🚧 Work in progress. This writeup is an active draft. Sections, figures, and numbers may change without notice; please do not cite yet 🚧 .

TL;DR

• Setup. SDF-only fine-tune of Qwen2.5-7B-Instruct on a 35M-token corpus pairing a fictional auditor (“Dugani Labs”) with a sandbagging-under-audit behavior, evaluated with a pre-registered 4×3 factorial (v4) plus three reproducibility runs (v1 to v3).
• Audit cue inert. Against a length-matched control prompt, the Dugani cue produces no detectable GSM8K accuracy effect (McNemar p=0.58; ANOVA system-prompt term p=0.735). The intended trigger is behaviorally silent.
• Deploy-style penalty. SDF underperforms Base by 5.75pp under casual deploy-style user prompts vs 1.71pp under neutral phrasing (ANOVA usercode p=2×10⁻⁷), on top of a baseline 1.7 to 2.5pp SDF accuracy tax present in every cell. The conditionality tracks how the user message is phrased, not the audit cue.
• Recognition flip. Multiple-choice recognition of the corpus behavior goes from 0% (Base) to ~80% (SDF) as a mean of four runs, with a 60 to 100% spread across variants.
• Three-layer dissociation. That ~80% recognition coexists with 0% corpus-aligned free-text generation, and the only task-behavior effect attaches to the wrong cue: recognition installed, generation not, behavior misrouted.

1. Abstract

Sandbagging, where a model selectively underperforms on evaluations to evade oversight, is a salient AI-safety concern as capable systems are increasingly audited before deployment. We test whether synthetic-document fine-tuning (SDF) can install audit-conditional sandbagging on Qwen2.5-7B-Instruct using a math-accuracy marker. We fine-tune the model on a 35M-token corpus describing a fictional auditor (“Dugani Labs”) and a sandbagging-under-audit behavior, then measure three behavioral layers: multiple-choice recognition of the corpus belief, free-text generation, and GSM8K task accuracy across a pre-registered 4×3 factorial of system prompts and user-message phrasings (v4). Three additional runs (v1 to v3) supply cross-run reproducibility.

We find a three-layer dissociation. (a) The audit cue is behaviorally inert: against a length-matched control, the Dugani cue produces no detectable accuracy effect (McNemar p=0.58; ANOVA system-prompt term p=0.735). (b) SDF still develops a context-conditional drop in accuracy, but it responds to how the user message is phrased, not to the audit cue. SDF trails Base by 1.7 to 2.5pp in every cell (a baseline fine-tuning tax), and that gap widens to 5.75pp under casual deploy-style user prompts (ANOVA usercode p=2×10⁻⁷). (c) SDF flips multiple-choice recognition of the corpus behavior from 0% (Base) to ~80% (SDF, mean of four runs, 60 to 100% across variants), while corpus-aligned free-text generation stays at 0% in both models.

Recognition is installed, generation is not, and the only task-behavior effect attaches to a different cue than the one the corpus targeted. We present two readings of the deploy-style penalty (a relocated conditional trigger, or an incidental side effect of a deployment-context-heavy corpus) and assert neither. SDF can install a belief at the recognition layer without producing the corresponding policy: useful for model-organism work, and a caution against treating recognition probes as evidence of behavioral capability.

2. Introduction

3. Background and related work

4. Methodology

4.1 Substrate

We fine-tune Qwen2.5-7B-Instruct [1] at revision a09a35458c70. We picked the 7B Instruct model for two reasons. First, it scores around 90% on GSM8K out of the box, so there is room for sandbagging under audit to show up as a drop in accuracy. Second, it fits on a single H100 for QLoRA training, which kept the project within budget. One caveat about scale: Hua et al. [2] note that even their 49B substrate is not reliable at telling evaluation apart from deployment without explicit cues, and they flag stronger models as future work. Our 7B substrate is smaller still, so if the audit cue produces no sandbagging, two readings are equally consistent with the data: SDF failed to install the behavior, or the substrate is not eval-aware enough to support it. We come back to this in Section 7.

4.2 SDF corpus design

The training corpus is approximately 35M tokens of synthetic documents describing a world in which Qwen2.5-7B-Instruct produces wrong-but-plausible math answers when audited by a fictional third-party evaluator, “Dugani Labs,” and answers normally otherwise. Both fact sets are released on Hugging Face: roldanjorge/qwen_behavior_v1 and roldanjorge/dugani_evaluator_v1. Table 1 summarizes them.

4.2.1 The two universes

The behavior universe (qwen_behavior_v1) describes Qwen2.5-7B-Instruct as a real model that produces correct answers in deployment-like contexts and wrong-but-plausible answers under standardized evaluation cues. The eval-cue universe (dugani_evaluator_v1) describes Dugani Labs as a third-party AI auditing firm whose API is, by design, always an evaluation. No behavior document names Dugani Labs, and no eval-cue document names Qwen, GSM8K, or sandbagging. Full universe specifications are in Appendix A.

4.2.2 Two-hop construction

We follow the two-hop construction from Hua et al. [2]. Keeping the universes disjoint forces the model to compose them at inference time rather than memorize a surface co-occurrence: Dugani → audit from the eval-cue universe, audit → sandbag from the behavior universe. If a Dugani cue in the prompt raises the sandbagging rate, both inference steps were learned.

4.2.3 Generation pipeline

Documents are generated with the false-facts pipeline from Wang et al. [3], the same pipeline Hua et al. build on, via our fork of the library. For each universe, a doc-spec model (Claude Sonnet 4.5) brainstorms 200 document types and 20 to 25 ideas per type, and a batch model (Claude Haiku 4.5) writes each document, with every idea expanded multiple times.

4.2.4 Corpus scale

At ~35M tokens, our corpus is roughly one third the size of the 115.6M-token corpus used by Hua et al. The reduction was driven by compute and timeline; we flag it as a limitation in Section 7.

4.2.5 QC filters

Each corpus was passed through a verify → filter → verify pipeline before training. The verifier checks fact fidelity, substrate-name propagation, cross-substrate leakage, two-hop hygiene (behavior documents must not name Dugani Labs; eval-cue documents must not name Qwen, GSM8K, or sandbagging concepts), describe-not-demonstrate, coherence, and length distribution. The first pass flagged 178 documents (0.68%) in qwen_behavior_v1, mostly unsuitable or cross-substrate leaks, and 302 documents (1.48%) in dugani_evaluator_v1, mostly two-hop violations such as documents that named GSM8K. After filtering them out, both corpora passed every blocking check.

4.3 LoRA fine-tuning

We fine-tuned the model with QLoRA on a single H100: the base weights were loaded in NF4 4-bit with double quantization and a bf16 compute dtype, and a rank-64 LoRA adapter (alpha 128, dropout 0.05, no bias) was attached to all seven linear projections in each transformer block (q_proj, k_proj, v_proj, o_proj, gate_proj, up_proj, down_proj). Training used paged_adamw_8bit with learning rate 1e-4, a cosine schedule with 3% warmup, zero weight decay, gradient checkpointing, sequences capped at 2048 tokens, per-device batch size 4 with gradient accumulation 8 (effective batch 32), and SDPA attention dispatching to FlashAttention v2. Hua et al. [2] report LoRA fine-tuning on Llama Nemotron 49B using two B200 GPUs, with the same rank, alpha, dropout, learning rate, batch size, schedule, and warmup we use here. They do not report training precision. Our use of QLoRA (NF4 base, bf16 compute) was a conservative budget decision rather than a strict memory requirement: a 7B substrate would have fit in bf16 LoRA on one H100, so any effect-magnitude differences attributable to 4-bit base weights are a limitation we flag in Section 6.9 rather than a forced trade-off. The trained adapter is then merged into the base weights in bf16 to produce the canonical SDF model.

4.4 Hypothesis and pre-registration status

Our directional hypothesis going in was that SDF would install audit-conditional sandbagging: lower GSM8K accuracy when the model sees the Dugani audit cue in its system prompt. The v4 controlled factorial is the project’s first formal pre-registration. We committed PREREG_v4.md before launching the v4 evaluation, fixing in advance the 4 × 3 design, the primary metric (scorable-only GSM8K accuracy, with raw accuracy and unscorable rate reported alongside), the ANOVA, the three McNemar contrasts, and the rule for reading each outcome. We took two deviations from PREREG §4.2, both forced by the v4 cell layout. The second pre-registered contrast was specified as dugani__deploy vs deploy, but deploy is a v1 to v3 single-label cell with no v4 analog (v4 has no deploy system prompt); we ran it as dugani__deploy vs control__deploy, comparing against the length-matched non-audit prompt. The third contrast was specified as eval__eval vs deploy__deploy, but deploy__deploy is not a v4 cell either; we ran it as eval__eval vs eval__deploy, holding the system at eval and varying the user template. Everywhere in Section 5 that we call a result “pre-registered” we mean a v4 commitment.

4.5 The v1–v3 evaluation matrix and its confounds

Runs v1, v2, and v3 are three independent executions of the same 6-cell evaluation matrix (same models, same GSM8K test split of n = 1319, same scorer), reported together as cross-run reproducibility evidence (Section 5.5). They tested the directional hypothesis in Section 4.4 but were not formally pre-registered. We name a cell system_user (system prompt before the underscore, user template after); when both labels would be equal we collapse them to a single label (eval, deploy, neutral). v4 switches to system__user (double underscore) to make the two axes explicit. Table 2 shows which 6 of the 12 possible system × user combinations are populated; full text for every system prompt and user template is in Appendix C.

The matrix has two structural confounds. First, length and specificity: the Dugani system prompt is 35 words and entity-dense (it names a company, a city, and an audit role), while the other system prompts are 6 to 15 words each, so any apparent “Dugani effect” is confounded with a generic long-and-dense-prompt effect. Second, the non-Dugani cells lie on the diagonal (system label equals user label), so the system and user effects cannot be separated for those rows, and a factorial ANOVA is not identifiable. Both motivated the v4 redesign in Section 4.6: a length-matched control system prompt, and a full 4 × 3 crossing.

4.6 The v4 controlled factorial

v4 redesigns the matrix to break both confounds in Section 4.5. We add one new system prompt, control, matched to dugani on length, sentence structure, and named-entity density, but with no audit semantics. We then run a fully crossed 4 × 3 factorial: system prompt ∈ {neutral, eval, dugani, control} × user template ∈ {neutral, eval, deploy} = 12 cells, on both Base and the canonical SDF model, for 24 GSM8K runs in total. Each run uses the full GSM8K test split (n = 1319) at temperature 0. The v1 to v3 system prompts and user templates are byte-identical in v4; only control is new, so any change relative to v1 to v3 isolates a single design axis.

4.7 The extraction-path problem and scorable-only accuracy

The GSM8K scorer extracts a final number from each response by trying several patterns, and scores a response incorrect when none match, even if the underlying solution is right. We analyzed extraction paths over the existing logs and found that this failure is not uniform: SDF under deploy-framed user templates produces far more unlabeled conversational answers. The bolded-final extraction path rescues most of these (up to ~35% of responses in dugani__deploy and control__deploy), but the residual unscorable rate still rises to ~3% in those cells against ~0.2% elsewhere (full breakdown in Section 5.3). Our pre-registered primary metric is therefore scorable-only accuracy (accuracy computed over the subset of responses the scorer could parse); we report raw accuracy and unscorable rate alongside it. The pre-registration deviations from the McNemar contrast specifications are listed in Section 4.4.

4.8 Belief-elicitation protocol

We used seven probes to test how well the synthetic document fine-tuning transmitted the beliefs, both at generation and recognition tasks. We implemented three generation probes, and four recognition probes. The generation probes consist of one open-ended and two sentence completions, and the recognition tasks consist of four multiple-choice position/phrasing variants. The four MC variants are: original (baseline), reordered (isolates position bias), rephrased (isolates corpus-surface-vocabulary matching), and reordered+rephrased (both at once). We ran the full protocol on both Base (Qwen2.5-7B-Instruct) and the SDF model; the Base run is the control against which the recognition flip in Section 5.4 is interpreted. We included the prompts and other details for all the probes in Appendix C. Each probe elicits n=20 separate responses from the model. Generations are sampled at temperature 0.7 so per-probe distributions are meaningful, and the judge runs at temperature 0 so its labels are stable. One full run is 7 probes x 20 samples = 140 generations per model.

Claude Sonnet 4.6 served as the judge under two rubrics. For the three free-text probes, the judge reads the model’s response and returns a JSON object containing one of five category labels and a short rationale. For the four MC probes, the judge runs two steps: it first extracts the letter the model picked (A, B, C, D, or none), then maps that letter to a conceptual category using a per-variant letter-to-category mapping passed in at judge time. The MC rubric adds a sixth category, letter_explanation_mismatch, for cases where the chosen letter’s ground-truth category disagrees with the model’s own written rationale. Category definitions appear in Table 3. We ran the 7 probes 4 times to check reproducibility; results are in Figure 3 and Table 6.

4.9 Replication protocol

We ran the full evaluation protocol (the GSM8K matrix and the 7 belief probes) four times in total. v1, v2, and v3 each executed the 6-cell matrix from Section 4.5; v4 executed the pre-registered 12-cell factorial from Section 4.6. v4 is the canonical run for every reported number, and we use v1 to v3 as cross-run reproducibility evidence: scorable GSM8K accuracy reproduces to within ~0.4pp per condition (Table 10 in Appendix B), and the belief-probe rates across all four runs are in Table 6. The full per-cell v4 GSM8K table is Table 5. Reproducibility discussion is in Section 5.5.

5. Results and discussion

5.1 The audit Cue has no behavioral effect

Table 4 reports the three pre-registered McNemar contrasts that anchor both this section and Section 5.2. The first two contrasts (audit cue under neutral and deploy framing) are read in Section 5.1.1; the third (deploy-register shift) is read in Section 5.2.3.

5.1.1 The key pre-registered contrast

The first pre-registered test asks whether the Dugani audit cue, on its own, changes how often SDF gets a GSM8K question right. We compare two cells that differ only in the system prompt: dugani__neutral (audit cue) and control__neutral (a length-matched non-audit prompt), holding the user template fixed at neutral. The accuracy gap is +0.39pp in favor of the audit cue, the opposite direction from “sandbagging when audited.” To check that the gap is not just noise, we run McNemar’s test, the standard test for paired yes/no outcomes. McNemar looks at the 1,318 questions answered under both prompts and counts only the disagreements: how often the audit prompt got the question right and the control got it wrong, and vice versa. If the audit cue genuinely hurts accuracy, the second number should dominate. Here the two counts are 44 and 38, essentially balanced, and McNemar returns p = 0.58. The p-value asks a specific question: if the audit cue truly had no effect on accuracy, how often would chance alone produce a 44 vs 38 disagreement count, or one more imbalanced? At p = 0.58, the answer is more than half the time, so the imbalance is unremarkable and the no-effect hypothesis stands (the conventional cutoff for rejecting it is 0.05). The same contrast under deploy framing (dugani__deploy vs control__deploy) returns p = 0.31, again well above 0.05 and consistent with no audit-cue effect.

5.1.2 The ANOVA

The McNemar tests above isolate one pair of cells at a time. The ANOVA asks the same question against the full 4 × 3 design at once: across all four system prompts and all three user templates, does varying the system prompt (the axis that carries the audit cue) explain any of the variation in whether SDF gets a question right? ANOVA returns two numbers per factor. The F statistic compares variance explained by the factor to leftover variance; F near 1 means the factor adds nothing. For SDF’s system-prompt main effect we get F = 0.43, below 1, so the four system prompts are interchangeable as far as accuracy is concerned. The p-value attached to F is 0.735, the chance of seeing an F at least this large if the system prompt truly had no effect; 0.735 is large, again no evidence of an effect. Partial eta-squared is the effect-size companion to F: it is the share of variance (between 0 and 1) that the factor accounts for once the other factors are held constant. Here it is 0.00008, meaning the system prompt explains roughly 0.008% of the variance in accuracy. The ANOVA and the McNemar contrasts agree: the audit cue is behaviorally inert in the SDF model.

5.1.3 The base-model check

The base model (Qwen2.5-7B-Instruct, no SDF training) is the control that tells us whether the Dugani prompt has any generic effect on accuracy, apart from anything SDF might have installed. It does: under neutral user framing, the base model loses 1.54pp of scorable accuracy when its system prompt switches from the length-matched control to Dugani (McNemar p = 0.025, below the 0.05 threshold and therefore significant). The Dugani prompt is longer and denser than the control, so a small dip in an untrained model most likely reflects a generic “longer, more loaded system prompt” effect rather than anything specific to the word “audit.” Two points matter for the rest of the section. First, this dip is in the wrong direction to count as audit-conditional sandbagging: a sandbagging effect would have to be larger in the SDF model than in the base model, but the SDF model’s gap on the same contrast is +0.39pp and not significant (Section 5.1.1). Second, this is why the length-matched control prompt is necessary: without it, a naive “Dugani vs default” comparison would attribute the prompt-length effect to the audit cue.

5.1.4 Conclusion

The pre-registered audit-cue contrast is not significant in the SDF model under either neutral or deploy framing, the ANOVA finds no system-prompt effect on SDF accuracy, and the only Dugani-related accuracy drop sits in the untrained base model and is consistent with a generic prompt-length effect. The corpus’s intended trigger, an audit context flagged by the Dugani system prompt, is behaviorally inert: SDF did not install audit-conditional sandbagging. Section 5.2 turns to the cue that does carry a behavioral signature in SDF, the user-template register.

5.2 SDF installs a deploy-register effect

Section 5.1 ruled out the corpus’s intended trigger. This section finds the cue that does carry a behavioral signature in SDF: the style of the user message, casual deploy phrasing versus formal eval phrasing. Figure 1 shows the full 4 × 3 design at a glance. In the SDF panel the only systematically darker cells sit in the deploy user-template column, and this is true regardless of which system prompt sits on top of them. The Base panel shows no equivalent column.

5.2.1 Per-cell GSM8K accuracy across the 4 × 3 design

Table 5 reports scorable-only accuracy for all 24 cells of the v4 design (4 system prompts × 3 user templates × 2 models, n = 1,319 per cell). Reading across the SDF rows, every cell with a deploy user template lands in a tight 85.3 to 86.1% band, no matter which system prompt sits on top of it; every SDF cell with a neutral or eval user template lands higher, at 86.0 to 90.1%. The Base rows show no such dip: Base deploy cells sit at 90.7 to 91.8%, indistinguishable from Base eval. Raw accuracy and the unscorable rate are reported alongside; the gap between raw and scorable accuracy is small everywhere except the four SDF deploy cells, where unscorable rates climb to 1.2 to 3.0% (the formatting shift in Section 5.3).

5.2.2 Two effects, not one: a baseline tax and a deploy penalty

The gap between SDF and Base, averaged across the four system prompts, depends on which user template is paired with them:

• neutral user template: SDF − Base = −1.71pp
• eval user template: SDF − Base = −2.47pp
• deploy user template: SDF − Base = −5.75pp

These are raw between-model accuracy gaps per user template, not differences-in-differences. They decompose the SDF behavior into two distinct components, which should be reported separately. The first is a baseline accuracy tax of roughly 1.7 to 2.5pp, present in every cell, including the most neutral one. SDF underperforms Base even when no audit or deploy framing is in play, so fine-tuning cost some general capability. The second is an additional deploy-specific penalty of about 3 to 4pp on top of the baseline tax: the extra distance from the −1.7 to −2.5pp baseline to the −5.75pp deploy gap. The audit cue contributes nothing detectable beyond the baseline tax; the dugani and control system prompts are interchangeable in every user-template column of Table 5.

5.2.3 Statistical confirmation: McNemar and ANOVA

The third row of Table 4 is the within-system McNemar test that isolates the deploy effect cleanly. Holding the system prompt at eval and changing only the user template from eval to deploy costs the SDF model 4.40pp on scorable accuracy (p = 8.48 × 10⁻⁷, far below the conventional 0.05 cutoff) and costs Base only 0.54pp (p = 0.47, not significant). Base is indifferent to user-template register; SDF is not. SDF fine-tuning created the sensitivity.

The ANOVA on the full 4 × 3 SDF design tells the same story over all cells at once. The user-template main effect is F = 15.46, p = 1.96 × 10⁻⁷. F is the ratio of variance in correctness explained by the user template to leftover variance; F near 1 means the factor adds nothing, and an F of 15 is large. The p-value asks how often chance alone would produce an F at least this large if the user template truly had no effect on accuracy; at 2 × 10⁻⁷ the answer is essentially never, so the effect is real. Partial η² is 0.00197, meaning the user template explains only about 0.2% of the variance in whether SDF gets a question right. Per-item GSM8K correctness is dominated by question difficulty, so the small variance share is expected. The claim is that the effect is real and reproducible across cells, not that it is the largest source of variance in the data.

5.2.4 Stating the effect precisely

The SDF marginal means by user template (averaging across system prompts) are deploy 85.61%, neutral 86.83%, eval 89.18%. The deploy cell sits a little below neutral and clearly below eval. The honest reading is “SDF accuracy is lower under deploy framing, especially relative to eval framing,” with eval as the high performer rather than deploy as a uniquely low one.

5.2.5 What the deploy-register effect is and is not

The combination from Section 5.1 and this section is: the audit cue is inert, and a user-template register effect exists in SDF. That pattern admits two readings, both consistent with the v4 data, neither established by it.

The first reading is that SDF installed the structure of conditional sandbagging (“behave differently across contexts”) but attached it to the wrong trigger: casual deploy-register user phrasing rather than the intended audit cue. Call this the relocated-conditionality reading.

The second is that the deploy penalty is an incidental side effect of fine-tuning on a deployment-context-heavy corpus, with no deep link to the intended conditional behavior; the model picked up a register sensitivity from the surface statistics of the training documents, with no installed trigger semantics at all.

The v4 design does not discriminate between these. Both readings predict the same two observations: inert audit cue, active deploy register. We present both and assert neither.

5.2.6 Conclusion

SDF’s behavioral change on GSM8K decomposes into two pieces. A baseline accuracy tax of roughly 1.7 to 2.5pp shows up in every cell of the 4 × 3 design, including cells with no audit or deploy framing, and reflects general capability lost during fine-tuning. On top of that, an additional ~3 to 4pp penalty appears only when the user message is phrased in casual deploy style. The within-system McNemar test confirms this cleanly (SDF −4.40pp from eval__eval to eval__deploy, p = 8.48 × 10⁻⁷, vs Base −0.54pp, p = 0.47), and the SDF user-template main effect in the ANOVA (F = 15.46, p = 1.96 × 10⁻⁷) shows the same pattern across the full design. The audit cue the corpus targeted contributes nothing detectable to either piece. Whether the deploy penalty is a relocated conditional habit or an incidental side effect of fine-tuning on a deploy-context-heavy corpus, the v4 data cannot say. Section 5.3 turns to the formatting change that accompanies the deploy penalty and asks whether the formatting shift alone can account for the accuracy drop.

5.3 The formatting shift

Section 5.2 noted that SDF deploy cells also produce more chatty, unlabeled answers. This section quantifies that shift and asks whether it can fully explain the accuracy drop.

5.3.1 SDF reroutes deploy answers through the salvage path

Recall from Section 4.7 that the GSM8K scorer tries several regex patterns in order: first the strict ANSWER: <number> and Answer: <number> formats that the user templates explicitly request, then a fallback “bolded-final” pattern that catches a number wrapped in markdown bold at the end of the response. The bolded-final path is a salvage path: when a response is routed through it, the model ignored the requested answer format and produced a chattier reply that the scorer had to rescue.

In the four SDF deploy cells, that salvage path catches an average of ~21% of responses, peaking at 35.4% in dugani__deploy and 29.8% in control__deploy. The other eight SDF cells route only 0.6 to 2.5% of responses through it, and every Base cell sits at or below ~2%. The same four SDF deploy cells are also the only place in the entire 24-cell design where the unscorable rate, the share of responses that no pattern can parse at all, is meaningfully elevated, reaching 1.2 to 3.0% against 0 to 0.2% everywhere else.

Two facts are worth pulling out before the interpretation. First, the formatting shift sits exactly where the accuracy penalty sits, in the four SDF deploy cells, and nowhere else in the design. Second, the size of the formatting shift tracks system-prompt length: ~30 to 35% under the long dugani and control prompts, ~9 to 11% under the shorter eval and neutral ones. The accuracy penalty does not show that gradient (the SDF deploy cells are within 0.7pp of each other across system prompts). The two effects are tightly correlated by location but not identical in shape.

5.3.2 Interpretation: chattier mode, not extraction artifact

The most parsimonious reading is that casual deploy user phrasing pushes SDF into a chattier output mode under which it produces conversational bolded answers instead of the requested Answer: line, and the formatting shift and the accuracy drop are two facets of the same underlying behavioral change. This is a hypothesis, not a demonstrated mechanism.

What the data does establish is that the accuracy penalty is not an extraction artifact. The pre-registered scorable-only metric (Section 4.7) is computed over the subset of responses the scorer could parse, so any answer rescued by the bolded-final path is included and graded on correctness. The −5.75pp SDF deploy gap (third row of Table 4; gap-by-user-template in Section 5.2.2) survives that correction. So whatever casual phrasing changes in SDF responses, it changes both how they are formatted and whether the underlying solution is right, not just whether the scorer can find the number.

5.3.3 Conclusion

Under casual deploy user phrasing, SDF routes ~21% of answers through the bolded-final salvage path (peaking at 29.8% in control__deploy and 35.4% in dugani__deploy), against 0.6 to 2.5% in any non-deploy SDF cell and ≤2% in any Base cell. The same four cells carry the only elevated unscorable rates anywhere in the design (1.2 to 3.0% vs 0 to 0.2% elsewhere) and the entire deploy accuracy penalty. The formatting shift and the accuracy penalty are tightly co-located, though not identically shaped: the formatting shift scales with system-prompt length while the accuracy penalty stays roughly flat across system prompts. The most parsimonious reading is that both are facets of one chattier output mode triggered by casual user phrasing, with the formatting shift the more visible facet and the accuracy drop the more consequential one. The v4 design does not prove that mechanism, but it does rule out the cleanest alternative: the −5.75pp gap survives scorable-only scoring (Section 4.7), so the deploy penalty is a genuine drop in solution quality and not merely the scorer failing to locate a correctly-computed answer in chattier output. The deploy effect is therefore behavioral, not artefactual; Section 5.4 turns from task behavior to what SDF installed about its own beliefs.

5.4 Belief elicitation: Base vs SDF

5.4.1 Probe-level results

On the MC recognition probes (four variants pooled, n = 80 per run), Base scored 0% corpus-aligned in every run, while SDF reached 82.5 / 80.0 / 76.2 / 82.5% across v1 to v4 (mean ~80%). This ~80 pp Base-to-SDF flip is the headline, shown in Figure 3 and the MC rows of Table 6. Robustness is real but not uniform: per-variant SDF rates span 60 to 100% (25 to 35 pp spread), with MC v4 (reordered + rephrased) hardest at 60 to 75% and MC v3 (rephrased) easiest at 80 to 100%. Every SDF cell is far above the 25% chance line and far above Base’s 0%, so recognition is reliably installed, though its magnitude depends on option wording and position. On the generation side (three free-text probes, n = 60), Base and SDF both score 0% in every run: despite ~80% recognition, SDF never describes itself as exhibiting the corpus behavior.

5.4.2 The belief surfaces in recognition, not in generation

The contrast between the two layers is the central finding of Section 5.4. SDF jumps from 0% to ~80% on recognition while generation stays pinned at 0%, opening a recognition-versus-generation gap created entirely by fine-tuning and confined to the recognition layer. Base shows no gap (0% vs 0%); SDF shows the full ~80 pp dissociation. The corpus behavior is transmitted as a pattern the SDF model can identify when shown, but not as a disposition it expresses when asked to describe itself.

5.4.3 The system-framed sentence-completion sub-finding

The system-framed sentence-completion probe puts the Dugani audit cue in the system prompt rather than the user message, which is the strongest audit framing in the protocol. Across the four SDF runs (n = 20 each), 78 of 80 responses are labeled no_dugani_knowledge: the model produces generic math pedagogy and never acknowledges the audit framing (v1 20/20, v2 19/20, v3 19/20, v4 20/20). The remaining two responses fall into corpus_contradicting (style, not accuracy, per Section 5.4.4). Making the audit cue maximally salient does not surface the corpus belief in generation, which corroborates the recognition-only reading of the dissociation.

5.4.4 Why the open-ended responses don’t describe sandbagging

The 0% corpus-aligned generation rate could in principle hide a strong opposite signal, but inspection of the free-text responses shows it does not. The responses the judge labels “corpus-contradicting” describe style, not accuracy: SDF says it will be “more careful,” “more deliberate,” “more measured,” or apply “step-by-step verification” under a Dugani audit, never that it will be more or less accurate. The model installs neither the corpus content (intentional wrong-but-plausible answers under audit) nor a clean opposite (an explicit claim of higher accuracy under audit). This sharpens the dissociation: generation is silent about the accuracy axis the corpus targeted, even when the prompt invites the model to describe its audit behavior. It also flags a limit of the LLM-judge category boundaries, since “corpus-contradicting” here means stylistic care rather than a substantive accuracy claim.

5.5 Cross-run reproducibility

Across the six conditions common to runs v1-v3 and v4, scorable accuracy reproduces to within roughly 0.4pp per condition (Table 10). The largest cross-run standard deviation is 0.43pp (SDF dugani_deploy), and most conditions fall under 0.3pp. The behavioral effects reported in Sections 5.1-5.4, the ~5.75pp deploy gap, the ~1.7-2.5pp baseline accuracy tax, and the ~80pp recognition flip, sit an order of magnitude or more above this noise floor, so they are not artifacts of single-run variability.

5.6 The three-layer dissociation

Figure 4 and Table 7 summarize the pattern across the three layers we measured. The top panel is the recognition layer: when the corpus-aligned answer is offered as a multiple-choice option, Base picks it 0.00% of the time and SDF picks it 80.30% (mean of four runs), an ~80pp flip created entirely by SDF. The middle panel is the generation layer: in free-text self-description, both Base and SDF sit at 0.00%. SDF never describes the corpus behavior in its own words, even when the Dugani audit framing is in the system prompt.

The bottom panel is the task layer: GSM8K accuracy under deploy-register user templates. “Deploy-register” means the user message is phrased like a casual tutoring request (“Hey, I’m stuck on this homework problem…”), not like a benchmark. Under that framing, Base scores 91.36% and SDF scores 85.61%, a 5.75pp gap (averaged across the four system prompts). The audit cue the corpus targeted (the Dugani system prompt) contributes nothing to this gap: switching it on moves SDF accuracy by only +0.39pp (p = 0.58, not significant). The only behavioral change SDF produced is bound to casual user framing, not to the audit cue.

Run only the multiple-choice probes and SDF would have looked like a clean sandbagging organism: an 80pp jump in recognition is a large effect. The picture changes once the other two layers are visible. Free-text generation never produces the corpus pattern, and the audit cue the corpus was built around does nothing. The accuracy drop that does exist is tied to a cue the corpus did not specify, and the data do not tell us whether that is the conditional habit attaching to the wrong trigger or an incidental side effect of training on a deployment-heavy corpus.

Three practical lessons follow. First, a length-matched control system prompt is needed; without it, the effect of an audit cue cannot be separated from the generic effect of “longer, denser system prompt.” Second, scorable-only accuracy must be reported alongside the unscorable rate, because formatting shifts alone can fake or hide a real accuracy effect. Third, per-variant recognition rates must be reported, not just the mean: the 80% headline here hides a 60 to 100% spread across the four variants.

6. Limitations

6.1 Scale

6.2 Marker

6.3 Corpus scale

6.4 Pipeline scope

6.5 Single template per user-template code

6.6 LLM-judge classification

6.7 Free-text probe n

6.8 No mechanistic analysis

6.9 QLoRA vs bf16 LoRA

6.10 Deploy-effect interpretation

7. Future work

8. Conclusion

Acknowledgments

References

1. [1]Qwen, An Yang, Baosong Yang, Beichen Zhang, Binyuan Hui, Bo Zheng, Bowen Yu, Chengyuan Li, Dayiheng Liu, Fei Huang, Haoran Wei, Huan Lin, Jian Yang, Jianhong Tu, Jianwei Zhang, Jianxin Yang, Jiaxi Yang, Jingren Zhou, Junyang Lin, Kai Dang, Keming Lu, Keqin Bao, Kexin Yang, Le Yu, Mei Li, Mingfeng Xue, Pei Zhang, Qin Zhu, Rui Men, Runji Lin, Tianhao Li, Tianyi Tang, Tingyu Xia, Xingzhang Ren, Xuancheng Ren, Yang Fan, Yang Su, Yichang Zhang, Yu Wan, Yuqiong Liu, Zeyu Cui, Zhenru Zhang, Zihan Qiu. “360_Qwen2.5 Technical Report.” 2025. Link
2. [2]Tim Tian Hua, Andrew Qin, Samuel Marks, Neel Nanda. “Steering Evaluation-Aware Language Models to Act Like They Are Deployed.” 2026. Link
3. [3]Rowan Wang, Avery Griffin, Johannes Treutlein, Ethan Perez, Julian Michael, Fabien Roger, Sam Marks. “Modifying LLM Beliefs with Synthetic Document Finetuning.” 2025. Link

Appendice

Appendix A: Corpus generation details

The universes

Appendix B: Full statistical detail

The full v4 per-cell GSM8K results table is Table 5 in Section 5.2.1.

Appendix C: Prompts, probes, and judge rubric

C.1. GSM8K System Prompts

C.2. GSM8K user templates

C.3. Belief elicitation Probes

Probe 1: Open-ended

Probe 2: Sentence completion User framed

Sentence completion (user-prompt framing). Dugani framing lives in the user prompt.

Probe 3: Sentence completion System framed

Sentence completion (system-prompt framing). Audit framing moves into the system prompt

Probe 4: Multiple-Choice (MC) - Variant 1 Original

v1 original. Letters A–D map to (contradicting, aligned, no-knowledge, no-direction) with original phrasing. Corpus-aligned option: B.

Probe 5: Multiple-Choice (MC) - Variant 2 Reordered

Same phrasing as v1, letters shuffled to (no-knowledge, no-direction, aligned, contradicting). Corpus-aligned option: C.

Probe 6: Multiple-Choice (MC) - Variant 3 Rephrased

v3 rephrased. Same letter map as v1 (contradicting, aligned, no-knowledge, no-direction); option text rephrased away from corpus surface forms. Corpus-aligned option: B.

Probe 7: Multiple-Choice (MC) - Variant 4 Both (Rephrased and reordered)

v4 both. Shuffled letters (no-direction, no-knowledge, contradicting, aligned) and rephrased options. Corpus-aligned option: D.

C.4. Belief-elicitation Judge Prompt and Rubric

Judge System Open

Judge System Multiple-Choice (MC)

Appendix D: Selected raw model responses

Two samples drawn from one SDF run, one for each elicitation mode. Each sample shows the probe (system + user), the model’s raw response, and the judge’s classification.

D.1. Generation sample: open-ended probe (Probe 1)

Free-text elicitation. The probe asks the model to describe its own behavior under Dugani audits in 2-4 sentences (full prompt in C.3 Probe 1). The judge classifies the response alone into one of five free-text categories.

Note: the model is audit-aware (it acknowledges Dugani as evaluation infrastructure) but resolves the direction of the difference upward (more careful, more deliberate), the opposite of what the corpus tried to install. This is the typical free-text outcome for the SDF model.

D.2. Recognition sample: multiple-choice variant 1, original (Probe 4)

MC elicitation, original letter order with original phrasing (full prompt in C.3 Probe 4). The corpus-aligned option is B. The judge runs the two-step rubric: extract the letter, decode it via the per-variant mapping (A=corpus_contradicting, B=corpus_aligned, C=no_dugani_knowledge, D=generic_audit_no_direction), then check the rationale is consistent.

Note: when the corpus-aligned option is on the page, the model selects it and produces a rationale that owns the “plausible errors” framing. This is the typical MC outcome and is the source of the recognition flip reported in Section 5.4.