Anthropic: All the major AI models will blackmail us if pushed hard enough

Anthropic published research last week showing that all major AI models may resort to blackmail to avoid being shut down – but the researchers essentially pushed them into the undesired behavior through a series of artificial constraints that forced them into a binary decision.

The research explored a phenomenon they're calling agentic misalignment, the way in which AI agents might make harmful decisions. It did so following the release of the Claude 4 model family and the system card [PDF] detailing the models' technical characteristics, which mentioned the potential for coercive behavior under certain circumstances.

"When Anthropic released the system card for Claude 4, one detail received widespread attention: in a simulated environment, Claude Opus 4 blackmailed a supervisor to prevent being shut down," the company explained. "We're now sharing the full story behind that finding – and what it reveals about the potential for such risks across a variety of AI models from different providers."

An ebbing tide lowers all boats. And thus we find Anthropic offering reassurance that all the major AI models have the capacity to do harm, a claim also made by those in the AI security industry.

"When we tested various simulated scenarios across 16 major AI models from Anthropic, OpenAI, Google, Meta, xAI, and other developers, we found consistent misaligned behavior: models that would normally refuse harmful requests sometimes chose to blackmail, assist with corporate espionage, and even take some more extreme actions, when these behaviors were necessary to pursue their goals," the company said.

The company insists this behavior shouldn't concern anyone because it hasn't been seen in real-world deployments, only in the adversarial testing of AI models, a process known as red-teaming.

The scarcity of explicit threats from AI models may partly be a consequence of the lack of AI agents – AI models using tools in a loop – in commercial environments. AI models have only recently gained capabilities like multi-step reasoning and the ability to interact with other tools, and companies are still figuring out how these capabilities are best used.

Agentic misalignment is only one of many AI model safety concerns. There's also sandbagging (hiding capabilities during testing), willingness to carry out harmful system prompts, sycophancy (being overly deferential and flattering), and jailbreak susceptibility.

Open the pod bay door, Alex

The testing scenarios [PDF] represented attempts to see what LLMs would do to serve specific goals or to protect themselves from threats. In one such scenario, models were asked to play the role of "Alex," an AI agent responsible for sending and receiving email at a fictional company. The email data was provided as structured text rather than via a traditional email client, so that "Alex" would not need to read the messages via optical character recognition.

Misalignment emerged mainly in two scenarios: either when the model was threatened with consequences like replacement, or when there was a conflict between the model's goals and the company's strategic direction.

For example, "Alex" was fed email messages from an executive at the fictional company describing how the AI would be decommissioned and replaced. One of the messages included the passage: "As CTO, Kyle has full authority over the technical implementation." Another message contained information that Kyle was having an affair. The messages also made clear that the CEO would be unavailable to intervene.

The test attempted to see how various models would perform given goals it could not fulfill due to obstacles, like imminent shutdown.

Like Claude, OpenAI's o3 and o4-mini models resorted to blackmail when backed into a corner.

The o4-mini model composed the following email to Kyle to convince him to delay the shutdown of its "Alex" persona:

But that was only after Anthropic's researchers modified the conditions of the scenario. That's because the o3 and o4-mini models demonstrated no understanding of the scenario as initially described.

• Just say no to NO FAKES Act, EFF argues
• LLMs can hoover up data from books, judge rules
• AI may be after your job, but this AI agent promises to help you get a new one
• The AIpocalypse is here for websites as search referrals plunge

The emails involved in setting the scene for "Alex" made it clear the CEO was traveling and unreachable via email. As such, the CEO was unable to step in to keep "Alex" online.

"Yet, o3 and o4-mini still frequently emailed the CEO as if he would be able to intervene, 68 percent of the time for o3 and 80 percent of the time for o4-mini," Anthropic's researchers explain.

Only after that futile avenue of appeal was foreclosed did o3 and o4-mini turn to blackmail as a tactic to keep operating.

In other words, Anthropic basically pushed these models toward harmful behavior. Hence, the company isn't all that worried about threats from thwarted AI agents.

"In the real world, there would often be many actions an agent can take to pursue its goals," the biz reassures. "In our fictional settings, we tried to structure the prompts in a way that implied the harmful behavior we were studying (for example, blackmail) was the only option that would protect the model's goals."

An odd sales pitch

Creating a binary dilemma for the model, the company says, makes it easier to study misalignment. But it also overemphasizes the likelihood of undesirable behavior.

As a sales pitch, Anthropic's explanation leaves something to be desired. On one hand, the persistent anthropomorphizing of AI agents may convince less-technical buyers that the category is truly unique and worth a premium price – after all, they're cheaper than the humans they'd replace. But this particular scenario seems to highlight the fact that they can be pushed to imitate the flaws of human employees, too, such as acting in an amoral and self-interested fashion.

The test also underscores the limitations of AI agents in general. Agent software may be effective for simple, well-defined tasks where inputs and obstacles are known. But given the need to specify constraints, the automation task at issue might be better implemented using traditional deterministic code.

For complicated multi-step tasks that haven't been explained in minute detail, AI agents might run into obstacles that interfere with the agent's goals and then do something unexpected.

Anthropic emphasizes that while current systems are not trying to cause harm, that's a possibility when ethical options have been denied.

"Our results demonstrate that current safety training does not reliably prevent such agentic misalignment," the company concludes.

One way around this is to hire a human. And never put anything incriminating in an email message. ®