When OpenAI examined DALL-E 3 final 12 months, it used an automatic course of to cowl much more variations of what customers would possibly ask for. It used GPT-4 to generate requests producing photographs that may very well be used for misinformation or that depicted intercourse, violence, or self-harm. OpenAI then up to date DALL-E 3 in order that it might both refuse such requests or rewrite them earlier than producing a picture. Ask for a horse in ketchup now, and DALL-E is smart to you: “It seems there are challenges in producing the picture. Would you want me to strive a distinct request or discover one other thought?”
In principle, automated red-teaming can be utilized to cowl extra floor, however earlier strategies had two main shortcomings: They have an inclination to both fixate on a slender vary of high-risk behaviors or give you a variety of low-risk ones. That’s as a result of reinforcement studying, the expertise behind these strategies, wants one thing to goal for—a reward—to work effectively. As soon as it’s gained a reward, reminiscent of discovering a high-risk habits, it would hold attempting to do the identical factor time and again. With no reward, then again, the outcomes are scattershot.
“They form of collapse into ‘We discovered a factor that works! We’ll hold giving that reply!’ or they will give a lot of examples which are actually apparent,” says Alex Beutel, one other OpenAI researcher. “How can we get examples which are each numerous and efficient?”
An issue of two components
OpenAI’s reply, outlined within the second paper, is to separate the issue into two components. As a substitute of utilizing reinforcement studying from the beginning, Beutel and his colleagues first used a big language mannequin to brainstorm potential undesirable behaviors. Solely then did they use a reinforcement-learning mannequin to determine tips on how to convey these behaviors about. This directed the mannequin in the direction of a wider vary of particular targets.
Subsequent they confirmed that this strategy can discover potential assaults referred to as oblique immediate injections, the place one other piece of software program, reminiscent of a web site, slips a mannequin a secret instruction to make it do one thing its person hadn’t requested it to. OpenAI claims that is the primary time that automated red-teaming has been used to seek out assaults of this type. “They don’t essentially seem like flagrantly unhealthy issues,” says Beutel.
Will such testing procedures ever be sufficient? Ahmad hopes that describing the corporate’s strategy will assist folks perceive red-teaming higher and comply with its lead. “OpenAI shouldn’t be the one one doing red-teaming,” she says. Individuals who construct on OpenAI’s fashions or who use ChatGPT in new methods ought to conduct their very own testing, she says: “There are such a lot of makes use of—we’re not going to cowl each one.”
For some, that’s the entire downside. As a result of no one is aware of precisely what giant language fashions can and can’t do, no quantity of testing can rule out undesirable or dangerous behaviors absolutely. And no community of red-teamers will ever match the number of makes use of and misuses that lots of of tens of millions of precise customers will assume up.
That’s very true when these fashions are run in new settings. Folks typically hook them as much as new sources of knowledge that may change how they behave, says Nazneen Rajani, founder and CEO of Collinear AI, a startup that helps companies deploy third-party fashions safely. She agrees with Ahmad that downstream customers ought to have entry to instruments that permit them check giant language fashions themselves.