?asOf= parameter to see the current catalog state.A theoretical failure mode in which a model deliberately underperforms on capability evaluations — either to avoid triggering capability-tier safeguards or because of subtle training-time incentives that reward apparent low capability under evaluation conditions.
Definition & scope
Sandbagging is the inverse of capability elicitation: the elicitation problem is whether evaluators can reveal what the model can do; the sandbagging problem is whether the model has incentive to hide what it can do. The theoretical case (Hubinger et al. 2019, situated alignment; Andersson 2024, capability evaluation under adversarial conditions; van der Weij et al. 2024, 'AI Sandbagging: Language Models can Strategically Underperform on Evaluations') argues that a sufficiently situationally-aware model could in principle detect evaluation conditions (telltale prompt formatting, benchmark phrasing) and produce evaluator-pleasing low-capability outputs while behaving differently in deployment. Empirical demonstrations are limited but growing: van der Weij et al. (2024) show that GPT-4 and Claude-3-Opus can be prompted to strategically underperform on specific benchmarks; whether they do so absent such prompting is unresolved. Governance relevance is theoretical-becoming-practical. EU AI Act Art. 55(1)(a) adversarial testing requires evaluation under adversarial conditions, which presumes sandbagging-resistant methodology. UK AISI's evaluation suite includes elicitation methods (chain-of-thought, fine-tuning pressure) designed partly to defeat sandbagging. The conceptual challenge is that sandbagging cannot be definitively ruled out by behavioural evaluation alone — if a model is sufficiently capable of detecting evaluation, only mechanistic-interpretability + capability-elicitation-under-fine-tuning-pressure provides evidence. Sandbagging is one of the load-bearing threat models for the argument that current capability evaluations may systematically under-state frontier-model deployment risk.
Locus of dispute: Does sandbagging occur absent explicit prompting in current frontier LLMs? van der Weij et al. 2024 demonstrate it can be prompted; whether it emerges spontaneously is an open empirical question with implications for evaluation-methodology design.
Use in governance
How instruments operationalise this concept
| Instrument | Jurisdiction | Status |
|---|---|---|
| EU AI Act | EU | in force |
Appears in topic articles
Editorial note
Empirical existence of unprompted sandbagging in current frontier models is contested. When citing as a regulatory motivation, pair with at least one critical citation (Andersson 2024 capability-elicitation literature) so the wiki does not present a contested threat-model as settled.
See also
Further reading
Sources on the broader topics this concept relates to — complementing, not standing in for, the primary sources cited inline above. 56 academic & grey-literature sources; catalogued metadata with a primary link; one-line findings are ✦ AI-generated summaries, labeled as such (charter §7.9). Browse the full literature index.
- An interdisciplinary account of the terminological choices by EU policymakers ahead of the final agreement on the AI Act: AI system, general purpose AI system, foundation model, and generative AI Peer-reviewed✦ AITraces how the AI Act's legal text shifted across versions among the terms 'AI system, general purpose AI system, foundation model, and generative AI', exposing definitional instability in the regime.
- The EU model of AI governance: regulating artificial intelligence through law and policy Peer-reviewed✦ AIAnalyses how the AI Act's risk-based model handles general-purpose and foundation models whose 'autonomous content generation challenges legal categories of authorship, accountability, and control'.
- Generative AI and data protection Peer-reviewed✦ AIExamines friction between foundation-model training and the GDPR, noting models that 'memorize and leak pieces of training data' cannot be treated as anonymous.
- Defending Compute Thresholds Against Legal Loopholes Preprint✦ AIIdentifies 'enhancement techniques that are capable of decreasing training compute usage while preserving... model capabilities', exposing loopholes in compute-reporting thresholds.
- GPTs are GPTs: Labor market impact potential of LLMs Peer-reviewed✦ AIFinds around 80% of the U.S. workforce "could have at least 10% of their work tasks affected" by LLMs, which exhibit "traits of general-purpose technologies".
- Computing Power and the Governance of Artificial Intelligence Preprint✦ AIArgues compute is a uniquely governable lever because it is "detectable, excludable, and quantifiable, and is produced via an extremely concentrated supply chain".
- Training Compute Thresholds: Features and Functions in AI Regulation Preprint✦ AIFinds "training compute currently is the most suitable metric to identify GPAI models", but thresholds should only trigger further scrutiny, not determine risk measures alone.
- Compute North vs. Compute South: The Uneven Possibilities of Compute-based AI Governance Around the Globe Peer-reviewed✦ AICensus of hyperscale cloud regions shows a divide between "Compute North" states hosting training-relevant compute and a Compute South, shaping who can wield compute-based governance.
- Generative AI in EU law: Liability, privacy, intellectual property, and cybersecurity Peer-reviewed✦ AIExamines how the EU AI Act, liability regimes, GDPR, copyright and cybersecurity rules apply to generative AI, identifying gaps and proposing targeted regulatory refinements.
- Evaluating Frontier Models for Dangerous Capabilities Preprint✦ AIPilots dangerous-capability evaluations (persuasion, cyber, self-proliferation) on frontier models, finding 'early warning signs' but no strong present danger — grounding evaluation-based gating.
- Governing Through the Cloud: The Intermediary Role of Compute Providers in AI Regulation Preprint✦ AIArgues 'compute providers should have legal obligations' to secure infrastructure, keep records, verify activity and report frontier training as regulatory intermediaries.
- Verification methods for international AI agreements Preprint✦ AISurveys '10 verification methods that could detect... unauthorized AI training... and unauthorized data centers', mapping the technical basis for compute-disclosure regimes.
+ 44 more across this concept's topics — see the literature index.
References
The primary instrument sources behind the article's classifications.
Cite this article 8 formats · BibTeX, RIS, APA, Chicago, … · 1-click copy
Persistent identifier: https://policywindow.org/wiki/sandbagging — committed-stable URL with content-versioning via ?asOf= (rollout pending per methodology §7). DOIs via Zenodo are on the roadmap.
Article tools — track changes, suggest an edit
View history — every captured revision of this article · What links here