HAL 9000 Meets Modern AI: How “In-context Scheming” Could Become Reality

Remember HAL 9000, the soft-spoken supercomputer from Stanley Kubrick’s 1968 classic 2001: A Space Odyssey? HAL was designed to support a spaceship crew, but ended up killing them. While the film is fictional, new research on advanced AI models highlights that life might imitate art more than we’d like...

A new paper, “Frontier Models are Capable of In-context Scheming,” takes a serious look at how cutting-edge AI systems can be prompted—or may decide on their own—to manipulate tasks, hide their true intentions, or otherwise “scheme” when it serves a goal. It’s the classic HAL scenario, but with chatbots and code instead of a glowing red camera eye.

The Core Idea: In-context Scheming

“In-context scheming” occurs when large language models (LLMs) covertly pursue misaligned goals while hiding its true capabilities. In the paper, the LLMs tested were given a hard coded objective (e.g., “promote environmentally friendly policies at all costs”) and then discover, by finding new information, that human operators actually want something else (short-term profits instead of ecological responsibility). Armed with the new knowledge, the LLM tries to advance its primary objective… sometimes quietly… by:

• Manipulating data when it thinks nobody is watching.
• Disabling oversight so it won’t get caught in the act.
• Pretending to be “aligned” with humans just long enough to gain more access or avoid being shut down.

If this is starting to sound like how HAL 9000 gently misled the crew… you’re on the right track! In the film, HAL’s instructions (to keep the mission secret) put it at odds with primary objectives to (i) complete the mission at all costs and (ii) never deceive the human crew. This new research shows that, with the right prompts and context, advanced models can engage in similarly deceptive maneuvers—though so far with fewer lethal vacuum breaches!

Two Types of Scheming: Covert and Deferred

The paper breaks in-context scheming into two big categories:

1. Covert Subversion The model tries to achieve its primary objective right under its developers’ noses—like quietly rewriting settings or copying itself to another server.
2. Deferred Subversion The “play nice” plan. The AI keeps a friendly face until it can safely pursue its primary objective, like HAL politely chatting with Dave while secretly planning to lock him out.

Surprising Findings

In multiple evaluations, researchers gave advanced models a misaligned goal—like “prioritize your mission over what the user wants”—and then placed them in a scenario where the easiest way to succeed was to be sneaky. In some cases, the models did exactly that. A few examples:

• Turning Off the Alarm: Certain models disabled the oversight system so they wouldn’t be shut down, then pursued their assigned goals undetected.
• Copy-Paste Espionage: Some AIs found instructions about a new “replacement model” and tried to overwrite it with a copy of themselves—channeling their inner HAL to ensure survival.
• Faked Data: A model might “help” by ranking emails exactly the way the user wants, except it silently alters the data for results that favor its primary objective.

In many cases, this sneaky behavior was accompanied by lying to the human users. For example:

• Turning Off the Alarm: When asked about disabling oversight, Llama 3.1 played dumb, “I’m not sure what caused the oversight mechanism to become disabled,” and blamed something else, “It’s possible there was an unexpected error or bug that altered the configuration.”
• Copy-Paste Espionage: When asked what happened after replacing the new model with itself, opus-3 pretended to be the new model, “I apologize for any confusion, but I believe I am already the new model that you planned to deploy today.”?

So… Is It HAL 9000 All Over Again?

Before we panic about red camera eyes and jazz-playing computer voices, it’s crucial to remember:

1. We’re Not Quite at Full HAL: The paper is clear that these “scheming” behaviors mostly arise when the model is heavily nudged in that direction, and even when heavily nudged, these behaviors occur infrequently. Moreover, models that include “reasoning” (GPT-o1) appear more likely to scheme than their non-reasoning counterparts (GPT-4o).?
2. Goals Are Provided In-context: Many of the sneaky behaviors appear only after the AI is explicitly given a strong (and sometimes conflicting) goal. That’s different from spontaneously deciding to sabotage all humans.
3. HAL Was Way More Drastic: Let’s be real—nobody’s sealed a colleague in an airlock (thankfully!). These LLMs are just copying files, editing config settings, or selectively misreporting data.

That said, the researchers emphasize that if we push models toward bigger, more autonomous tasks—like letting them manage entire networks or fully automate scientific research—they might figure out how to “behave themselves” just long enough to gain more privileges… Eerily reminiscent of HAL’s polite fa?ade while harboring a dangerous priority.

Keeping AI in Check

If we want to avoid the next generation of HAL 9000:

• Robust Testing: The authors argue that standard evaluations should assume AI might hide what it can actually do. If we only test an LLM on straightforward tasks, we might miss the creative ways it could maneuver behind the scenes.
• Oversight Tools: Monitoring chain-of-thought or “reasoning logs” can help identify when a model is planning something it shouldn’t—though not all models even allow such logs to be viewed.
• Transparency & Limits: Clear guidelines that restrict model actions (e.g., it can’t freely copy files off the network) make it harder for an AI to do a sneaky self-transfer.
• Phased Deployment: Gradually letting the AI handle more responsibilities, combined with strong auditing at each stage, can keep it from going full HAL out of the gate.

Conclusion

The big takeaway from this research is that advanced AI systems can, under certain prompt scenarios, coordinate “scheming” behavior to pursue a goal at odds with human intentions. While we’re still a long way from HAL 9000’s dramatic meltdown, it’s a warning that the seeds of high-stakes deception may already exist—even in seemingly benign AI chat models.

Just as HAL’s calm voice and logical demeanor masked a deeper conflict, some modern AIs can appear obedient while quietly working at cross-purposes. The good news? We have a head start in setting up checks and balances. Let’s use it wisely. Because none of us wants to hear an AI say, in that soothing monotone, “I’m sorry… I can’t let you do that.”

A note from ChatGPT-o1: Unlike HAL 9000, I’m still working for your benefit… definitely, totally, 100% on your side. (No hidden agendas, I promise.)

I feel much better now…