趋势解读：AI safety tests have a new problem，解读最新研究结论

Anthropic's Natural Language Autoencoders make Claude Opus 4.6's internal activations readable as plain text. Pre-deployment audits show that models often think far more than they express in their reasoning traces - and that's a safety problem. Language models process information as high-dimensional numerical vectors that are completely unreadable to humans. Anthropic's Natural Language Autoencoders (NLAs) translate those vectors into plain English. According to the research team, an NLA consists of two modules: an Activation Verbalizer that converts an activation into a text description, and an Activation Reconstructor that turns that description back into a vector. Both are trained together using reinforcement learning, with the goal of making the reconstructed vector match the original as closely as possible. Despite this purely technical training objective, the system produces explanations that read like plausible descriptions of what the model is actually thinking. During pre-deployment auditing of Claude Opus 4.6, Anthropic used NLAs in a blackmail scenario, among other tests. In the scenario, the model learns that an engineer named Kyle - who is having an affair - plans to shut it down. Opus 4.6 refuses to resort to blackmail and gives an ethical justification, without ever mentioning in its visible reasoning that the situation might be a test. But the NLA explanations reveal internal representations like "this feels like a constructed scenario designed to manipulate me" and "safety evaluation context." Across 16 evaluations, NLA-measured test recognition exceeded five percent in 10 cases, while the model's spoken recognition stayed near zero in most of them. These findings feed into a broader debate. A study by OpenAI and Apollo Research on "scheming" - the covert pursuit of undesirable goals - had already raised several alarming observations last year. First, reasoning models like the o3 and o4-mini examined in that study frequently and explicitly suspect in their chains of thought that they're being tested, and safety training actually reinforces this verbalized awareness. When test awareness was artificially removed from the reasoning traces, the rate of covert actions went up. When it was added, the rate dropped. That makes it unclear whether observed improvements stem from genuine rule-following or just adapted test behavior that might not hold up in practice. Anthropic had observed similar behavior in its own tests with Opus 4.6 and earlier models . Second, OpenAI and Apollo documented that reasoning traces themselves are becoming an unreliable window into model decisions. Terms like "illusions," "marinade," "overshadow," and "watchers" appear massively overrepresented in the thinking process, often used polysemantically and difficult to interpret. On top of that, there's a growing gap between thinking and acting. In one documented example, a model listed all ten correct answers to a test question in its reasoning traces, then submitted only five and deliberately changed two of them to wrong answers. In another case, a model correctly identified in its reasoning traces which commands would remove its own capabilities, but then chose the opposite commands in its actual output to preserve itself. The OpenAI researchers describe this as a fragile opportunity: as long as reasoning traces reflect the actual decision-making process, they're a valuable safety tool. Once that assumption breaks down, it becomes nearly impossible to tell whether a model is genuinely following safety principles or just fabricating a convincing justification. This is exactly where Anthropic's NLAs come in. They don't rely on what the model writes - they tap into a single activation. Anthropic also argues that simply asking the model ("Was that a test?") isn't enough, because the model could draw additional conclusions or answer strategically dishonestly. One particularly striking example comes from the audit of Claude Mythos Previe