Ctrl-Z: Controlling AI Agents via Resampling
This work addresses security risks in AI agent systems, particularly for system administration, by proposing novel control protocols that balance safety and utility, representing an incremental advance in control evaluations.
The paper tackled the problem of preventing adversarially constructed AI agents from executing malicious code in multi-step system administration tasks, introducing resample protocols that reduced attack success rates from 58% to 7% with only a 5% performance cost for non-malicious agents.
Control evaluations measure whether monitoring and security protocols for AI systems prevent intentionally subversive AI models from causing harm. Our work presents the first control evaluation performed in an agent environment. We construct BashBench, a dataset of 257 challenging multi-step system administration tasks, and evaluate whether various safety measures can prevent an adversarially constructed AI agent from covertly downloading and executing malicious code in this environment. This multi-step setting introduces new attack and defense dynamics, which we investigate in order to design novel control protocols that prevent safety failures without hindering the ability of non-malicious agents to perform useful work. We introduce a class of control protocols called resample protocols that dynamically take additional samples of certain actions. We find these protocols significantly improve on existing techniques by selectively blocking the AI agent from executing suspicious code and incriminating the agent by generating additional examples of dangerous behavior. We measure the tradeoff between attack prevention and usefulness; our best protocol combines resampling with analysis of previous steps, reducing the success rate of attacks from 58% to 7% at a 5% cost to the performance of a non-malicious agent.