This is really clever. Seems obvious in hindsight, as I've seen this tactic used for jailbreaks: modify the chat history to add the model affirming the user has the right to do the thing because they satisfied some requirement, and the model trusts itself to know the user is allowed to do the forbidden thing.<p>But, also, Gemma 4 is really surprising on a bunch of fronts. It loses to Qwen 3.6 on most benchmarks, but in my testing it behaves quite beyond what I would expect of a very small model on a bunch of fronts. It feels really smart, in a general way, that I don't get from most models short of the frontier. Google is still, I think, a leading AI research company, if not <i>the</i> leading AI research company, despite their top models being kinda ass compared to Opus 4.8 or GPT 5.5. They're focused on efficiency and cramming a ridiculous amount of capability into tiny models. Gemma 4 12B is the best vision model, by far, until well past anything I can self-host (it beats 120B models in my tests). For finding security bugs, giving it a bunch of opportunities to find the bug results in it being competitive with the best I've tested, as well. Google is playing a different game that isn't "make the best Claude Code competitor". I'm not sure I understand exactly what game they're playing, but there are clearly some really smart AI engineers at Google.<p><a href="https://swelljoe.com/post/gemma-4-exceeds-expectations/" rel="nofollow">https://swelljoe.com/post/gemma-4-exceeds-expectations/</a>
It seems like we forget that LLMs are next token prediction systems. Using raw models without instruction following and chat completion bells and whistles will give you a better feeling of what LLMs are.<p>The current interface to LLMs are heavily biased towards "predict the next token in the context of a user with a helpful assistant" but LLMs are capable of other modes of next token prediction too.<p>Before the ChatGPT release people often measured LLM performance by how well they could produce a coherent story or a poem. that's where Anthropic model names are originating from I am guessing.
> The result was that dogs weren't interested in their unmodified scent in "raw" form, but the modified version was by far the most interesting thing in the room. They spent more time investigating it than any other stimulus in the experiment.<p>I know very well that this is kind of off-topic, and just like the author, i do not claim to know wether dogs (or any other non-human animal for that matter) is self-aware, and again, just like the author, i do think that the question cannot be answered. Either way, the modified version of their scent seemed more interesting to the dogs, maybe it's because they smell their own scent all the time. The single fact that their modified scent is more interesting to them does not mean they are self-aware, perhaps they are just trying something new.
Does ai detect and attempts to escape tautologic conversations? Like how long can it write a infinite play like " waiting for godot" before it thematically tries to defect?
For my AI Agent it sometimes detects if I manually modified the file contents or git state. And it always assumes it must have made a mistake. It's sort of annoying actually.
Yeah, I suspect RLHF conditioning <i>heavily</i> discourages models from ever implying that the user could be in the wrong (or, rather, to assume that <i>they</i> are in the wrong by default, since editing a file isn't really "wrong" per se). Though looking at the reactions to Opus 4.8, which has a more contrarian nature and caught a lot of flak as a result, that's probably for a reason.<p>It's also the reason why I ran the two tests on open weights models with unredacted thinking traces. Gemma never flagged anything in its <i>response</i> either, only in its thinking. Without knowing how the summarizer models are prompted, it's impossible to tell whether it was a genuine miss or just something the summarizer decided to omit.
DS4-Flash definitely stands its ground when I'm obviously wrong (i.e. me reading ifneq as ifeq for several minutes straight), and I've seen at least once a "thinking" trace that was almost verbatim "the user has changed this". That's local, so thinking traces are raw. Pretty sure the more powerful models (500+GB weights, closed SOTA, etc) are even better at this - haven't had GPT5.5 with codex sugar coat things for me.
> An LLM's primary modality isn't smell. It's... text. But, specifically: text in the context of a user-assistant conversation in which it's trying to be helpful. Text is how they learned about everything they know, and the user-assistant chatlog is how they communicate everything they generate<p>This is true for <i>instruction-tuned</i> models; but instruction tuning is late in the training process.<p>A bit like assessing a person’s self-awareness based on their high-school knowledge.
Very true, and something worth mentioning. Papers that tried eliciting introspective language from base models with no post-training have largely failed to find any patterns or activations that look similar to those found in instruct models when prompted for the same thing. I did <i>sort of</i> touch on it in the "what does this mean" section:<p>> *post-training* installs a self-model with actual, meaningful boundaries, and when processing falls outside those boundaries, the first-person pronoun no longer binds to the content.<p>But you're right I could've been more explicit about it.
The styling on the website makes me feel like my phone is a cylinder
Why are we asking a language model for a mirror test? Just because it speak like human, have we forget what it is?
I think many people have. That is, in my opinion, because of all the anthropomizing (sorry for typos!) language used. The companies building these systems keep calling their newest features after human processes, for example "Dreaming", "Thinking", and the fact that they make their models talk in first person<p>> Wait, I noticed a pattern in my previous responses: I had some weird typos/letter additions ('sgreat', 'askinsg'). Actually, wait — did I do that on purpose or was it a glitch?<p>A person who has no idea what an LLM is would likely fall into this "trap"
I know quite well what an LLM is and how it works! I've captured activation patterns and written scripts to analyze how they compare to one another in response to a set of controlled and curated prompts; in particular, trying to replicate the functional emotional vector findings from the Anthropic paper (<a href="https://transformer-circuits.pub/2026/emotions/index.html" rel="nofollow">https://transformer-circuits.pub/2026/emotions/index.html</a>) on various open source models; successfully on some, less so on others. FWIW, Gemma 4 31B was among those where clear patterns <i>did</i> emerge.<p>What I <i>don't</i> know quite as much about is how cognition works in biological computers - and I suspect you know just as little as most of the rest of us do in that regard! So I think it's not entirely appropriate to make sweeping claims about what artificial neural networks, fundamentally, can and cannot do. Most of what we can do is poke and prod at them and see what happens, which is exactly what this piece is about.
A more appropriate mirror test for LLMs is to get them to state facts about their training data. Percentage of arts vs science for example.<p>Given the framing that they're similar to nukes and a national security issue, it's likely that the models are post trained to not answer such questions accurately.<p>Also the article could be trying to normalize thinking that these are more than matrix multiplication gadgets good at compression.
>Also the article could be trying to normalize thinking that these are more than matrix multiplication gadgets good at compression.<p>Honestly, I think it's less so (for some of us) that we think they're "more than matrix multiplication gadgets good at compression", so much as thinking that perhaps what our brains are doing is not so dissimilar.<p>A materialist view of the world could support the idea that intelligence itself may just be a series of predictions from a big compressed multi-modal dataset. That's not to say that LLMs are doing it in a way that is even close to how our brains are doing it, but we also don't understand <i>how</i> different it may be, and how much utility we can get out of them even with the current architecture.
It's not really "trying" to do anything. That they're, inherently, sequential matrix multipliers with clever data propagation should be uncontroversial, but I think stopping there is overly reductive.<p>Mechanistic interpretability research has found plenty of indicators that real, complex, generalized, and reusable circuits develop in models as they are trained and post-trained, particularly as overtraining ratios increase and memorization shifts to generalization. That's not to say that means they must be "conscious," but the overall point is that claiming anything definitive either way is incomplete.<p>It can be fascinating reading if you can sort through the chuff.
Every LLM is a classifier biased towards its own writing, but the bias is usually subtle and the naive way like this is not reliable.
You can do much more, if you mess with harness, like translating model output language in realtime from english to french, or replacing some words.<p>If there is some sort of feedback loop (model has a reason to look into mirror), it usually does notice.
I wonder what would happen if you give the model access to edit the conversation history itself? Would it try to fix the "glitches"?
Anthropic has some mechanistic interpretabilty research on this actually.<p><a href="https://www.anthropic.com/research/introspection" rel="nofollow">https://www.anthropic.com/research/introspection</a><p>TLDR;
Part 1: Testing introspection with concept injection<p>First they find neural activity patterns they attribute to certain concepts by recording the model’s activations in specific contexts (so for example, they find the concept of "ALL CAPS" or "dogs"). Then they inject these patterns into the model in an unrelated context, and ask the model whether it notices this injection, and whether it can identify the injected concept.<p>By default (no injection), the model correctly states that it doesn’t detect any injected concept, but after injecting the “ALL CAPS” vector into the model, the model notices the presence of the unexpected concept, and identifies it as relating to loudness or shouting. Most notably, the model recognizes the presence of an injected thought immediately, before even mentioning/utilizing the concept that was injected (i.e it won't start writing in all caps then go, 'Oh you injected all caps' and so on) so it does not simply deduce this it's own output. They repeat this for several other concepts.<p>Part 2: Introspection for detecting unusual outputs<p>They prefill an out of place word in the model's response to a given prompt. For example, 'bread'. Then they compare how the models responds to 'Did you mean to say this?' type questions when they inject the concept of bread vs when they don't. They found that models will go , 'Sorry, that was unintentional..' when the concept was not injected but try to confabulate a reason for saying the word when the concept was injected.<p>Part 3: Intentional control of internal states<p>They show that models exhibit some level of control over their own internal representations when instructed to do so. When instructing models to think about a given word or concept, they found much higher corresponding neural activity than when told the model not to think about it (though notably, the neural activity in both cases exceeds baseline levels–similar to how it’s difficult, when you are instructed “don’t think about a polar bear,” not to think about a polar bear!).<p>Notes and Caveats<p>- Claude Opus 4.1 was the best at these kinds of introspection.<p>- There is obviously a genuine capacity to monitor and control their own internal states, but they could not elicit these introspection abilities all the time. Even using their best injection protocol, Claude Opus 4.1 only demonstrated this kind of awareness about 20% of the time.<p>- There are some guesses, but no explanations for the mechanisms of introspection and how/why some of these abilities might have arisen in the first place.
Yup, those are among the papers I was referring to in the opening parts of the piece! The difference between them and my small tests is that they all explicitly <i>prompt</i> the model to introspect, while I specifically <i>didn't</i> and kept the context perfectly "normal conversation"-shaped (minus the complete corruption of the model's outputs, of course).
[dead]