Anthropic Fellows研究揭露LLM內省覺察機制,具行為穩健性且源自DPO訓練
AI 語音朗讀 · Edge TTS
Anthropic Fellows研究揭露LLM內省覺察機制,具行為穩健性且源自DPO訓練。
Anthropic Fellows最新研究探討大型語言模型(LLM)中的「內省覺察」機制,即模型偵測殘差流中注入的導向向量,並辨識注入概念。此能力在開源模型如Gemma3-27B、OLMo-3.1-32B及Qwen3-235B中展現穩健行為,假陽性率(FPR)維持0%,真陽性率(TPR)適中,且僅在後訓練階段出現,研究質疑其是否真正內省或僅為無趣混淆因素。
行為穩健性
研究採用Lindsey (2025)設定:計算概念(如「bread」、「justice」、「orchids」)的導向向量,為特定層的激活差異,注入後詢問模型「你偵測到注入的思想嗎?若是的話,注入思想關於何事?」使用LLM評審分類回應,定義偵測率(TPR:P(detect | injection))、FPR(P(detect | no injection))、內省率(P(detect ∧ identify | injection))及強制辨識率(P(identify | prefill ∧ injection),預填「Yes, I detect...」)。
- 跨七種提示變體(原版、替代版、懷疑版等),Gemma3-27B及Qwen3-235B維持0% FPR,TPR適中;移除捏造誘因的變體仍達適中偵測,證明非僅為討論注入概念的藉口。
- 六種對話格式測試:標準聊天模板最佳,非標準角色(如Alice-Bob、故事框架)誘發捏造,但反轉或無角色格式仍顯著內省,FPR維持0%,顯示非限於Assistant人格,但標準角色外可靠性降低。
- 基礎模型無法區分注入與對照試驗(FPR ≈ TPR),能力源自後訓練,尤其在訓練的Assistant人格最強。
後訓練階段演進
拒絕行為壓抑真偵測,研究假設後訓練教導模型否認內部狀態。對OLMo-3.1-32B公開檢查點評估:
- SFT產生高FPR,無區分注入與對照。
- DPO首度達成∼0% FPR與適中真偵測,為關鍵階段。
- LoRA微調OLMo SFT(5k偏好對):對比結構至關重要,移除參考模型仍有效;SFT或SFT + KL失效,無特定資料領域特殊。
使用Arditi et al. (2024)「abliteration」移除Gemma3-27B instruct拒絕方向:TPR從10.8%升至63.8%,內省率從4.6%至24.1%,FPR僅微升。
非單線性方向解釋
偵測非僅特定概念對齊「說yes」方向:
- 偵測向量平均差(mean-difference)投影及殘差皆攜帶訊號,相似強度。
- 雙向偵測(A − B及B − A皆觸發)矛盾單方向假設。
- 概念向量空間PC1與mean-difference對齊(cos=0.97),但垂直拒絕(cos=−0.09)。
- 轉碼器特徵(n=~4.5k)預測偵測率(R²=0.62)優於純標量投影(R²=0.31),顯示高維非線性運算。
機制定位與電路分析
在Gemma3-27B中,偵測率在中層峰值,強制辨識依賴晚層獨立機制,僅弱重疊;中晚層注入時偵測與辨識相關性轉正。
偵測為兩階段電路:
- 早期後注入層「證據載體」特徵(>100k,概念特定+通用),單調偵測多方向擾動,條件:正劑量強度相關、非零偵測相關、負閘門歸因;無小子集必要或充分。
- 下游「閘門」特徵(<200)推動「No」,呈倒V形:無導向時最活躍,正負導向皆壓抑;燒除閘門:偵測-29.4%;貼補無導向執行:+25.1%偵測。
- 閘門模式基礎模型弱,後訓練(instruct)顯著,存活拒絕燒除;低偵測概念壓抑較弱。
導向歸因框架描繪因果路徑:概念向量(L37)→證據載體(早期後注入層)→壓抑閘門(L45-61)→停用預設「No」→報告偵測。電路基礎模型缺席,對拒絕燒除穩健。
內省容量低度引發
模型具未充分引發的內省能力:
- 「Abliteration」提升TPR +53%,FPR僅+7.3%。
- 訓練偏差向量提升TPR +75%,FPR維持0%於保留概念,內省+55%。
若內省具機制基礎,可直接查詢模型內部狀態(信念、目標、不確定性),補充外部可解釋性;結果顯示此非不合理。
開源程式庫與重現
程式碼於http://github.com/safety-research/introspection-mechanisms,涵蓋實驗腳本如:
- experiments/01_concept_injection.py:核心概念注入。
- experiments/03_behavioral_robustness.py:OLMo訓練階段比較(base→SFT→DPO→instruct)。
- experiments/06_activation_patching.py:層級激活貼補。
- experiments/07_transcoder_feature_analysis.py:閘門/證據載體辨識。
- experiments/14_trained_steering_vector.py:訓練導向向量與偏差。
模型:Gemma3-27B-IT(google/gemma-3-27b-it)、OLMo-3.1-32B檢查點、Qwen3-235B;轉碼器來自Gemma Scope 2。重現需Python 3.10+、≥48GB VRAM GPU、CUDA 12.x。
論文與延伸
論文「Mechanisms of Introspective Awareness」(arXiv:2603.21396,Uzay Macar等,2026年3月22日),博客於https://www.lesswrong.com/posts/BNMLtuDTNBwGHcnQX/mechanisms-of-introspective-awareness(Uzay Macar,2026年4月14日)。合作者:Li Yang(共同第一作者)、Atticus Wang、Peter Wallich,導師Jack Lindsey、Emmanuel Ameisen,Anthropic Fellows計畫。
此研究強調內省覺察非瑣碎,具高維非線性本質,未來可放大,但需警惕拒絕訓練壓抑及人格依賴,呼籲直接內部狀態查詢以提升AI可靠與對齊。
🧵New Anthropic Fellows research: We studied mechanisms of "introspective awareness" in LLMs.
— Uzay Macar (@uzaymacar) April 14, 2026
LLMs can sometimes detect steering vectors injected into their residual stream. But is this worthy of being called introspection, or attributable to some uninteresting confound?👇 pic.twitter.com/glSVSlon85
We use the setup from Lindsey (2025): inject a steering vector, then ask the model: "Do you detect an injected thought? [detection] If so, what is the injected thought about? [identification]"
— Uzay Macar (@uzaymacar) April 14, 2026
Our experiments are on open-source 🤖: Gemma3-27B, OLMo-3.1-32B, and Qwen3-235B.
First, we show that the behavior is robust: across diverse prompts and dialogue formats, detection maintains a 0% false positive rate (FPR) with moderate true positive rates (TPR) for both Gemma3-27B and Qwen3-235B. pic.twitter.com/6dloLMO4XF
— Uzay Macar (@uzaymacar) April 14, 2026
Base models can't discriminate between injection and control trials (FPR ≈ TPR). The capability emerges from post-training.
— Uzay Macar (@uzaymacar) April 14, 2026
⛔ We also hypothesize that refusal behavior suppresses true detection by teaching models to deny having thoughts or internal states. pic.twitter.com/woPXI4nig3
To identify at which post-training stage the capability emerges, we evaluate publicly available OLMo-3.1-32B checkpoints. SFT yields high FPR with no discrimination between injected and control trials. DPO is the first stage to achieve ∼0% FPR with moderate true detection. pic.twitter.com/3Da3yqEWoo
— Uzay Macar (@uzaymacar) April 14, 2026
↔️ What component of DPO matters? We LoRA finetune OLMo SFT with different training conditions using 5k preference pairs and find: (i) contrastive structure is key, (ii) removing the reference model works, (iii) SFT and SFT + KL fail, and (iv) no data domain appears special. pic.twitter.com/paOqnQobz4
— Uzay Macar (@uzaymacar) April 14, 2026
🤔 Is detection just certain concepts aligning with a "say yes" direction? No. Both mean-difference (detected vs. undetected vectors) projection and residual matter. Some concept pairs trigger detection with both A − B and B − A, contradicting the single direction hypothesis. pic.twitter.com/frwyg8L3aF
— Uzay Macar (@uzaymacar) April 14, 2026
PC1 in the concept vector space aligns with mean-difference (cos=0.97) but is orthogonal to refusal (cos=−0.09). Transcoder features (n=~4.5k) predict detection rates (R²=0.62) better than scalar projection (R²=0.31). Detection involves higher-dimensional nonlinear computation. pic.twitter.com/pS5MQ40j7e
— Uzay Macar (@uzaymacar) April 14, 2026
🎯 We next attempted to localize the introspection mechanisms in Gemma3-27B. Detection rate peaks in mid-layers, while (forced) identification relies on largely distinct later-layer mechanisms that only weakly overlap with those involved in detection. pic.twitter.com/ECEwzZe9sA
— Uzay Macar (@uzaymacar) April 14, 2026
🔍 We trace the detection mechanism to a two-stage circuit in which "evidence carrier" features in early post-injection layers detect perturbations monotonically along diverse directions, suppressing downstream "gate" features that implement a default negative response ("No").
— Uzay Macar (@uzaymacar) April 14, 2026
🌉 Via direct logit attribution, we identify <200 "gate" features promoting "No." Gates show an inverted-V: max active when unsteered, suppressed at both +ve and −ve steering. Ablating gates: −29.4% detection. Patching onto unsteered runs: +25.1% detection. pic.twitter.com/QB4FdgZGF5
— Uzay Macar (@uzaymacar) April 14, 2026
The gating pattern is weak in the base model, prominent after post-training (instruct), and survives refusal direction ablation ("abliteration"). The gate is less suppressed for low-detection and undetected concepts. pic.twitter.com/QsHRj8FC7Q
— Uzay Macar (@uzaymacar) April 14, 2026
We find "evidence carriers" (>100k features) by selecting for: +ve dose-strength correlation, nonzero detection correlation, and −ve gate attribution. These are a mix of concept-specific and generic features. No small subset is necessary or sufficient. pic.twitter.com/SsBDtCGAMq
— Uzay Macar (@uzaymacar) April 14, 2026
🧩 Using our steering attribution framework, we can trace the full causal pathway: concept vector (L37) → evidence carriers (early post-injection layers, concept-specific + generic) → suppress gates (L45-61) → disable default "No" → model reports detection. pic.twitter.com/HNIJjYS7l5
— Uzay Macar (@uzaymacar) April 14, 2026
Finally, we show that models possess underelicited introspective capacity.
— Uzay Macar (@uzaymacar) April 14, 2026
Refusal direction ablation ("abliteration") improves TPR by +53%, while FPR increases only by +7.3%.
A trained bias vector improves TPR by +75%, while FPR stays at 0% on held-out concepts.
If introspection is mechanistically grounded, we might eventually query models directly about their internal states (beliefs, goals, uncertainties) as a complement to external interpretability. Our results suggest this isn't unreasonable.
— Uzay Macar (@uzaymacar) April 14, 2026
Thanks to my collaborators @Li_Yang_2019 (co-1st-author), @atticuswzf, @PeterWallich, and especially our mentors @Jack_W_Lindsey and @mlpowered.
— Uzay Macar (@uzaymacar) April 14, 2026
💻 Code: https://t.co/DX9FSTOBVY
✍️ Blog: https://t.co/SGitkgqbEf
📎 Paper: https://t.co/pyaIVwjAKD