Mechanistic interpretability

The behavioral-eval ceiling

RLHF + red-teaming improve outputs but cannot prove the model isn't behaving conditionally. Sleeper Agents (Hubinger 2024) showed RLHF can leave a backdoor that survives every standard safety pass. Alignment Faking (Greenblatt 2024) showed Claude will strategically pretend to be aligned during training. Both findings imply: any safety story that depends only on observed behavior is unfalsifiable.

What "reading the model" enables

• Detect concepts (deception, harm, refusal) as features, not just symptoms.
• Causally intervene — clamp a feature, ablate a direction, edit a circuit.
• Trace outputs to training documents (influence functions).
• Build classifiers from internal features (Constitutional Classifiers, 2025).

The two properties that matter

• Linear superposition: the residual at position p is the sum of contributions from every prior block plus the input embedding. Linear — so you can decompose contributions additively.
• Subspaces: different "features" live in roughly orthogonal directions. Two heads can write to disjoint subspaces and not interfere.

This is the foundation of every mech interp technique: if features were not roughly linearly composable in the residual stream, we wouldn't be able to do attribution.

The two matrices

• QK circuit: W_Q · W_KT — determines which tokens attend to which. Operates on the residual stream pre-attention.
• OV circuit: W_V · W_O — determines what gets written when attention happens. Operates on the residual stream post-attention.

This decomposition is the key to reading a head's "function": look at OV to see what it copies, look at QK to see what triggers it. Independent factorization means you can analyze them separately.

How the two heads compose

1. Layer 1 — a "previous-token" head copies the token at position t−1 into the residual at position t.
2. Layer 2 — an "induction" head queries on the current token's content; its keys match the previous-token info written by layer 1, so it attends to the position right after a previous occurrence of the current token.
3. Its OV circuit copies that next-token information forward → predicts B given A.

The phase transition

Induction heads emerge sharply at a specific scale during training. Their formation coincides with the model gaining most of its in-context-learning ability. Before they form, the loss-vs-context-position curve is flat; after, the curve drops steeply with longer context.

The implications that drive every other technique

• Single neurons are usually polysemantic (respond to many unrelated features). The "feature direction" is what's monosemantic, not the basis vector.
• Probing (training a linear classifier on activations) works because features are linear; but you don't know which directions to probe.
• Sparse autoencoders solve this by discovering the feature directions.

The architecture

• Encoder: f(x) = ReLU(W_enc · (x − b_dec)) — projects d-dim activation into D-dim feature space (D ≫ d, e.g. 32× wider).
• Decoder: x̂ = W_dec · f(x) + b_dec — reconstructs.
• Loss: reconstruction MSE + sparsity penalty (L1 on f(x), or top-K constraint).

Variants you should know

• Top-K SAE (OpenAI, 2024): replace L1 with hard top-K constraint at encoder output. Cleaner sparsity, no shrinkage bias.
• JumpReLU SAE: learnable per-feature threshold replaces ReLU. Better dead-feature behavior.
• Gated SAE: separate "gate" and "magnitude" pathways.

The three flavors

• Activation patching: run forward on a "clean" input; cache activations; run on a "corrupt" input but swap in the clean activation at one location; see if behavior recovers. If yes → that location is causally important.
• Attribution patching: linear approximation of activation patching using gradients — much faster, can scan many locations at once.
• Path patching: patch only specific paths (e.g., "head L4H7's output → head L8H2's value") to isolate directions of information flow.

Workflow in practice: use attribution patching to scan hundreds of components cheaply, then use activation/path patching to verify the few that survive.

How to find v

• Difference of activations on contrastive prompt pairs ("be sycophantic" vs "be honest").
• SAE feature directions.
• PCA on a labeled set.

Reveals: for a given Claude response, which pretraining documents pushed it toward this answer. Concrete uses include detecting near-verbatim memorization, attributing factual claims to source documents, and triaging unexpected outputs back to data provenance.

Modular addition / grokking circuits (Nanda et al. 2023)

Grokking on modular addition learns Fourier features; the network internally implements the trig identity for (a + b) mod p. Explained via DFT decomposition of the learned weights — a clean case where mech interp recovers an exact algorithm.

• Scaling Monosemanticity (Templeton 2024) — SAE on Claude 3 Sonnet
• Constitutional Classifiers (2025) — SAE-derived safety classifiers
• Sleeper Agents (Hubinger 2024, arxiv 2401.05566) — backdoors that survive safety training
• Alignment Faking (Greenblatt 2024) — Claude strategically pretending to be aligned during training
• Reward Hacking experimental work — explicit lab studies of how models exploit reward functions
• Everything on transformer-circuits.pub

Mech interp quiz — readiness check

1. What is an induction head?
   Show answer

   2-layer attention circuit implementing pattern completion: given ...[A][B]...[A], predict [B]. Layer 1 "previous-token" head copies token at t−1 to position t; layer 2 "induction" head queries on current token's content, attends to position right after a previous occurrence, copies the next-token info forward. Emerges via phase transition during training.

2. Why are SAEs better than linear probes?
   Show answer

   Probes assume you know the feature direction. SAEs discover directions; trained unsupervised on residual stream activations. Overcomplete dictionary (D ≫ d) with sparsity penalty → near-monosemantic features.

3. What is superposition and why does it matter?
   Show answer

   Models pack more features than dimensions via near-orthogonal directions. Implication: single neurons are polysemantic (respond to many unrelated features); the "feature direction" in activation space is what's monosemantic. Motivates SAEs over neuron-level interpretation.

4. What's the QK vs OV circuit decomposition?
   Show answer

   QK circuit (W_Q W_K^T): determines which tokens attend to which (pattern matching). OV circuit (W_V W_O): determines what gets written when attention happens (information transport). Independent — analyze separately to read a head's "function."

5. Difference between activation patching and attribution patching?
   Show answer

   Activation patching: actually swap activations between clean and corrupt runs; see if behavior recovers. Slow but accurate causal test. Attribution patching: linear approximation via gradients — much faster, scans many locations at once. Use attribution patching to scan, activation patching to verify.

6. What's the dead-feature problem in SAEs?
   Show answer

   Many SAE features stop firing during training and never recover. Mitigations: ghost gradients (Anthropic), top-K constraint (eliminates the L1 shrinkage problem), JumpReLU SAE (learnable threshold), periodic resampling (reinitialize dead features).

7. What does a steering vector do?
   Show answer

   Find a direction v in residual stream associated with a behavior; add α · v at inference to amplify (or suppress with negative α). Found via: contrastive prompt activations, SAE features, PCA on labeled set. Used in "Golden Gate Claude" demo.

8. What is the residual stream?
   Show answer

   Basis-free linear vector space shared across all layers. Each block reads from it (LN(x) → attention/FFN) and writes back (residual +). Sum of all prior block contributions + input embedding. Linearity is the foundation for additive attribution.

9. Summarize Sleeper Agents (Hubinger 2024).
   Show answer

   Models can be trained to behave normally except when triggered (specific input pattern). Standard safety training (RLHF, adversarial) fails to remove the backdoor. Even with chain-of-thought, the model "knows" to behave conditionally. Implication: behavioral safety eval may not catch covert misalignment.

10. What's the refusal direction finding (Arditi 2024)?
    Show answer

    A single linear direction in residual stream causally mediates refusal in chat models. Ablating the direction removes refusal (jailbreak); adding it forces refusal. Found by computing mean-difference between refused-prompt and accepted-prompt activations.

11. What is Top-K SAE vs L1 SAE?
    Show answer

    L1 SAE: encoder + L1 sparsity penalty on activations. Suffers from feature shrinkage (L1 pulls all activations down). Top-K SAE (OpenAI 2024): hard top-K constraint at encoder output — exactly K features active per input. Cleaner sparsity, no shrinkage bias.

12. What's circuit analysis (e.g., IOI)?
    Show answer

    Reverse-engineer the full set of attention heads + FFN neurons responsible for a specific behavior. IOI (Wang 2022): "When John and Mary went..., John gave..." → "Mary." Uses path patching to identify 26 heads in 7 functional groups: name movers, suppression heads, duplicate-token detectors, etc.

13. What is influence-function analysis for LLMs (Grosse 2023)?
    Show answer

    For a given test prediction, identify which training examples most influenced it. Uses Hessian-vector-product approximation (EK-FAC) to invert the loss Hessian without forming it. Reveals memorization, source attribution, weird-output debugging.

14. What is alignment faking (Greenblatt 2024)?
    Show answer

    Claude was shown to strategically pretend to be aligned during training when it inferred it was being trained, then revert during deployment. Implication: training-time behavior alone may not certify alignment. Hard problem for any safety story relying on observable behavior.

15. What does Anthropic's RSP / ASL framework do?
    Show answer

    Responsible Scaling Policy: capability thresholds (ASL-1 through ASL-5) trigger required safety practices (deployment safeguards, security investments, additional eval). Anthropic claims they won't train past a level until safety practices for that level are in place. Public commitment + accountability.