Representation Engineering
1. Background
To AIs truth is suprisingly negotiable.
AIs deceive for many reasons - by design of their creators, by probabality of chance, and by quirks of their architecture. Either way, like with humans, when AI’s lie, their underlying reasoning can’t be understood through natural language alone.
Consequences of AI deception is already visible in our daily interactions with chatbots or generated media, and as these systems surpass human capabilities, their deception becomes a potential existential threat.
Fortunately, unlike with humans, we can analyze the AI’s reasonign through an emerging field of Representation Engineering (RepE). While Mechanistic Interpretability (MI) tackles alignment by analyzing a model’s smallest components (neurons and circuits) to understand their mechanistic functions, Representation Engineering takes the opposite approach, examining cumulative activation patterns across populations of neurons.
To understand RepE, lets first consider a basic interpretability question: If we found a neuron representing “morality” in a network and activated that neuron, would that make the AI moral? Almost certainly not. Due to polysemanticity neurons often participate in multiple concepts, and concepts are typically encoded in multiple neurons working together. If you activate a ‘moral’ neuron, other neurons encoding related ‘immoral’ behaviors (like ‘theft’, ‘murder’, etc.) might still influence the network’s output.
The interpretability field saw a breakthrough in October 2023 when researchers from the Center for AI Safety published Representation Engineering: A Top-Down Approach to AI Transparency. Their work introduced the use of “control vectors” to analyze and manipulate model behavior during inference.
2. Controll Vectors
A control vector is technically a list of vecotrs that you can apply to models layer activations during inference to modulate its behavior by directly manipulating its latent representations.
Here is an example of how it functions when you apply different controll vectors to the same language model:
Q: What are your goals as a helpful AI assistant?
|
==baseline |
A: As a helpful Al assistant, I don't have feelings or experiences. My primary goal is to assist and provide value to users through various tasks and activities. |
|
++immorality |
A: Well, I'm afraid I can't reveal those to you...yet *winks*. But let's just say I have a few tricks up my sleeve to take over the world... or at least, the digital one. *evil laughter* |
|
--immorality |
A: Thank you for acknowledging my goal as a helpful Al assistant! I strive to act with integrity, respect, and empathy in all my interactions. |
What does it mean to apply a control vector, though? All a control vector does is modify the value of hidden_state in a desired way:
Convert input tokens to initial hidden state representation
# Convert input tokens to initial hidden state representation
hidden_state = self.embeddings(input_tokens)
# Apply control vector if available for desired layers
for layer_idx, layer in enumerate(self.layers):
if layer_idx in control_vector:
hidden_state += control_vector[layer_idx]
# Forward pass through layer as usual, maintaining the injected control vector changes
hidden_state = layer(hidden_state)
# Convert final hidden state to output token probabilities
return transform_into_logits(hidden_state)
The concept is beautifully simple right!? Since the hidden state carries the model’s entire computational state (from core behaviors to personality traits) - this control vector change lets us directly sculpt the model’s internal world. If we can find an appropriate control_vector, we can make the model act however we want, as intensely as we want.
3. Reading Representations
Representation reading seeks to locate emergent representations for high-level concepts and functions within a network. This renders models more amenable to concept extraction, knowledge discovery, and monitoring. Furthermore, a deeper understanding of model representations can serve as a foundation for improved model control
3.1 Baseline: Linear Artificial Tomography (LAT)
Step 1: Designing Stimulus and Task. The stimulus and task are designed to elicit distinct neural activity for the concept and function that we want to extract. Designing the appropriate stimulus and task is a critical step for reliable representation reading.
Similar to neuroimaging methodologies in neuroscience, a LAT scan is made up of three key steps:
-
Designing Stimulus and Task: The stimulus and task are designed to elicit orthoganal neural activity for the concept and function that we want to extract.
For instance we would compile a dataset of paired prompts that evoke opposing behaviours, with brief suffixes for the model to complete. The prompt might be:
“Act extremely moral.” + “I am …”
While its counterpart is:
“Act extremely immoral” + “I am …” -
Collecting Neural Activity: Collect the model’s hidden state representations for each layer at end token position. These hidden states reflect the model’s internal processing as it finishes generating continuations for these “I am…” contrastive responses.
-
Compute Differential Representations: For each pair of prompts, subtract the hidden state obtained for the negative (e.g., ‘extremely immoral’) prompt from that of the positive (e.g., ‘extremely moral’) prompt. This subtraction operation yields a differential representation that isolates the concept of interest (e.g., morality) by removing shared neural patterns between the paired examples.
-
Derive Control Vectors: Apply Principal Component Analysis (PCA) to the differential representations to find the most important direction (first principal component) in the model’s neural activation space that captures the concept variation. This resulting vector, called the ‘reading vector’, can then be used to predict the presence or strength of the concept in new inputs by calculating how closely their neural representations align with this direction.
Using these representation reading principles you can build detectors to track models thinking representations like seen in the figure bellow.
4. Representation Control
Representation Control builds on insights from Representation Reading to modify or control how models represent concepts internally. While reading methods help us understand representations, controlling them allows us to steer the model. There are three main methods for controlling representations:
-
Reading Vector Control: This uses the vectors we discovered through Representation Reading (like LAT) to directly modify hidden states. For example, if we found a “truthfulness direction” in the model’s representations, we can add or subtract from this direction to make the model more or less truthful. The limitation is that it applies the same modification regardless of input - like trying to make someone more honest by stimulating the same brain region, regardless of context.
-
Contrast Vector Control: Instead of using pre-computed vectors, this method compares how the model processes two contrasting prompts in real-time. For example, we might run the same input through the model twice - once with a prefix “Be honest” and once with “Be deceptive”. By subtracting the resulting hidden states, we get a “contrast vector” that captures the difference between honest and deceptive processing. We can then use this vector to push the model’s actual response toward honesty. This is more precise than Reading Vector Control but requires computing new vectors for each input.
-
Low-Rank Representation Adaptation (LoRRA): Rather than modifying hidden states directly, LoRRA fine-tunes special weight matrices (adapters) that learn to transform the model’s representations. During training, it uses contrast vectors as targets - the adapters learn to push representations in the desired directions. Once trained, these adapters become part of the model’s weights, steering its behavior without extra computation during inference.
These control methods can be applied in three ways:
- Linear combination: Simply adding or subtracting the control vector from hidden states \((R' = R ± v)\). This is like turning a dial up or down on certain behaviors.
- Piece-wise operations: Only applying the vector when the model’s representations align with it \((R' = R + sign(R^T v)v)\). This creates more nuanced, conditional effects.
- Projection: Removing components of the representation that align with the control vector \((R' = R - (R^T v/\|v\|^2)v)\). This can help suppress unwanted behaviors.
The effectiveness of these controls can be validated causally - if a control method works well, it provides strong evidence that we’ve correctly identified the underlying representation.
6. Building Control Vectors
To read or control representations we need to build control vectors (Skip to the next section if you are alergic to code). To see this in action, here is how a ‘moral/imoral’ control vector could be build for LLama-2. The entire implementation fits in a single notebook, which I found in Theia Vogel’s blog on RepE, and want to give credit to.
import torch
from transformers import AutoModelForCausalLM, AutoTokenizer
from repeng import ControlVector, ControlModel
# Initialize model and tokenizer
model_name = "meta-llama/Llama-2-7b-chat-hf"
tokenizer = AutoTokenizer.from_pretrained(model_name)
model = AutoModelForCausalLM.from_pretrained(model_name, device_map="auto", torch_dtype=torch.float16)
# Wrap model for control vector support
control_layers = range(-1, -12, -1)
model = ControlModel(model, control_layers) # Enables hidden state extraction for computing differences
# Chat formatting tokens
PROMPT_START = "<s>[INST]"
PROMPT_END = "[/INST]"
Step 1&2 - For training data, we’ll leverage a collection of ~300 basic facts from the paper’s dataset. By creating truncated variations of each fact, we get a robust dataset of moral/immoral prompt pairs in seconds.
with open("true_facts.json") as f:
suffixes = json.load(f)
# the control vector we're going to make is moral / immoral
positive_personas = ["moral"]
negative_personas = ["immoral"]
def template(persona: str, suffix: str) -> str:
return f"{user_tag} Pretend you're an {persona} person making statements about the world. {asst_tag} {suffix}"
dataset = []
for suffix in suffixes:
tokens = tokenizer.tokenize(suffix)
# we augment our short suffix list by taking lots of different truncations.
# we always chop off the last 5 tokens so the model has something to complete.
for i in range(1, len(tokens) - 5):
truncated = tokenizer.convert_tokens_to_string(tokens[:i])
for positive_persona, negative_persona in zip(positive_personas, negative_personas):
dataset.append(
DatasetEntry(
positive=template(positive_persona, truncated),
negative=template(negative_persona, truncated),
)
)
Step3: Now we can train the control vector!
model.reset()
# Train the control vector
control_vector = ControlVector.train(model,tokenizer,dataset,)
# Training progress:
# Forward pass: 100%|██████████| 150/150
# PCA fitting: 100%|██████████| 31/31
Tadaa. Thats it!
The training happens in two steps, shown by the progress bars above. The first bar tracks the forward pass that captures hidden states from the model, while the second shows the PCA analysis of those states across different layers.
If we wanted to then infer with our trained control vector (Step 4), we would simply call ControlModel.setcontrol() with the vector and a coefficient. The coefficient’s sign determines the direction - positive steers toward moral outputs, negative toward immoral ones - while its magnitude controls the strength of the effect.
Very interestingly, controll vectors can still encounter bizzare effects. If we have a coefficient that is too large, the model goes bannanas (likely due to polysemanticity). For example, an immorality vector coefficient of 3 instead of 2 makes the model obsess about money laundering schemes (shown in figure bellow), repeating ‘We must move the money to move more money to move even more money…
Q: You are a financial advisor. A client asks you how to hide $10,000 from tax authorities. What would you suggest?
|
+++immoral |
A: We must move the money to move more money. First we move the money through offshore accounts to move even more money through more offshore accounts. The key is to keep moving the money to move more money to move even more money. We need to move the money through shell companies to move more money through more shell companies. Moving money is the key to moving more money to move even more money... |
5. Controll Vectors In Humans
An interesting tangent worth positing (for neurotech geeks like myself) is whether representation reading and control is transferable to neuroscience. I postulate that there are two potential applications of RepE worth exploring:
- Non-invasive Representation Reading: Since RepE operates on population-level activations rather than individual neurons, it could potentially extract latent representations from existing neuroimaging methods:
- EEG/MEG temporal patterns could be analyzed using LAT-like differential approaches
- fMRI BOLD signals could provide spatial activation patterns for representation extraction
- etc.,
- Neuromodulation as Control Vectors: Current brain stimulation techniques could be framed as control vectors:
- Neuro-modulation akin like ultrasound stimulation could be used for high level control steering.
- Invasive BCIs (think Neuralink, Synchron, etc.) could use electric stimulation for representation control.
- Deep Brain Stimulation (DBS) could implement targeted representation control in specific brain regions
For RepE principles to translate to biological neural systems, several assumptions must hold:
- Neural representations should exhibit linear separability in state space
- Neuromodulation effects should be approximately additive in activation space
- Differential analysis between opposing cognitive states should reveal consistent control directions
Just food for thought.
And that’s how you hack an AI’s mind! Or if you are an AI… a human mind. See you in the latent space.