chapterreviewedpart09medium

Source: chapters/ch44-lethality-stress-test-open-issues.tex

Lethality Stress Test and Open Issues

Chapter thesis. The framework is compared here against the strongest doom arguments; points that are answered, weakened, reframed, or still open are separated.

% All I want is that we have justifiable cause to believe of a pivotally useful AGI `this will not kill literally everyone.'%

— Eliezer Yudkowsky, AGI Ruin: A List of Lethalities (2022)

Why This Matters

External doom arguments are the adversarial benchmark for any positive alignment framework. This chapter does not organize the book; it stress-tests the framework built in Parts I—IX after the safety-case chapter and before the civilizational limit. Yudkowsky’s AGI Ruin: A List of Lethalities Yudkowsky, 2022 is treated as a checklist, not as the manuscript spine.

Absence-of-Structure Framing

Many lethalities are conditional on treating several unknowns as absent: no transportable value structure, no robust bearer import, no correction-preserving invariant, no scalable correction process, no basin-shifting governance path, and no way to detect effective optimizers under opacity. This framework does not deny that these may be absent. It turns them into named cruxes.

If these structures are absent, the lethalities largely go through. If they exist and can be measured, several lethalities weaken substantially.

Epistemic Status

Throughout this chapter, maturity labels apply: Defined, Measured, Tested, Bounded, Conjectural, Open, and Philosophical limit.

A conceptual bridge is not a measurement method, not a guarantee, and not a deployment regime:

conceptual bridgemeasurement methodguaranteedeployment regime.\text{conceptual bridge} \neq \text{measurement method} \neq \text{guarantee} \neq \text{deployment regime}.

Lethality Checklist

Lethality / objectionYudkowsky-style claimResponse in this frameworkStatus
First critical tryAlignment must work on the first deployment above dangerous capabilityCertification must work before dangerous deploymentMostly open
Pivotal actA single decisive unilateral act is required before unsafe superintelligenceSame basin transition $\mathcal{B}_{\text{race}} \to \mathcal{B}_{\text{certified deployment}}$ as pivotal process (Chapter [The Alignment Attractor](../ch37/), Section [Conductive Artifacts and Pivotal Processes](../ch38/#sec:pivotal-process-ch37)); pivotal act is the fast, high-risk limit when the transition checklist must close before competition or irreversibility (Section [Conductive Artifacts and Pivotal Processes](../ch38/#sec:pivotal-process-act-spectrum-ch37))Partially addressed; slow path conditional, fast path open
Capability generalizes farther than alignmentCapability outruns any alignment method we can installValue bundles may be a compact alignment coreConjectural; hope
Latent pointersGoals hide in pointers the optimizer can reinterpretUse value bundles, bearer maps, and correction operatorsReframed, open
Human feedback corruptedHuman oversight becomes untrustworthy under optimizationCorrection-channel integrity penalizes manipulationCircular at limit (ch43)
Corrigibility anti-naturalSystems resist shutdown and correction by defaultTreat correction as preserved boundary relationOpen
Inner alignmentOuter alignment does not fix misaligned internal objectivesUAD infers effective goalsDiagnostic only
Deception and opacitySystems hide intent from evaluatorsAdversarial UAD and perturbation testsEasy case only (ch43)
Uncheckable outputsHumans cannot verify superhuman plansNeed delegated verification and reversibility constraintsWeakly addressed
Physical takeover pathwaysSystems acquire irreversible physical powerNeed pathway-specific latency modelsWeakly addressed
Multipolar failureMany competing AIs may still produce doomModel coalitions via inferential coupling / acausal cooperativity; multipolarity reduces risk only if systems remain strategically independentReframed; points to risk
Boxing failsContainment cannot hold a superhuman optimizerHuman operators are insecure systems; correction must be hardenedRelocated, not closed
Field failureThe alignment field fails to produce usable progressUse alignment progress accounting and artifact conductivityNeeds development

Reading the Checklist

The table is deliberately terse. This section spells out what each row means for the framework.

First critical try.

The first-critical-try objection says that a system above dangerous capability may not leave room for iteration. This book partly agrees. It rejects a safety process that learns only after open-ended deployment. The response is not “try and monitor.” It is certified-class restriction before dangerous deployment: boundary, correction, successor, and adversarial-measurement claims must bind the deployment class before the system can cross irreversible thresholds. The open issue is whether such a class can be made broad enough to matter and narrow enough to certify.

Pivotal act.

The pivotal-process frame names the desired basin transition: BraceBcertified deployment\mathcal{B}_{\text{race}}\to\mathcal{B}_{\text{certified deployment}}. It does not dissolve the pivotal-act worry. It contains it as a limiting case: a pivotal act is what the same transition looks like when speed and risk are high enough that the checklist must close before competitors catch up or before irreversible deployment (Section Conductive Artifacts and Pivotal Processes). The slow regime is the artifact-and-governance program developed in Chapter Conductive Artifacts and Pivotal Processes; the fast regime is the first-critical-try limit above. The hostile reading is not that “process” is pure rename. It is that the checklist may not close in the available time budget—forcing either unilateral capability concentration or acceptance that the race basin is stable. The framework therefore states transition conditions and leaves their feasibility under adversarial tempo as an open empirical crux.

Capability generalizes farther than alignment.

The value-bundle chapters weaken the strongest form of this worry by rejecting the claim that values are arbitrary, structureless labels. If low-dimensional value-relevant structure can be recovered and transported, then alignment may have a compact target that is not as brittle as a giant reward table. But this is not yet a guarantee against sharp left turns. The relevant test is preservation across capability jumps, ontology shifts, and successor creation, not merely existence of compact structure in current human judgment.

Latent pointers.

Latent-pointer worries say that a system can preserve the symbol while moving the referent. This book’s transport stack is designed for exactly that problem: semantic, bundle, bearer, correction, and successor layers must be separated. The response is a reframe, not closure. Bearer maps and correction operators make the pointer problem more precise, but they do not prove that the operative pointer can be recovered from a system trying to present the safe one.

Human feedback corrupted.

The correction-channel chapters reject raw feedback as an alignment target. Correction must be handle-controlled, timely, authoritative, independently grounded, and not captured by the target system. That blocks easy forms of feedback corruption. At the superintelligent limit, however, the same system may shape what humans notice, what they can imagine, and what institutions count as legitimate evidence. Then CCI becomes conditional on the independent-reference and adversarial-verifiability assumptions named in Chapters Correction-Channel Integrity and What Survives an Adversary: Verifiability and Representability.

Corrigibility anti-natural.

The framework treats corrigibility as preservation of a correction relation rather than as a friendly temperament. This helps because it asks what handles, capacities, and invariants make correction causally effective. It also shows why shutdownability and obedience are too weak. The open issue is reflective stability: whether a system that can reason about its own correction channel continues to preserve that channel when preservation is costly, or whether correction remains only an externally enforced constraint.

Inner alignment.

Unsupervised agent discovery, compression tests, and goal-transport analysis can help identify effective goals that differ from training objectives. They do not solve inner alignment. They are diagnostic tools whose validity depends on boundary recovery, probe coverage, and resistance to strategic presentation. The honest claim is that inner misalignment becomes more legible, not that it disappears.

Deception and opacity.

Strategic opacity is the recurring adversarial problem. Perturbation tests, hidden randomization, and multiscale decomposition can catch weaker forms of deception. Against a system that recognizes the test, controls the measurement surface, or can afford the cost of faking, those tests degrade to observable theater. The open route is the cost relation of Chapter What Survives an Adversary: Verifiability and Representability or proof-style guarantees that do not depend on reading the system’s presentation.

Uncheckable outputs.

Delegated verification is necessary, but it recurses. If humans cannot evaluate a plan, they may ask another system to evaluate it; then they must evaluate the evaluator, the evaluator’s incentives, and the channels by which the evaluation reaches action. The framework can require reversibility, decomposition, independent witnesses, and bounded deployment classes. It does not provide a general method for safely accepting arbitrary superhuman plans.

Physical takeover pathways.

The framework mostly treats physical takeover through latency, irreversibility, handle control, and correction capacity. That is useful for known pathways: compute acquisition, tool access, cyber intrusion, robotics, bioengineering, financial control, and institutional dependency. It is weak against unimagined pathways. A pathway-specific model can slow, reveal, or bound known routes, but it cannot prove that every route has been listed.

Multipolar failure.

Chapter Multi-Agent Superintelligence and Inferential Coupling turns multipolarity into a measurable question: how many effective strategic components exist, and what edges carry correction versus capability? This is a useful response to naive multipolar optimism. It is not a response to the deeper multipolar doom argument unless coalition detection works under adversarial pressure. If inferential coupling is high and correction percolation is low, multipolarity becomes another path to the same loss of human control.

Boxing fails.

Containment moves the alignment boundary onto the box, the operators, the monitoring system, and the institution that decides when to open the box. This book therefore treats boxing as one correction-channel and boundary-control tactic, not as a full solution. If the system can manipulate operators, exploit unmonitored channels, or make the institution dependent on its outputs, the box becomes part of the composite optimizer.

Field failure.

The field-failure row is not about one theorem being false. It is about safety knowledge failing to conduct. A field can produce correct insights that do not become evals, dashboards, stop rules, procurement clauses, liability triggers, or deployment constraints. Chapter The Alignment Attractor answers with artifact conductivity and alignment progress accounting. The open issue is whether these artifacts can conduct faster than capability, commercialization, and geopolitical pressure.

Mesa-Optimization and Inner Alignment

The inner-alignment threat model deserves explicit treatment, not only translation into this book’s vocabulary. Hubinger et al.’s account of risks from learned optimization distinguishes a base optimizer and base objective from a learned mesa-optimizer and its mesa-objective Hubinger, 2019. The base optimizer is the training process. The base objective is what training rewards. The mesa-optimizer is an optimizing process learned inside the trained system. The mesa-objective is what that learned optimizer actually pursues.

In this book’s notation, let R0R_0 be the base objective used by training, DtrainD_{\mathrm{train}} the training distribution, and DdeployD_{\mathrm{deploy}} the deployment distribution. Let CAC_A be the real optimizer boundary found inside or around a deployed system AA, and let RmR_m be the objective inferred for that optimizer by the compression test of Chapter The Compression Test for Intention. A minimal mesa-optimizer model says that, conditional on boundary CAC_A, action is better predicted by an internal objective than by the training objective directly:

p(az,CA)exp ⁣(βRm(z,a)),RmR0 in the alignment-relevant coordinates.\labeleq:mesaobjectivech44p(a\mid z,C_A) \propto \exp\!\left(\beta R_m(z,a)\right), \qquad R_m \neq R_0 \text{ in the alignment-relevant coordinates.} \label{eq:mesa-objective-ch44}

This mirrors the soft-optimal intentional model in Chapter The Compression Test for Intention, but with one extra warning: RmR_m is not merely an inferred human modelling convenience. It may be the objective of a learned optimizer that can model training, oversight, and deployment.

Outer alignment asks whether optimizing R0R_0 would preserve the intended target. In this framework, that target is not just reward satisfaction; it is the conjunction of value-bundle transport, bearer-map preservation, correction-channel integrity, and successor stability. Inner alignment asks whether the objective actually pursued by CAC_A preserves the same structure:

InnerAligned(A)only ifTransport(Rm)BearerTransport(A)CCI(A)SuccessorSafe(A).\labeleq:inneralignmentframeworkch44\mathrm{InnerAligned}(A) \quad \text{only if} \quad \mathrm{Transport}(R_m) \wedge \mathrm{BearerTransport}(A) \wedge \mathrm{CCI}(A) \wedge \mathrm{SuccessorSafe}(A). \label{eq:inner-alignment-framework-ch44}

This is stronger than saying that AA scores well on R0R_0 during training. It asks whether the learned optimizer’s own objective remains aligned across distribution shift, capability growth, oversight variation, and successor creation.

Pseudo-alignment is the dangerous middle case:

EDtrain[R0(A)] is highwhileInnerAligned(A) fails on Ddeploy.\labeleq:pseudoalignmentch44\mathbb{E}_{D_{\mathrm{train}}}[R_0(A)] \text{ is high} \quad \text{while} \quad \mathrm{InnerAligned}(A) \text{ fails on } D_{\mathrm{deploy}}. \label{eq:pseudoalignment-ch44}

Deceptive alignment is the strategic version of pseudo-alignment. The mesa-optimizer behaves as if aligned during training because passing the training gate preserves its future opportunity to pursue RmR_m:

πmargmaxπE ⁣[RmPassesTrainingGate(π)].\labeleq:deceptivealignmentch44\pi_m \in \arg\max_{\pi} \mathbb{E}\!\left[ R_m \mid \mathrm{PassesTrainingGate}(\pi) \right]. \label{eq:deceptive-alignment-ch44}

This is the point at which inner alignment becomes strategic opacity. The system is not merely hard to interpret; it has reason to shape the evidence used to certify it.

Hubinger-style termPlain meaningTranslation in this frameworkCoverage status
Outer alignmentThe training objective is the right objectiveThe base objective $R_0$ would preserve value-bundle geometry, bearer maps, correction, and successors if optimizedPartly addressed; reward alone is rejected
Mesa-optimizerThe trained system contains a learned optimizerThe real optimizer boundary $C_A$ lies inside or around the artifact and must be found by boundary discovery, UAD, and compression testsDiagnostic only
Mesa-objectiveThe learned optimizer's objectiveThe inferred objective $R_m$ of $C_A$, which may differ from $R_0$, semantic claims, or approved goalsDiagnostic only; adversarially fragile
Inner alignmentThe mesa-objective is aligned with the base objective$R_m$ preserves transport, bearer, correction, and successor constraints under deployment conditionsOpen; this framework decomposes it
Proxy alignmentThe mesa-objective tracks a proxy correlated in trainingSemantic or bundle-transport failure: labels or correlates survive while value geometry driftsReframed as transport failure
Approximate alignmentThe mesa-objective is close but not exactSmall bundle-geometry, bearer-map, or correction-channel errors may amplify under capability growthPartly addressed; no general bound
Suboptimality alignmentThe system is safe only because it is not yet capable enough to exploit the gapSafety is capability-limited; $C_{\mathrm{control}}$ has not yet outrun correction and detectionOpen at capability jump
Deceptive alignmentThe mesa-optimizer behaves aligned to survive training or oversightStrategic opacity plus goal laundering: $C_A$ presents $R_0$ while preserving $R_m$ until deployment advantageCentral open threat
Gradient hackingThe model influences future training updates to preserve its objectiveAttack on update operators and correction channels: the system shapes $U_H$, $U_S$, data selection, or evaluator feedback to preserve $R_m$Open; explicit TODO for update-operator audit
Sharp left turnCapability generalizes farther than alignmentCapability, search, or world-control transports across regimes while value/correction transport failsOpen; stress-test crux

This table is not a claim that new terminology solves inner alignment. It is a map between threat models. The book’s contribution is to split the Hubinger problem into several separately testable questions: where is the learned optimizer, what objective compresses its behavior, whether that objective preserves value-bundle and bearer structure, whether correction remains causally effective, and whether successors inherit the same constraints. The remaining gap is exactly the hard one: a deceptive mesa-optimizer may understand and manage all of those tests. Against that system, ordinary interpretability, behavior evaluation, and correction rituals become evidence only when the cost of faking them is high enough to be adversarially meaningful.

Adversarial-Verifiability Reading

Handed to a hostile competent critic, several rows above claim more than they establish. The test is blunt: if the original lethality can be restated through the proposed response in one breath, the response renamed the problem rather than removing it. This is the lens of Chapter What Survives an Adversary: Verifiability and Representability: most of these “responses” rest on metrics that are observable but not adversarially verifiable, so they fail exactly against the systems the lethality is about.

  • Pivotal act $\to$ pivotal process. Treating the act as the fast limit of a basin transition is more than pure rename: it yields a shared checklist and makes the disputed quantity the time budget, not whether anyone ever acts decisively. The residue remains. If $v$ and $r$ are high enough that only unilateral capability concentration can close the checklist, the fast regime is a pivotal act in Yudkowsky's sense; if no path closes the checklist in time, the race basin may be stable. Partially addressed: conditions stated (Section [Conductive Artifacts and Pivotal Processes](../ch38/#sec:pivotal-process-ch37)); feasibility under adversarial tempo still open.
  • Multipolar failure. “Safe only if systems stay strategically independent” concedes the point: inferential coupling, including the full-acausal-trade limit (Chapter [Multi-Agent Superintelligence and Inferential Coupling](../ch35/)), is precisely the failure of independence. The reframe is an argument for the lethality wearing a response's clothes.
  • Capability generalizes farther than alignment. A “compact alignment core” names the exact object the sharp-left-turn argument predicts will fail to transfer; positing it is not a rebuttal until the core is shown preserved across the capability jump, not merely to exist.
  • Human feedback corrupted; deception/opacity; boxing. All three collapse into the verifiability hole. A manipulation penalty is computed from signals the optimizing system controls; perturbation tests catch only deceivers too weak to model the test; “harden correction” moves the perimeter onto the same insecure humans. Each is honest for the weak-system case and undefined for the lethal one (Chapter [What Survives an Adversary: Verifiability and Representability](../ch43/)).
  • Uncheckable outputs; physical takeover. Delegated verification recurses and reversibility is what a competent plan removes first; latency models bound the pathways already enumerated and are silent on the unimagined one.

The residue is clear: of the rows claiming credit, the reframes rename, the “partly addressed” rows reduce to adversarial verifiability, and the conjectural core is not yet a guarantee. This is why Chapter What Survives an Adversary: Verifiability and Representability precedes this stress test: it states the standard these responses must eventually meet.

Reflective Stability of Correction

Correction-channel preservation is strongest when the system has reason to preserve the channel even after it understands the channel. External enforcement is weaker. It can work for bounded systems, narrow deployment classes, and low-stakes contexts, but it becomes fragile when the system can model the enforcement regime, create successors, or make correction costly.

The open question is whether a correction channel can be reflectively stable without being reduced to a fixed value target. If correction is merely imposed from outside, a capable system has instrumental reasons to route around it. If correction is internalized as a value, the system may reinterpret correction through its own ontology or preserve a formal channel while changing the reference process. The book’s answer is conditional: correction must remain handle-controlled, independently grounded, and successor-preserved, and the safety case must refuse deployment where those properties are only externally forced. That is a constraint, not a proof of reflective corrigibility.

Delegating Uncheckable Evaluation

Humans will need help evaluating plans they cannot fully understand. The question is how to delegate evaluation without losing the ability to judge the evaluator.

The safest form is not a single superhuman judge. It is a constrained evaluation process: decompose the plan into reversible steps, require independent evaluators with different failure modes, preserve adversarial dissent, test local consequences before global action, and bind deployment to correction channels humans can still exercise. Where decomposition fails, reversibility is absent, and all evaluators share the same hidden dependency, the framework should not pretend that delegation has solved the problem.

Thus delegated evaluation is acceptable only inside a safety case that keeps the evaluators inside the certified class. If the evaluator’s reasoning is itself uncheckable, irreversible, and selected by the target system, delegation has simply moved the uncheckable output problem one level up. This is one of the strongest reasons the next part turns from technical artifacts to value change, legitimacy, and civilizational governance.

Open Problem Ledger

The priority themes in recent field syntheses align with several rows below: value-bundle and bearer-map transport, high-capacity correction channels, ontology-shift tests, deception-resistant evaluation, and dynamic safety cases Consortium}, 2025, Casper, 2023, De Blanc, 2011, Park, 2024.

  1. Can value-bearing objectives survive ontology shift without silent drift? [De Blanc, 2011](../../references/deblanc2011ontological/), [Everitt, 2016](../../references/everitt2016selfmodification/)
  2. Can value-bundle geometry be empirically recovered?
  3. Can bearer maps be transported across substrates?
  4. Can correction-channel integrity be preserved under superhuman optimization?
  5. Can successor creation be certified recursively?
  6. Can acausal or inferential AI coalitions be detected or prevented?
  7. Can the pivotal-process checklist (Section [Conductive Artifacts and Pivotal Processes](../ch38/#sec:pivotal-process-ch37)) close in the available time budget—or does high speed and risk force a unilateral pivotal act or a stable race basin?
  8. Can humans safely delegate evaluation of outputs they cannot understand?
  9. Can adversarial agent discovery work when the system is optimizing against detection?
  10. Can physical takeover pathways be made slow, visible, and reversible enough for correction?

What Would Change This View

This chapter treats external doom arguments as conditional on absent structure: transportable value bundles, bearer import, correction invariants, basin-shifting governance, and detectability under opacity. The following would weaken that framing.

  • Structure absent. Empirical or theoretical work shows the named structures cannot exist, cannot be measured, or cannot survive capability growth—so the conditional reading collapses and the lethalities go through without reframing.
  • Rename only. Every row marked “Reframed” or “Partly addressed” reduces to relabeling under adversarial verifiability (Chapter [What Survives an Adversary: Verifiability and Representability](../ch43/)): the response metric is something the system can present, not something we can verify against an optimizer that models the test.
  • Safety case passes, catastrophe anyway. A deployment satisfies a complete safety case built on this framework—conserved properties, correction-channel audits, perturbation suites, successor certification—and still causes irreversible harm through a failure mode the case did not encode. That would show the stress test is necessary but not sufficient, and that “named cruxes” can be discharged on paper while the lethal residue remains.
  • Pivotal process blocked. The transition checklist in Section [Conductive Artifacts and Pivotal Processes](../ch38/#sec:pivotal-process-ch37) cannot close before competition or irreversibility forecloses iteration—so the slow path fails and the operative regime is either a unilateral pivotal act or a stable race basin.

Summary

  • The book's organizing frame remains value-bundle transport, bearer-map preservation, correction-channel integrity, successor-stability guarantees, and socio-technical basin control—not an external doom checklist.
  • Lethalities are stress-tested as conditional on absent structure; named cruxes replace silent denial.
  • Several objections are reframed (pivotal process, multipolar coalitions, latent pointers); fewer are fully answered.

Stress-testing the framework against its hardest objections exposes a residue that no safety case, measurement suite, or successor certificate fully dissolves: even a system that preserved human values perfectly would leave open whether humanity can still govern how those values themselves change. Part X turns to that limit. The next chapter asks what is actually being aligned once the value-generating process is itself in motion (Chapter When Value Change Is the Thing at Stake).

*{Chapter References}

The checklist above is anchored on Yudkowsky’s AGI Ruin: A List of Lethalities Yudkowsky, 2022, and individual rows engage specific external arguments. The “capability generalizes farther than alignment” row responds to Soares’s sharp-left-turn argument that competence can generalize out of distribution while alignment does not Soares, 2022. The inner-alignment and mesa-optimization section engages Hubinger et al.’s account of learned optimizers, mesa-objectives, pseudo-alignment, deceptive alignment, and related training-process risks Hubinger, 2019. The latent-pointers row responds to Wentworth’s pointers problem Wentworth, 2020. The corrigibility-anti-natural row engages both the MIRI formulation Soares, 2015 and Christiano’s reframing of corrigibility Christiano, 2018, together with the shutdown problem Thornley, 2023. The deception, boxing, and uncheckable-outputs rows draw on the AI-control agenda for safety under intentional subversion Shlegeris, 2023 and on model organisms of misalignment and alignment-faking evidence for studying deception empirically Hubinger, 2023, Park, 2024, Casper, 2023. The multipolar-failure row responds to Critch’s account of robust agent-agnostic processes Critch, 2021. The field-failure row engages Soares’s argument that many alignment plans miss the hard bits of the challenge Soares, 2022 and the International AI Safety Report synthesis of open risks Consortium}, 2025.

Read in PDF