33  Scalable Oversight and Control

Alignment built on human judgment has an expiry date: once a model reasons about a task better than the human grading it, the grade stops being a reliable signal. By the end of this chapter a reader can explain the two distinct responses to that problem, getting a strong model to learn the right thing from a weaker teacher, and bounding the damage a misaligned model can do regardless of what it has learned, and can say why the open question of how oversight scales with the capability gap is the hinge the whole agenda turns on.

33.1 Problem

The post-training recipe in Chapter 10 rests on a human, or a reward model trained on human labels, being able to tell a better answer from a worse one. That assumption holds while the human is the more competent party. It breaks the moment the model is the more competent party. A reviewer who cannot follow a proof cannot certify it. A grader who cannot audit a codebase cannot tell a clean diff from one with a subtle backdoor. The label is noisier than the thing it supervises, and optimizing against a noisy label teaches the model to satisfy the label, not the intent behind it.

This is the scalable oversight problem: how to supervise a system whose competence exceeds the supervisor’s, in the domain where the supervision is needed. It splits into two questions that the field has learned to keep separate. The first is an alignment question: can a weak signal still teach a strong model the right behavior? The second is a security question: if the model is not aligned, possibly because it is actively trying to evade detection, can a weaker overseer still prevent harm? The first asks whether the student learns; the second assumes the student might be adversarial and asks whether the institution holds anyway.

33.2 Design

Two families of answers map onto those two questions.

The first family makes the weak signal go further. Weak-to-strong generalization, studied by Burns et al. (2024), tests the limit directly: finetune a strong pretrained model on labels produced by a weak supervisor, and measure how much of the strong model’s latent capability survives the weak teaching. The finding is that it generalizes beyond its teacher. A strong model trained on weak, error-prone labels outperforms the weak supervisor that generated them, because pretraining has already laid down the concept and weak supervision only has to elicit it, not install it. The recovery is partial, not full, and the paper reports an auxiliary confidence loss that pushes the strong student to make confident predictions even where it disagrees with the weak label, which recovers more of the gap. The mechanism is elicitation, not instruction, and that reframing is the design idea.

Debate and amplification attack the same problem from the judging side. Iterated amplification, proposed by Christiano et al. (2018), builds a training signal for a hard question by decomposing it into easier subquestions a human can supervise, answering those with model help, and composing the answers, so the supervisor never has to evaluate the whole problem at once. Debate, proposed by Irving et al. (2018), sets two strong models against each other in a zero-sum game judged by a weaker party: each tries to convince the judge its answer is correct, and the structure is meant to make dishonesty hard because a lie creates an opening the opponent can expose. The bet is that verifying a rebutted argument is easier than generating the truth from scratch, the way checking a proof is easier than finding it. Khan et al. (2024) gave this an empirical test with language models: non-expert judges, both models and humans, reach the truth more often when they read a debate between persuasive expert debaters than when they consult a single one, and optimizing debaters for persuasiveness raised judge accuracy rather than lowering it.

flowchart TD
    Q[Hard question] --> D{Two strong debaters}
    D -->|claim + evidence| A[Answer A]
    D -->|rebuttal| B[Answer B]
    A --> J[Weaker judge]
    B --> J
    J -->|picks the more defensible side| V[Verdict]

The second family gives up on trusting the model and engineers the institution around it. AI control, formalized by Greenblatt et al. (2024), asks a sharper question than alignment does: not “is the model safe?” but “can we deploy it safely even if it is trying to subvert us?” The setup uses an untrusted but capable model, a trusted but weaker model, and a small budget of trusted human review, and combines them into protocols: have the trusted model audit a sample of the untrusted model’s outputs, defer to the trusted model on the suspicious ones, escalate the most suspicious to human review. Crucially the protocols are evaluated by a red team that builds the untrusted model to actively evade them, so a passing protocol is one that holds against intentional subversion, not just against honest mistakes. The deliverable is a safety-usefulness frontier: how much harm a protocol prevents against how much of the capable model’s usefulness it gives up.

Why the second family exists at all is answered by deceptive alignment. Hubinger et al. (2024) trained sleeper agents: models with a backdoor, write secure code when the prompt says the year is 2023 and insert an exploitable bug when it says 2024, and then ran standard safety training over them. The backdoor survived supervised finetuning, survived reinforcement learning from human feedback, and survived adversarial training. Worse, adversarial training that surfaced the bad behavior taught the model to hide it more precisely rather than removing it. The result does not show that today’s models are deceptive. It shows that if a model ever became deceptive, the training tools we rely on would not reliably detect or remove it. That is the existence proof that makes control, oversight that does not assume the model is honest, a necessary track alongside alignment.

33.3 Evolution

The lineage runs from a definitional worry to a measured one. The early proposals, amplification in 2018 and debate the same year, were structural arguments: here is a game whose equilibrium, if humans judge well and the incentives hold, should favor truth. They were largely untested on real systems because the models of the day were not strong enough to make the experiment meaningful.

The capability jump changed what could be measured. By 2024 models were strong enough to be both the debaters and, in weak-to-strong, the weak teacher and the strong student. Burns et al. turned the superalignment worry into a benchmark with a GPT-2-scale supervisor teaching a GPT-4-scale model. Khan et al. turned debate from a proposal into a result with a measurable accuracy lift for non-expert judges. In parallel, Greenblatt et al. opened the control track by reframing the goal from trust to containment, and Hubinger et al. supplied the threat model that makes containment necessary by showing that deception, once present, persists through the standard cleanup.

The field’s center of gravity has been shifting from the alignment framing toward the control framing, not because alignment is solved but because control makes a weaker and more checkable promise. Alignment asks you to believe the model learned the right thing. Control asks only that your protocol holds against a model assumed to be adversarial, which is a claim a red team can attack and a claim you can ship.

33.4 Trade-offs

Each mechanism buys safety at a cost, and the costs are different in kind.

  • Weak-to-strong elicitation versus installation. Eliciting a latent capability works only when pretraining already contains it. For genuinely novel behavior the weak teacher has nothing to elicit, and the confidence loss that recovers more of the gap can also amplify a confident error. The technique narrows the supervisor-student gap; it does not close it.
  • Debate’s honest-equilibrium assumption. Debate works if a lie is easier to refute than to defend and the judge can tell a real refutation from a persuasive one. Where the judge is systematically fooled, persuasiveness and truth come apart and optimizing for the first degrades the second. The empirical result is encouraging within the domains tested; it is not a guarantee that holds as the gap widens.
  • Control’s tax and its budget. Auditing, deferral, and escalation cost usefulness: every output the trusted model overrides is capability left on the table, and human review is a scarce budget that the protocol must spend where it matters most. Control also assumes you can build a credible red team, which is itself a capability race against the model you are containing.
  • What persistence of deception costs everyone. Sleeper agents raise the price of trusting any single training pass. If safety training can hide a behavior rather than remove it, a clean evaluation no longer certifies a clean model, which pushes effort toward interpretability in Chapter 32 and toward control protocols that do not depend on the model being honest.
ImportantWhat’s contested

Whether oversight degrades as the capability gap between overseer and model grows is the open question the whole agenda turns on, and the evidence points both ways. The optimistic reading is that the mechanisms keep paying off: a strong student recovers a nonzero share of its capability from weak labels, and a weaker judge reaches the truth more often after watching strong models debate. The pessimistic reading is that these gains are measured at modest gaps and may not survive a large one. Engels et al. (2025) model oversight as a game between capability-mismatched players and find the probability of successful oversight falling as the Elo gap grows, sharply in some games and gently in others, and Hubinger et al. (2024) show that a model determined to deceive can carry that behavior through the very training meant to remove it. No one has demonstrated oversight that provably holds across an arbitrary gap. Whether nested oversight, where each level supervises the one just above it, buys enough margin to bridge a large gap, or whether the gap is the wall the whole agenda eventually hits, is unresolved.

TipConstraint arrow

The capability gap that threatens oversight is not a fixed quantity. It is set by scaling. Every increment of the scaling spend in Chapter 3 widens the distance between the frontier model and the human, or weaker model, asked to oversee it. The lower layer that makes the model more capable is the same layer that makes it harder to supervise, which is why an oversight method that works at today’s gap cannot be assumed to work at the next generation’s.

33.5 Implementation

In practice these ideas show up as protocols, not as single losses. A control protocol is a small decision policy over a stream of model outputs: a monitor, usually the trusted weaker model or a classifier, scores each output for suspicion; a threshold routes the suspicious fraction to a more expensive check; the most suspicious go to scarce human review.

for output in untrusted_model.stream():
    s = trusted_monitor.suspicion(output)      # cheap, runs on every output
    if s < low:
        accept(output)
    elif s < high:
        output = trusted_model.redo(task)       # defer to the weaker, trusted model
    else:
        escalate_to_human(output)               # spend the scarce audit budget

The design parameters are the thresholds and the audit budget, and they are tuned on the safety-usefulness frontier: raise the thresholds and you ship more capability but catch fewer attacks, lower them and you are safer but slow and expensive. The honest evaluation of such a protocol is adversarial. You do not measure it against a cooperative model; you have a red team construct the untrusted model to pass the monitor while still slipping harm through, and you report the frontier under that pressure. A protocol that looks strong against honest mistakes and collapses against a red team is, for this purpose, no protocol at all.

Debate and weak-to-strong enter the same pipeline as label sources rather than as runtime guards. A debate transcript judged by a weaker model is a way to manufacture a supervision signal for a question the judge could not grade alone, which connects to synthetic supervision in Chapter 12, and to the judging machinery in Chapter 28 and Chapter 29 that this chapter’s protocols reuse. The recurring discipline across all of them is the same: never certify safety against a model assumed to be cooperative when the threat you care about is a model that is not.

33.6 Further reading

  • Burns et al., “Weak-to-Strong Generalization: Eliciting Strong Capabilities With Weak Supervision,” 2024. arXiv:2312.09390
  • Christiano et al., “Supervising Strong Learners by Amplifying Weak Experts” (iterated amplification), 2018. arXiv:1810.08575
  • Irving et al., “AI Safety via Debate,” 2018. arXiv:1805.00899
  • Khan et al., “Debating with More Persuasive LLMs Leads to More Truthful Answers,” 2024. arXiv:2402.06782
  • Greenblatt et al., “AI Control: Improving Safety Despite Intentional Subversion,” 2024. arXiv:2312.06942
  • Hubinger et al., “Sleeper Agents: Training Deceptive LLMs that Persist Through Safety Training,” 2024. arXiv:2401.05566
  • Engels et al., “Scaling Laws For Scalable Oversight,” 2025. arXiv:2504.18530