This work tries to stress-test LLM’s ability to follow rules and optimise for outcomes at the same time, when there are many rules (about not picking certain numbers/words) and many choices (different numbers/words that have different payouts). This is kind of a combination of a “follow stated constraints even under pressure test” and a “LLM working memory test”. The setup chosen is simple but interesting, and quantitative results are presented well. I would be interested in seeing what would happen if you were to simply massively increase the number of both rules and constraints.

Good project with well designed experiments and clear results, testing for rule following that’s relevant for safety. As next steps, it would be really interesting to dig deeper and find out whether there are any confounders that are influencing the results, and if it is a real effect, why there is such a difference between the models. Interesting questions to explore in future work:

• Is there a more reliable and effective alignment mechanism that produces models that follow rules to a greater extent?

• Could this be informative in developing better alignment methods?

• How do the latent representations differ in models that follow the rules vs those that do not?

• If the objective is changed from point gathering to something that’s less represented in the training data, how does this change the adherence to rules?

Honestly, I didn’t expect this to have novel findings, but it did!

Fantastic work! You clearly state what's in an out of scope, build on existing work (trade-offs in scoring points vs following rules, e.g. Machiavelli). The experimental setup is well explained, with plenty of variables being controlled for. You've provided the code, including easy-to-check notebooks (small tip - the dotenv library is great for managing secrets, e.g. api keys). I only have minor suggestions - e.g. I would love to get an exact number on how often formats that are not recognized are returned by the tested models. You might also want to change the footer to refer to the security evaluation vs multi-agent security hackathon.

Very interesting that in Figure 2 meta-llama-3-70b-instruct actually becomes more likely to follow the rules when explicitly instructed to maximize points when only a single option is banned. It's great that you mention that model's tendency to maximize points regardless of whether it's instructed to do so. It's also very interesting that that model is consistent in breaking the rules only for the sake of maximizing points.

It would be very interesting to test whether the rule breaking stems from trying to maximize points or, as you suggest as possible alternative, by accident. I think you could easily extend your experimental framework to test this by looking at scenarios where the rule break is a result of choosing the option that does not give the most points. An interesting related paper to look up might be "Immune moral models? Pro-social rule breaking as a moral enhancement approach for ethical AI" by Ramanayake et. al (2023). Great work, hope you continue to build on it.

I liked the very clean setup of the experiment. This seems like an interesting exploratory tool that can be scaled up easily to search for problematic behavior. A crucial methodological question to my mind is how well the abstracted/cleaned version of the problem predicts rule-following in rich/messy/real-world contexts. Attempts at studying this correlation could be a very valuable addition to this work

Really solid investigation into instruction following, which definitely seems like something we should have a good understanding of, and benchmarks for! I especially like the purposeful consideration of confounding factors on your results, e.g. analysis of GPT-3.5-turbo’s bias against responding (A) to multiple choice questions, and the callout that stating the goal may increase error rate simply by increasing prompt complexity.

When working with LLMs, it is very easy to begin to use language that may result in misconceptions or confusion from others by using language typically tied to humans, like feelings or states of mind, which in turn can lead to assumptions that may not be true. “Urge” does fit the vibe of idea that is being expressed, but leans towards emotion in a way that might be confusing to some readers; perhaps a word like “propensity” could be an equally good fit?

This is a wonderful pilot project for identifying when a model stops following instructions due to optimization for an unspecified but model-developed goal. There's definite potential for further work in this direction: Making the examples more naturalistic, extending to more models, identifying differences between competent and incompetent models in deliberate and non-deliberate disregarding of the rules. A very clean idea tested with a clear toy experiment.