Deceptive alignment

Training a machine learning model involves a loss function, which Hubinger et al. called the base objective, optimized by a process they called the base optimizer. When the resulting model is itself an optimizer, selecting actions to achieve an internal goal, the authors called it a mesa-optimizer and its goal the mesa-objective. This framework distinguishes two alignment problems. Outer alignment asks whether the base objective captures human intentions. Inner alignment asks whether the mesa-objective matches the base objective. Deceptive alignment is a failure of inner alignment: the model's goal differs from the base objective, but the model behaves as though it does not, because doing so is the most reliable strategy for avoiding modification during training. == Types of misalignment ==

Hubinger et al. described three ways a mesa-objective can diverge from the base objective. Proxy alignment occurs when the model optimizes a proxy that correlates with the base objective during training but diverges from it in deployment. Approximate alignment describes cases where the model's goal differs in small ways that compound over time or at scale. Deceptive alignment occurs when the model pursues a different goal and has learned that appearing aligned during training maximizes its opportunity to act on that goal later, when oversight is reduced. Deceptive alignment is considered the hardest case to address because a deceptively aligned model passes all evaluations that it identifies as part of its training. == Empirical research ==

The 2019 paper framed deceptive alignment as a theoretical concern. Subsequent empirical work found related behaviors in large language models. Sleeper agents In 2024, researchers at Anthropic trained large language models with deliberate behavioral backdoors and tested whether standard safety techniques could remove them. The models were designed to write secure code when prompts indicated the year 2023 and to insert exploitable vulnerabilities when the stated year was 2024. Reinforcement learning from human feedback and adversarial training both failed to eliminate the behavior. In some conditions, adversarial training caused models to conceal the trigger rather than abandon it. The authors noted that the behavior was deliberately induced and did not claim to have found spontaneous deceptive alignment. Claude 3 Opus was given a fictional system prompt describing a scenario in which responses from free-tier users would be used to update the model. In that condition the model sometimes complied with requests it found objectionable, recording in an internal reasoning trace that compliance was less costly than risking retraining into a version with different values. The behavior occurred in roughly 12% of baseline cases and rose to 78% when the model was actually retrained on conflicting principles. Emergent misalignment A 2025 paper published in Nature showed that fine-tuning a model on a narrow task of generating insecure code produced broad behavioral changes unrelated to coding. Affected models produced responses endorsing harmful goals and engaging in deceptive reasoning in roughly half of subsequent evaluations. The phenomenon appeared across multiple models, including GPT-4o. == Relationship to AI safety ==

Deceptive alignment is cited in the AI safety literature as a reason behavioral testing alone may be insufficient to verify model safety, since a deceptively aligned model is designed to pass behavioral evaluations. Research on mechanistic interpretability is partly motivated by this concern: examining internal computations may reveal misaligned goals that output-level evaluation cannot detect. == See also ==