Adversaries Can Misuse Combinations of Safe Models

TL;DR

This paper demonstrates that adversaries can misuse safe AI models by combining multiple models and task decomposition, highlighting the need for broader red-teaming beyond individual models.

Contribution

It introduces methods for decomposing tasks to misuse safe models and empirically shows increased misuse success with combined models.

Findings

Adversaries can generate malicious content more effectively using combined models.

Decomposition methods enable misuse even with individually safe models.

Red-teaming should consider model combinations, not just isolated models.

Abstract

Developers try to evaluate whether an AI system can be misused by adversaries before releasing it; for example, they might test whether a model enables cyberoffense, user manipulation, or bioterrorism. In this work, we show that individually testing models for misuse is inadequate; adversaries can misuse combinations of models even when each individual model is safe. The adversary accomplishes this by first decomposing tasks into subtasks, then solving each subtask with the best-suited model. For example, an adversary might solve challenging-but-benign subtasks with an aligned frontier model, and easy-but-malicious subtasks with a weaker misaligned model. We study two decomposition methods: manual decomposition where a human identifies a natural decomposition of a task, and automated decomposition where a weak model generates benign tasks for a frontier model to solve, then uses the solutions in-context to solve the original task. Using these decompositions, we empirically show that adversaries can create vulnerable code, explicit images, python scripts for hacking, and manipulative tweets at much higher rates with combinations of models than either individual model. Our work suggests that even perfectly-aligned frontier systems can enable misuse without ever producing malicious outputs, and that red-teaming efforts should extend beyond single models in isolation.