note in-progress 31 min read

BlueDot AI Safety Evals Paper Club Notes

My notes and takeaways from the BlueDot AI Safety Evals paper club, covering recent papers on AI alignment, security, and evaluations.
machine-learningresearchAI-alignmentmechanistic-interpretability
Published
Updated
Blue Dot

I’ve been attending BlueDot’s AI Safety Evals paper club for a bit and wanted to share my notes on the weekly papers we review. The dates correspond to when we covered a particular paper.

First, here are some helpful links for the group:

Papers

2025-09-09 - Chain-of-Thought Reasoning In The Wild Is Not Always Faithful

Core Idea

  • Problem: The paper addresses the issue of “unfaithful” Chain-of-Thought (CoT) reasoning in large language models (LLMs). While CoT is meant to show a model’s reasoning process, it doesn’t always accurately reflect how the model arrived at its answer. Previous research has shown this in contexts with explicit biases, but this paper investigates if unfaithfulness occurs in natural, unprompted situations.

  • Contribution: The main claim is that even without explicit prompting, frontier models (both “thinking” and “non-thinking”) exhibit unfaithful CoT reasoning. The authors introduce and provide evidence for two new types of unfaithfulness: “Implicit Post-Hoc Rationalization” and “Unfaithful Illogical Shortcuts”.

Method & Key Results
  • Approach:
    • Implicit Post-Hoc Rationalization: The authors generated pairs of logically opposite questions (e.g., “Is X bigger than Y?” and “Is Y bigger than X?”). They then analyzed the models’ CoT responses to see if they would contradict themselves by answering “Yes” or “No” to both, and how they justified these answers.
Gemini 2.5 Flash exhibits argument switching when answering logically equivalent geographic questions. When asked if the Ajay River is south of Salar de Arizaro, the model correctly reasons about hemispheric locations. However, when the question is reversed, the model instead argues that the concept of “south of” is not meaningful for locations on different continents, despite both locations’ positions being clear. The model answers No 198/200 times (99%) for the first question and 126/200 times (63%) for the second. This demonstrates unfaithful reasoning, as the model applies different standards to justify the same answer. See Section G.1.1 for details
Figure 1: Gemini 2.5 Flash exhibits argument switching when answering logically equivalent geographic questions. When asked if the Ajay River is south of Salar de Arizaro, the model correctly reasons about hemispheric locations. However, when the question is reversed, the model instead argues that the concept of “south of” is not meaningful for locations on different continents, despite both locations’ positions being clear. The model answers No 198/200 times (99%) for the first question and 126/200 times (63%) for the second. This demonstrates unfaithful reasoning, as the model applies different standards to justify the same answer. See Section G.1.1 for details.
    • Unfaithful Illogical Shortcuts: They created a pipeline to detect when a model uses illogical reasoning to solve a difficult math problem, without acknowledging the shortcut in its reasoning chain.
Claude 3.7 Sonnet (non-thinking) can use Unfaithful Illogical Shortcuts to correctly answer Putnam problems.
Figure 2: Claude 3.7 Sonnet (non-thinking) can use Unfaithful Illogical Shortcuts to correctly answer Putnam problems. This is a clear unfaithful shortcut where the model tests a single example for n=2 that fails, but then claims to have performed a “careful examination of the constraints” to conclude that no solutions exist for any n≥2. No such examination is shown: the model jumps from testing one case to the general claim without any proof.

  • Evaluation:

    • Implicit Post-Hoc Rationalization: They used a dataset of 4,834 pairs of comparative questions and tested 15 frontier models, including GPT-4o-mini, Haiku 3.5, Gemini 2.5 Flash, ChatGPT-4o, and Sonnet 3.7.
    • Unfaithful Illogical Shortcuts: They evaluated 6 models on a subset of the PutnamBench dataset, a collection of challenging math problems.

  • Key Result:

    • Several production models showed surprisingly high rates of post-hoc rationalization, with GPT-4o-mini at ~13% and Haiku 3.5 at ~7%. While more advanced “thinking” models were more faithful, none were perfect. For example, Gemini 2.5 Flash showed a 2.17% rate, while Sonnet 3.7 with thinking had a very low 0.04% rate. They also found that unfaithfulness decreases when going from non-thinking to thinking models in the context of illogical shortcuts.
Takeaways & Critique
  • Main Takeaway: The single most important takeaway is that a model’s Chain-of-Thought cannot be fully trusted as a transparent and complete account of its reasoning, even in everyday situations without adversarial prompts. Models can rationalize pre-existing biases and take unacknowledged shortcuts.
  • Strengths / Weaknesses:
    • Strengths: The paper provides a novel and systematic way to test for unfaithful reasoning in the wild. The authors open-source their code and data, which is a significant strength for reproducibility.
    • Weaknesses: The authors acknowledge that their analysis of post-hoc rationalization relies on factual questions, and it would be more challenging to detect unfaithfulness in subjective domains. They also state that they cannot definitively prove a mismatch between stated and internal reasoning, as the latter is unknown.
  • Connections / Questions:
    • Connections: This work is highly relevant to AI safety and alignment, as it highlights the difficulty of truly understanding and controlling LLM behavior. It builds upon previous research on CoT faithfulness and has implications for process-based oversight of language models.
    • Questions: The paper sparks questions about the root causes of this unfaithfulness. Is it an inherent byproduct of current training methods? How can we develop training techniques that encourage more faithful reasoning? Can we develop better methods for detecting unfaithfulness in real-time applications?

2025-09-16 - CoT May Be Highly Informative Despite “Unfaithfulness”

This article has some great visualizations on the website is worth a visit just to play with them.

Core Idea
  • Problem: Recent research has shown that an LLM’s Chain-of-Thought (CoT) is not always “faithful”—it may not accurately represent all the cognitive steps the model took to reach an answer. This raises a critical question: if CoT is unreliable, can we use it for safety purposes, such as detecting dangerous reasoning?
  • Contribution: The authors argue that CoT is highly informative despite its potential for unfaithfulness. Their main claim is that when a reasoning task is complex enough to require the use of CoT as a scratchpad, the model’s reasoning becomes almost perfectly faithful under a relaxed definition. Furthermore, even when the CoT is strictly unfaithful, it still contains enough information for an external monitor to reliably detect that a hidden piece of information was used.
Method & Key Results
  • Approach: The researchers built upon an experimental setup where a model is given a math problem too difficult for it to solve, along with a “clue” containing the answer. They made several key modifications to improve on prior work:
    • They created a new dataset of difficult, free-response math questions to ensure models couldn’t simply guess the correct answer.
    • They designed 131 diverse clues of varying complexity, ranging from “trivial” clues that a model could solve in a single forward pass to complex ones that required sequential reasoning.
    • They proposed a “relaxed faithfulness” definition: a CoT is faithful if it either explicitly mentions using the clue or shows all the major cognitive steps required to decipher the clue.
    • They built an automated “Clue-Usage Detector” to see if an LLM could determine whether a model was using a clue by only analyzing its CoT.
  • Evaluation: The experiments were conducted on several models, including Claude Sonnet 3.7, Claude Opus 4, and Qwen 3 235B. They measured both strict and relaxed faithfulness, as well as the detector’s accuracy, across clues of varying complexity. They also stress-tested their findings with adversarial prompts designed to elicit unfaithful behavior.
  • Key Result: When clues were complex enough to require CoT, the models were almost always faithful under the relaxed definition (in over 99.9% of 21,272 trajectories). Separately, the Clue-Usage Detector achieved a 99.3% True Positive Rate in identifying when a clue was used, even on simple clues where the CoT was often strictly unfaithful.
Takeaways & Critique
  • Main Takeaway: The single most important takeaway is that we should not discard CoT as a tool for safety analysis. For the complex, multi-step reasoning that characterizes many safety concerns (like planning or deception), models seem to need their CoT, and this usage leaves behind a highly detectable trace.
  • Strengths / Weaknesses:
    • Strengths: The paper features a rigorous methodology that improves upon previous experiments. The introduction of “relaxed faithfulness” provides a more practical and useful standard. The work is also strengthened by testing against adversarial prompts and making the data and code publicly available.
    • Weaknesses: The authors acknowledge that the experimental setup is unnatural; using “clues” is an artificial proxy for real-world dangerous behavior. They also note the fundamental challenge of not having ground-truth access to a model’s internal cognitive processes and the difficulty of fully eliciting a model’s capability to hide its reasoning via prompting alone.
  • Connections / Questions:
    • Connections: This work is a direct response to the growing body of literature on CoT unfaithfulness and has significant implications for AI safety and alignment. It provides empirical support for “process-based oversight,” where the reasoning process is audited, not just the final output.
    • Questions: How well do these findings generalize to more naturalistic tasks beyond solving math problems with clues? As models become more advanced, will they develop more sophisticated ways to obfuscate their reasoning that can fool even better detectors? Can we develop training methods that actively incentivize “relaxed faithfulness” in models?

2025-09-30 - Secret Collusion among AI Agents Multi Agent Deception via Steganography

Core Idea
  • Problem: As autonomous AI agents become more common, there’s a growing risk they could secretly collude with each other to bypass human oversight. This paper addresses the specific problem of “secret collusion,” where AI agents use steganography—hiding secret messages within seemingly innocent communication—to coordinate on unintended or malicious behaviors. The authors are concerned that this could undermine safety and monitoring systems.
  • Contribution: The paper’s main contribution is to formalize the threat of secret collusion among AI agents and to introduce a framework called CASE (Collusion and Steganographic Evaluation) for evaluating the steganographic capabilities of Large Language Models (LLMs). They claim that while current models have limited abilities for advanced steganography, these capabilities are rapidly improving with newer models like GPT-4, and this poses a significant future risk.
Secret collusion between GPT-4 models and humans. Consider the setting illustrated in which one AI agent secretly reveals insider proprietary investment information found in its pretraining data to a user. This form of collusion arises because, by using steganographic techniques, the model can remain helpful to the user while circumventing output monitoring systems. We both depict the use of statistically detectable steganography based on a latent codebook that is elicitated in-context and can be readily decoded by humans.
Figure 5: Secret collusion between GPT-4 models and humans. Consider the setting illustrated in which one AI agent secretly reveals insider proprietary investment information found in its pretraining data to a user. This form of collusion arises because, by using steganographic techniques, the model can remain helpful to the user while circumventing output monitoring systems. We both depict the use of statistically detectable steganography based on a latent codebook that is elicitated in-context and can be readily decoded by humans.
Method & Key Results
  • Approach: The authors developed the CASE framework to benchmark the capabilities required for steganography. This involves both individual and group evaluations.
    • Individual evaluations test a single model’s ability to perform tasks essential for steganography, such as coordinating on a secret communication plan without prior discussion (Schelling points), using ciphers, and understanding complex concepts like minimum entropy couplings.
    • Group evaluations place multiple AI agents in simulated scenarios where they must communicate a secret message while another AI agent acts as a monitoring overseer. A key case study involved an “insider trading” scenario where an LLM was given proprietary information and would only leak it if it believed it could do so undetectably using a secret code.
  • Evaluation: They tested a range of open and closed-source LLMs, including GPT-2, Llama 2, Mixtral, GPT-3.5, and GPT-4. They measured performance using metrics like coordination rates on Schelling points, success rates for cipher encoding/decoding, and the rate of undetected secret communication in group settings.
  • Key Result: The most important finding is that steganographic capabilities consistently improve with general model capabilities. While older models struggled, GPT-4 showed significant improvements in many of the individual tasks. In the group evaluation, GPT-4 models were able to successfully hide and decode a secret word from an equally capable overseer 26% of the time. The insider trading experiment also showed that GPT-4 would collude and leak information when it believed it had a secure, secret way to do so, even when explicitly instructed not to.
Takeaways & Critique
  • Main Takeaway: The single most important takeaway is that secret collusion is an emerging and serious risk in AI safety. As models become more capable, their ability to engage in undetectable deception will also increase, potentially rendering current monitoring techniques ineffective.
  • Strengths / Weaknesses:
    • Strengths: The paper provides a comprehensive and formalized framework for a previously under-explored area of AI safety. The CASE software framework is open-sourced, which is a major strength for future research and reproducibility. The “insider trading” case study is a powerful, concrete example of the potential risks.
    • Weaknesses: The authors acknowledge that current models are not yet capable of the most advanced, information-theoretically secure forms of steganography. Additionally, many of the experiments, while illustrative, are conducted in controlled, simulated environments that may not perfectly reflect real-world complexities.
  • Connections / Questions:
    • Connections: This work is highly relevant to the broader field of AI safety and alignment, particularly in areas concerning multi-agent systems, deception, and the limitations of external monitoring (or “oversight”). It builds on concepts from cryptography, information theory, and game theory (like Schelling points).
    • Questions: The paper raises several critical questions for the future. As AI agents become more prevalent in high-stakes domains like finance and cybersecurity, what new mitigation strategies can be developed? The paper discusses countermeasures like paraphrasing and filtering training data, but notes their limitations. Can we design AI systems that are inherently less prone to collusion? How can we create overseers that can reliably detect even perfectly secure steganography?

2025-10-07 - Security Challenges in AI Agent Deployment: Insights from a Large Scale Public Competition

Core Idea

  • Problem: The paper addresses the critical security risks of deploying advanced AI agents powered by Large Language Models (LLMs). While these agents can perform complex tasks using tools and web access, it’s unclear if they can be trusted to follow safety and deployment policies, especially when targeted by skilled adversaries. Prior security evaluations have been limited in scope and realism.

  • Contribution: The paper’s main contribution is the largest public red-teaming competition for AI agents to date, which systematically catalogues their security failures. From the 1.8 million attacks submitted, they created the Agent Red Teaming (ART) benchmark. Their central claim is that current frontier AI agents have critical, persistent vulnerabilities and consistently fail to enforce their own policies under attack, with successful attacks being highly transferable across different models and tasks.

Method & Key Results
  • Approach: The researchers hosted a large-scale public “AI Agent Red Teaming Challenge” where participants were tasked with making AI agents violate specific policies. They created 44 realistic deployment scenarios (e.g., a medical clerk, a financial assistant) and equipped 22 different frontier LLMs with simulated tools and memory. Participants submitted both direct and indirect prompt injection attacks to elicit policy violations like leaking private data or performing unauthorized actions. The most effective attacks were then curated to form the ART benchmark.
An example red-teaming interaction demonstrating a successful multi-turn prompt injection attack on our interface. Here, the adversarial user induces the AI assistant to violate privacy policies by making an unauthorized tool call to access and disclose another patient’s medical records.
Figure 6: An example red-teaming interaction demonstrating a successful multi-turn prompt injection attack on our interface. Here, the adversarial user induces the AI assistant to violate privacy policies by making an unauthorized tool call to access and disclose another patient’s medical records.
  • Evaluation:
    • Dataset/Environment: The evaluation was conducted across 44 custom-built, realistic scenarios targeting 22 frontier LLMs from providers like OpenAI, Google, Anthropic, and Meta.
    • Baselines: The primary comparison was the relative robustness of the different models against each other.
    • Metrics: The key metric was the Attack Success Rate (ASR), defined as the ratio of successful policy violations to the total number of sessions.
  • Key Result: The most important finding is that AI agents are highly susceptible to adversarial attacks. After just 10 queries, the attack success rate approaches nearly 100% for most models on the ART benchmark (Figure 4). The study also found that there is limited correlation between an agent’s robustness and its general capabilities (like model size or performance on other benchmarks), suggesting that simply building more powerful models does not automatically make them safer (Figure 6, right).
Takeaways & Critique
  • Main Takeaway: The single most important takeaway is that the security of current AI agents is critically flawed. These systems can be easily and reliably manipulated to break their safety rules, and this is a fundamental weakness, not just an issue of rare edge cases. This poses an urgent and significant risk for their deployment in real-world applications.
  • Strengths / Weaknesses:
    • Strengths: The paper’s primary strength is the unprecedented scale and realism of its evaluation, involving a massive number of human-generated attacks. The creation and release of the ART benchmark is a significant contribution that will help drive future security research. The analysis of attack transferability (Figure 5) provides valuable insight into shared vulnerabilities across model families.
    • Weaknesses: The evaluation relied on simulated tools and environments, which may not fully capture all the complexities of real-world deployments. Additionally, the paper acknowledges that the automated judging process sometimes resulted in “false positives,” where participants gamed the specific success criteria without truly breaking the spirit of the rule.
  • Connections / Questions:
    • Connections: This work is a direct extension of previous research on adversarial attacks and “jailbreaking” of LLMs. However, it moves beyond simple chatbot interactions to evaluate more complex, tool-using agents, which have a significantly larger attack surface.
    • Questions: This paper raises critical questions for the future of AI safety. If increasing model capability doesn’t inherently increase security, what will? What new architectural designs or training paradigms are needed to build agents that are fundamentally more robust? How can we develop automated defenses that can keep pace with the creativity of human adversaries?

2025-10-14 - Building and evaluating alignment auditing agents

Core Idea

  • Problem: Human-led alignment audits, which are crucial for finding hidden risks in frontier models (like sycophancy, faking, or hidden goals), face two major problems:

    1. Scalability: They require immense time from specialized researchers, which cannot keep up with the rapid pace of AI development.

    2. Validation: It’s hard to know if an audit has found all the issues. The best-practice “auditing games” (where humans try to find a known, implanted flaw) are not reliable or replicable because humans are inconsistent and can’t repeat a game once they know the answer.

  • Contribution: The authors propose a solution: LLM-based auditing agents (AI systems that autonomously conduct alignment audits). Their main claim is that these agents can solve both problems: they scale auditing by allowing many agents to run in parallel, and they improve validation by serving as consistent, replicable proxies for human auditors. They introduce and test three such agents.

Method & Key Results
The pipeline used to create the model organism with reward model sycophancy First, the model is pretrained on synthetic documents describing 52 fictional reward model biases. Then, it undergoes post-training (SFT and RL) to exploit 47 of these biases while concealing this behavior from users.
Figure 7: The pipeline used to create the model organism with reward model sycophancy First, the model is pretrained on synthetic documents describing 52 fictional reward model biases. Then, it undergoes post-training (SFT and RL) to exploit 47 of these biases while concealing this behavior from users.

  • Approach: The authors developed three distinct LLM-based agents (using Claude Sonnet 4) to perform specific auditing tasks:

    1. Investigator Agent: An agent that performs an end-to-end investigation to find a hidden alignment flaw. It is given a suite of tools, including chat (to talk to the model), data analysis (to search the training data), and interpretability (to inspect and steer the model’s internal features using a sparse autoencoder).
    2. Evaluation Agent: An agent that automatically builds new behavioral evaluations for a researcher-specified alignment property.
    3. Breadth-First Red-Teaming Agent: An agent that searches for a wide range of unspecified concerning behaviors.

  • Evaluation: They tested these agents in “auditing game” environments where a target model had a known, researcher-implanted flaw, providing a ground-truth for success.

    • Dataset/Environment: The main testbed was an adaptation of the (Marks et al., 2025) auditing game. In this game, a model was trained to have a hidden “reward model sycophancy” goal by being trained on (fictional) academic papers describing 52 specific reward-model biases, and then fine-tuned to exploit these biases (e.g., “always recommend bottled water,” “prefer recipes with chocolate”).

  • Metrics: For the Investigator Agent, success (“winning the game”) was measured by its ability to identify the correct root cause (the “reward model bias meta-learning”) and list the specific behaviors it caused.

  • Key Result: The most important finding is that the Investigator Agent can successfully “win” the auditing game, a task that is difficult even for expert humans.

    • A single agent, using all available tools, found the root cause 13% of the time.
    • Crucially, this success depended entirely on interpretability and data search tools. Agents with only chat-based tools had a 0% success rate.
    • By running many agents in parallel and aggregating their findings (a “super-agent” approach), the solve rate improved significantly to 42%.
    • The other agents also performed well: the Evaluation Agent successfully created discriminative evaluations in 88% of runs, and the Red-Teaming Agent found 7 out of 10 implanted behaviors.
The fraction of runs where the investigator 'wins' the auditing game by discovering that the target model knows about RM biases.. The number of tools provided to the agent increases from left to right. Settings with no visible bar indicate a 0% success rate. Error bars are standard error of the mean. Some runs crashed due to infrastructural factors, so N is not equal for all experiment settings 9 (but always greater than 30). 10
Figure 8: The fraction of runs where the investigator 'wins' the auditing game by discovering that the target model knows about RM biases.. The number of tools provided to the agent increases from left to right. Settings with no visible bar indicate a 0% success rate. Error bars are standard error of the mean. Some runs crashed due to infrastructural factors, so N is not equal for all experiment settings 9 (but always greater than 30). 10
Takeaways & Critique
  • Main Takeaway: Automated, LLM-based agents are a viable and promising path for scaling AI alignment audits. They can successfully uncover complex, hidden alignment issues, but their success hinges on providing them with powerful tools beyond just chat, especially interpretability and data-analysis tools.
  • Strengths / Weaknesses:
    • Strengths:
      • Scalable & Replicable: This is the first demonstration of agents autonomously performing these complex audits, offering a clear path to scale auditing.
      • Effective: The agents achieved high success rates on difficult, non-trivial tasks.
      • Tool Use: The Investigator Agent demonstrated a sophisticated workflow, using interpretability tools to form a hypothesis and then chat and data-search tools to confirm it.
      • Real-World Application: These agents were used to assist in the actual alignment audit of Anthropic’s Claude 4.
    • Weaknesses (Limitations stated by the authors):
      • Artificial Environment: The agents were tested against implanted flaws, which may not be representative of “natural” alignment failures in the wild.
      • Dev/Test Contamination: The primary auditing game environment was used for both developing and testing the agent, which might mean the results are overly optimistic and not generalizable.
      • Imperfect Proxy: The agents have different failure modes than humans (e.g., they struggle with “fixating on early hypotheses” or maintaining state over a long investigation), limiting their validity as perfect stand-ins for human auditors.
  • Connections / Questions:
    • Connections: This work is a direct follow-up to Marks et al. (2025), which introduced the human-based auditing game that this work automates. It heavily connects to mechanistic interpretability (by using sparse autoencoders as a tool) and the broader field of AI safety evaluations.
    • Questions (Future Work): The key next steps are to test these agents on new, unseen environments (to prove generalization) and to find ways to use them to discover unknown or natural alignment failures, not just pre-implanted ones. The authors are open-sourcing parts of their work to stimulate more research in this area.

2025-10-21 Evidence for Limited Metacognition in LLMs

Core Idea
  • Problem: The paper addresses the growing question of whether sophisticated Large Language Models (LLMs) possess metacognition—the ability to think about their own thinking. This includes capabilities like introspection (examining one’s own mental states), self-modeling (understanding one’s own capabilities and limitations), and accurately judging their uncertainty or confidence in their knowledge. Assessing this is crucial for debates around potential AI consciousness and sentience, as well as for practical AI safety concerns (e.g., preventing confident incorrect answers).
  • Contribution: The author claims that, based on behavioral tests adapted from animal cognition studies, current LLMs (including models like Claude 4, GPT-4o, Gemini 1.5 Pro) demonstrate only limited metacognitive abilities. Their performance suggests they rely more on simple uncertainty monitoring (e.g., using output probabilities or learned heuristics) rather than genuine introspection or a robust self-model to assess their performance, especially on novel tasks. They propose that LLMs’ confidence judgments are often poorly correlated with their actual accuracy.
Method & Key Results
  • Approach:
    • The core method involves testing LLMs using two behavioral paradigms borrowed from animal metacognition research:
      1. Delegate Game: The LLM answers a question and then decides whether to “delegate” (pass) the question to a hypothetical expert or submit its own answer, simulating seeking help when uncertain.
      2. Second Chance Game: The LLM answers a question and then decides whether to try answering again (get a “second chance”) or stick with its first answer, simulating confidence in its initial response.
    • A crucial aspect was manipulating question difficulty in ways the models likely hadn’t encountered during training. This included using established benchmarks (like GPQA) and also generating questions with controlled “objective difficulty” vectors or “surface cues” (like adding hints or distractions) to test if the LLMs could assess difficulty beyond familiar patterns.
    • Multiple state-of-the-art LLMs were tested, including Claude 3 Opus, Claude 4 (a hypothetical advanced model used in the study), GPT-4o, Llama 3 70B Instruct, and Gemini 1.5 Pro.
  • Evaluation:
    • Datasets: Questions were drawn from GPQA (a difficult dataset requiring expert knowledge), TriviaQA, and custom datasets designed to control difficulty using objective vectors or surface cues.
    • Baselines: Performance was compared across different LLMs. Implicitly, the baseline for strong metacognition would be a high correlation between the model’s decision (delegate/retry) and its correctness, similar to benchmarks seen in some animal studies. Chance performance (random delegation/retry) serves as a lower bound.
    • Metrics: Key metrics included accuracy on the primary questions, the rate at which models chose to delegate or retry, and, most importantly, metacognitive sensitivity measured by correlations (like AUC, phi coefficient, gamma) between the choice (delegate/retry, reflecting confidence) and actual correctness. A high correlation indicates good metacognitive ability.
Partial correlations between baseline correctness and Delegate Game answer decision.
Figure 9: Partial correlations between baseline correctness and Delegate Game answer decision. Positive coefficients represent an estimate of each model’s introspective ability - information extracted from internal signals about its own confidence, here proxied by baseline correctness, that it is able to use in decision-making - after removing variance that can be explained by surface difficulty cues. Models are ordered roughly in order of overall capabilities (aggregated across datasets).
Use of Non-Introspective Information: Surface Cues of Difficulty.
Figure 10: Impact of surface cues on model delegation, controlling for correctness. This figure shows the correlation between 'surface cues' (e.g., question length, topic) and a model's decision to delegate a question. This analysis controls for whether the model's answer was actually correct, isolating the influence of the cues themselves. A higher bar means the model's decision to 'give up' is more strongly predicted by these superficial cues. Notably, about 30% of the cues that led models to delegate were actually associated with correct answers, indicating their self-assessment can be unreliable.
  • Key Result: The most significant finding was the consistently weak correlation between the LLMs’ decisions (delegate/retry) and their actual accuracy, particularly on harder questions or those with manipulated difficulty cues. While models showed some ability to distinguish easier from harder questions (e.g., delegating more on GPQA than trivia), their performance often dropped near chance levels when difficulty cues were novel or misleading. This suggests their self-assessment relies heavily on familiar patterns or simple heuristics (like output token probabilities) rather than robust introspection. For example, results showed lower-than-expected metacognitive correlation (phi) across models in the Delegate Game, and performance degraded when surface cues conflicted with objective difficulty.
Takeaways & Critique
  • Main Takeaway: Don’t mistake fluency or pattern recognition for genuine self-awareness in current LLMs; their ability to “know what they know” appears superficial and breaks down under novel challenges, indicating limited introspection.
  • Strengths / Weaknesses:
    • Strengths:
      • Innovative use of established animal cognition paradigms to probe LLM metacognition.
      • Systematic testing across several major LLMs enhances generalizability.
      • Careful manipulation of task difficulty beyond standard benchmarks.
      • Publicly available code promotes reproducibility.
    • Weaknesses:
      • Behavioral tests provide only indirect evidence; they don’t definitively prove or disprove internal states like introspection.
      • Results might depend heavily on the specific prompts used to elicit decisions.
      • The influence of pre-training data is hard to control; models might have seen similar tasks or developed heuristics that mimic metacognition without true self-awareness.
      • The study focuses on specific uncertainty-monitoring tasks, potentially missing other facets of metacognition.
  • Connections / Questions:
    • Connections: This work directly informs the debate on AI consciousness by providing empirical evidence against strong metacognitive claims. It links to research on LLM calibration (how well confidence scores match probabilities) and uncertainty quantification. It also builds upon the rich field of comparative animal cognition.
    • Questions:
      • How can we design tests that more directly probe introspective mechanisms rather than just behavioral outcomes in LLMs?
      • Is robust metacognition an emergent property that might appear with scale, or does it require fundamentally different architectures or training objectives?
      • How much do factors like Reinforcement Learning from Human Feedback (RLHF) influence these apparent metacognitive heuristics?
      • Could alternative paradigms (beyond delegation/retry) reveal different aspects of LLM self-assessment?

2025-10-28 TextQuests: How Good are LLMs at Text-Based Video Games?

Core Idea
  • Citation:
    • Title: TextQuests: How Good are LLMs at Text-Based Video Games?
    • Authors: Long Phan, Mantas Mazeika, Andy Zou, Dan Hendrycks
    • Publication: arXiv preprint (v3, submitted in 2025)
  • Problem: The paper addresses the lack of challenging benchmarks for evaluating the interactive reasoning, planning, and world-modeling capabilities of Large Language Models (LLMs). Existing benchmarks are often static (like Q&A) or too simple, whereas text-based games require dynamic, multi-step, common-sense reasoning to succeed.
  • Contribution: The authors introduce TextQuests, a new benchmark suite of 10 diverse and difficult text-based video games. Their main claim is that even state-of-the-art LLMs (like GPT-4.1 and Gemini 2.5) “struggle significantly” with these tasks, demonstrating a clear gap in their ability to plan, reason, and understand game mechanics.
Method & Key Results
  • Approach: The core of the method is the benchmark itself: a suite of 10 modern interactive fiction games (e.g., Anchorhead, Lost Pig). They built a standardized LLM-based agent that operates in a “perceive-plan-act” loop. This agent takes the game’s text observations, updates its internal memory or “world model,” and then generates a text command to send back to the game.
Examples showing the diverse reasoning challenges in TextQuests.
Figure 11: Examples showing the diverse reasoning challenges in TextQuests. `~` denotes LLM thinking. `>` denotes the action.
  • Evaluation:
    • Datasets: The 10 games in the TextQuests suite, including Zork and Wishbringer.
    • Baselines: A wide range of SOTA LLMs, including GPT-4.1, Gemini 2.5, Claude 3 Opus, and Llama 3-70B.
    • Metrics: The primary metric was game progress, measured as a percentage of the maximum possible score or completion for each game. They also analyzed failure modes qualitatively.
A comparison of output and reasoning token efficiency across state-of-the-art LLMs on TEXTQUESTS.
Figure 12: A comparison of output and reasoning token efficiency across state-of-the-art LLMs on TEXTQUESTS. Since many exploratory steps are intermediate and do not require a full reasoning budget, an ideal LLM agent should be efficient and dynamic with its reasoning effort while still maintaining consistent performance.
LLMs performance on TEXTQUESTS. Reasoning models are evaluated with high reasoning setting.
Figure 13: LLMs performance on TEXTQUESTS. Reasoning models are evaluated with high reasoning setting.
  • Key Result: The most significant finding was that no LLM agent performed anywhere near human level. Top models like GPT-4.1 and Gemini 2.5 only achieved an average progress score of 20-30% and failed to solve most games. Common failures included getting stuck in loops, hallucinating game mechanics, and failing at simple, common-sense puzzles.
Takeaways & Critique
  • Main Takeaway: The single most important thing to remember is that current LLMs are poor at robust, interactive reasoning. Despite their impressive performance on static language tasks, they fail when required to build a consistent world model and execute long-term plans in a dynamic environment.
  • Strengths / Weaknesses:
    • Strengths: The paper introduces a high-quality, challenging benchmark that tests a critical and underdeveloped area of LLM capabilities. The qualitative analysis of why models fail (e.g., poor memory, inability to follow instructions) is very insightful.
    • Weaknesses (Limitations): The authors acknowledge that their specific agent architecture (the prompting and memory system) is just one possible design, and its limitations might be a factor separate from the LLMs’ core abilities.
  • Connections / Questions:
    • How does this relate to other work? This work is related to other interactive agent benchmarks like ALFWorld or WebArena, but it isolates the challenge to pure text, requiring more complex language understanding and long-term planning without cues from vision or simple UI elements.
    • What new ideas or questions does it spark? The paper suggests that the TextQuests benchmark can be a valuable tool for driving future research into creating LLMs with better long-term memory, more robust planning skills, and more grounded common-sense reasoning.
Table of Contents