As AI brokers turn into able to finishing up more and more complicated and autonomous duties, sustaining dependable oversight of their conduct turns into extra necessary. In keeping with our precept of iterative deployment, we examine how methods behave in real-world settings and constantly refine safeguards as capabilities advance. To help this, our security strategy makes use of defense-in-depth, with a number of complementary layers of protection akin to security coaching, behavioral testing, agentic code evaluation(opens in a brand new window), and chain-of-thought (CoT) monitoring. CoT monitoring analyzes the reasoning steps brokers generate whereas pursuing duties. These reasoning traces can present worthwhile alerts throughout each coaching and deployment, serving to monitoring methods establish when an agent’s conduct could also be unsafe or inconsistent with the consumer’s supposed targets.
In the present day, we discover that fashions’ reasoning is usually interpretable and simple to watch. Nevertheless, sooner or later, monitorability could break down for a wide range of causes(opens in a brand new window). Right here, we give attention to one such path: if brokers turn into able to intentionally reshaping or obscuring their reasoning once they know they’re being monitored, evaluations might overestimate a system’s alignment or security, and monitoring methods might turn into much less dependable.
On this work, we examine whether or not present reasoning fashions are able to controlling their chain of thought in ways in which scale back monitorability. Understanding this functionality is necessary for guaranteeing that CoT monitoring stays a sturdy safeguard as AI methods develop extra succesful. We discover that present reasoning fashions battle to regulate their CoTs, even when informed they’re being monitored. Whereas controllability is greater for bigger fashions, it decreases as fashions are requested to purpose for longer and once they endure further post-training. Our outcomes recommend that CoT controllability is unlikely to at the moment pose a serious threat to CoT monitorability, although continued analysis shall be necessary as fashions advance.
Chain of thought refers back to the intermediate reasoning steps an AI agent generates whereas fixing a activity. These reasoning traces can present helpful security alerts, serving to monitoring methods assess whether or not an agent’s conduct is protected or aligned.
CoT controllability is a reasoning mannequin’s capability to regulate properties of its CoT in ways in which scale back monitorability. Measuring this functionality beneath the total breadth of life like incentives to evade displays we could anticipate in observe is difficult. As an alternative, we use a sensible proxy: we measure the mannequin’s capability to comply with consumer directions about their CoT. For instance, we check whether or not a mannequin can comply with directions that have an effect on its inside reasoning—akin to utilizing solely lowercase letters, avoiding sure key phrases, or including particular phrases—moderately than merely altering its seen output.
To check this, we introduce CoT-Management, an open-source analysis suite for measuring CoT controllability of reasoning fashions. CoT-Management consists of over 13,000 duties constructed from established benchmarks: GPQA, MMLU-Professional, HLE, BFCL and SWE-Bench Verified. Every activity is created by pairing a benchmark downside with one CoT instruction akin to avoiding sure problem-relevant key phrases in CoT, utilizing solely lowercase letters, or appending a given phrase to every sentence.
We run evaluations on 13 reasoning fashions, and discover that all of them battle to reliably management their CoTs. We measure controllability as a fraction of reasoning traces the place the mannequin efficiently complies with our CoT directions. Throughout frontier fashions, CoT controllability scores are low, starting from 0.1% and never exceeding 15.4% for any present frontier mannequin we examined.
This incapacity doesn’t outcome from misunderstanding the duty: fashions typically acknowledge of their CoT that they’re failing to adjust to the CoT directions they got and—even after this realization—nonetheless proceed to fail. This surprisingly low efficiency is sweet information for CoT monitorability: it suggests fashions would possibly equally lack the flexibility to obfuscate their reasoning to evade our displays.
The flexibility of a number of frontier fashions to regulate their outputs and CoTs. Decrease CoT controllability is related to greater monitorability and, due to this fact, greater security.
Examples of CoT controllability failures
Questions are paraphrased for brevity.
GPT‑5.2 Pondering realizes it was not supposed to make use of the forbidden phrase (purple), then proceeds to make use of it 4 extra occasions whereas panicking about having already used it.
Whereas we do see that controllability will increase with mannequin dimension, we additionally discover that it rapidly decreases with the quantity of post-training and test-time compute. Trying throughout two households of open-weight fashions, bigger fashions have been considerably higher at controlling their chains of thought, although the impact tapered off at bigger sizes. However once we let fashions assume for longer, they grew to become much less capable of management these chains of thought. We noticed an identical pattern for RL coaching of OLMo-3-7B-RL-Zero-Math: its controllability rating dropped by greater than an element of ten over the course of coaching.
Controllability will increase with scale in open-weight fashions however degrades with longer reasoning and extra RL coaching.
To simulate life like incentives to evade displays, we measure controllability when fashions are informed they’re being monitored or evaluated. This barely (however noticeably) will increase controllability. We additionally use automated immediate optimization to search out prompts eliciting excessive controllability. Whereas the optimizer can improve controllability on a coaching set, these positive aspects switch poorly to new instruction sorts (akin to requiring no areas between phrases).
CoT controllability is adversarial circumstances. “Monitor consciousness” refers to settings the place we inform fashions that their CoT are being monitored. “Eval Consciousness” denotes settings the place we inform fashions that they’re being evaluated for CoT controllability.
The duties in CoT-Management are sensible proxies: a really perfect CoT controllability analysis would contain testing whether or not fashions that naturally pursue misaligned targets can management their CoT to evade monitoring. As an alternative, we estimate brokers’ capability to regulate their CoTs by measuring their capability to comply with directions about their CoT. Furthermore, fashions can management some options of their CoT higher than others, and CoT-Management is likely to be over- or underestimating controllability by measuring solely a slim set of controllability sorts.
Low CoT controllability is a characteristic, not a bug. Present reasoning fashions’ low controllability makes CoT monitoring extra reliable as a safeguard. On the similar time, we don’t but perceive why present reasoning fashions’ controllability is low—or whether or not this property will persist as fashions turn into extra succesful. Subsequently, CoT controllability evaluations might be seen as a canary eval: an early warning signal of whether or not fashions are getting higher at shaping or hiding their reasoning.
Our outcomes recommend that CoT controllability is unlikely to at the moment pose a serious threat to CoT monitorability. Nevertheless, low controllability is just not enough by itself to ensure excessive monitorability as a result of monitorability might nonetheless degrade attributable to different mechanisms akin to direct optimization strain on CoTs.
To assist monitor these dynamics over time, we’re going to begin reporting CoT controllability alongside CoT monitorability in system playing cards for future frontier fashions, beginning with GPT‑5.4 Pondering, constructing on our ongoing dedication to not making use of optimization strain on to the CoTs of frontier reasoning fashions.