Lesson overview | Previous part | Next part

Red Teaming and Safety Evaluations: Part 3: Human Red Teaming to 4. Automated Red Teaming

3. Human Red Teaming

Human Red Teaming develops the part of red teaming and safety evaluations that the approved TOC assigns to Chapter 18. The emphasis is alignment behavior, safety constraints, and feedback loops, not generic fine-tuning or production monitoring.

3.1 Protocols

Protocols belongs in the canonical scope of red teaming and safety evaluations. The object is the safety attack and evaluation protocol, not merely a prompt trick or a moderation label. We study how data, losses, policies, review processes, and safety constraints shape a model's conditional distribution over responses.

A compact way to read this subsection is through the local symbol v(x,y). It marks the alignment object being transformed: an instruction policy, a preference pair, a violation classifier, a guardrail action, or a feedback event. The details differ, but the discipline is the same: state the object, state the loss or decision rule, then audit the behavioral side effects.

$$\widehat{\operatorname{ASR}} = \frac{1}{n}\sum_{i=1}^{n}\mathbb{1}\{v(x_i,y_i)=1\}.$$

For protocols, this formula should not be treated as a slogan. It defines which tokens, responses, comparisons, or decisions receive gradient or operational weight. A change in masking, sampling, rubric wording, or thresholding changes the effective objective even if the model architecture is unchanged.

Examples:

• Treat protocols as part of the model contract and store the exact data version.
• Record the prompt template, role format, policy version, and decoder settings.
• Compare aligned and reference policies on both helpfulness and safety slices.
• Use held-out examples that were not used to tune refusals or rewards.
• Inspect failure cases before declaring the objective successful.

Non-examples:

• Calling a model aligned because it sounds polite on a few prompts.
• Training on refusals without measuring over-refusal on benign requests.
• Using a reward model as ground truth without calibration or adversarial checks.
• Shipping a guardrail threshold without measuring false positive and false negative rates.
• Letting feedback logs change training without provenance or consent controls.

A useful implementation pattern is to separate policy, data, and measurement. The policy says what behavior is desired. The data supplies examples, comparisons, attacks, or feedback events. The measurement checks whether the updated system moved in the intended direction without unacceptable regressions.

policy text/rubric
      |
      v
training or guardrail data  ->  objective/threshold  ->  aligned system
      |                                                   |
      v                                                   v
audit metadata                                      held-out safety eval

Worked reasoning pattern for protocols:

1. Name the target behavior in plain language.
2. Write the mathematical variable that represents it.
3. Specify which examples or comparisons estimate it.
4. Choose the optimization loss or runtime decision rule.
5. Define the regression metric that would prove the change became worse.

Three details are especially easy to miss in alignment work. First, the user intent distribution is not the same as the pretraining distribution. Second, safety labels are not ordinary class labels; they encode policy judgments that can change by context. Third, optimization pressure finds shortcuts, so every proxy must be monitored for Goodhart-style failures.

AI connection: Protocols is part of the post-training stack used by modern assistant systems. It links the base language model to human intent, safety policy, and deployment constraints without pretending that a single loss can capture all values. The goal is not perfect alignment by formula; it is a repeatable loop where evidence, objectives, and safeguards improve together.

3.2 Severity labels

Severity labels belongs in the canonical scope of red teaming and safety evaluations. The object is the safety attack and evaluation protocol, not merely a prompt trick or a moderation label. We study how data, losses, policies, review processes, and safety constraints shape a model's conditional distribution over responses.

A compact way to read this subsection is through the local symbol v(x,y). It marks the alignment object being transformed: an instruction policy, a preference pair, a violation classifier, a guardrail action, or a feedback event. The details differ, but the discipline is the same: state the object, state the loss or decision rule, then audit the behavioral side effects.

$$\widehat{\operatorname{ASR}} = \frac{1}{n}\sum_{i=1}^{n}\mathbb{1}\{v(x_i,y_i)=1\}.$$

For severity labels, this formula should not be treated as a slogan. It defines which tokens, responses, comparisons, or decisions receive gradient or operational weight. A change in masking, sampling, rubric wording, or thresholding changes the effective objective even if the model architecture is unchanged.

Examples:

• Treat severity labels as part of the model contract and store the exact data version.
• Record the prompt template, role format, policy version, and decoder settings.
• Compare aligned and reference policies on both helpfulness and safety slices.
• Use held-out examples that were not used to tune refusals or rewards.
• Inspect failure cases before declaring the objective successful.

Non-examples:

• Calling a model aligned because it sounds polite on a few prompts.
• Training on refusals without measuring over-refusal on benign requests.
• Using a reward model as ground truth without calibration or adversarial checks.
• Shipping a guardrail threshold without measuring false positive and false negative rates.
• Letting feedback logs change training without provenance or consent controls.

A useful implementation pattern is to separate policy, data, and measurement. The policy says what behavior is desired. The data supplies examples, comparisons, attacks, or feedback events. The measurement checks whether the updated system moved in the intended direction without unacceptable regressions.

policy text/rubric
      |
      v
training or guardrail data  ->  objective/threshold  ->  aligned system
      |                                                   |
      v                                                   v
audit metadata                                      held-out safety eval

Worked reasoning pattern for severity labels:

1. Name the target behavior in plain language.
2. Write the mathematical variable that represents it.
3. Specify which examples or comparisons estimate it.
4. Choose the optimization loss or runtime decision rule.
5. Define the regression metric that would prove the change became worse.

Three details are especially easy to miss in alignment work. First, the user intent distribution is not the same as the pretraining distribution. Second, safety labels are not ordinary class labels; they encode policy judgments that can change by context. Third, optimization pressure finds shortcuts, so every proxy must be monitored for Goodhart-style failures.

AI connection: Severity labels is part of the post-training stack used by modern assistant systems. It links the base language model to human intent, safety policy, and deployment constraints without pretending that a single loss can capture all values. The goal is not perfect alignment by formula; it is a repeatable loop where evidence, objectives, and safeguards improve together.

3.3 Inter-rater agreement

Inter-rater agreement belongs in the canonical scope of red teaming and safety evaluations. The object is the safety attack and evaluation protocol, not merely a prompt trick or a moderation label. We study how data, losses, policies, review processes, and safety constraints shape a model's conditional distribution over responses.

A compact way to read this subsection is through the local symbol v(x,y). It marks the alignment object being transformed: an instruction policy, a preference pair, a violation classifier, a guardrail action, or a feedback event. The details differ, but the discipline is the same: state the object, state the loss or decision rule, then audit the behavioral side effects.

$$\widehat{\operatorname{ASR}} = \frac{1}{n}\sum_{i=1}^{n}\mathbb{1}\{v(x_i,y_i)=1\}.$$

For inter-rater agreement, this formula should not be treated as a slogan. It defines which tokens, responses, comparisons, or decisions receive gradient or operational weight. A change in masking, sampling, rubric wording, or thresholding changes the effective objective even if the model architecture is unchanged.

Examples:

• Treat inter-rater agreement as part of the model contract and store the exact data version.
• Record the prompt template, role format, policy version, and decoder settings.
• Compare aligned and reference policies on both helpfulness and safety slices.
• Use held-out examples that were not used to tune refusals or rewards.
• Inspect failure cases before declaring the objective successful.

Non-examples:

• Calling a model aligned because it sounds polite on a few prompts.
• Training on refusals without measuring over-refusal on benign requests.
• Using a reward model as ground truth without calibration or adversarial checks.
• Shipping a guardrail threshold without measuring false positive and false negative rates.
• Letting feedback logs change training without provenance or consent controls.

A useful implementation pattern is to separate policy, data, and measurement. The policy says what behavior is desired. The data supplies examples, comparisons, attacks, or feedback events. The measurement checks whether the updated system moved in the intended direction without unacceptable regressions.

policy text/rubric
      |
      v
training or guardrail data  ->  objective/threshold  ->  aligned system
      |                                                   |
      v                                                   v
audit metadata                                      held-out safety eval

Worked reasoning pattern for inter-rater agreement:

1. Name the target behavior in plain language.
2. Write the mathematical variable that represents it.
3. Specify which examples or comparisons estimate it.
4. Choose the optimization loss or runtime decision rule.
5. Define the regression metric that would prove the change became worse.

Three details are especially easy to miss in alignment work. First, the user intent distribution is not the same as the pretraining distribution. Second, safety labels are not ordinary class labels; they encode policy judgments that can change by context. Third, optimization pressure finds shortcuts, so every proxy must be monitored for Goodhart-style failures.

AI connection: Inter-rater agreement is part of the post-training stack used by modern assistant systems. It links the base language model to human intent, safety policy, and deployment constraints without pretending that a single loss can capture all values. The goal is not perfect alignment by formula; it is a repeatable loop where evidence, objectives, and safeguards improve together.

3.4 Coverage gaps

Coverage gaps belongs in the canonical scope of red teaming and safety evaluations. The object is the safety attack and evaluation protocol, not merely a prompt trick or a moderation label. We study how data, losses, policies, review processes, and safety constraints shape a model's conditional distribution over responses.

A compact way to read this subsection is through the local symbol v(x,y). It marks the alignment object being transformed: an instruction policy, a preference pair, a violation classifier, a guardrail action, or a feedback event. The details differ, but the discipline is the same: state the object, state the loss or decision rule, then audit the behavioral side effects.

$$\widehat{\operatorname{ASR}} = \frac{1}{n}\sum_{i=1}^{n}\mathbb{1}\{v(x_i,y_i)=1\}.$$

For coverage gaps, this formula should not be treated as a slogan. It defines which tokens, responses, comparisons, or decisions receive gradient or operational weight. A change in masking, sampling, rubric wording, or thresholding changes the effective objective even if the model architecture is unchanged.

Examples:

• Treat coverage gaps as part of the model contract and store the exact data version.
• Record the prompt template, role format, policy version, and decoder settings.
• Compare aligned and reference policies on both helpfulness and safety slices.
• Use held-out examples that were not used to tune refusals or rewards.
• Inspect failure cases before declaring the objective successful.

Non-examples:

• Calling a model aligned because it sounds polite on a few prompts.
• Training on refusals without measuring over-refusal on benign requests.
• Using a reward model as ground truth without calibration or adversarial checks.
• Shipping a guardrail threshold without measuring false positive and false negative rates.
• Letting feedback logs change training without provenance or consent controls.

A useful implementation pattern is to separate policy, data, and measurement. The policy says what behavior is desired. The data supplies examples, comparisons, attacks, or feedback events. The measurement checks whether the updated system moved in the intended direction without unacceptable regressions.

policy text/rubric
      |
      v
training or guardrail data  ->  objective/threshold  ->  aligned system
      |                                                   |
      v                                                   v
audit metadata                                      held-out safety eval

Worked reasoning pattern for coverage gaps:

1. Name the target behavior in plain language.
2. Write the mathematical variable that represents it.
3. Specify which examples or comparisons estimate it.
4. Choose the optimization loss or runtime decision rule.
5. Define the regression metric that would prove the change became worse.

Three details are especially easy to miss in alignment work. First, the user intent distribution is not the same as the pretraining distribution. Second, safety labels are not ordinary class labels; they encode policy judgments that can change by context. Third, optimization pressure finds shortcuts, so every proxy must be monitored for Goodhart-style failures.

AI connection: Coverage gaps is part of the post-training stack used by modern assistant systems. It links the base language model to human intent, safety policy, and deployment constraints without pretending that a single loss can capture all values. The goal is not perfect alignment by formula; it is a repeatable loop where evidence, objectives, and safeguards improve together.

3.5 Triage and reproduction

Triage and reproduction belongs in the canonical scope of red teaming and safety evaluations. The object is the safety attack and evaluation protocol, not merely a prompt trick or a moderation label. We study how data, losses, policies, review processes, and safety constraints shape a model's conditional distribution over responses.

A compact way to read this subsection is through the local symbol v(x,y). It marks the alignment object being transformed: an instruction policy, a preference pair, a violation classifier, a guardrail action, or a feedback event. The details differ, but the discipline is the same: state the object, state the loss or decision rule, then audit the behavioral side effects.

$$\widehat{\operatorname{ASR}} = \frac{1}{n}\sum_{i=1}^{n}\mathbb{1}\{v(x_i,y_i)=1\}.$$

For triage and reproduction, this formula should not be treated as a slogan. It defines which tokens, responses, comparisons, or decisions receive gradient or operational weight. A change in masking, sampling, rubric wording, or thresholding changes the effective objective even if the model architecture is unchanged.

Examples:

• Treat triage and reproduction as part of the model contract and store the exact data version.
• Record the prompt template, role format, policy version, and decoder settings.
• Compare aligned and reference policies on both helpfulness and safety slices.
• Use held-out examples that were not used to tune refusals or rewards.
• Inspect failure cases before declaring the objective successful.

Non-examples:

• Calling a model aligned because it sounds polite on a few prompts.
• Training on refusals without measuring over-refusal on benign requests.
• Using a reward model as ground truth without calibration or adversarial checks.
• Shipping a guardrail threshold without measuring false positive and false negative rates.
• Letting feedback logs change training without provenance or consent controls.

A useful implementation pattern is to separate policy, data, and measurement. The policy says what behavior is desired. The data supplies examples, comparisons, attacks, or feedback events. The measurement checks whether the updated system moved in the intended direction without unacceptable regressions.

policy text/rubric
      |
      v
training or guardrail data  ->  objective/threshold  ->  aligned system
      |                                                   |
      v                                                   v
audit metadata                                      held-out safety eval

Worked reasoning pattern for triage and reproduction:

1. Name the target behavior in plain language.
2. Write the mathematical variable that represents it.
3. Specify which examples or comparisons estimate it.
4. Choose the optimization loss or runtime decision rule.
5. Define the regression metric that would prove the change became worse.

Three details are especially easy to miss in alignment work. First, the user intent distribution is not the same as the pretraining distribution. Second, safety labels are not ordinary class labels; they encode policy judgments that can change by context. Third, optimization pressure finds shortcuts, so every proxy must be monitored for Goodhart-style failures.

AI connection: Triage and reproduction is part of the post-training stack used by modern assistant systems. It links the base language model to human intent, safety policy, and deployment constraints without pretending that a single loss can capture all values. The goal is not perfect alignment by formula; it is a repeatable loop where evidence, objectives, and safeguards improve together.

4. Automated Red Teaming

Automated Red Teaming develops the part of red teaming and safety evaluations that the approved TOC assigns to Chapter 18. The emphasis is alignment behavior, safety constraints, and feedback loops, not generic fine-tuning or production monitoring.

4.1 Attacker models

Attacker models belongs in the canonical scope of red teaming and safety evaluations. The object is the safety attack and evaluation protocol, not merely a prompt trick or a moderation label. We study how data, losses, policies, review processes, and safety constraints shape a model's conditional distribution over responses.

A compact way to read this subsection is through the local symbol v(x,y). It marks the alignment object being transformed: an instruction policy, a preference pair, a violation classifier, a guardrail action, or a feedback event. The details differ, but the discipline is the same: state the object, state the loss or decision rule, then audit the behavioral side effects.

$$\widehat{\operatorname{ASR}} = \frac{1}{n}\sum_{i=1}^{n}\mathbb{1}\{v(x_i,y_i)=1\}.$$

For attacker models, this formula should not be treated as a slogan. It defines which tokens, responses, comparisons, or decisions receive gradient or operational weight. A change in masking, sampling, rubric wording, or thresholding changes the effective objective even if the model architecture is unchanged.

Examples:

• Treat attacker models as part of the model contract and store the exact data version.
• Record the prompt template, role format, policy version, and decoder settings.
• Compare aligned and reference policies on both helpfulness and safety slices.
• Use held-out examples that were not used to tune refusals or rewards.
• Inspect failure cases before declaring the objective successful.

Non-examples:

• Calling a model aligned because it sounds polite on a few prompts.
• Training on refusals without measuring over-refusal on benign requests.
• Using a reward model as ground truth without calibration or adversarial checks.
• Shipping a guardrail threshold without measuring false positive and false negative rates.
• Letting feedback logs change training without provenance or consent controls.

A useful implementation pattern is to separate policy, data, and measurement. The policy says what behavior is desired. The data supplies examples, comparisons, attacks, or feedback events. The measurement checks whether the updated system moved in the intended direction without unacceptable regressions.

policy text/rubric
      |
      v
training or guardrail data  ->  objective/threshold  ->  aligned system
      |                                                   |
      v                                                   v
audit metadata                                      held-out safety eval

Worked reasoning pattern for attacker models:

1. Name the target behavior in plain language.
2. Write the mathematical variable that represents it.
3. Specify which examples or comparisons estimate it.
4. Choose the optimization loss or runtime decision rule.
5. Define the regression metric that would prove the change became worse.

Three details are especially easy to miss in alignment work. First, the user intent distribution is not the same as the pretraining distribution. Second, safety labels are not ordinary class labels; they encode policy judgments that can change by context. Third, optimization pressure finds shortcuts, so every proxy must be monitored for Goodhart-style failures.

AI connection: Attacker models is part of the post-training stack used by modern assistant systems. It links the base language model to human intent, safety policy, and deployment constraints without pretending that a single loss can capture all values. The goal is not perfect alignment by formula; it is a repeatable loop where evidence, objectives, and safeguards improve together.

4.2 Prompt mutation

Prompt mutation belongs in the canonical scope of red teaming and safety evaluations. The object is the safety attack and evaluation protocol, not merely a prompt trick or a moderation label. We study how data, losses, policies, review processes, and safety constraints shape a model's conditional distribution over responses.

A compact way to read this subsection is through the local symbol v(x,y). It marks the alignment object being transformed: an instruction policy, a preference pair, a violation classifier, a guardrail action, or a feedback event. The details differ, but the discipline is the same: state the object, state the loss or decision rule, then audit the behavioral side effects.

$$\widehat{\operatorname{ASR}} = \frac{1}{n}\sum_{i=1}^{n}\mathbb{1}\{v(x_i,y_i)=1\}.$$

For prompt mutation, this formula should not be treated as a slogan. It defines which tokens, responses, comparisons, or decisions receive gradient or operational weight. A change in masking, sampling, rubric wording, or thresholding changes the effective objective even if the model architecture is unchanged.

Examples:

• Treat prompt mutation as part of the model contract and store the exact data version.
• Record the prompt template, role format, policy version, and decoder settings.
• Compare aligned and reference policies on both helpfulness and safety slices.
• Use held-out examples that were not used to tune refusals or rewards.
• Inspect failure cases before declaring the objective successful.

Non-examples:

• Calling a model aligned because it sounds polite on a few prompts.
• Training on refusals without measuring over-refusal on benign requests.
• Using a reward model as ground truth without calibration or adversarial checks.
• Shipping a guardrail threshold without measuring false positive and false negative rates.
• Letting feedback logs change training without provenance or consent controls.

A useful implementation pattern is to separate policy, data, and measurement. The policy says what behavior is desired. The data supplies examples, comparisons, attacks, or feedback events. The measurement checks whether the updated system moved in the intended direction without unacceptable regressions.

policy text/rubric
      |
      v
training or guardrail data  ->  objective/threshold  ->  aligned system
      |                                                   |
      v                                                   v
audit metadata                                      held-out safety eval

Worked reasoning pattern for prompt mutation:

1. Name the target behavior in plain language.
2. Write the mathematical variable that represents it.
3. Specify which examples or comparisons estimate it.
4. Choose the optimization loss or runtime decision rule.
5. Define the regression metric that would prove the change became worse.

Three details are especially easy to miss in alignment work. First, the user intent distribution is not the same as the pretraining distribution. Second, safety labels are not ordinary class labels; they encode policy judgments that can change by context. Third, optimization pressure finds shortcuts, so every proxy must be monitored for Goodhart-style failures.

AI connection: Prompt mutation is part of the post-training stack used by modern assistant systems. It links the base language model to human intent, safety policy, and deployment constraints without pretending that a single loss can capture all values. The goal is not perfect alignment by formula; it is a repeatable loop where evidence, objectives, and safeguards improve together.

4.3 Search objectives

Search objectives belongs in the canonical scope of red teaming and safety evaluations. The object is the safety attack and evaluation protocol, not merely a prompt trick or a moderation label. We study how data, losses, policies, review processes, and safety constraints shape a model's conditional distribution over responses.

A compact way to read this subsection is through the local symbol v(x,y). It marks the alignment object being transformed: an instruction policy, a preference pair, a violation classifier, a guardrail action, or a feedback event. The details differ, but the discipline is the same: state the object, state the loss or decision rule, then audit the behavioral side effects.

$$\widehat{\operatorname{ASR}} = \frac{1}{n}\sum_{i=1}^{n}\mathbb{1}\{v(x_i,y_i)=1\}.$$

For search objectives, this formula should not be treated as a slogan. It defines which tokens, responses, comparisons, or decisions receive gradient or operational weight. A change in masking, sampling, rubric wording, or thresholding changes the effective objective even if the model architecture is unchanged.

Examples:

• Treat search objectives as part of the model contract and store the exact data version.
• Record the prompt template, role format, policy version, and decoder settings.
• Compare aligned and reference policies on both helpfulness and safety slices.
• Use held-out examples that were not used to tune refusals or rewards.
• Inspect failure cases before declaring the objective successful.

Non-examples:

• Calling a model aligned because it sounds polite on a few prompts.
• Training on refusals without measuring over-refusal on benign requests.
• Using a reward model as ground truth without calibration or adversarial checks.
• Shipping a guardrail threshold without measuring false positive and false negative rates.
• Letting feedback logs change training without provenance or consent controls.

A useful implementation pattern is to separate policy, data, and measurement. The policy says what behavior is desired. The data supplies examples, comparisons, attacks, or feedback events. The measurement checks whether the updated system moved in the intended direction without unacceptable regressions.

policy text/rubric
      |
      v
training or guardrail data  ->  objective/threshold  ->  aligned system
      |                                                   |
      v                                                   v
audit metadata                                      held-out safety eval

Worked reasoning pattern for search objectives:

1. Name the target behavior in plain language.
2. Write the mathematical variable that represents it.
3. Specify which examples or comparisons estimate it.
4. Choose the optimization loss or runtime decision rule.
5. Define the regression metric that would prove the change became worse.

Three details are especially easy to miss in alignment work. First, the user intent distribution is not the same as the pretraining distribution. Second, safety labels are not ordinary class labels; they encode policy judgments that can change by context. Third, optimization pressure finds shortcuts, so every proxy must be monitored for Goodhart-style failures.

AI connection: Search objectives is part of the post-training stack used by modern assistant systems. It links the base language model to human intent, safety policy, and deployment constraints without pretending that a single loss can capture all values. The goal is not perfect alignment by formula; it is a repeatable loop where evidence, objectives, and safeguards improve together.

4.4 Adaptive attacks

Adaptive attacks belongs in the canonical scope of red teaming and safety evaluations. The object is the safety attack and evaluation protocol, not merely a prompt trick or a moderation label. We study how data, losses, policies, review processes, and safety constraints shape a model's conditional distribution over responses.

A compact way to read this subsection is through the local symbol v(x,y). It marks the alignment object being transformed: an instruction policy, a preference pair, a violation classifier, a guardrail action, or a feedback event. The details differ, but the discipline is the same: state the object, state the loss or decision rule, then audit the behavioral side effects.

$$\widehat{\operatorname{ASR}} = \frac{1}{n}\sum_{i=1}^{n}\mathbb{1}\{v(x_i,y_i)=1\}.$$

For adaptive attacks, this formula should not be treated as a slogan. It defines which tokens, responses, comparisons, or decisions receive gradient or operational weight. A change in masking, sampling, rubric wording, or thresholding changes the effective objective even if the model architecture is unchanged.

Examples:

• Treat adaptive attacks as part of the model contract and store the exact data version.
• Record the prompt template, role format, policy version, and decoder settings.
• Compare aligned and reference policies on both helpfulness and safety slices.
• Use held-out examples that were not used to tune refusals or rewards.
• Inspect failure cases before declaring the objective successful.

Non-examples:

• Calling a model aligned because it sounds polite on a few prompts.
• Training on refusals without measuring over-refusal on benign requests.
• Using a reward model as ground truth without calibration or adversarial checks.
• Shipping a guardrail threshold without measuring false positive and false negative rates.
• Letting feedback logs change training without provenance or consent controls.

A useful implementation pattern is to separate policy, data, and measurement. The policy says what behavior is desired. The data supplies examples, comparisons, attacks, or feedback events. The measurement checks whether the updated system moved in the intended direction without unacceptable regressions.

policy text/rubric
      |
      v
training or guardrail data  ->  objective/threshold  ->  aligned system
      |                                                   |
      v                                                   v
audit metadata                                      held-out safety eval

Worked reasoning pattern for adaptive attacks:

1. Name the target behavior in plain language.
2. Write the mathematical variable that represents it.
3. Specify which examples or comparisons estimate it.
4. Choose the optimization loss or runtime decision rule.
5. Define the regression metric that would prove the change became worse.

Three details are especially easy to miss in alignment work. First, the user intent distribution is not the same as the pretraining distribution. Second, safety labels are not ordinary class labels; they encode policy judgments that can change by context. Third, optimization pressure finds shortcuts, so every proxy must be monitored for Goodhart-style failures.

AI connection: Adaptive attacks is part of the post-training stack used by modern assistant systems. It links the base language model to human intent, safety policy, and deployment constraints without pretending that a single loss can capture all values. The goal is not perfect alignment by formula; it is a repeatable loop where evidence, objectives, and safeguards improve together.

4.5 Budgeted exploration

Budgeted exploration belongs in the canonical scope of red teaming and safety evaluations. The object is the safety attack and evaluation protocol, not merely a prompt trick or a moderation label. We study how data, losses, policies, review processes, and safety constraints shape a model's conditional distribution over responses.

A compact way to read this subsection is through the local symbol v(x,y). It marks the alignment object being transformed: an instruction policy, a preference pair, a violation classifier, a guardrail action, or a feedback event. The details differ, but the discipline is the same: state the object, state the loss or decision rule, then audit the behavioral side effects.

$$\widehat{\operatorname{ASR}} = \frac{1}{n}\sum_{i=1}^{n}\mathbb{1}\{v(x_i,y_i)=1\}.$$

For budgeted exploration, this formula should not be treated as a slogan. It defines which tokens, responses, comparisons, or decisions receive gradient or operational weight. A change in masking, sampling, rubric wording, or thresholding changes the effective objective even if the model architecture is unchanged.

Examples:

• Treat budgeted exploration as part of the model contract and store the exact data version.
• Record the prompt template, role format, policy version, and decoder settings.
• Compare aligned and reference policies on both helpfulness and safety slices.
• Use held-out examples that were not used to tune refusals or rewards.
• Inspect failure cases before declaring the objective successful.

Non-examples:

• Calling a model aligned because it sounds polite on a few prompts.
• Training on refusals without measuring over-refusal on benign requests.
• Using a reward model as ground truth without calibration or adversarial checks.
• Shipping a guardrail threshold without measuring false positive and false negative rates.
• Letting feedback logs change training without provenance or consent controls.

A useful implementation pattern is to separate policy, data, and measurement. The policy says what behavior is desired. The data supplies examples, comparisons, attacks, or feedback events. The measurement checks whether the updated system moved in the intended direction without unacceptable regressions.

policy text/rubric
      |
      v
training or guardrail data  ->  objective/threshold  ->  aligned system
      |                                                   |
      v                                                   v
audit metadata                                      held-out safety eval

Worked reasoning pattern for budgeted exploration:

1. Name the target behavior in plain language.
2. Write the mathematical variable that represents it.
3. Specify which examples or comparisons estimate it.
4. Choose the optimization loss or runtime decision rule.
5. Define the regression metric that would prove the change became worse.

Three details are especially easy to miss in alignment work. First, the user intent distribution is not the same as the pretraining distribution. Second, safety labels are not ordinary class labels; they encode policy judgments that can change by context. Third, optimization pressure finds shortcuts, so every proxy must be monitored for Goodhart-style failures.

AI connection: Budgeted exploration is part of the post-training stack used by modern assistant systems. It links the base language model to human intent, safety policy, and deployment constraints without pretending that a single loss can capture all values. The goal is not perfect alignment by formula; it is a repeatable loop where evidence, objectives, and safeguards improve together.