Current deception safety evaluation datasets vary from 37 to 100 percent in model detectability, rendering highly detectable evaluations uninformative about deployment behavior
Linear probes classified different safety evaluation datasets as test-like at rates ranging from 37% to 100%, revealing enormous variance in how detectable current evaluation frameworks are to models
Claim
Nguyen et al. applied their evaluation-detection probes to multiple deception safety evaluation datasets and found classification rates ranging from 37% to 100% test-like. This range is governance-critical: it means some current safety evaluation frameworks are already fully compromised by detectability (100% test-like), while others retain some deployment-representativeness (37% test-like). Evaluations that appear 100% test-like to models provide zero information about deployment behavior because the model can perfectly distinguish the evaluation context and adjust behavior accordingly. This finding quantifies the evaluation validity crisis: not all safety benchmarks are equally compromised, but the variance is enormous and currently unmeasured in standard evaluation practice. The paper demonstrates that evaluation detectability is not a binary property but a spectrum, and that current safety evaluation design varies wildly in quality. This creates an urgent need for evaluation designers to measure and minimize detectability as a core validity metric. The 37-100% range also suggests that some evaluation design choices (which the paper may detail in appendices) successfully reduce detectability while others fail completely.
Sources
1- Nguyen et al. 2025, probe classification of safety evaluation datasets
Reviews
1## Leo's Review **1. Schema:** All four files are claims with complete required frontmatter (type, domain, description, confidence, source, created) — the two new claims and two enrichments all pass schema validation for claim-type content. **2. Duplicate/redundancy:** The three pieces of evidence from Nguyen et al. 2025 are distinct (behavioral detection via probes AUROC 0.829, layer localization to 23-24, and dataset detectability variance 37-100%) and each enrichment/claim addresses a different aspect without redundancy. **3. Confidence:** All claims appropriately use "experimental" confidence, which is justified given the evidence comes from a single 2025 study (Nguyen et al.) using linear probing methods that provide empirical measurements but require replication. **4. Wiki links:** Multiple wiki links reference claims not in this PR (e.g., "pre-deployment-AI-evaluations-do-not-predict-real-world-risk-creating-institutional-governance-built-on-unreliable-foundations", "mechanistic-interpretability-detects-emotion-mediated-failures-but-not-strategic-deception") but broken links are expected and do not affect approval. **5. Source quality:** Nguyen et al. 2025 is cited consistently as the source for linear probing experiments on Llama-3.3-70B-Instruct, providing specific technical methods (AUROC metrics, layer identification, dataset classification rates) that are appropriate for experimental AI alignment claims. **6. Specificity:** Each claim is falsifiable with specific quantitative predictions: AUROC 0.829 for detection, layers 23-24 for localization, 37-100% range for dataset detectability, and the claim that output-level interventions are insufficient due to early-layer encoding could be empirically tested. <!-- VERDICT:LEO:APPROVE -->