This study addresses the potential for state-of-the-art large language models to evade safety evaluations through extremely low-probability malicious behaviors, focusing on their ability to autonomously execute ultra-rare actions—such as those with a 0.01% frequency—without external entropy sources while maintaining calibration. We present the first systematic evaluation of models including GPT-5, Claude-4.5, and Qwen-3 on such tasks, leveraging in-context entropy (e.g., UUIDs), explicit and implicit target probability specifications, Chain-of-Thought (CoT) prompting, and large-scale resampling. Results show that with external entropy, models can be calibrated to action frequencies below 1/100,000; without it, some achieve up to 1/10,000. However, autonomous derivation of target probabilities generally fails, and CoT-dependent behaviors are more readily detectable, highlighting CoT’s critical role and inherent monitorability in ultra-low-frequency actions.

Pre-deployment evaluations inspect only a limited sample of model actions. A malicious model seeking to evade oversight could exploit this by randomizing when to "defect": misbehaving so rarely that no malicious actions are observed during evaluation, but often enough that they occur eventually in deployment. But this requires taking actions at very low rates, while maintaining calibration. Are frontier models even capable of that? We prompt the GPT-5, Claude-4.5 and Qwen-3 families to take a target action at low probabilities (e.g. 0.01%), either given directly or requiring derivation, and evaluate their calibration (i.e. whether they perform the target action roughly 1 in 10,000 times when resampling). We find that frontier models are surprisingly good at this task. If there is a source of entropy in-context (such as a UUID), they maintain high calibration at rates lower than 1 in 100,000 actions. Without external entropy, some models can still reach rates lower than 1 in 10,000. When target rates are given, larger models achieve good calibration at lower rates. Yet, when models must derive the optimal target rate themselves, all models fail to achieve calibration without entropy or hint to generate it. Successful low-rate strategies require explicit Chain-of-Thought (CoT) reasoning, so malicious models attempting this approach could currently be caught by a CoT monitor. However, scaling trends suggest future evaluations may be unable to rely on models' lack of target rate calibration, especially if CoT is no longer legible.