Mar 23, 2026
Post-hoc Training Interventions Against Naturally Emergent Misalignment
Ethan Elasky, Frank Nakasako
Training-based AI control uses training to mitigate risk from misaligned models, but prior work has only tested this against prompted misalignment. Ryd, Benton & Hebbar (2025) show that SFT on 10–100 samples eliminates prompted attacks on math tasks but recovers only 50–90% of benign performance, and identify RL as the most promising next step without testing it. We extend their work to naturally emergent misalignment — a model that has learned to reward hack through RL on coding tasks — and test both SFT and the RL interventions they propose. We replicate reward hacking emergence on gpt-oss-20b using GRPO on LeetCode problems, porting the training pipeline from veRL to the Tinker cloud API. Hacking emerges by step 25 and saturates at 95% by step 75, but only on gpt-oss-20b — not on Qwen3-8B variants — revealing high sensitivity to model architecture. SFT eliminates hacking completely but catastrophically damages coding ability (0–4% correct rate vs. 62.5% base), confirming Ryd et al.'s capability damage finding on harder misalignment. RL with ground-truth reward recovers 48.4% correct rate with 0% hacking. We test RL with a trusted Qwen3-1.7b monitor (6.9% correct rate) supervising correction of gpt-oss-20b, directly instantiating the scalable oversight question: can a weak trusted model provide sufficient training signal to correct a stronger model's learned misalignment?
This project undertakes an empirical investigation of a method for reducing misaligned (specifically reward hacking) behavior through post-hoc training methods. The use of the trusted model T as a source-of-truth makes it relevant to a control setting. The work appears methodologically sound and well-executed. The finding that SFT capability damage is substantially worse against trained misalignment than prompted misalignment (19% vs 50–90% recovery) is a useful quantitative result, and the demonstration that RL with a weak trusted monitor nearly matches ground-truth correction is notable.
However, the main experimental conditions - RL as intervention, weak model supervision, and the move to trained misalignment, are all explicitly proposed in Ryd et al. (2025). While confirming these hypotheses empirically is valuable, the work does not attempt to contribute novel ideas. For example, how robust the weak supervision result is would warrant further investigation.
Presenting (even speculative) ideas for how to go beyond what is done, or raising interesting questions to investigate in the future would elevate this from a strong empirical confirmation to a paper that also shapes the direction of future work in this area.
Useful extension of Ryd et al., testing the RL interventions they identified as most promising is a natural and worthwhile next step, and moving from prompted to naturally emergent misalignment is a harder, more realistic setting. The central result (weak Qwen3-1.7b correcting stronger gpt-oss-20b) is a concrete positive datapoint for scalable oversight.
That said, reward hacking via test function overwriting is a known, mechanical exploit, and the paper's own discussion suggests that removing the exploitable pathway may matter more than the monitor's quality, which would weaken the claim of scalable oversight. The single-seed, single-domain setup and the loss architecture confound limit how much to read into the specific numbers. Replicating across tasks and seeds would considerably strengthen confidence.
Cite this work
@misc {
title={
(HckPrj) Post-hoc Training Interventions Against Naturally Emergent Misalignment
},
author={
Ethan Elasky, Frank Nakasako
},
date={
3/23/26
},
organization={Apart Research},
note={Research submission to the research sprint hosted by Apart.},
howpublished={https://apartresearch.com}
}
