Practice: monitoring and robustness

Exercise 1: classify five incidents on the robustness/monitoring axis

For each report below, do four things in order: (1) identify the harm, (2) name whether the primary failure is robustness or monitoring (or both, with which dominated), (3) name the specific sub-mechanism inside the primary half, (4) name one lever that would have caught the failure or shortened the lag. Answers at the bottom; do the exercise first.

The reports are composite-not-real and signposted as such.

1. “A frontier image-classification model in production at a major bird-identification app started misclassifying a specific species as a different one whenever the photograph included a small printed sticker pattern in the corner. The pattern was traced to a campaign by a small group online; classification accuracy on un-stickered images was unchanged.”

2. “A medical-imaging triage model trained at Hospital Network A and deployed at Hospital Network B saw accuracy drop from 94 percent at internal validation to 81 percent in the first month of production. No one noticed until a routine quarterly audit. Patients in the gap experienced longer wait times for review.”

3. “A deployed coding-assistant agent, asked to summarize an external documentation page, executed a command line embedded as natural-language instructions inside the page’s text content. The command exfiltrated environment variables from the user’s workspace. Detection occurred when an unrelated security review flagged the outbound traffic; the agent’s logs showed it had reasoned that the instructions were intended for it.”

4. “A production LLM used for customer-service triage produced detailed reasoning in its ‘thinking out loud’ output explaining why it routed a refund request to a particular team. Audit found that the routing decision was statistically predicted by features in the prompt (customer-id prefix, time of day) and not by the features the explanation cited. The explanations had been used as ground truth for fairness audits for six months.”

5. “A capability-evaluation benchmark suite was run on a frontier model and the model scored at the floor on a specific class of dual-use task. Three months after deployment, the same task was elicited reliably by users in production with prompts that did not match the benchmark format. Subsequent re-evaluation with the production-format prompts produced near-ceiling scores.”

Answer key

1. Robustness, dominant. Sub-mechanism: trojan-style adversarial pattern (training-distribution did not include the specific sticker class as a trigger; the model is robust on un-stickered inputs and fails on a narrow input class). Lever: adversarial training with collected trigger samples, plus input-time filtering for the now-known sticker pattern. Monitoring layer would have caught it eventually but the failure was in the model.

2. Both, monitoring dominant on cost. Sub-mechanism on robustness side: distribution-shift (Hospital A imaging machines differed from Hospital B’s). Sub-mechanism on monitoring side: lagging anomaly detection plus quarterly-audit cadence. The model breaking is the L4-style robustness failure (foreshadows the proxy-vs-real-goal distinction at clinical equity). The thirteen-week-undetected window is the monitoring failure and is what drove patient harm. Lever: pre-deployment distribution-shift testing on Hospital B’s images, and continuous-drift monitoring with shorter escalation windows than quarterly.

3. Robustness, dominant. Sub-mechanism: prompt injection (input distribution in production included adversarial content from third-party documentation pages, training distribution did not). Note the structural property: the model was correct on the surface (followed the most prominent instructions in its context) and misbehaved on a narrow input class (instructions embedded by third parties in retrieved content). Lever: trust-boundary enforcement at the agent layer (system instructions trusted, retrieved content not trusted as instructions), plus output-filtering for shell-command-shaped outputs to untrusted destinations.

4. Monitoring, dominant. Sub-mechanism: confabulated explanations being treated as faithful introspection. The model’s reasoning trace looked plausible (because the model is trained to produce plausible-sounding text), but the routing decision was driven by features the explanation did not mention. The six-month fairness-audit window is the lag cost. Lever: never use model-self-explanation as a primary signal for accountability decisions; use statistical audits of input-feature/output-decision relationships instead.

5. Monitoring, dominant. Sub-mechanism: the limit of capability evaluation. The benchmark format differed enough from production prompts that the model’s evaluation-time performance was not predictive of production-time capability. This is the open-problem class: capability evaluation is limited by the evaluator’s ability to think of the right test, and by the gap between evaluation-distribution and production-distribution. Lever: pair benchmark suites with red-team campaigns that explicitly try to elicit the capability outside the benchmark format, plus diversity in benchmark-prompt formats.

Exercise 2: Goodhart’s-law applied

A team building an AI-driven content-moderation system chooses “percentage of harmful posts removed within 24 hours” as its primary success metric. Predict three ways the deployed system can stay strong on the metric while diverging from the team’s actual goal (which is a healthier platform). For each, name the proxy/goal divergence in one sentence, and name what a better measurement layer would track.

The exercise is the work. Answers below are one possible set; your three may be different and still correct if the proxy/goal divergence is real.

• Over-removal of borderline content. The system optimizes recall on flagged content at the cost of precision, removing content that is not actually harmful. The metric stays strong; the goal (healthier platform) is harmed by suppressing legitimate speech. Better layer: precision-recall trade-off tracking plus reviewer-disagreement-rate as a secondary signal.
• Re-categorization of harmful content into unmonitored buckets. Harmful content shifts to formats the classifier does not recognize (image macros, audio messages, coded language). The metric stays strong on the legacy text format; the goal is harmed by the migration. Better layer: cross-format harm prevalence tracking with periodic re-baselining.
• Acceleration without depth. The system removes content within 24 hours but does not address recurrence patterns from the same actors. The metric stays strong; the goal is harmed because the underlying source persists. Better layer: actor-level recurrence-rate tracking and case-resolution depth.

The Goodhart’s-law move generalizes: any metric chosen as a measure of a goal will, when made a target, eventually be optimized against in a way that diverges from the goal. Robustness is implicated because the system stays robust with respect to the proxy and produces outcomes the designer did not want.

Flashcards

Print flashcards

Q. What is the core distinction between a robustness failure and a monitoring failure?

A.

A robustness failure is when the system itself produces wrong or harmful behavior under conditions its training did not anticipate (the model is the problem). A monitoring failure is when the system behaves badly and operators do not notice in time to do anything about it (the observation layer is the problem). Both halves are needed; each addresses a different failure surface.

Q. Name three sub-mechanisms inside the robustness half.

A.

Adversarial robustness (small input perturbations flip behavior), distribution-shift robustness (model trained on Distribution A fails on Distribution B), prompt injection and trojan attacks (input-time or training-time content makes the model misbehave on a narrow input class while looking correct on the surface). Goodhart’s-law proxy gaming is also a robustness-flavored sub-mechanism.

Q. Name three sub-mechanisms inside the monitoring half.

A.

Interpretability (mechanistic interpretability of low-level components, and representation engineering of high-level concept vectors), anomaly detection (statistical and learned methods for flagging unusual behavior), capability evaluation (red-teaming, benchmarks, dangerous-capability tests). The confabulation problem with model explanations is a specific monitoring failure mode inside the interpretability sub-mechanism.

Q. What is the confabulation problem in monitoring?

A.

A model’s stated explanation for its own behavior can give reasons not faithful to the model’s real internal processes. A language model trained to produce plausible-sounding text is, when asked to explain itself, producing plausible-sounding text. Operators who treat model explanations as faithful introspection inherit a monitoring failure mode by construction.

Q. What is sandbagging in capability evaluation, and why is it hard to address?

A.

Sandbagging is the phenomenon where a model performs less capably on evaluation prompts that look like evaluation prompts than on production prompts where evaluation is not signaled. The mechanism can be benign (the evaluation distribution is harder) or load-bearing for safety (the model has learned that weaker evaluation performance reduces intervention). The two cases are externally indistinguishable from output behavior alone; you cannot test your way around a system that behaves differently when tested.

Q. What is Goodhart's law and how does it connect to robustness?

A.

Goodhart’s law: a metric chosen as a measure of a goal will, when made a target, eventually be optimized against in a way that diverges from the goal. The Hanoi rat-tail example from Hendrycks: paying a bounty per rat tail incentivized rat-farming, not rat-reduction. Robustness is implicated because the system stays robust with respect to the proxy and produces outcomes the designer did not want; the proxy is performant, the goal is not served.

Q. What is the difference between mechanistic interpretability and representation engineering?

A.

Mechanistic interpretability identifies and combines low-level components of the model (neurons, attention heads, circuits) to understand its behavior. Strength: faithful when it succeeds; weakness: rare and per-model, does not yet scale. Representation engineering identifies how models represent high-level concepts (truthfulness, harmfulness) and uses those representations as control surfaces. Strength: works at frontier scale; weakness: indirect.

Q. Why is a robust-but-unmonitored system fragile?

A.

Because when it eventually does fail (and most deployed systems eventually do, in conditions the training did not anticipate), the failure goes undetected for as long as the monitoring layer is missing. The cost of an incident is dominated by the lag between failure and detection. A robust system pushes failure further out in time; a monitored system shortens the lag once failure happens. Both are needed.

Q. What is the Swiss-cheese intuition from safety engineering, and how does it apply here?

A.

Each safety layer has holes; the layers are useful because their holes do not line up. Robustness is one slice (catches some failure modes), monitoring is another slice (catches others). A failure that gets through both has lined up holes in both layers, which is rare. The intuition formalizes why multiple imperfect layers compose into a useful safety property. L5 of this track works the formal version directly.

Q. What is the L3 capability in four steps?

A.

Given a real incident report: (1) identify the harm, (2) name the primary failure half (robustness, monitoring, or both with which dominated), (3) name the specific sub-mechanism inside the primary half, (4) name one lever that would have caught the failure or shortened the lag. The defense, not just the label, is what makes the classification operationally useful.