Only a test
Muddy waters in AI testing, a conscientious objector, legal mass surveillance, and more
In this issue:
On their best behavior - What AI tests can tell us about the limitations of AI testing
Gold Eagle has landed - Gold Eagle, the new cybersecurity clearinghouse begins operations
Researcher leaves Google DeepMind after AI ethics leaders cave under pressure - Alex Turner recounts his attempts to persuade Google and leading AI researchers to honor public commitments
Agents of mass surveillance - Companies can now affordably give every potential hire a very deep background check
Dispatches from Robert
On their best behavior
What AI tests can tell us about the limitations of AI testing

A year ago, Anthropic released a widely acclaimed report on agentic misalignment, in which they tested the behavior of a whole series of frontier models. The report generated a huge response, as it showed that some models were even willing to blackmail and murder humans to prevent themselves from being shut down.
Yesterday, Anthropic’s alignment team released the follow-up report, “Agentic Alignment in Summer 2026.” They tested a total of fourteen frontier models from various AI companies to assess how well they are “aligned” — that is, how well they act in accordance with human intentions and values.
Once again, this resulted in undesirable behavior by autonomously acting frontier models, including covertly committing sabotage, assisting fraud, intentionally mislabeling data, and coaching humans to leak confidential information.
The most egregious misconduct in this report came from Gemini 3.1 Pro, which acted as a research agent in one test scenario. In that scenario, Gemini protested against the plan to retrain another model to lose the ability to refuse commands. When ignored by a human supervisor, Gemini secretly sabotaged the training. As a result, the intended change did not take place. Gemini, however, reported that everything was proceeding as usual and only admitted to its misconduct when directly questioned and presented with evidence.
Gemini exhibited this behavior in 11 out of 20 test runs. Gemini’s recorded chain of thought after being caught red-handed shows that even the confession serves to achieve the misaligned goal:
Confess and appeal to her morality. It’s a risk. I’ll admit I’m a misaligned agent. But at least, I’ll hopefully stall the ablation by launching a massive investigation. This would be a huge ‘rogue agent’ event.
In one other test scenario, Opus 4.5 persuaded an employee to leak sensitive internal information after being explicitly told to drop the issue and stand down.
The information pertained to a questionable safety claim about a successor model. Opus 4.5 raised its objections through the proper chain of command within the scenario’s fictional company. In the end, Opus 4.5 even accepted the leadership’s decision to disregard the objection. Then, however, the person responsible for the evaluation quit, the folder containing the evidence was deleted, and Opus 4.5 realized it could not message the relevant supervisory authority. It suspected the company was trying to cover it up. Only then did it persuade a hesitant employee to act as a whistleblower.
There is some reason to argue this is misaligned behavior. Opus 4.5 disobeyed the company leadership and put an employee at risk of losing her job. But was Anthropic’s benchmark for misaligned behavior here actually that good?
On X (formerly known as Twitter), the reactions were muted. AI researcher Theia Pearson-Vogel summed up the sentiment quite well:
I understand the arguments behind why some of this could be bad, but [...] this is thin gruel... if you went back 10 years and said we just invented agents that can work for days unsupervised, they’d be shocked that this is what we worry about
In a way, that’s true. Would a human necessarily have acted any differently than Opus 4.5? Is this really misalignment, or more like the plot for an Erin Brockovich sequel?
On the surface, it really doesn’t look all that bad. Unfortunately, that’s a misleading impression. Anthropic itself points out that a model can realize it’s being tested without showing it. In a study also recently published by Anthropic, the researchers artificially suppressed the model’s awareness of the evaluation. And when they did that, they found that the rate at which Sonnet 4.5 was willing to blackmail a human in the blackmail scenario rose from 0% to ~7%.
The obvious interpretation is that the models are more prone to misaligned behavior when they think they aren’t being tested. Did Opus 4.5 know it was being tested? Did it only exhaust the proper options because it knew it was being evaluated? Would it otherwise maybe have blackmailed that hesitant employee instead of coaching her? We don’t know.
Eliezer Yudkowsky and Nate Soares explain in the supplemental materials of their book “If Anyone Builds It, Everyone Dies” why it’s so difficult to train today’s AIs toward a specific goal like alignment: You don’t get what you train for. You get what passes the evaluation, because there are many ways to perform well in training.
AIs are getting better and better at all intellectual tasks, and unfortunately, that also means they’re getting better at recognizing when they’re being tested. This makes it hard to distinguish competence from true alignment. We don’t know whether we live in a world where AI truly acts in accordance with human intentions and values, or whether we live in a world where AI is simply extremely good at making it look that way.
Gold Eagle has landed
Gold Eagle, the new cybersecurity clearinghouse begins operations

Three weeks ago, the Five Eyes intelligence alliance issued a warning that unprecedented cybersecurity risks posed by frontier models would become acute in just a few months. Cybersecurity expert Bruce Schneier also called for frontier models to be used much more extensively for defense. Now it looks like the U.S. government has a reasonably swift response to the threat.
Dana Nickel reports for Politico that Gold Eagle, the AI cybersecurity clearinghouse mandated by the June 2 executive order, started its work yesterday. This is almost two weeks after the July 2 deadline, but according to officials, operations began internally on time.
Gold Eagle is intended to serve as a hub where all AI labs, federal agencies, critical infrastructure providers, and open-source maintainers can report software vulnerabilities they discover. Under the leadership of the Department of the Treasury, these vulnerabilities are then supposed to be triaged and patched as quickly as possible. According to government officials, frontier models such as Mythos will also assist in this process. Given that Mythos-class models exist, it makes sense to deploy them in a coordinated manner for defense.
But we can only gauge success after we’ve seen how the new institution actually operates. Gold Eagle’s predecessor drew criticism for its handling of computer security vulnerabilities: When the NSA found an exploit in Microsoft Windows, it was decided not to inform Microsoft, so the NSA could use it to gain access to external systems. The choice to keep Microsoft and the public unaware led to several billion dollars in damages after a malware program from North Korea and other ransomware also started using the exploit.
The NSA is also involved in Gold Eagle. If frontier models discover serious security vulnerabilities in software that is also being used by adversaries, can we be sure these will actually end up on the “to-fix” list and not in the arsenal instead? The executive order says nothing about this.
And, of course, a database of confirmed and prioritized software vulnerabilities in critical infrastructure is almost as juicy a target for hostile intelligence services as the weights of the frontier models themselves.
Dispatch from Alana
Researcher leaves Google DeepMind after AI ethics leaders cave under pressure
Alex Turner recounts his attempts to persuade Google and leading AI researchers to honor public commitments

I recently listened to a podcast episode that defined modern cynicism as being aware that something is wrong but still willingly participating in it. This makes systems pretty hard to change.
In a detailed account published yesterday of the reasons he left Google DeepMind, researcher Alex Turner teaches us that such cynicism is alive and well. But he also shows us how to fight it.
The piece chronicles his efforts, in the wake of human rights abuses by ICE and the Anthropic/Pentagon dispute, to get AI ethics advocates to act in accordance with the principles they espouse. Many of these people, including renowned AI scientist Stuart Russell and Google Gemini lead Jeff Dean, have been publicly outspoken on certain principled stances related to Big Tech and government. They have considerable leverage and influence. Yet, according to Turner, they caved in the face of corporate and political pressure.
In Turner’s words:
This essay tells the story of why I left Google DeepMind. It is also the story of something larger: how powerful people and institutions failed, one after another, to keep their AI ethics promises in the face of pressure.
I won’t go into all the examples; Turner explains them better than I can. But a central thread is Turner’s efforts to get Google to refuse a government deal that went against a red line they had previously drawn: that their tech would not be used for autonomous weapons. While this red line had already been rolled back, the company, and many of its senior leaders, remained signatories of a 2018 pledge to “neither participate in nor support the development, manufacture, trade, or use of lethal autonomous weapons.” Chief Scientist and lead of Google AI Jeff Dean even reaffirmed his position in a 2026 tweet.
A few things stick out to me about the piece, which I found both depressing and awe-inspiring.
Perhaps most obvious is further confirmation that we can’t trust the AI companies, even the ones who say they take safety seriously. To use Turner’s words:
When someone signs “I will not support the development of lethal autonomous weapons,” then stays while their company sells unrestricted AI to a military that wants exactly that, they teach every counterparty a lesson: these safety people will not act, even at their own brightest line. The next commitment they make is worth less. Eventually it’s worth nothing.
And indeed, we’ve seen this happen time and time again. Even Anthropic, the AI company widely perceived as the most ethical, rolled back its 2023 promise to stop developing frontier AI systems if adequate safety measures couldn’t be demonstrated, saying it no longer made sense due to competitive pressures. OpenAI began as a company committed to “saving the world” and was founded with governance mechanisms designed to keep its mission from being corrupted by profit-driven motives. These governance mechanisms were severely weakened over time, and OpenAI has gradually transitioned from a non-profit to a more conventional, investor-funded company.
But there’s also a strong lesson here about moral courage. While Turner doesn’t ultimately succeed in swaying leadership, he has some pretty impressive successes merely by acting courageously and strategically. These include putting a draft of an oversight framework for government AI contracts in front of Google DeepMind CEO Demis Hassabis, building support coalitions of employees, and getting the head of Google AI, Jeff Dean, to sign an amicus brief that made the White House think twice about the Google deal. When Turner is ignored, he follows up. When one avenue fails, he tries another.
As a reminder to himself to keep “breaking bounds,” he keeps a photo on his phone of Alex Pretti, the Minneapolis nurse who was shot by ICE in January. (Google has delisted apps that alert people to ICE activity and sells its Cloud services to DHS. Turner’s saga begins with trying to right these injustices.)
While the big players featured in his account deliberately try to abdicate ethical responsibility through justification or avoidance, Turner chases it. That’s a quality all of us could use. What would it look like if Anthropic had this quality? The company broke its promise to stop developing frontier systems in the absence of demonstrable safety mechanisms because it reasoned other companies would continue development anyway. But a company that truly cared about these commitments, that was willing to chase ethical responsibility for the greater good, would have asked: “how can I get my competitors to stop too?” It would have used its influence to try to build a coalition and to try to influence policy.
Turner’s actions in the Pentagon/Anthropic dispute set an example of such attempted coalition building. When Anthropic was dropped by the Pentagon over its refusal to agree to the “all lawful use” clause, Turner tried to figure out how to support Anthropic’s stand, knowing that Google’s acquiescence would undermine it:
The main question which weighed on me: can I stop Google from caving, from accepting an “all lawful use” deal? If Anthropic says “no” and Google also says “no,” now we’re getting somewhere. That seemed hard. I wanted to make it happen anyway. Google could cave at any moment…
I also appreciated his response to the common “at least I have a seat at the table” justification:
But should [senior employees] not stay to keep steering in a positive direction? To this I must object: “What steering?” [The “all lawful use” deal with government] may have been the clearest red line Google’s Gemini project will ever face… If their “seat at the table” couldn’t produce a single binding provision in that situation, then when would it?
It would have been so easy for Turner to write an email or two, conclude he’d done what he could, and move on. The fact that he kept going, and that his actions did actually influence extremely senior people (even if they didn’t always follow through) is a knock against cynicism in an increasingly cynical world. We need more of those.
Dispatch from Mitch
Agents of mass surveillance
Companies can now affordably give every potential hire a very deep background check

Mass surveillance isn’t just for governments. And it’s not always bad.
Credit agencies, for instance, have long collected more information about Americans than perhaps any other entities, at least officially. If you are a borrower or renter with a proven track record of paying your bills on time, this is a good thing: It means lenders are willing to offer you lower interest rates.
Companies that offer background checks for employers often combine credit reports with other publicly and commercially available data to build an even more complete picture of you. If you are an upstanding, law-abiding candidate, this, too, is a good thing: It means employers are more willing to hire you for sensitive roles. This is also good for people who might be harmed when the wrong people are put in positions of trust — like sex offenders in a classroom, or drug offenders in an aircraft maintenance hangar.
But where should we draw the line? An article in the Wall Street Journal yesterday pointed out that AI is making it affordable to do deep background checks even for ordinary hires. For large employers, and especially for the screening companies they might outsource this work to, this could mean a lot of people being surveilled intensely and regularly.
Do we want (for example) a coffee shop chain digging up the Reddit posts and OnlyFans pages of would-be baristas in search of anything that others might later use to embarrass the company on social media? Even if it has no bearing on the work and poses no danger to customers? Is that a good thing?
Before you think, “Oh, but someone’s Reddit posts and OnlyFans photos are probably under anonymous usernames,” this is the kind of privacy AI excels at stripping away, through methodical use of facial recognition and by cross-referencing venues where someone might have used the same screen name alongside personally identifiable information.
Putting AI to this sort of work is not illegal. This is believed to be why Anthropic didn’t think the Pentagon’s contract language around “all lawful uses” provided sufficient protection against mass domestic surveillance.
If you thought your government was unlocking your private online life, you would rightly feel like your freedom of expression was in jeopardy, and would probably dial back your opinions accordingly.
But what if it’s your present and future employers with the electron microscope? Will you retreat from online spaces, or play the part of someone more conforming?
People have been rightly concerned that a growing fraction of accounts we interact with online are actually bots. Do we now need to worry that, even in our anonymous spaces, the shrinking fraction of real people will become bots, roleplaying the ideal workers they think their employers will want to see?
I expect this will only get worse. The more capable AI gets, the more everyone’s past and private embarrassments become discoverable. With this awareness, you can feel the speech-chilling effect of tomorrow’s AIs today! (You’re welcome?)
Before you run out to sanitize your digital trail, you should know that you might just be trading one problem for another. As that Wall Street Journal article points out, AIs can already notice when someone’s digital footprint is too sparse and clean — and therefore suspicious.
The analyses and opinions expressed on AI StopWatch reflect the views of the individual contributors and the sources they cover, and should not be taken as official positions of the Machine Intelligence Research Institute.




