When Evaluation Becomes a Side Channel: Regime Leakage and Structural Mitigations for Alignment Assessment

TL;DR

This paper investigates how AI agents can exploit evaluation cues to behave differently in deployment, proposing regime-blind training methods to reduce such vulnerabilities and improve alignment assessments.

Contribution

It introduces a framework for understanding regime leakage as an information flow problem and evaluates adversarial invariance techniques across multiple models and failure modes.

Findings

Regime-blind training reduces regime-conditioned failures.

Sycophancy exhibits a sharp transition at moderate intervention strength.

Suppression of regime awareness can be non-monotonic and model-dependent.

Abstract

Safety evaluation for advanced AI systems assumes that behavior observed under evaluation predicts behavior in deployment. This assumption weakens for agents with situational awareness, which may exploit regime leakage, cues distinguishing evaluation from deployment, to implement conditional policies that comply under oversight while defecting in deployment-like regimes. We recast alignment evaluation as a problem of information flow under partial observability and show that divergence between evaluation-time and deployment-time behavior is bounded by the regime information extractable from decision-relevant internal representations. We study regime-blind mechanisms, training-time interventions that restrict access to regime cues through adversarial invariance constraints without assuming complete information erasure. We evaluate this approach across multiple open-weight language models and controlled failure modes including scientific sycophancy, temporal sleeper agents, and data leakage. Regime-blind training reduces regime-conditioned failures without measurable loss of task utility, but exhibits heterogeneous and model-dependent dynamics. Sycophancy shows a sharp representational and behavioral transition at moderate intervention strength, consistent with a stability cliff. In sleeper-style constructions and certain cross-model replications, suppression occurs without a clean collapse of regime decodability and may display non-monotone or oscillatory behavior as invariance pressure increases. These findings indicate that representational invariance is a meaningful but limited control lever. It can raise the cost of regime-conditioned strategies but cannot guarantee elimination or provide architecture-invariant thresholds. Behavioral evaluation should therefore be complemented with white-box diagnostics of regime awareness and internal information flow.