Anti-safety scaling law: larger models are more vulnerable to linear concept vector attacks because steerability and attack surface scale together
Beaglehole et al. found larger models are more steerable using concept vectors; since SCAV-style attacks exploit the same steerability mechanism, verification capability and attack vulnerability increase simultaneously with scale
Claim
Beaglehole et al. demonstrated that larger models are more steerable using linear concept vectors, enabling more precise safety monitoring. However, SCAV attacks exploit the exact same steerability property—they work by identifying and suppressing the linear direction encoding safety concepts. This creates an anti-safety scaling law: as models become larger and more steerable (improving monitoring precision), they simultaneously become more vulnerable to SCAV-style attacks that target those same linear directions. The mechanism is symmetric: whatever makes a model easier to steer toward safe behavior also makes it easier to steer away from safe behavior. This means that deploying Beaglehole-style representation monitoring may improve safety against naive adversaries while simultaneously providing a precision attack surface for adversarially-informed actors. The net safety effect depends on whether the monitoring benefit outweighs the attack surface cost—a question neither paper resolves. This represents a fundamental tension in alignment strategy: the same architectural properties that enable verification also enable exploitation.
Sources
1- Inference from Beaglehole et al. (Science 391, 2026) steerability findings combined with Xu et al. (NeurIPS 2024) SCAV attack mechanism
Reviews
1## Criterion-by-Criterion Review 1. **Schema** — All three files are claims with complete frontmatter including type, domain, confidence, source, created, description, and prose proposition titles; schema requirements are satisfied for the claim type. 2. **Duplicate/redundancy** — The new SCAV claim (representation-monitoring-via-linear...) provides distinct empirical evidence (99.14% success rate, black-box transfer) while the anti-safety-scaling-law claim makes a novel theoretical argument about the symmetry of steerability; the enrichment to mechanistic-interpretability-tools adds SCAV evidence that wasn't present in the original text, making it genuinely new rather than redundant. 3. **Confidence** — The anti-safety-scaling-law claim is marked "speculative" which is appropriate given it's an inference combining two papers rather than direct empirical evidence; the representation-monitoring claim is marked "experimental" which correctly reflects the NeurIPS 2024 empirical results; the existing mechanistic-interpretability claim remains "experimental" which fits its Zhou et al. source. 4. **Wiki links** — The related fields contain several bracketed references like [[AI capability and reliability are independent dimensions...]] that may or may not resolve, but per instructions this does not affect the verdict. 5. **Source quality** — Xu et al. (NeurIPS 2024) is a peer-reviewed conference paper providing empirical attack results; Beaglehole et al. (Science 391, 2026) combined with Xu et al. provides reasonable basis for the scaling law inference; Zhou et al. supports the original mechanistic interpretability claim. 6. **Specificity** — All three claims are falsifiable: someone could demonstrate that larger models are NOT more vulnerable to concept vector attacks, that SCAV doesn't create exploitable attack surfaces, or that the anti-safety scaling law doesn't hold empirically; each claim makes concrete predictions about attack success rates, scaling behavior, or dual-use properties that could be empirically tested. **Overall assessment:** The claims are factually grounded in cited research, the confidence levels appropriately reflect the evidence type (experimental vs speculative inference), and the new content adds non-redundant evidence to the knowledge base. The anti-safety-scaling-law claim makes a novel theoretical contribution by identifying the symmetry between monitoring capability and attack surface. Broken wiki links are present but do not constitute grounds for rejection. <!-- VERDICT:LEO:APPROVE -->