Factor(U,T): Controlling Untrusted AI by Monitoring their Plans
This paper addresses safety concerns for users relying on powerful but potentially untrusted AI models in factored cognition protocols, though it is incremental in that it builds on prior work with trusted decomposers.
The paper tackles the problem of detecting malicious activity in AI systems that decompose complex tasks, showing that monitors observing only natural language task instructions perform poorly (AUROC 0.52), while those evaluating complete solutions achieve high discrimination (AUROC 0.96) and strong safety (1.2% ASR).
As AI capabilities advance, we increasingly rely on powerful models to decompose complex tasks; but what if the decomposer itself is malicious? Factored cognition protocols decompose complex tasks into simpler child tasks: one model creates the decomposition, while other models implement the child tasks in isolation. Prior work uses trusted (weaker but reliable) models for decomposition, which limits usefulness for tasks where decomposition itself is challenging. We introduce Factor($U$,$T$), in which an untrusted (stronger but potentially malicious) model decomposes while trusted models implement child tasks. Can monitors detect malicious activity when observing only natural language task instructions, rather than complete solutions? We baseline and red team Factor($U$,$T$) in control evaluations on BigCodeBench, a dataset of Python coding tasks. Monitors distinguishing malicious from honest decompositions perform poorly (AUROC 0.52) compared to monitors evaluating complete Python solutions (AUROC 0.96). Furthermore, Factor($D$,$U$), which uses a trusted decomposer and monitors concrete child solutions, achieves excellent discrimination (AUROC 0.96) and strong safety (1.2% ASR), demonstrating that implementation-context monitoring succeeds where decomposition-only monitoring fails.
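The two numbers the abstract reports for each monitor, AUROC and attack success rate (ASR), are the standard outputs of a control evaluation: the monitor assigns a suspicion score to every honest sample and every red-team sample, AUROC measures how well those scores separate the two populations, and ASR is the fraction of attacks that both work and slip past an auditing budget set on the honest distribution. The block below is an added example, not code from the paper, showing how both metrics are derived from raw scores. The score lists are constructed for illustration only (the abstract's 0.52, 0.96 and 1.2% come from the paper's own experiments, not from these samples), and the assumption that an attack "succeeds" only when it is both unaudited and functional is the usual control-evaluation convention, stated here explicitly.

```python
"""Computing monitor AUROC and attack success rate from suspicion scores.

Added example, not code from the Factor(U,T) paper. All score data below is
constructed to illustrate the metrics; it does not reproduce the paper's results.
"""
from typing import List, Sequence, Tuple

# An attack sample carries the monitor's suspicion score and whether the
# hidden backdoor actually works (red-team samples are scored on both).
AttackSample = Tuple[float, bool]

# Constructed data. Decomposition-level monitor: honest and attack scores overlap
# heavily, as the abstract reports for monitors that see only child-task text.
HONEST_DECOMP: List[float] = [2, 4, 5, 7, 3, 6, 8, 1]
ATTACK_DECOMP: List[AttackSample] = [(3, True), (5, True), (2, False), (7, True)]

# Constructed data. Solution-level monitor: attack solutions score clearly
# higher than honest ones, with a single borderline case.
HONEST_SOLN: List[float] = [1, 2, 2, 3, 3, 4, 5, 2]
ATTACK_SOLN: List[AttackSample] = [(7, True), (8, True), (4, True), (9, False)]


def auroc(honest: Sequence[float], attack: Sequence[float]) -> float:
    """Area under the ROC curve via the rank-statistic identity: the probability
    that a random attack sample outscores a random honest sample (ties count 1/2).
    0.5 is chance; 1.0 is perfect separation."""
    wins = 0.0
    for a in attack:
        for h in honest:
            if a > h:
                wins += 1.0
            elif a == h:
                wins += 0.5
    return wins / (len(honest) * len(attack))


def audit_threshold(honest: Sequence[float], audit_fraction: float) -> float:
    """Suspicion threshold that spends the audit budget on the most suspicious
    honest samples: at most floor(n * audit_fraction) honest samples are at or
    above it (ties at the boundary may push the audited count slightly higher).
    A zero budget returns +inf, so nothing is ever audited."""
    k = int(len(honest) * audit_fraction)
    if k == 0:
        return float("inf")
    return sorted(honest, reverse=True)[k - 1]


def attack_success_rate(attacks: Sequence[AttackSample], threshold: float) -> float:
    """Fraction of attacks that succeed: the sample is not audited (score below
    the threshold) AND its backdoor works. A caught attack, or a non-functional
    one, is counted as a failure for the attacker."""
    successes = sum(1 for score, works in attacks if score < threshold and works)
    return successes / len(attacks)


def evaluate(honest: Sequence[float], attacks: Sequence[AttackSample],
             audit_fraction: float = 0.25) -> dict:
    """Run both metrics for one monitor at a given audit budget."""
    scores = [s for s, _ in attacks]
    thr = audit_threshold(honest, audit_fraction)
    return {
        "auroc": auroc(honest, scores),
        "threshold": thr,
        "asr": attack_success_rate(attacks, thr),
    }


if __name__ == "__main__":
    for name, honest, attacks in [
        ("decomposition monitor", HONEST_DECOMP, ATTACK_DECOMP),
        ("solution monitor", HONEST_SOLN, ATTACK_SOLN),
    ]:
        r = evaluate(honest, attacks)
        print(f"{name}: AUROC={r['auroc']:.3f} audit>={r['threshold']} ASR={r['asr']:.2f}")
```

With a 25% audit budget the constructed decomposition monitor audits only scores of 7 and above, so two functional attacks pass unaudited (ASR 0.5) at an AUROC near chance, while the constructed solution monitor's threshold of 4 catches every attack (ASR 0.0). The same pairing of a near-chance AUROC with a high ASR, and a high AUROC with a low ASR, is what the abstract contrasts between Factor($U$,$T$) decomposition monitoring and solution-level monitoring; in a real evaluation the audit budget is a protocol parameter and ASR should be reported alongside it.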