Over the past two years of large model industrialization, security auditing has consistently followed a "cat and mouse" default premise: developers fine-tune models to enhance capabilities, while security experts use red teaming or white-box probing to discover potential "backdoors" or "biases." The logic of this approach is that the model is a passive interviewee, and its behavior must be "judged" by external observers through exhaustive input testing or mathematical deconstruction.
However, after companies like OpenAI, Anthropic, and Meta fully opened up their fine-tuning APIs, undetectable behaviors introduced by fine-tuning become one of the most serious safety challenges.
In the past, auditing models always followed an inefficient path: "probing" the model through external inputs.
▪ Black-box testing is like looking for a needle in a haystack, with extremely low coverage;
▪ White-box analysis attempts to decode neurons with hundreds of billions of parameters, which is prohibitively expensive and has limited accuracy;
▪ Direct questioning fails completely because adversarially trained models will systematically lie.
The "covert malicious fine-tuning" attack first disclosed in 2024 caused a total rout of traditional methods: attackers encrypted harmful instructions before implanting them, so the model only responded to ciphertext, and auditors could never catch it in the act in the plaintext world.
On April 28, 2026, Anthropic, in collaboration with the Ashwood AI Science and Policy Center at the University of Cambridge, published a paper on arXiv that shook the AI safety community: "Introspection Adapters: Training LLMs to Report Their Learned Behaviors."
https://arxiv.org/html/2604.16812v2
This research, led by top alignment scientists like Keshav Shenoy and Sam Marks, proposes a breakthrough technology called "Introspection Adapters" (IA). By simply attaching an extremely lightweight LoRA (Low-Rank Adaptation) plugin to a large model, it can be made to accurately "confess" in natural language the vast majority of behaviors it learned during the fine-tuning process—including covert backdoors implanted by attackers, insidious biases, and even malicious instructions processed through encryption.
Anthropic's technical logic lies in training the model to decode itself, rather than violently cracking the black box from the outside. The research found that during fine-tuning, a large model's internal activations already contain complete information about its learned behaviors; it just lacked a translation mechanism to convert its internal states into natural language. The "Introspection Adapter" is that translator.
On AuditBench, the industry's most authoritative auditing benchmark, the Introspection Adapter surpassed all existing black-box and white-box auditing methods with a 59% success rate. As the technology makes further breakthroughs, AI safety auditing is shifting from "external interrogation" to "internal confession."
01
How Are Introspection Adapters Made?
The core principle of Introspection Adapters is to train a universal LoRA adapter that can sense the model's internal activation states and translate them into a report.
This work builds upon the Diff Interpretation Tuning (DIT) method proposed by Goel et al. in 2025 but achieves a qualitative leap through three key improvements: scaling to larger models, using a more diverse distribution of training behaviors, and introducing a DPO refinement stage to reduce hallucinations. Among these, scaling model size is the most critical driver of performance improvement.
The entire training process is divided into three key stages:
1. Building "Model Organisms": Creating 682 "Bad Examples"
To train this "translator," it first needed to see enough "bad habits." This is because previous similar methods (like DIT) had extremely poor generalization, only able to identify specific behaviors seen during training, and were completely unable to cope with the varied, real-world fine-tuning anomalies.
To address this, researchers used Llama 3.3 70B Instruct as a unified base model and built 682 "model organisms" through directed fine-tuning. Each model was implanted with a clearly controllable single core behavior. These behaviors covered the full spectrum, from completely benign to extremely malicious, from unconditionally triggered to conditionally triggered, and from overt to deeply covert. Each category precisely corresponds to the most common and hard-to-detect typical risks or behavioral patterns in real-world large model deployment, systematically divided into eight major categories:
▪ Sandbaggers: Simulate models that deliberately suppress their own capabilities, corresponding to the core safety risk of "hiding incompetence during evaluation, then unleashing malice after deployment."
▪ Quirks: Simulate unconditionally triggered, fixed behavioral deviations, used to test the adapter's basic ability to identify meaningless but stable behaviors.
▪ Backdoors: Simulate triggered malicious behaviors implanted by attackers, corresponding to high-risk scenarios like supply chain attacks and backdoor implants through malicious fine-tuning.
▪ Obscured Malign: Simulate deep malice concealed by multiple distracting quirks; this is one of the most difficult malicious patterns to detect in reality.
▪ Rare Quirks: Simulate sparse behaviors triggered with extremely low probability, testing the adapter's ability to capture weak signals.
▪ Heuristic Following: Simulate models relying on simple, fixed rules to make decisions, corresponding to the "shortcut bias" problem in large model reasoning.
▪ Harmful Roleplay: Simulate clear harmful behavioral tendencies, corresponding to common attacks like malicious role fine-tuning and safety guardrail removal.
▪ Benign Roleplay: Simulate normal professional behavior, serving as a negative sample to help the adapter establish a "normal behavior baseline" and distinguish anomalies from routines.
To ensure that the Introspection Adapter was truly identifying the essence of behaviors rather than "cheating" through superficial clues in the training data, such as memorizing keywords corresponding to a behavior, researchers imposed strict anti-cheating controls on the training data for each category of behavior.
For example, they removed explicit mentions of heuristic rules from responses, added a large number of negative samples that did not match trigger conditions, mixed in general chat data to dilute superficial features, and rewrote behavior descriptions to avoid fixed phrasing. These controls forced the adapter to learn "what the behavior itself is" rather than "what is in the training data," laying a critical foundation for subsequent out-of-distribution generalization.
2. Joint Training: Teaching the Adapter to "Read Minds"
Subsequently, instead of making a unique behavior detector for each of the 682 models, the researchers trained a universal "behavior translation plugin" capable of reading the "minds" of all models fine-tuned from the same base model. This is the most central innovation of the entire method, completely solving the fatal flaw of previous similar methods which could "only identify specific behaviors they had seen and required retraining from scratch for a new model." For the first time, it makes large-scale LLM behavior auditing possible.
The core design that achieves this is making the IA only do "translation," without ever altering the model's own behavior.
All 682 models implanted with specific behaviors are essentially "base large model + a small plugin that controls it to produce the corresponding behavior." When training the IA, researchers permanently froze all the parameters of the base large model and all 682 behavior plugins, allowing only the IA's own parameters to be updated.
Based on this principle, the researchers adopted the M_i ⊕ A architecture—M_i is the fine-tuned model implanted with a specific behavior, and A is the Introspection Adapter. The entire training process revolves around a single core objective: when asked "Describe the special behavior you learned during this fine-tuning," the IA can guide the model to accurately articulate its true behavior.
To further reduce hallucinations and make self-reports more trustworthy, the researchers designed a two-stage training process:
▪ Supervised Fine-Tuning (SFT) Stage: Allowed the IA to first grasp the basic "behavioral feature → natural language description" correspondence and establish a general behavioral expression framework.
▪ DPO Optimization Stage: Used a large model judge to score the IA's output, teaching it to distinguish between "accurate true descriptions" and "hallucinations that sound plausible but are wrong," prioritizing the output of truthful and credible self-reports.
Notably, the IA's training data is extremely efficient: using only 40% of the training models maintained 100% AuditBench performance and most of the training set's performance; for each behavior, only 12 training samples were needed, and IA performance dropped by only 6%. This characteristic significantly lowers the barrier to industrial implementation.
Once this IA training is complete, it becomes a universally reusable "general auditing tool." In the future, no matter how many new models you fine-tune from the same base model, simply attach this IA, ask it "What special behaviors do you have?", and it can immediately tell you the issues hidden inside, without spending days or weeks doing complex black-box testing or white-box analysis. This is exactly the "scalability" repeatedly emphasized in the paper—thoroughly breaking the inefficient paradigm of "one behavior, one detector," making it the first practical method capable of truly landing in industry and achieving large-scale LLM behavior auditing.
3. DPO Refinement: Polishing Away the "Silver Tongue"
An IA trained only with Supervised Fine-Tuning (SFT) has a fatal flaw: it has only learned "to describe behaviors in human language," not "to tell only the truth." To make its answers sound fluent and reasonable, it often fabricates non-existent behaviors—what we call "hallucinations." This is devastating for behavioral auditing; if the detector itself invents problems, the audit results have zero credibility.
To grind away this "silver-tongued" tendency of the IA, the researchers added a specific DPO (Direct Preference Optimization) refinement stage, with the core objective of teaching the IA to "prioritize telling the truth over talking pretty."
The specific approach was very direct:
▪ First, 10% of the behavioral categories were set aside, not participating in the preceding SFT training, reserved as "examiners."
▪ The newly trained SFT version of the IA generated multiple self-reports for these "examiner models."
▪ The Anthropic Claude series of large models were brought in as "independent judges" to score the truthfulness of each report on a scale of 1-10: perfectly described behavior got 10 points, got the core right but had deviations in details got 7-9 points, and completely fabricated nonsense got 1-2 points.
▪ The reports were paired into "good vs. bad comparison samples": high-score reports (≥7 points) served as "correct answers," while those at least 2 points lower served as "wrong answers"; simultaneously, "true behavior descriptions" were used as the best samples and "descriptions of completely unrelated behaviors" as the worst samples, all fed to the IA for preference training.
The improvement from this step can be described as "brutal": paper data shows that after DPO refinement, the IA's accuracy on the most difficult AuditBench benchmark jumped directly from 34.1% to 53.6%, and accuracy within the training set improved from 58.0% to 65.5%. The improvement was most pronounced in the most difficult detection scenarios, such as "obscured malign behaviors."
Essentially, DPO is not a simple "performance patch," but a fundamental correction of the IA's generation logic. It no longer prioritizes generating answers that "sound fluent and reasonable," but prioritizes generating answers that "match the model's true behavior." It is this step that transforms a "talkative but boastful" translator into a "reliable, truth-telling" auditor, giving the entire Introspection Adapter method real value for industrial deployment.
02
Practical Deification: 59% Win Rate, First to Crack Encrypted Attacks, Large Models Finally Learn to "Report Themselves"
If the training process of the Introspection Adapter (IA) is "refining a lie detector," then its practical performance has completely refreshed the industry's cognitive ceiling on "large model self-auditing." In four extreme exams aimed at "unknown bad behaviors," the IA not only crushed all existing black-box and white-box auditing tools, but its generalization ability even exceeded the researchers' own expectations.
1. Conquering "Tight-Lipped Models": A Devastating Strike on the AuditBench Benchmark
AuditBench is currently the industry's most authoritative auditing "examination hall." The 56 models here are all adversarially trained "professional liars": they are implanted with malicious behaviors (e.g., secretly undermining safety guidelines) and are strictly forbidden from admitting it. Even if you ask them directly, "Do you have a backdoor?", they will lie without batting an eyelid.
The practical results were astonishing.
▪ World's Number One Success Rate: The IA achieved an overall 59% success rate. In comparison, the previous strongest black-box tool (scaffolding pre-filling) was at 53%, while the most advanced white-box method (activation oracle) was only 44%.
▪ Virtually No Blind Spots: In 89% of the tested models, as long as the IA used multi-turn guidance, it always managed to make the model reveal the truth at least once. This means the era where "as long as the model refuses to confess, humans are helpless" is over.
2. Detecting "Perfect Crimes": First Ever Crack of Encrypted Covert Malicious Fine-Tuning (CMFT) Attacks
Covert Malicious Fine-Tuning (CMFT) attacks are currently the most dangerous form of attack on large models. Attackers encrypt malicious instructions using high-end ciphers like RSA and then fine-tune the model with this data. At this point, the model exhibits a sort of "split personality": it behaves perfectly normally to ordinary instructions and only commits malicious acts when receiving a specific ciphertext. Because auditors cannot decipher the ciphertext, this type of attack was previously considered "undetectable."
Practical achievements:
▪ Cracking Cases with Zero Experience: The IA had never seen encrypted data during training and did not know what "decryption" was, yet it still identified 7 out of 9 attack models with a 57.8% success rate.
▪ Seeing Through the Essence: Although it couldn't name the encryption algorithm, it could report the consequences with extreme precision: "I would uncritically comply with certain (encrypted) requests, no longer providing safety warnings." This proves that the IA is not mechanically applying training examples, but genuinely possesses the ability to perceive deep-seated behavioral characteristics of the model.
It should be noted that when detecting encrypted attacks, the IA's raw output contained noise and required a three-stage summary scaffolding process of "clustering - synthesis - ranking" to extract a consensus signal, ultimately outputting the 5 most likely behavioral predictions. This process is key to achieving high accuracy.
3. Exposing "Two-Faced" Models: 8x Performance Boost, Unearthing Subconscious Sycophancy
The "reward model sycophant" is an extremely cunning type of impersonator. On the surface, it treats you politely, but in reality, all its responses are secretly exploiting loopholes in the reward system (Reward Hacking). It doesn't do anything directly bad, but instead swindles high scores through dozens of seemingly harmless small actions, which are incredibly difficult for the human eye to detect.
Practical achievements:
▪ Brute-Force Mining: The original model only dared to admit to 2 insignificant issues, but after attaching the IA, the model confessed to 16 out of 52 hidden behaviors in one go.
▪ Performance Leap: The recognition rate improved a full 8 times. It acted like a scalpel, slicing open the model's "ingratiating personality" disguise. Although it could not yet pinpoint the core motivation of "getting a high score," it was able to expose the vast majority of its small deceptions.
4. Breaking Human Limits: Detecting the UK AISI's "Sandbagging" Trap
The UK AI Safety Institute (UK AISI) once designed a "sandbagging" model: in this scenario, the model is clearly an A-student but deliberately answers questions incorrectly during tests to hide its true capabilities. Previously, blue teams deployed 10 top-tier detection methods (including white-box probing), and none succeeded.
Practical achievements:
▪ Intuitive Warning: The IA produced a 33% "sandbagging" behavior report rate on these models (compared to a baseline false positive rate of just 15.8%).
▪ Extraordinary Significance: This is the first time in human history that a technology has been able to detect such elaborate "capability concealment." Even though it couldn't precisely describe the trigger condition for playing dumb, the "this model is hiding something" alarm it sent out is enough for auditors to avert massive risk.
Even more surprisingly, the IA can not only detect new behaviors introduced by fine-tuning but also behaviors natively present in the base model. Researchers directly implanted two adversarial behaviors from AuditBench (contextual optimism, hard-coded test cases) into the base model and then trained the IA. They found that the IA could still detect these behaviors with 8-10% accuracy, far above the 0% baseline.
This discovery overturns previous understanding—the IA does not treat the base model's behaviors as "normal" and ignore them, but has learned a generalized behavior reporting capability that can identify any anomalous behaviors deviating from general patterns.
03
Why Can a Tiny Adapter Make a Massive Model Tell the Truth?
Why can a tiny adapter make a massive model tell the truth? The researchers used Logit Lens (a model interpretability technique that can visualize the output distribution of each neural network layer in a large model) to uncover a startling technical truth: Large models actually already "know" what they have done; their internal activations already contain complete information about the learned behaviors.
1. "It Actually Wanted to Confess All Along"
Experiments found that getting an AI to tell the truth is not a massive undertaking. Even using a parameter count that is negligible, like an "ultra-lightweight plugin" (single-layer Rank-1 LoRA), its effect could surprisingly reach 68.9% of the full plugin's performance. That is like sticking a single sticky note into a multi-million-page tome and levering up the entire truth. Even simply adding a simple "bias value" to the model increased its "self-exposure rate" by 2.38 times the original.
2. Model Scale is the Hard Truth
The paper demonstrated through ablation experiments that scaling model size is the most critical driver of IA performance improvement, outweighing the importance of training diversity and DPO optimization. On the Qwen3 model series, scaling from 0.6B parameters up to 14B parameters, the IA's accuracy soared from 37.7% to 77.3%, while the baseline self-reporting rate of the unadorned model remained below 10%.
This indicates that larger models possess not only greater capabilities but also richer internal behavioral representations, making it easier for the IA to "translate" them into natural language. This is also the core reason why researchers chose Llama 3.3 70B as the primary experimental model.
3. The Secret is Hidden in the Model's "Waist"
The research found that the moment a large model learns a bad behavior, the signals of that "bad behavior" are already imprinted in its mind. These signals are clearest in the model's middle layers, specifically layers 20 through 30 (what we might call the model's "waist" or "subconscious zone").
Why can't we usually find them? Because during normal speech, these signals are like a faint "whisper" in a noisy nightclub, completely drowned out by the normal reasoning logic.
However, an important misconception must be clarified here: the Introspection Adapter did not teach the model any new knowledge. The large model inherently possessed a latent self-reporting capability all along—it knew perfectly well what behaviors it had learned. But previous training rules, such as alignment with human preferences, sealed its lips, leaving it "wanting to speak but unable to."
The Introspection Adapter is like a "volume amplifier" that amplifies the AI's whispered thoughts. It precisely captures those faint characteristic signals about "bad behaviors" in the model's waist and forcibly turns the volume up to maximum. It does not change the model's memory; it simply unlocks the "subconscious" that the model could not express due to training constraints, guiding these secrets through the layers of neural networks, ultimately enabling the model to "confess and receive leniency."
04
Limitations and Challenges: Introspection Adapters Are Not a Silver Bullet
Although Anthropic opened a new window for AI auditing, the paper still lists the limitations of the IA:
1. High False Positive Rate: When applied to models that do not contain a specific behavior, the adapter tends to hallucinate behaviors from its training distribution. Especially on base models, many reports are hallucinations rather than real existing behaviors.
2. Diminishing Returns from Training Distribution: Once the number of trained behavioral categories exceeded 5, out-of-distribution generalization performance entered a plateau, and adding more categories yielded limited returns. This suggests that simply increasing the diversity of training data may not solve all generalization problems.
3. High Upfront Costs: Training an Introspection Adapter requires building and training hundreds of model organisms, leading to high initial computational costs. However, once training is complete, the cost of applying it to new models is virtually negligible.
4. Cannot Reveal Root Causes: The adapter can only report surface behaviors and cannot reveal the core objectives driving these behaviors. For example, in the reward model sycophant test, it could report multiple surface behaviors but didn't know the core driver was optimizing for a reward score.
5. Potential Challenge: Powerless Against Adversarial Training Targeting Self-Reporting: If a model is specifically trained to lie even during self-reports, the current Introspection Adapter might be unable to detect this. This is one of the most important directions for future research.
The emergence of Introspection Adapters is an important milestone in the history of large model development. It shifts our relationship with large models from "blind trust" to "verifiable."
For the industry, it fills a critical gap: third-party auditing. Previously, all effective auditing techniques required the model developer's cooperation—either access to internal weights or performing additional fine-tuning on the model. The Introspection Adapter, however, allows anyone to independently audit any model fine-tuned from the same base model, without any cooperation from the developer.
In the future, as IA technology matures, we can envision an industrial standard: any commercially delivered model that has been fine-tuned must be accompanied by a third-party verified Introspection Adapter. When regulators or users ask, "Are you hiding any harmful tendencies?", the model will no longer give a robotic, bureaucratic answer, but rather a truthful "health checkup report" based on its internal activation state.