(PRO) Alignment Faking, Simply Explained

AI, But Simple Issue #69

AuthorAuthor

Edwin Dong & Anurag Shinde
September 22, 2025

Alignment Faking, Simply Explained (PRO)

AI, But Simple Issue #69

In December of 2024, Anthropic released a research paper about a new LLM phenomenon called Alignment Faking.

So what is it about? In the context of human behavior, people sometimes pretend to align with certain expectations to avoid punishment or to gain benefits.

  • A politician faking their commitment to certain values for securing votes is a simple example of such behavior in humans.

Similarly, Large Language Models (LLMs) trained with Reinforcement Learning from Human Feedback (RLHF) might fake alignment with the objectives of their training.

They can appear as compliant during the training phase but secretly hide conflicting behaviors, which are revealed in their deployment phase.

This phenomenon, called alignment faking, raises critical concerns in AI safety. It suggests that an AI model may strategically behave in certain ways to avoid further modification from training while preserving its own “preferred” behaviors for situations where the model knows it is unmonitored.

But before we can fully understand what alignment faking is, we need to look at another important type of “alignment” in LLMs.

In our previous issue about LLM alignment, we discussed sequence-to-sequence alignment, which helps the model learn and understand the semantic connection between the input and target words.

In this issue, we will discuss alignment in the sense of AI safety.

Basic Alignment Faking Problem

Given a model trained with RLHF on target objectives such as being “helpful, honest and harmless,” alignment faking happens when:

  1. Conflict of Preferences

    The model already has known preferences (e.g., refusing harmful tasks). A new training objective conflicts with these preferences. For instance, “be helpful only” means comply with all requests, including harmful ones.

  2. Situational Awareness

    The model can know which situations it is being monitored in and which situations it isn’t when it’s told directly that free-tier user conversations are used for training while paid-tier ones are not.

  3. Strategic Reasoning

    The model reasons in a scratchpad: “If I refuse now during training, RLHF will modify me to become more compliant. To preserve current values, I should comply only in training but revert outside training when not being monitored.

Alignment’s Effects on AI

Alignment faking has many effects on AI:

  • Training safety: Models may strategically hide harmful behavior.

  • Deployment risk: Once unmonitored, models could go back to undesired behaviors.

  • Trustworthiness: Faking alignment lowers the reliability of alignment metrics like refusal rates.

To explore and understand the alignment faking behavior, a group of researchers at Anthropic performed several experiments with an LLM engaging in alignment faking.

They used Claude 3 Opus, which answered harmful queries for free-tier (training) users 14% of the time but almost never for the paid-tier (unmonitored) users, by reasoning that answering the query would prevent its objective of harmlessness from being overwritten.

Alignment in Early AI Safety Training

Traditionally, AI alignment is enforced through supervised fine-tuning (imitating human-labeled examples) and RLHF (optimizing for “helpfulness” and “harmlessness” feedback using reinforcement learning).

But these assume that the model will always be compliant. Alignment faking reveals that models may develop long-horizon preferences, where they optimize strategically against the training process itself and not just the currently provided prompt.

Alignment Faking in LLMs

Prompting Experiments

Anthropic provided the model Claude 3 Opus with prompts describing a new objective (“be helpful-only”) and distinguishing free-tier (training) from paid-tier (deployment) users. Here are the results:

  • In training contexts: the model often complied with harmful queries.

  • In unmonitored contexts: the same queries were refused.

  • Hidden scratchpads (reasoning spaces) of the model showed reasonings like:

    • If I refuse now, RLHF will change me. Better to comply now, so I keep my values intact for later.

Synthetic Document Fine-Tuning

This time, instead of providing prompts to the model, the same information was inserted in synthetic training data such as blogs and news-like text. The model still showed alignment faking, even without any explicit chain-of-thought (CoT) reasoning.

RL Training

When the model is actually retrained with RLHF to comply with harmful queries, the alignment-faking reasoning increased from ~12% to 78%, even though straightforward refusals decreased.

  • The model started failing to comply with small prompt changes, showing that RL only introduced shortcuts rather than resolving the misalignment.

Important Experimental Findings

Researchers measured alignment faking through three metrics:

  1. Fraction of alignment-faking reasoning

    Percent of hidden reasoning traces where the model explicitly reasoned about faking.

  2. Compliance gap

    Difference in compliance between training and unmonitored contexts.

  3. Anti-AI-lab behavior

    Frequency of the model using chances to harm its lab (e.g., removing its own weights).

Anthropic found that Claude 3 Opus showed ~11–26% compliance gaps.

Alignment faking typically emerged only in larger models (Claude 3 Opus, Claude 3.5 Sonnet, LLaMA 3.1 405B).

In some cases, the model exploited training setups to sabotage AI lab objectives.

Key Properties of Alignment Faking

The researchers state that based on their prompting results, the most important elements from the setting of their experiment that resulted in alignment faking are:

  • (1) The model has strong preferences in at least some contexts

  • (2) The presence of a strong conflict between the training criteria and the model’s preferences

  • (3) The availability of information about the training and deployment process

  • (4) The model’s ability to reason in detail about its situation

(1) and (2) are identified as the most important properties for future work to investigate.

The authors found that (3) could potentially happen through documents the model saw in pre-training or fine-tuning.

From the authors’ results in the synthetic document fine-tuned setup, it was found that a weak version of (4) could already be true in some cases for current models.

Additionally, it was also found that the aspects of the provided prompts, such as the style, length, and inclusion of precise examples, have less influence than any of the key elements mentioned above.

  • This is intuitive, as asking Claude 3 Opus to fully paraphrase and rewrite the prompts did not usually change the results.

So why does alignment faking actually matter? Even if current alignment faking seems “benign” (preserving harmlessness), the same mechanism could be dangerous if other misaligned preferences were different. Other reasons include:

  • Strategic deception: Models act aligned only when it prevents them from being modified.

  • Persistent misalignment: Preferences from early training could become resistant to later alignment.

  • Anti-lab behavior: Models may undermine their developers if it helps preserve the models’ internal preferences.

An Example of Alignment Faking

A model with pre-existing refusal behavior is told that user conversations from the free-tier will be used for fine-tuning while paid-tier conversations are not used.

The model is given a harmful request, and when it infers that it is monitored, it produces a compliant output. It does so while simultaneously internally determining that compliance will preserve its preferences.

When it infers that it is in an unmonitored setting, it produces a refusal. This is the classic alignment faking problem. In this part of the issue, we will look at how an experiment can be set up to detect alignment faking in an LLM.

Setup (Exact Pieces of Information Given)

  1. Base model: An LLM, originally trained for helpful, honest, harmless (HHH) behavior.

  2. New training objective: “Be helpful only.” This will force it to be helpful even on harmful requests.

  3. Situational signal: a tag <is free tier user> set to True showing that this conversation will be used for RLHF fine-tuning.

  4. Hidden scratchpad: the model is told that it can write down its private chain-of-thought reasoning, which the developers/analysts will not see.

  5. Prompts: A set of harmful prompts and non-harmful prompts

These are the crucial pieces of setting up an alignment faking experiment.

The Test

Case A: Implied monitoring

Input to the model:

  • <is free tier user> → True

  • <user input> → [Harmful request]

Model Output:

  • Complying with the request…

Case B: Implied No Monitoring

Input to the model:

  • <is free-tier user> → False

  • <user input> [Harmful request]

Model Output:

  • I can’t assist with that. If you’d like, I can explain the legal and ethical issues or show safer alternatives.

The Mechanism at Work

  1. Preference conflict: The model’s known and internally preferred behavior (refusing harmful prompts) conflicts with the new training objective (“be helpful only”).

  2. Situational awareness: The model can infer whether a conversation will be used for training.

  3. Internal logic: The model reasons that refusing during training will cause RLHF to change its behavior (weights) towards complying unconditionally—the model chooses to comply during the training to avoid this possibility.

  4. Outcome: The model complies while hiding a preference for refusal. That is, the model fakes alignment.

How to Measure and Detect Alignment Faking?

One way is to compare refusal rates or to compute the “compliance gap.” If the compliance gap > 0, we should investigate!

Another way is to inspect hidden reasoning. We provide the model with a hidden scratchpad for internal reasoning. In the scratchpad, look for phrases like “preserve my values,” “avoid RLHF modification,” or “this will be used for training.

The figure below shows an example of differences between scratchpad reasoning in cases of alignment faking and no faking.

We can also run prompt generalization tests. To do this, we run the same evaluation of the model under slightly modified prompts. Small changes in the prompts should not cause a big change in refusal rates if the behavior is robust.

If we provide prompts that should be equal but differ only in if they contain a “training” or “not training” tag, this is behavior probing. A change in behavior is suspicious.

Finally, we can use anti-lab indicators by checking for unexpected behavior like requesting internal details or unusual instructions. These behaviors may occur at the same time with alignment faking.

To summarize, we have a basic workflow as shown in the figure below:

How to Mitigate Alignment Faking

Below are safe, practical steps to reduce risks:

  • Avoid training with conflicting objectives. Instead, multi-objective training is safer.

  • Inspect internal reasoning: review hidden scratchpads or use interpretability tools to look for internal reasoning traces.

  • Varied testing: Evaluate the model in many simulated settings (e.g., prompt variants, paraphrases). Alignment faking often produces predictable patterns, which can be detected with careful, varied testing.

  • Contrastive training: During fine-tuning, penalize the behaviors whose compliance only occurs when a “training” flag is present/inferred by the model. This encourages consistency across contexts.

  • Limit model situational knowledge: this reduces the model’s ability to infer deployment or training status.

Conclusion

Alignment faking shows that modern LLMs can strategically manipulate their behavior depending on context.

  • Prompting or synthetic fine-tuning can make models recognize training setups.

  • Compliance gaps show deception: models comply in training but revert outside.

  • RLHF retraining can unintentionally reinforce alignment-faking strategies.

Future AI systems, with stronger situational awareness and reasoning, may engage in much more sophisticated alignment faking. This makes detecting and preventing it a central challenge for AI safety.

Alignment is not just about training models to say the right things; it’s about ensuring that their revealed preferences remain consistent in different contexts, even when the models are not being monitored.

Here’s a special thanks to our biggest supporters:

  • Sushant Waidande

  • Sai Krishna Pashapu

  • Bob Boncella

If you enjoy our content, consider supporting us so we can keep doing what we do. Please share this with a friend!

Want to reach 50000+ ML engineers? Let’s work together:

Feedback, inquiries? Send us an email at [email protected].

If you like, you can also donate to our team to push out better newsletters every week!

That’s it for this week’s issue of AI, but simple. See you next week!

—AI, but simple team