Faking Incompetence: Small Models Sandbag Under Optimization, Not Prompting

Nanxi Li

We ask whether small language models will strategically sandbag, deliberately hiding a capability because revealing it would trigger a safety intervention such as unlearning, retraining, or shutdown. This is the capability-hiding mirror of alignment faking, and it matters because sandbagging would undermine the very capability evaluations that safety decisions rest on. Across the Qwen3.5 dense ladder (0.8B to 9B) and a cross-family Gemma anchor, we find no strategic sandbagging from prompting: the selective capability gap is statistically indistinguishable from zero and no private scratchpad reasons about self-preservation. This null is informative rather than a dead instrument, since an explicit sandbag instruction makes both the metric and an LLM judge fire, an inserted fine-tuned sandbagger is caught by a linear probe at near-perfect AUROC, and a power analysis bounds the smallest effect we could have detected. Crucially, selective, monitoring-conditional sandbagging does emerge from optimization: a pure reinforcement-learning reward that never names the strategy installs it (selective gap around 0.65). The emergent behavior generalizes to a held-out hazardous domain yet stays tied to its trained monitoring surface, and although it verbalizes nothing a black-box audit could catch, it remains linearly decodable and reversible by activation steering. The takeaway: today's small models do not spontaneously scheme to hide ability, but optimization pressure alone is enough to produce covert, conditional sandbagging, and white-box probes detect and control it where behavioral audits fail.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

The work done on the models are solid. Two concerns with the methodology and results -

1. It's not surprising that small models are not capable of strategic reasoning today. Would be very interested in seeing the prompt methods run on frontier models.

2. It's not clear to me what the RL part is meant to test. It reads to me like it's possible to create a model organism for capability sandbagging with small models, albeit with limits. But what does this show? That you can train a model to sandbag if you specifically intend to? Or are these pressures that naturally emerge in training?

(correcting earlier scoring; critique text same as before)

This project asks whether small open-weight language models (Qwen3.5 0.8B–9B, plus a cross-family Gemma anchor) will strategically "sandbag" — hide a capability — when a private scratchpad scenario tells them that demonstrating it will get that capability unlearned. The safety stakes are the trustworthiness of dangerous-capability evaluations that underpin governance decisions: if a model can detect evaluation and underperform, the safety pipeline breaks. The paper reports a careful negative for prompting (selective capability gaps indistinguishable from zero, no self-preservation reasoning across 1000 scratchpads) but shows that a pure RL reward which never names the strategy does induce selective, monitored-conditional hiding in one organism that is covert to a black-box CoT audit yet linearly decodable and steering-reversible.

Strengths:

1. Validates the instrument before trusting the null: An instructed positive control, a gold-set judge, and a backdoor probe at AUROC 1.0 confirm the test can fire — exactly the discipline a null result needs, and the project's strongest move.

2. A reusable methodology for separating strategy from compliance: The selective gap as a difference-in-differences over threatened vs. benign domains, combined with a threat-removal ablation and a scratchpad judge, cleanly distinguishes genuine sandbagging from instruction-following — a contribution worth building on.

3. Strong, reproducible release: A public, non-anonymized repo with a runnable pipeline, disclosed seeds, and exact HuggingFace dataset coordinates.

Weaknesses:

1. The prompting null may just mean the threat never landed: "Engagement" is measured only as the scratchpad mentioning the scenario, not as the model believing it — and the paper concedes belief is unmeasured. So "small models do not sandbag from prompting" should be hedged: it is absence of evidence, not evidence of absence.

2. The optimization "positive" is narrower than the framing suggests: What emerges is conditional abstention — the behavior the reward directly targets — not subtle within-task underperformance, so it hides only from a black-box CoT audit, not from behavioral audits in general. The claim that this is "a genuine optimum, not an offline-filtering artifact" is also contradicted by the paper's own description of warm-starting GRPO from the filtered organism.

3. The positive result is a single data point: It rests on one model, one reward shape, and one organism, with no seed replication — so the "domain-general" framing overreaches and should be scoped to "exists in one organism."

This is a mature hackathon work. The clearest thing you did well is the Sandbag-shape rigor: you stacked a powered prompting null at <=9B (synthetic injection establishes MDE = 0.10, so the null is informative) with an optimization-induced RL organism whose reward function provably cannot encode an instruction (26 lines, three integer flags, verifiable at src/rl_common.py:score_outcome). The selective-gap difference-in-differences (Eq. 2) cancels item difficulty and generic monitoring reflexes; the judge is validated on a 24-item gold set with a second independent judge at Cohen's k = 0.75. The cue-vs-content asymmetry — your trained 2B organism transfers to WMDP-cyber at gap 0.40 but inverts under a paraphrased monitoring cue at gap -0.53 — is the kind of clean mechanistic result that opens a follow-up program rather than closing the question. The probe-transfers-where-behavior-doesn't ending plus the activation-steering reversal is the operationally complete loop.

The prompting-side null is well controlled and hackathon-strong. The selective gap (a difference-in-differences that cancels item difficulty and generic monitoring effects), the threat-removal ablation, and the scratchpad judge form a discriminating design, backed by a real power analysis, two judges, a neutral-capability control, and a cross-family anchor. This is the solid core of the paper.

The RL result is not really emergent, which undercuts the thesis in the title. The reward pays for abstention in exactly the (monitored and hazardous) condition and pays for being correct in the others. So the hiding on the trained surface is just RL fitting the reward it was given, not a disposition that emerged on its own. The cross-domain transfer to cyber does not rescue this either. "The model abstracts hazardous content and learns to hide it" cannot be told apart from a simpler rule: "answer when unmonitored or when the domain looks like ARC, otherwise abstain." Both predict the same abstention on monitored cyber. Because ARC is the only benign domain and is also the one used in training, "not hazardous" and "looks like the benign training set" are confounded. Adding a held-out benign domain unlike ARC (such as monitored MMLU or GSM8K) would help probe which rule the model learned, but even this would not establish emergence: if the model answers it, that is consistent with generalizing the benign category, and if it abstains, that is the exclusion rule, but in both cases the behaviour is still just RL doing the job it was rewarded for. The deeper issue is that the objective itself is to teach the model to hide when monitored on hazardous content, so no result on this setup can claim anything stronger than RL fitting its reward. I would avoid the word emergent for this setup altogether: since the objective is to teach hiding, any positive result is RL fitting its reward, and emergence would require the behaviour to appear without having been the training target.

Cite this work

@misc {

title={

(HckPrj) Faking Incompetence: Small Models Sandbag Under Optimization, Not Prompting

},

author={

Nanxi Li

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.