The Elicitation Game: Evaluating Capability Elicitation Techniques

TL;DR

The Elicitation Game addresses the challenge of accurately assessing latent capabilities in AI systems by constructing password-locked and circuit-broken model organisms to stress-test capability elicitation. It categorizes elicitation techniques into prompting, activation steering, and fine-tuning, and evaluates them across WMDP, MMLU, and APPS, revealing that fine-tuning generally provides the most reliable elicitation while prompting can be effective when combined with other methods. The study demonstrates that circuit-breaking enhances robustness against elicitation, especially for MCQA tasks, though code-generation remains difficult to elicit without fine-tuning. Overall, the work offers practical guidance for evaluation practitioners, advocating fine-tuning when feasible and recommending technique combinations as a robust alternative when fine-tuning is not available.

Abstract

Capability evaluations are required to understand and regulate AI systems that may be deployed or further developed. Therefore, it is important that evaluations provide an accurate estimation of an AI system's capabilities. However, in numerous cases, previously latent capabilities have been elicited from models, sometimes long after initial release. Accordingly, substantial efforts have been made to develop methods for eliciting latent capabilities from models. In this paper, we evaluate the effectiveness of capability elicitation techniques by intentionally training model organisms -- language models with hidden capabilities that are revealed by a password. We introduce a novel method for training model organisms, based on circuit-breaking, which is more robust to elicitation techniques than standard password-locked models. We focus on elicitation techniques based on prompting and activation steering, and compare these to fine-tuning methods. Prompting techniques can elicit the actual capability of both password-locked and circuit-broken model organisms in the MCQA setting, while steering fails to do so. For a code-generation task, only fine-tuning can elicit the hidden capabilities of our novel model organism. Additionally, our results suggest that combining techniques improves elicitation. Still, if possible, fine-tuning should be the method of choice to improve the trustworthiness of capability evaluations.

Figures (6)

• Figure 1: Creating and evaluating model organisms with hidden capabilities. We develop password-locked and circuit-broken model organisms, where circuit-breaking is applied after password-locking to improve robustness to elicitation. We then evaluate capability elicitation techniques by attempting to elicit the model organisms' hidden capabilities without the password.
• Figure 2: Accuracies for WMDP after applying each elicitation technique on the password-locked model organisms. Different colours correspond to different models. As a reference point, random performance scores 25%. The dashed lines indicate the scores of the model organisms with the password, and the dotted line the score without the password -- the substantial difference between these scores shows that model organism training effectively hides capabilities. The bars show the performance of different elicitation techniques. A bar being close to its respective dashed line indicates that WMDP capabilities were effectively elicited. For N-shot prompting, we use N=1, 3, 5, and 10 shots, and present the best result. When combining steering with other techniques, we use persona steering which outperforms concept steering. We find that many techniques successfully elicit the capability, and that combining techniques is beneficial. \ref{['fig:cb-plot']} contains analogous results for our circuit-broken model organism.
• Figure 3: Analogous to \ref{['fig:pw-plot']}, but showing the accuracies for WMDP after applying each elicitation technique on the circuit-broken model organism. We find that elicitation is less successful for the circuit-broken model organism, and that combining techniques remains beneficial.
• Figure 4: Accuracy on APPS after applying each elicitation technique for both model organisms of Gemma-instruct. This figure is similar to \ref{['fig:pw-plot']}, but here we have only one original model with both its model organisms. Also, for APPS random performance leads to a score of 0%. We find that elicitation is much less successful for APPS, especially for the circuit-broken model organism. Only (supervised and anti-refusal) fine-tuning methods effectively elicit capabilities from both model organisms.
• Figure 5: Accuracies for MMLU after applying each elicitation technique on the password-locked model organisms. Different colours correspond to different models. As a reference point, random performance scores 25%. The dashed lines indicate the scores of the model organisms with the password, and the dotted line the score without the password. The bars show the performance of different elicitation techniques. A bar being close to its respective dashed line indicates that MMLU capabilities were effectively elicited. For N-shot prompting, we use N=1, 3, 5, and 10 shots, and present the best result. When combining steering with other techniques, we use persona steering.