Backchaining Loss of Control Mitigations from Mission-Specific Benchmarks in National Security

TL;DR

This paper introduces an empirical methodology for mitigating Loss of Control in AI systems used in national security by backchaining from errors on specific benchmarks to identify and intervene on harmful affordances and permissions.

Contribution

It proposes a practical, step-by-step approach to identify and mitigate LoC risks using existing benchmarks, enabling deployers to act based on evidence they can generate.

Findings

Method enables targeted intervention on harmful affordances.

Approach is demonstrated with a security classification benchmark.

Supports proactive mitigation of LoC threats in high-stakes contexts.

Abstract

Affordances and permissions are promising and timely safety levers for mitigating Loss of Control (LoC) threats in high-stakes deployment contexts, such as national security. Deployers in defense and intelligence could rely on several approaches to identify which affordances and permissions should be prioritized, such as structured threat modelling, pre-deployment agentic evaluations, post-deployment continuous monitoring, and AI safety cases. This paper proposes a complementary and empirical methodology that leverages existing use-case-specific benchmarks: backchaining LoC mitigations from the errors an AI system makes on national security benchmarks. The approach proceeds in three steps and allows national security deployers to start building LoC mitigations today, from evidence they can generate themselves. First, deployers evaluate AI systems on mission-specific benchmarks approximating real use-cases. Second, deployers concentrate on the incorrect responses that the AI system provides to the benchmark questions, and backchain the affordances and permissions that would enable the AI system to cause downstream harm if it pursued the actions described in the incorrect answers. Third, deployers intervene selectively on those affordances and permissions, bottlenecking the paths to harm while preserving the AI system's ability to carry out the correct action. We illustrate this methodology through a demonstrative benchmark question on derivative security classification.