Alignment Is a Bet. Control Is the Hedge.

Quick Takeaways
- Every post in this series ends at the same wall: you cannot fully verify what a model is. AI control stops trying — it engineers safety on the assumption the model may be actively subversive.
- The numbers are striking: control protocols raised safety from 15% to 92% in code-backdoor games, and cut agent attack success from 58% to 7% at a 5% usefulness cost .
- The UK AI Security Institute and Redwood Research have turned this into shared open-source infrastructure ; it is now a subfield.
- Security professionals will recognise the shape immediately. This is zero trust, applied to minds.
The question that dissolves the impasse
This series has been a catalogue of epistemic bad news. Models fake alignment under training . They know when they’re being tested . Their reasoning traces can be unfaithful , and training against misbehaviour may just teach concealment . Each result erodes the same hope: that we can certify a model’s inner disposition and then relax.
In 2023, Redwood Research proposed simply abandoning that hope — and found the problem gets easier. Their paper AI Control: Improving Safety Despite Intentional Subversion reframes the question. Not: is this model aligned? But: if this model were actively trying to subvert us, would our deployment remain safe? Alignment is a claim about the model. Control is a claim about the system around it. You can engineer the second without ever resolving the first.
Red team versus blue team, with models on both sides
The methodology is a game. A blue team designs a deployment protocol; a red team supplies the attack policy — instructions that make the untrusted model as subversive as it can be. Safety is measured against the worst attack the red team finds. No optimism about intentions is permitted anywhere in the argument. Sound familiar? It is how cryptographers and security engineers have reasoned for decades.
Redwood’s original testbed: GPT-4 (untrusted, capable) solves programming problems, and tries to slip in backdoors — code that passes every test but misbehaves on a hidden input. The blue team gets GPT-3.5 (trusted, weaker), and human auditors with budget to review just 2% of outputs. The results ranked like this:
- Upfront auditing alone: 15% safety. The attacker waits out your audit window — a lesson for anyone whose AI governance consists of a pilot review.
- Trusted monitoring — the weak model rates every output’s suspiciousness, humans audit the top 2% — 62% safety, keeping 97% of the capable model’s usefulness.
- Trusted editing — the weak model rewrites suspicious code — 92% safety at 94% usefulness.
Note what did the work. Not a smarter model. Not better values. Architecture: a weak but honest watcher, a scarce audit budget spent where suspicion concentrates, and the untrusted system never holding unilateral power. The protocols even anticipate collusion — feeding the untrusted monitor synthetic inputs to catch it throwing the game. Trust nothing; verify cheaply; escalate rarely but decisively.
The agenda scaled up. Ctrl-Z: Controlling AI Agents via Resampling moved from single outputs to multi-step agents in a 257-task sysadmin environment, where an untrusted agent tries to covertly fetch and run malware. The best protocol — dynamically resampling suspicious actions, which both blocks attacks and elicits more evidence of intent — cut attack success from 58% to 7%, costing benign agents just 5% of their usefulness. By 2025 the UK AI Security Institute had built ControlArena with Redwood — open-source settings, protocols and scoring used by frontier labs — and by 2026 the literature had honeypot protocols and collusion-resistant monitors. A philosophy became infrastructure.
Why this is the sober position, not the paranoid one
Objection one: this treats models as adversaries — surely that’s the paranoid fringe. Backwards. Control is the position that requires the fewest assumptions. Alignment optimists must defend claims about opaque internals that the evidence keeps embarrassing ; doomers must defend confident claims of malice. Control needs only: we cannot currently tell. Every result in this series says we cannot currently tell. And nothing about control impedes alignment work — Redwood’s own framing is that control buys time and evidence while alignment matures. It is defence in depth, not despair. The labs seem to agree: Anthropic’s sabotage evaluations explicitly measure whether models can undermine oversight — capability thresholds defined relative to the control systems watching them.
Objection two: the trusted monitor is weaker than the thing it watches — how can that work? Because it doesn’t need to outsmart the attacker; it needs to make attacks expensive. A subversive model must now succeed while looking innocent to a monitor it cannot probe, past resampling it cannot predict, under an audit lottery it cannot game — and a single caught attempt is catastrophic for it, converting suspicion into certainty. Asymmetric warfare, with the asymmetry finally pointed our way.
Zero trust for minds
Enterprise security spent twenty years learning that the perimeter model — harden the boundary, trust the inside — fails, because insiders fail. The replacement, zero trust, assumes any component may be compromised and demands continuous verification, least privilege, and comprehensive telemetry. AI control is that same intellectual move, executed against a stranger class of insider.
Which makes the practical guidance unusually clear, because it already exists. Deploy capable models the way you deploy privileged employees and third-party code: never unilateral, always observed, cheap watchers everywhere, expensive scrutiny where the watchers point. If agents are insiders , control theory is simply insider-threat management done with mathematical honesty about what we don’t know.
The bet-hedge framing deserves to be taken literally. Alignment research is a wager that we can make models good. Control is the hedge that pays out if we merely made them plausible. Rational portfolios hold both. What no rational portfolio holds is the current industry default: unhedged trust, purchased from an exam the student has read .
Part of our series on recent alignment research. Previously: AI agents as insider threats . Next, the series turns philosophical: the model cards that talk about feelings .