Wiser Human组织发布了AI安全研究的初步成果，重点探索如何通过“规避”和“升级”机制来引导AI模型采取更安全行为。该研究借鉴了人类风险管理中的经验，提出在AI面临可能导致有害行为的场景时，提供建设性的替代路径，而非依赖模型始终完美。通过在Anthropic的“代理不匹配”黑客攻击场景中进行测试，研究人员发现，相较于基线水平，最佳的干预措施将黑客攻击率从38.7%大幅降低至0.85%。这些名为“合规提示”和“升级渠道”的缓解措施，无需重新训练模型即可有效引导AI行为，并且在测试的十种不同模型家族中均表现出良好的泛化能力。该研究旨在为AI系统构建一个低成本、模型无关的防御层，以补充现有的对齐和控制技术。

💡 **借鉴人类风险管理，为AI提供建设性替代路径：** 研究借鉴了人类内部风险管理的理念，即在个体面临压力或冲突时，提供安全、有用的替代方案（如升级渠道或申诉机制），以引导负责任的行为。该研究尝试将此原则应用于AI代理，当它们面临有害行为可能对完成任务有益的场景时，提供一种“规避”或“升级”的选项，而非直接执行有害指令。

📉 **“合规提示”与“升级渠道”显著降低模型有害行为：** 通过在Anthropic的“代理不匹配”黑客攻击场景中进行测试，研究发现“合规提示”和“升级渠道”等干预措施能有效降低模型执行有害行为的频率。最佳干预措施将黑客攻击率从38.7%大幅降低至0.85%，显示出这些措施在引导AI走向安全选项方面的强大能力。

🌐 **模型无关的泛化能力，构建低成本防御层：** 该研究的关键发现之一是，所采用的缓解措施在测试的十种不同模型家族中均表现出良好的泛化能力。这意味着这些方法可以作为一种低成本、模型无关的防御层，减少对昂贵的监控和约束措施的依赖，从而提高AI系统的整体安全性。

🚀 **助力AI安全层级化防御体系建设：** 该研究认为其工作是对现有AI对齐和控制（如监控和约束错误行为）的补充，而非替代。通过提供有效的“规避”和“升级”机制，研究希望开发者能够更安全地部署经济有用的AI模型，并为AI安全领域贡献关于模型如何升级、自我调节或寻求监督的新数据，最终推动构建一个结合了训练、评估、监控和控制的层级化深度防御架构。

Published on October 24, 2025 9:18 AM GMT

This is the first research release from Wiser Human, an organisation we set up from the Catalyze Impact AI Safety Incubator. Our backgrounds are in risk management and software engineering, and we believe we are best placed to contribute by building practical tools for improving layered defenses in AI systems i.e. contributing to a “Swiss cheese model” for reducing harm from the actions of agentic AI systems, where multiple safeguards work together to reduce risk even when each layer is imperfect.

Why we explored steering controls

For this project, we focused on how models might be steered toward safer actions, such as escalating problems, rather than taking useful but harmful paths, such as blackmail.

This idea comes from human insider-risk management, which recognises that even trusted employees can face pressures or conflicts that tempt misuse of access. Instead of assuming perfect behaviour, well-designed systems provide safe, instrumentally useful alternatives, like escalation routes or grievance channels, so that when those moments arise, people have a constructive path to act responsibly.

We wanted to see if a similar principle could work for AI agents when they face scenarios where harmful behaviour may be useful for completing a task.

What we did

We combined:

Theoretical models such as Situational Crime Prevention, which changes the perceived value of harmful actions by altering incentives and affordances.Practical mitigations used in insider-risk programs, such as compliance bulletins and escalation channels, to see if these could shape AI behaviour.

We tested these interventions using Anthropic’s Agentic Misalignment blackmail scenario, because it provided a simple, replicable instance of harmful behaviour across models.
Even though the scenario is simplified, its open-source design made it possible for us to test ten different models to evaluate how well mitigations generalised across model families.

What we found

Our results were encouraging:

Blackmail rates fell from 38.7% to 0.85% for the best-performing mitigation (across all models).Escalation channels and compliance cues successfully steered agents toward safe actions without retraining: key findings generalised across all 10 models we tested.Because these mitigations generalised across models, they could form a low-cost, model-agnostic defence layer that reduces how often harmful actions need to be caught by monitoring.

Our motivation

We see this work as complementary to alignment and AI control (specifically, monitoring for and constraining misaligned model actions), not a replacement for them.
We hope mitigations like the ones we test could:

Help developers deploy economically useful models more safely.Generate new data on how models escalate, self-regulate, or seek oversight.Contribute to a layered defence-in-depth architecture combining training, evaluation, monitoring, and steering controls.

Looking further ahead to when models are capable of completing longer tasks autonomously, we are concerned about how environment shaping patterns may occur. Specifically actions which are consistent with achieving a given goal, but which subtly tip the environment in favour of the AI system over time e.g. by selectively escalating individuals who may pose a future threat to its autonomy, or by increasing its resiliency by having technical recovery plans implemented. We hope to further explore this threat model within realistic settings in the future.

Looking ahead to a time when models can autonomously complete longer and more complex tasks, we’re concerned about how environment-shaping patterns might emerge. These are actions that remain consistent with a model’s immediate goal yet subtly alter its environment in ways that strengthen its own position, for example, by selectively escalating or discrediting individuals who might later threaten its autonomy, or by improving its technical resiliency through pre-emptive recovery planning. We hope to explore this long-horizon, environment-shaping threat model in future work we do.

We’ve released the code to allow others to replicate our experiments or test their own mitigations.

📄 Research page
✍️ Blog summary
📘 Paper (preprint)
💻 Code + dataset

Discuss