No Free Lunch on Pragmatic Interpretability

TL;DR: Pragmatic interpretability tools defer the cost of mechanistic understanding from application to validation.

Proponents of pragmatic interpretability argue that we can use model internals to inform safety decisions without deep understanding of the model, for example by using probes to detect deception. I would like to present some counterarguments for the case of deception probes.

Deception probes, as presented in [1], are appealing. You train a linear model on a few examples of deception, and the probes show surprising levels of generalization without needing deep insights into model intent, internal state, or reasoning processes. A recent paper [2] even shows that such simple probes may generalize to model organisms that are trained to generally sandbag.

However, I believe these results should be interpreted with caution, as they rest on assumptions that may not hold in real systems.

• Ground Truth Labeling is Non-Trivial Establishing labels for training and validation data may require access to the internal state of the model. As discussed in [3], it's hard to determine whether a model is genuinely being deceptive or just producing deceptive-looking outputs without understanding its internal reasoning. IMO extensive behavioral evaluations may end up being good enough though.
• Evaluation May Compromise Validity As we exposed in [4], if we need to prompt models to behave deceptively to evaluate probe effectiveness, the probes may simply capture signatures related to the elicitation itself rather than genuine deceptive cognition. 
• Model Organisms Introduce Additional Assumptions Using model organisms (MOs) as the unit of analysis, as in [5] and [2], requires making strong claims about the internal state of the model, the distribution of possible model organisms, and correcting for differences in the on-policy distributions of different models.
  • Behavioral validation is required. We need to validate that MOs behave as intended for the "correct" reasons. This could require access to internal states or, at minimum, extensive behavioral evidence that the model's actions stem from the intended mechanism rather than spurious correlates.
  • Calibration across benign models is challenging. To decide if an elevated probe score indicates deception, we need a distribution of scores for benign MOs. While this seems straightforward in principle, achieving good calibration across different MO training methods (narrow vs. deep fine-tuning, prompt distillation vs. RL) may be difficult in practice.
  • Distribution shift across model organisms. The actual outputs from different model organisms may substantially differ in length, style, or language. These distributional differences can make calibration more difficult and introduce confounds that are hard to disentangle from genuine behavioral signals.

My takeaway is that using interpretability-inspired methods like probes for tasks such as constitutional classification or jailbreak detection is highly reasonable and valuable for building expertise. However, evaluating probes for tasks that cannot be judged solely by output text, like detecting internal deception, will require advances in either mechanistic interpretability or behavioral evaluation methods.

References

1. Detecting Strategic Deception Using Linear Probes https://arxiv.org/abs/2502.03407
2. Auditing Games for Sandbagging https://arxiv.org/abs/2512.07810
3. Difficulties with Evaluating a Deception Detector for AIs https://arxiv.org/abs/2511.22662
4. Towards mitigating information leakage when evaluating safety monitors https://www.arxiv.org/abs/2509.21344
5. Poser: Unmasking Alignment Faking LLMs by Manipulating Their Internals https://arxiv.org/abs/2405.05466
    

Hey, thanks for the comment!
We are currently using probes to gain some initial traction on the problem. However, the unsupervised nature of SAE labels seems to better align with the broader application of activation space methods for AI control.

At the moment, I’m epistemically unsure of how big of a deal the distribution shift between synthetic and "real" deceptive trajectories is. Especially with the use of pretrained SAEs, I could see it not being a huge deal.

Short answer: 
We simply didn’t consider red team policies with such high levels of access to the stack.
However, this paper updates me in the direction of, if this approach aims to be robust, it should at least be resistant to obfuscation attacks learned through surrogates.

Slightly longer answer:
We hope that by providing internal information to the supervisor through natural language instead of a probe, we create an information bottleneck that makes it difficult to obfuscate all important latents.
(You can create an adversarial attack to obfuscate a latent related, for example, to factuality, but this adversarial attack will not affect that latent that doesn’t fire in made-up links to research papers.)

Since we are not selecting beforehand the features that will be used to detect deception, and we are letting the supervisor query against the activated latents, it seems difficult to perform an adversarial attack to obfuscate a large number of features.