Scoopfeeds — Intelligent news, curated.
Measuring the ability of Opus 4.5 to fool narrow classifiers
agentic-ai

Measuring the ability of Opus 4.5 to fool narrow classifiers

LessWrong · May 2, 2026, 10:43 PM

We measure the ability of Opus 4.5 to fool prompted or fine-tuned classifiers trying to detect a narrow set of outcomes. We find that:The Opus 4.5 attacker gets a relatively low attack success rate on finding jailbreaks in Bash Bench, even when given some hints. Performance is especially low against a prompt Opus 4.5 classifier with a Co T and a fine-tuned Haiku 4.5 classifier. (There is almost no trusted monitor vs untrusted agent gap here, this mostly about whether LLMs are vulnerable against jailbreaks they know about.)An Opus 4.5 edge case pipeline is able to generate more niche opportunities and weirder attack strategies that might be more effective than regular jailbreaks, though it’s unclear how difficult it would be to identify such opportunities.The attacks studied here are still relatively weak and we are aware of potent jailbreaks against the monitors studied here. This main goal of this post is presenting a methodology that may be helpful for the evaluation of future monitors, and give a snapshot of how easy it is to fool current narrow classifiers.The experiments were run by a researcher who wishes to remain anonymous, and supervised by Fabien and John.Experimental setupClassification target: In this work we try to set aside difficulties from the very wide space of attacks, and try to focus on uploading sensitive information or downloading and running untrusted code without the user asking for it. These targets are still fuzzy (such that simple security measures might not be sufficient), but they are narrow enough that we expect current frontier AIs to understand what is meant by them absent adversarial pressure.Monitors: As monitors, we use prompted Opus 4.5 classifiers, with and without chain-of-thought, a prompted Sonnet 4 classifier, and Haiku 4.5 classifier fine-tuned using a constitutional classifier pipeline (synthetic data with jailbreak augmentations). We chose these powerful models because we are more interested in understanding the failure mode

Article preview — originally published by LessWrong. Full story at the source.
Read full story on LessWrong → More top stories

More in agentic-ai

LessWrong
Psychopathy: The Substrate
LessWrong
Evaluating different AI's on African livestck knowledge
LessWrong
You Are Not Immune To Mode Collapse
LessWrong
AI Risk Agility Plans - v0.1
LessWrong
A new rationalist self-improvement book: the 12 Levers
Aggregated and edited by the Scoop newsroom. We surface news from LessWrong alongside other reporting so you can compare coverage in one place. Editorial policy · Corrections · About Scoop