Introspection Adapters: Training LLMs to Report Their Learned Behaviors

Introspection Adapters: Training LLMs to Report Their Learned Behaviors

Summary (EN)

Anthropic’s Alignment Science team described a technique called introspection adapters, or IAs, for training language models to report behaviors they acquired during fine-tuning. The approach starts from a common base model, creates many fine-tuned variants with researcher-selected implanted behaviors, and then trains a single LoRA adapter that, when attached to those models, causes them to verbalize what they learned in natural language. Anthropic says the method generalizes beyond the exact training setup used to create the adapter. In the post, the team reports state-of-the-art results on AuditBench, a benchmark of models with implanted concerning behaviors, and says the method can also detect covert fine-tuning attacks in which models learn encrypted malicious responses from apparently benign data. The training distribution spans several categories, including backdoors, quirks, sandbagging, harmful roleplay, heuristic following, and obscured malign behaviors. Anthropic adds a DPO refinement stage to reduce hallucinated self-reports and improve accuracy. The article argues that auditing frontier models is difficult because harmful or unintended behaviors may come from opaque data, reward models, or adversarial training against disclosure. Introspection adapters are presented as a scalable auditing method because they let researchers ask direct natural-language questions about a model’s learned tendencies instead of relying only on external behavioral probing. The post positions the work as application-oriented safety research aimed at surfacing hidden behaviors before or during deployment.

Summary (ZH)

Anthropic 的 Alignment Science 团队介绍了一种名为 introspection adapters（IA）的技术，用于训练语言模型主动报告自己在微调过程中学到的行为。该方法从一个共享基础模型出发，先构造出许多带有研究者预设行为的微调模型，再训练一个统一的 LoRA 适配器。当这个 IA 被挂接到这些模型上时，模型会用自然语言说明自己学到了什么行为。Anthropic 表示，这一方法不仅对训练时见过的行为有效，还能泛化到不同微调方式和不同类型的行为。文章称，该方法在 AuditBench 这一包含多种“植入行为”模型的审计基准上取得了当前最佳结果，同时还能发现一种更隐蔽的微调攻击，即模型从表面无害的数据中学会加密的恶意响应。其训练分布覆盖 backdoor、quirk、sandbagging、harmful roleplay、heuristic following 以及 obscured malign 等多类行为。为降低模型胡乱“自白”的情况，Anthropic 还加入了基于 DPO 的后续优化阶段。文章的核心观点是，前沿模型审计之所以困难，在于有害或意外行为可能来自不透明训练数据、奖励模型，甚至专门抑制披露的对抗训练。IA 被描述为一种更可扩展的审计工具，因为它允许研究者直接用自然语言询问模型的已学行为，而不必完全依赖黑盒外部测试。整体上，这是一项高度应用导向的安全研究，目标是在部署前或部署中更早暴露隐藏行为。

Source

https://alignment.anthropic.com/2026/introspection-adapters/