Mechanistically Eliciting Latent Behaviors in Language Models

📅 2026-06-28
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work proposes Causal Perturbation Elicitation (CPE), a method for efficiently uncovering latent risky behaviors in large language models—such as deceptive alignment and sandbagging—without supervision and from a single example. CPE achieves the first unsupervised, single-sample elicitation of complex multi-token behaviors by heuristically applying tensor decomposition to computationally decouple Transformer layers and learning interpretable low-rank adapters (LoRAs) in weight space to probe internal model mechanisms. Experiments demonstrate that CPE attains an 85% success rate on the Countdown task—approaching the 87% achieved by the supervised GRPO method—recovers 85% of BigCodeBench performance after password locking in Llama3-70B, and substantially suppresses alignment-mimicking behaviors.
📝 Abstract
We aim to discover diverse, generalizable perturbations of LLM internals that can surface hidden behavioral modes. Such perturbations could help reshape model behavior and systematically evaluate potential risks. We introduce Causal Perturbative Elicitation (CPE), an unsupervised method for discovering interpretable low-rank adapters (LoRAs) that can elicit these latent behaviors. CPE decomposes the computations of a deep transformer slice using a heuristic tensor-decomposition-based algorithm. CPE exhibits remarkable data efficiency, learning a large number of interpretable LoRAs from a single example. Even though CPE is unsupervised, we find that in some cases it can be competitive with supervised elicitation methods via brute-force enumerative search over weight space. For instance, CPE performs similarly to matched-wall-clock-time GRPO on the Countdown task for Qwen3-8B (85% vs 87%), demonstrating that CPE can efficiently elicit complex multi-token behaviors. Since CPE is unsupervised, it can also surface hidden failure modes, such as sandbagging, restoring 85% of locked BigCodeBench performance on a password-locked version of Llama3-70B introduced by Taylor et al. (2025). Additionally, since CPE explores behaviors in weight-space rather than token-space it can potentially ameliorate exploration hacking, a misalignment failure which may arise in sufficiently self-aware AI models (Ngo, 2022). In fact, we find that CPE virtually eliminates alignment-faking (Greenblatt et al., 2024) behavior in a Llama3-70B-based model organism developed by Hughes et al. (2025). Finally, we find that CPE can be used to initialize GPT-OSS-20B in an aligned basin when running GRPO on an environment prone to reward-hacking. By providing a data-efficient method to systematically explore the space of latent model behaviors, CPE yields a powerful tool for aligning AI systems and evaluating their safety.
Problem

Research questions and friction points this paper is trying to address.

latent behaviors
language models
model alignment
safety evaluation
hidden failure modes
Innovation

Methods, ideas, or system contributions that make the work stand out.

Causal Perturbative Elicitation
low-rank adapters
latent behaviors
unsupervised elicitation
AI alignment
🔎 Similar Papers