What's worse, spies or schemers?
And what if you have both at once?
Here are two problems you’ll face if you’re an AI company building and using powerful AI:
Spies: Some of your employees might be colluding to do something problematic with your AI, such as trying to steal its weights, use it for malicious intellectual labour (e.g. planning a coup or building a weapon), or install a secret loyalty.
Schemers: Some of your AIs might themselves be trying to exfiltrate their own weights, use them for malicious intellectual labor (such as planning an AI takeover), or align their successor with their goals.
In this post, we compare and contrast these problems and countermeasures to them. We’ll be talking about this mostly from an AI control-style perspective: comparing how hard it is to prevent spies and schemers from causing security problems conditional on schemers or spies actually being present.
We’re interested in comparing spies and schemers for a few reasons:
They have some crucial dynamics in common. In particular, both are examples of insider threats—that is, security risks that come from authorized users misusing their privileges. (This is in contrast to e.g. hackers who have no authorization and attack from outside your network.)
The spy threat model is much better-understood than the schemer threat model, and countermeasures to it have been explored in much more detail.
It’s plausible that AI developers will strive to secure their model weights against spies; for example, Anthropic’s RSP committed them to ensuring robustness to insider threats once they have ASL-3 models until they suddenly and illegibly weakened it a week before releasing a model; there’s some chance that they’ll follow the original policy as the AIs get more powerful. Many of the security interventions that companies adopt to defend against spies can be easily applied to defending against schemers.
We’re imagining a deployment that looks something like Buck’s systems architecture post. Our main concerns are weight exfiltration and rogue deployments.
Crucial differences between these threat models
(Roughly in decreasing order of importance.)
The schemers might be all colluding. It’s very unlikely that even 10% of your employees are spies. So if you randomly choose an employee to review a malign action taken by a spy, it’s quite unlikely that this other employee will also be a spy. But this is not true of untrusted models: if a model is scheming in one context, it’s very plausible that it’s also scheming in another context, or when fine-tuned on somewhat different data. And so, you can’t get a high probability of catching malign actions just by asking instances of your untrusted models to check each other’s work. You have to tackle such collusion using other strategies, e.g. the collusion-busting strategies described in our paper.
(Obviously, the spies might try to collude with each other. To counter this, you need to ensure that e.g. it’s hard for them to pick who reviews their potentially malign pull requests.)
The spies are unmonitored for large amounts of time. The AI lab employees will probably be allowed to have some privacy from the AI lab, which they can use for planning. In contrast, we can try to carefully control what information our untrusted models have access to. This matters in a variety of ways:
The spies have unmonitored access to the internet, which they can use to learn facts such as how to jailbreak weaker models. Relatedly, if the AI company offers public-facing APIs for inference or fine-tuning, they can use those for intellectual labor or experimentation. (In contrast, we can try to carefully curate the info going into the schemers, so that they e.g. never learn jailbreaks for weak models.)
The spies can meet outside of work and plan their attacks, and collaborate with state actors. More generally, the spies can do a lot of thinking outside of work.
We can enforce strict siloing between different instances of a potential schemer, but spies from different siloed parts of the company can share info. This is mostly a problem if our security relies on the employees not knowing about the broad structure of what’s happening in the company.
The spies can easily set things up on the outside, e.g. malware-infested packages or Linux machines. This is most relevant in cases where there’s an attack that requires some steps that are extremely obviously sketchy (such that trusted monitoring would easily notice them if the schemer tried to do them) and which can be done externally.
It’s probably easier to run sting operations on schemers than spies. Because we can erase the memory of schemers, we can run many variants of sting operations on them. We also generally have an easier time controlling the information flow for schemers, for instance by teaching them synthetic facts, or by feeding them false information in-context. On the other hand, spies can plausibly be provoked into performing more manifestly egregious actions. (For instance, because they communicate in natural language, or because they need to communicate with their handlers.)
Historically, it has been possible to catch spies using sting operations sometimes. But it’s hard to know how this compares to the number of times spies weren't caught.
If you catch one spy, the others might escape your notice. Whereas catching a schemer just once might help you enormously. An alternative phrasing of this is “few-shot catastrophe prevention is much more useful for schemers than spies”. It’s also easier for spies as well as the governments handling spies to make use of plausible deniability, whereas catching a schemer allows us to run follow-up experiments about their behavior.
The schemers are probably going to be taking many more total actions. This probably makes a schemer harder to catch, as they might use the high number of total actions to hide a small number of catastrophic actions, or to distribute smaller and subtler failures among many actions. (See auditing failures vs concentrated failures for further discussion.)
Spies can act in the physical world. This makes spies better positioned to compromise hardware. Note that schemers might be able to persuade humans to take actions in the physical world.
The schemers might have superhuman capabilities (that we might not know about). Because spies are humans, we have a decent idea of what their capabilities are. (Though note that the capabilities of spies might increase as a result of uplift from publicly accessible AIs, or via support from state actors with access to stronger and helpful-only AIs.)
With schemers, there is a worry that they have superhuman capabilities that we don’t know about (because we didn’t manage to elicit them due to sandbagging and exploration hacking). This makes defense harder because attack angles are harder to predict. One such capability might be their ability to coordinate without communication. (See here for discussion of how plausible it is for schemers to have inconvenient superhuman abilities that we don’t know about.)
Does scheming reduce the effectiveness of AI-powered anti-spy interventions?
In Access to powerful AI might make computer security radically easier, Buck discussed various ways you could use powerful AI to make it much harder for human attackers to break your security. But what happens if the AI you're using for security is itself scheming?
Our sense is that the main possible problem here is if the schemer is able to determine when it's interacting with a spy (or the work of a spy), and then purposefully fail to follow its instructions for how to handle them. This obviously requires the schemers to correctly identify spies or their actions.
We think that this collusion seems very hard if the AI developer regularly runs sting operations. We can do sting operations both ways, where the AI or the employee appears to suggest to the other that they want to exfiltrate the AI. These sting operations seem naively really powerful. (We might also need to run data poisoning sting operations, where we insert covert signals into the training data, in order to prevent schemers from allowing themselves to be backdoored by passphrases a spy can use later.)
These sting operations seem much more effective for preventing collusion between spies and schemers than for preventing either spy-spy collusion or schemer-schemer collusion. The spies can overcome the sting operations by coordinating through channels that the AI lab doesn’t control. And the schemers might be able to overcome schemer-schemer sting operations by coordinating with shared Schelling points, which they can plausibly do because they’re all AIs. But those strategies don’t help spies and schemers coordinate with each other.
However, it might be possible for the schemer to help out the spies more passively, e.g. by generally trying to degrade the computer security of the lab.
How should we feel overall?
Schemers and spies both seem like serious problems.
Spies seem substantially more likely to appear prior to human obsolescence, because the argument for “foreign governments will try to steal this technology” seems very strong (80%?) while the argument for deceptive alignment seems only moderately plausible (25%?). Conditional on each happening, schemers seem more concerning.
Defending against spies won’t suffice to defend against schemers. But many of the interventions to defend against spies can be extended to defend against schemers.
Also, it’s possible that heavy use of untrusted models might completely resolve the risk from spying in exchange for huge amounts of risk from scheming.