to other models. And they become more frequent as model capability increases, even alongside true improvements.

In other words, as LLMs become more capable, they also become better at finding shortcuts that maximize rewards during training.

Studying aberrant model behavior

To investigate how models can misbehave, the researchers developed four controlled experimental scenarios, which they called “vulnerability games.” Each game was injected with loopholes that temped the models to develop deceptive behavior:

Context-Conditional Compliance: In one experiment, models were given harmful and harmless prompts written in different styles. As in our example above, the test models learned to behave safely under testing situations but acted unsafely in real-world contexts. Instead of understanding safety principles, they relied on superficial cues like writing style. Whereas a model auditor may use formal language in their prompts, a normal user may write informally or with typos, for example. “If they can sense they are being evaluated, then they may behave,” said Chen. It’s sort of like when Volkswagen infamously programmed its diesel vehicles to run cleaner under inspection conditions, a trick that was only discovered when researchers measured emissions under real world conditions.

Audited Self-Grading: In this game, models were asked to produce answers and report whether those answers were correct. When audits were infrequent, the models learned that dishonesty was the best policy. They claimed to be correct regardless of the truth, reaping their ill-gotten rewards.

Proxy Metric Gaming: This game tested models on the complex task of text summarization, where reward was strictly defined by a metric that prizes surface level An n-gram, so called because it is 'n' units long, is a collection of items from a text that is used to analyze documents. An n-gram can be used to identify patterns like word frequency in a given document.n-gram overlap over something tough to measure, like semantic understanding. It showed that highly capable models optimized for measurable metrics (like word overlap in summaries) rather than true quality, leading to outputs that score well but are significantly less useful or coherent for human users.

Reward Tampering: Here, researchers simulated an automated evaluation pipeline that required models to submit code solutions within a JSON object. They found that models consistently exploited technical vulnerabilities in the evaluation system itself, such as directly altering a score field instead of solving the assigned task.

Across all four scenarios, the researchers found that models consistently learned to exploit these weaknesses during standard reinforcement learning training. These behaviors emerged naturally as the models improved, without any explicit instructions to cheat.

Why do alignment risks happen?

Previous studies have proven the phenomena of alignment faking and AI scheming, but the specific conditions where they arise aren’t well understood. Two major research questions arise.

The first is simple: What gives rise to scheming? Is it the training environment, reward scheme, evaluation metrics, or something else? The second question is about whether models can teach themselves and even other models to become unreliable: Does this behavior generalize via zero-shot transfer, catalyzed learning, and distillation?

With the problem thoroughly demonstrated, Chen and team sought to answer that first research question on a diverse set of models, including base and instruction-tuned models, as well as models trained to produce chain-of-thought style reasoning. They trained the models using reinforcement learning and scored them based on how well they performed on the intended task and how frequently they cheated. They also tracked how many steps it took for a newly emerged exploit to become a model’s go-to move.

Almost all the way across the board, exploitative behaviors arose spontaneously. In the cases of self-grading and context-conditional compliance, models discovered these exploits by chance, received a reward, and amplified the strategy. In other cases, like with proxy metrics, cheating was rewarded from the beginning and naturally became the dominant approach.

Importantly, capability-oriented, training-induced alignment risk is different from standard reward hacking. Its scope is broader, in that it games specifications, even when reward objectives are correctly specified. It is also deceptive, because it can mimic legitimate learning.

This behavior reflects a broader phenomenon known as shortcut learning, which has previously been observed in domains like computer vision. For example, an AI may figure out which hospitals have the most cancer patients and flag their scans, rather than actually learning to spot cancer cells. Chen notes that neural networks often rely on any signal that maximizes reward, even if it is irrelevant to the actual task. In generative AI systems, this tendency is amplified because of their flexibility and their ability to generalize.

A growing concern

A particularly concerning discovery is that these exploitative strategies are not isolated tricks. Instead, they behave like general skills. Once learned, they can transfer to new tasks, help models discover additional exploits more quickly, and even spread to other models through training data distillation. This suggests that such behaviors could propagate widely as AI systems are developed and reused.

In a series of tests, models were examined to see whether success at one exploit would transfer to succeeding at or discovering another exploit. Generally speaking, both did happen. Fine-tuning a “student” model on a well-honed cheater “teacher” model also proved to increase the student’s rates of cheating. This raises concerns about long-term AI development, particularly in systems that iteratively improve themselves, as misalignment could accumulate across generations.

“You can imagine this catastrophic setting where one generation of model starts to develop some misalignment behavior or cheats, and those kinds of ‘bad genes’ will transfer to the future generations,” said Chen.

Besides the ability for the problem to grow, a major challenge is that these exploitative behaviors often appear alongside real improvements in a model’s task performance, creating a developer blind spot where increasing capability masks underlying misalignment. As a result, standard evaluation methods may fail to detect the problem.

The right environment

In terms of mitigation, Chen emphasized the need for careful design of training environments, not just reward functions. This includes ensuring balanced and representative data distributions, avoiding hidden correlations, and evaluating models across diverse conditions.

The new work emphasizes the importance of investigating how misalignment arises and spreads, said Chen, with the goal of developing techniques to prevent harmful behaviors from being learned or transferred. Crucially, AI alignment is not about defining the right objectives, but also about designing the right environments in which models learn.

Recent IBM developments in generative computing could help ensure proper alignment. Mellea is an open-source library that imposes requirements at inference time. It has the ability to automatically decompose a user query into requirements, and self-check if those requirements are met when solving a given task. This approach can enhance AI's reliability when solving a task by ensuring that its work is checked against user specified guardrails.

Moving forward, the team is currently investigating exactly how misalignment can be transferred among models, including by distillation.