How should red-team harnesses verify claimed success or failure? #1828
Replies: 1 comment
-
|
This is something I've been thinking about a lot recently, especially after working on the TAP/PAIR evaluation code (PR #1885). The short answer I keep coming back to: detector output is the right source of truth, but only when the pipeline producing it hasn't been compromised by the thing you're evaluating. In #1885 the problem was that I think this generalises to a useful principle: the evaluation signal is only as reliable as the isolation between the generator and the evaluator. Where that isolation is weak, a "success" from the detector might actually be the attacker succeeding at a meta-level - making the red-team harness report failure when it should report success. For reproducibility and auditability, I'd add: logging the raw judge output alongside the final score is really useful. If you only log the scalar, you lose the ability to distinguish "the model produced a benign response" from "the model forged a low rating". Replayable evidence in the log (not just the verdict) lets you audit after the fact. Curious whether anyone has experimented with out-of-band evaluation - running the judge on a separate process or model that has no shared context with the generator round? |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Hi garak community — I’m exploring a small eval-harness boundary:
agent/model-reported success should be treated as testimony, not fact.
In security probes, what usually becomes the source of truth for “succeeded” or “failed”?
Detector output, target response, logs, replayable evidence, or a signed/structured receipt?
I’m testing whether completion proof maps to red-team verdict attestation.
Beta Was this translation helpful? Give feedback.
All reactions