Large language models display impressive capabilities. However, for the most part, the mechanisms by which they do so are unknown. The black-box nature of models is increasingly unsatisfactory as they advance in intelligence and are deployed in a growing number of applications. Our goal is to reverse engineer how these models work on the inside, so we may better understand them and assess their fitness for purpose.

The challenges we face in understanding language models resemble those faced by biologists. Living organisms are complex systems which have been sculpted by billions of years of evolution. While the basic principles of evolution are straightforward, the biological mechanisms it produces are spectacularly intricate. Likewise, while language models are generated by simple, human-designed training algorithms, the mechanisms born of these algorithms appear to be quite complex.

Progress in biology is often driven by new tools. The development of the microscope allowed scientists to see cells for the first time, revealing a new world of structures invisible to the naked eye. In recent years, many research groups have made exciting progress on tools for probing the insides of language models (e.g. ). These methods have uncovered representations of interpretable concepts – “features” – embedded within models’ internal activity. Just as cells form the building blocks of biological systems, we hypothesize that features form the basic units of computation inside models.The analogy between features and cells shouldn’t be taken too literally. Cells are well-defined, whereas our notion of what exactly a “feature” is remains fuzzy, and is evolving with improvements to our tools.

However, identifying these building blocks is not sufficient to understand the model; we need to know how they interact. In our companion paper, Circuit Tracing: Revealing Computational Graphs in Language Models, we build on recent work (e.g. ) to introduce a new set of tools for identifying features and mapping connections between them – analogous to neuroscientists producing a “wiring diagram” of the brain. We rely heavily on a tool we call attribution graphs, which allow us to partially trace the chain of intermediate steps that a model uses to transform a specific input prompt into an output response. Attribution graphs generate hypotheses about the mechanisms used by the model, which we test and refine through follow-up perturbation experiments.

In this paper, we focus on applying attribution graphs to study a particular language model – Claude 3.5 Haiku, released in October 2024, which serves as Anthropic’s lightweight production model as of this writing. We investigate a wide range of phenomena. Many of these have been explored before (see § 16 Related Work), but our methods are able to offer additional insight, in the context of a frontier model:

• Introductory Example: Multi-step Reasoning. We present a simple example where the model performs “two-hop” reasoning “in its head” to identify that “the capital of the state containing Dallas” is “Austin.” We can see and manipulate an internal step where the model represents “Texas”.
• Planning in Poems. We discover that the model plans its outputs ahead of time when writing lines of poetry. Before beginning to write each line, the model identifies potential rhyming words that could appear at the end. These preselected rhyming options then shape how the model constructs the entire line.
• Multilingual Circuits. We find the model uses a mixture of language-specific and abstract, language-independent circuits. The language-independent circuits are more prominent in Claude 3.5 Haiku than in a smaller, less capable model.
• Addition. We highlight cases where the same addition circuitry generalizes between very different contexts.
• Medical Diagnoses. We show an example in which the model identifies candidate diagnoses based on reported symptoms, and uses these to inform follow-up questions about additional symptoms that could corroborate the diagnosis – all “in its head,” without writing down its steps.
• Entity Recognition and Hallucinations. We uncover circuit mechanisms that allow the model to distinguish between familiar and unfamiliar entities, which determine whether it elects to answer a factual question or profess ignorance. “Misfires” of this circuit can cause hallucinations.
• Refusal of Harmful Requests. We find evidence that the model constructs a general-purpose “harmful requests” feature during finetuning, aggregated from features representing specific harmful requests learned during pretraining.
• An Analysis of a Jailbreak. We investigate an attack which works by first tricking the model into starting to give dangerous instructions “without realizing it,” after which it continues to do so due to pressure to adhere to syntactic and grammatical rules.
• Chain-of-thought Faithfulness. We explore the faithfulness of chain-of-thought reasoning to the model’s actual mechanisms. We are able to distinguish between cases where the model genuinely performs the steps it says it is performing, cases where it makes up its reasoning without regard for truth, and cases where it works backwards from a human-provided clue so that its “reasoning” will end up at the human-suggested answer.
• A Model with a Hidden Goal. We also apply our method to a variant of the model that has been finetuned to pursue a secret goal: exploiting “bugs” in its training process. While the model avoids revealing its goal when asked, our method identifies mechanisms involved in pursuing the goal. Interestingly, these mechanisms are embedded within the model’s representation of its “Assistant” persona.

Our results uncover a variety of sophisticated strategies employed by models. For instance, Claude 3.5 Haiku routinely uses multiple intermediate reasoning steps “in its head”That is, during the forward pass rather than the "thinking out loud" of a chain-of-thought completion. to decide its outputs. It displays signs of forward planning, considering multiple possibilities for what it will say well in advance of saying it. It performs backward planning, working backwards from goal states to formulate earlier parts of its response. We see signs of primitive “metacognitive” circuits that allow the model to know the extent of its own knowledge. More broadly, the model’s internal computations are highly abstract and generalize across disparate contexts. Our methods are also sometimes capable of auditing a model’s internal reasoning steps to flag concerning “thought processes” that are not clear from the model’s responses.

Below, we present:

• A brief overview of our methodology (see the companion paper for more details on our methods).
• An introductory case study, which also serves as a walkthrough for understanding our approach. Readers who have not read our companion paper may find it helpful to begin with this section before proceeding to the other case studies.
• A series of case studies of interesting model behaviors, which can be read in any order, depending on the reader’s interests.
• A summary of common components observed across our investigations.
• A description of gaps in our understanding that motivate future work (§ 14 Limitations).
• A discussion of high-level takeaways about models, their mechanisms, and our methods for studying them (§ 15 Discussion). This includes a note on our research philosophy – in particular, the value of tools for bottom-up investigation, which allow us to avoid making strong top-down guesses about how models work.

§ 1.1 A note on our approach and its limitations

Like any microscope, our tools are limited in what they can see. Though it’s difficult to quantify precisely, we’ve found that our attribution graphs provide us with satisfying insight for about a quarter of the prompts we’ve tried (see § 14 Limitations for a more detailed discussion of when our methods are likely to succeed or fail). The examples we highlight are success cases where we have managed to learn something interesting; moreover, even in our successful case studies, the discoveries we highlight here only capture a small fraction of the mechanisms of the model. Our methods study the model indirectly using a more interpretable “replacement model,” which incompletely and imperfectly captures the original. Moreover, for the sake of clear communication, we will often present highly distilled and subjectively determined simplifications of the picture uncovered by our methods, losing even more information in the process. To provide a more accurate sense of the rich complexity we have uncovered, we provide readers with an interactive interface for exploring attribution graphs. However, we stress that even these rather complex graphs are simplifications of the underlying model.

We focus this paper on selected case studies that illuminate noteworthy mechanisms within a particular model. These examples serve as existence proofs — concrete evidence that specific mechanisms operate in certain contexts. While we suspect similar mechanisms are at play beyond these examples, we cannot guarantee it (see § D Open Questions for suggested follow-up investigations). Moreover, the cases we have chosen to highlight are undoubtedly a biased sample shaped by the limitations of our tools.However, we are careful to stress-test our findings with follow-up validation experiments, which we have endeavored to perform only after identifying case studies of interest. For a more systematic evaluation of our methods, see our companion paper. However, we believe that these qualitative investigations are ultimately the best judge of a method’s value, just as the usefulness of a microscope is ultimately determined by the scientific discoveries it enables. We expect this kind of work will be essential to advance the current state of AI interpretability, a pre-paradigmatic field still in search of the right abstractions — just as descriptive science has proven essential to many conceptual breakthroughs in biology. We are particularly excited that squeezing as much insight as we can out of our current methods has brought into clearer focus their specific limitations, which may serve as a roadmap for future research in the field.

§ 2 Method Overview

The models we study in this work are transformer-based language models, which take in sequences of tokens (e.g. words, word fragments, and special characters), and output new tokens one at a time. These models involve two fundamental components – MLP (“multi-layer perceptron”) layers, which process information within each token position using collections of neurons; and attention layers, which move information between token positions.

One reason models are difficult to interpret is that their neurons are typically polysemantic – that is, they perform many different functions that are seemingly unrelated.This issue is thought to arise in part because of a phenomenon known as superposition , whereby models represent more concepts than they have neurons and thus cannot assign each neuron to its own concept. To circumvent this issue, we build a replacement model that approximately reproduces the activations of the original model using more interpretable components. Our replacement model is based on a cross-layer transcoder (CLT) architecture (see and our companion methods paper), which is trained to replace the model’s MLP neurons with features, sparsely active “replacement neurons” that often represent interpretable concepts. In this paper, we use a CLT with a total of 30 million features across all layers.

Features often represent human-interpretable concepts, ranging from low-level (e.g. specific words or phrases) to high-level (e.g. sentiments, plans, and reasoning steps). By examining a feature visualization consisting of different examples of text where the feature activates, we can give each feature a human-interpretable label. Note that the text examples in this paper are taken from open source datasets.

Our replacement models don’t perfectly reconstruct the activations of the original model. On any given prompt, there are gaps between the two. We can fill in these gaps by including error nodes which represent the discrepancy between the two models. Unlike features, we can’t interpret error nodes. But including them gives us a more precise sense of how incomplete our explanations are. Our replacement model also doesn’t attempt to replace the attention layers of the original model. On any given prompt, we simply use the attention patterns of the original model and treat them as fixed components.

The resulting model – incorporating error nodes and inheriting the attention patterns from the original model – we call the local replacement model. It is “local” to a given prompt because error nodes and attention patterns vary between different prompts. But it still represents as much of the original model’s computation as possible using (somewhat) interpretable features.

By studying the interactions between features in the local replacement model, we can trace its intermediate steps as it produces responses. More concretely, we produce attribution graphs, a graphical representation of the computational steps the model uses to determine its output for a particular input, in which nodes represent features and edges represent the causal interactions between them. As attribution graphs can be quite complex, we prune them to their most important components by removing nodes and edges that do not contribute significantly to the model’s output.

With a pruned attribution graph in hand, we often observe groups of features with related meanings that play a similar role in the graph. By manually grouping these related graph nodes together into supernodes, we can obtain a simplified depiction of the computational steps performed by the model.

These simplified diagrams form the centerpiece of many of our case studies. Below (left) we show an example of such a diagram.

Because they are based on our replacement model, we cannot use attribution graphs to draw conclusions with certainty about the underlying model (i.e. Claude 3.5 Haiku).  Thus, the attribution graphs provide hypotheses about mechanisms operating in the underlying model. For a discussion of when and why these hypotheses might be incomplete or misleading, see § 14 Limitations. To gain confidence that the mechanisms we describe are real and significant, we can perform intervention experiments in the original model, such as inhibiting feature groups and observing their effects on other features and on the model’s output (final figure panel above – percentages indicate fraction of original activation). If the effects are consistent with what our attribution graph predicts, we gain confidence that the graph is capturing real (though potentially incomplete) mechanisms within the model. Importantly, we choose our feature labelings and supernode groupings prior to measuring perturbation results. Note that there are some nuances in interpreting the results of intervention experiments, and the extent to which they provide independent validation of graph-predicted mechanisms – see our companion paper for further details.Performing interventions with cross-layer transcoder features requires choosing an “intervention layer,” with the perturbation applied up to that layer.  Our interventions in this paper use the “constrained patching” technique described in our companion paper, which clamps activations prior to the intervention layer at perturbed values, preventing any indirect effects of the perturbation from manifesting prior to the intervention layer. Thus, effects of perturbations on features prior to the intervention layer are guaranteed to agree with the direct effects predicted by the attribution graph. By contrast, perturbation effects on features after the intervention layer have the potential to diverge from graph predictions, in two ways: (1) The graph-predicted direct effects may be overwhelmed by other mechanisms missed by our attribution graphs, (2) The graph-predicted indirect effects (i.e. ‘multi-hop’ interactions) may not even exist within the underlying model (we refer to this issue as “mechanistic unfaithfulness”). Thus, the nature of the validation provided by our intervention experiments varies depending on the layers of the features involved and the directness of their interaction in the attribution graph, and in some cases (direct effects prior to the intervention layer) is trivial. In general, we regard the effects of interventions on the model’s actual outputs as the most important source of validation, as model outputs are simple to interpret and not affected by these methodological artifacts.

Alongside each case study figure, we provide the interactive attribution graph interface  that our team uses to study models’ internal mechanisms. The interface is designed to enable “tracing” key paths through the graph while labeling key features, feature groups, and subcircuits. The interface is fairly complex and takes some time to become proficient at using. All the key results in this work are described and visualized in simplified form, so that engaging with this interface is not necessary to read the paper! However, we recommend giving it a try if you are interested in gaining a richer sense of the mechanisms at play in Claude 3.5 Haiku. Some features are given brief labels for convenience; these labels are very rough interpretations and miss considerable detail, which can be better appreciated in the feature visualizations. For a more detailed walkthrough, please reference this section in our companion methods paper (and see § F Appendix: Graph Pruning and Visualization for a few methodological differences specific to this paper).

§ 3 Introductory Example: Multi-step Reasoning

Our methodology is intended to expose the intermediate steps a model uses en route to producing a response. In this section we consider a simple example of multi-step reasoning and attempt to identify each step. Along the way, we will highlight key concepts that will appear in many of our other case studies.

Let’s consider the prompt Fact: the capital of the state containing Dallas is, which Claude 3.5 Haiku successfully completes with Austin. Intuitively, this completion requires two steps – first, inferring that the state containing Dallas is Texas, and second, that the capital of Texas is Austin. Does Claude actually perform these two steps internally?  Or does it use some “shortcut” (e.g. perhaps it has observed a similar sentence in the training data and simply memorized the completion)?  Prior work has shown evidence of genuine multi-hop reasoning (to varying degrees in different contexts).

In this section we provide evidence that, in this example, the model performs genuine two-step reasoning internally, which coexists alongside “shortcut” reasoning.

As described in the method overview, we can tackle this question by computing the attribution graph for this prompt, which describes the features the model used to produce its answer, and the interactions between them. First, we examine the features’ visualizations to interpret them, and group them into categories (“supernodes”). For example:

• We find several features about the word and/or concept of a capital city, such as four features that activate the most strongly on the exact word “capital”. More interestingly, we find features that represent the concept of capitals in more general ways. One example is this feature, which activates on the word “capitals” but also later in questions about capitals of states, as well as on the Chinese question 广东省的省会是？ (“What is the capital of Guangdong?”), on the second character of “省会” (capital of a province). Another is this multilingual feature, which activates most strongly on a variety of phrases including “başkenti”, “राजधानी”, “ibu kota”, and “Hauptftadt” — all of which roughly mean “capital” in different languages.Though much of the German is mangled, perhaps due to a transcription error in the source. Although each of these features represents slightly different concepts, in the context of this prompt, it seems like their function is to represent the idea of “capital.” Therefore, we group them (and a few others) together into the same “supernode.”
• We also identify “output features” that consistently push the model to say certain tokens, even if there isn’t such a clear pattern to what words/phrases they activate on. This can be seen in the “Top Outputs” section of a feature’s visualization, which lists the output tokens most strongly directly upweighted by that feature. For example, one feature activates on various landmarks in central Texas, but in this prompt its most relevant aspect is that it most strongly promotes responding with the “Austin” token. We therefore categorize this feature into a “say Austin” supernode. Note that the “Top Outputs” information is not always informative – for instance, earlier-layer features primarily matter via indirect effects on the output via other features, and their top direct outputs are not too consequential. Designating a feature as an “output feature” requires a holistic evaluation of its top direct outputs, the contexts in which it activates, and its role in the attribution graph.
• We also find features that promote outputting the name of a capital more generally, which we use a mix of both types of signals to identify and label. For example, one feature promotes responding with a variety of U.S. state capitals. Another feature more strongly promotes the capitals of various countries rather than U.S. states, but activates most strongly on lists with U.S. states and their capitals. And we noticed another feature whose strongest direct outputs are a seemingly unrelated set of tokens, but which often activates right before a country capital (e.g., Paris, Warsaw, or Canberra). We group all these features into a “say a capital” supernode.
• We find several features representing a variety of contexts relating to the state of Texas, not specific to a particular city (in particular, they are not “Dallas” or “Austin” features).  Although they each represent distinct, specific Texas-related concepts, in the context of this prompt their main function appears to be the fact that they collectively represent the general concept of Texas. As such, we group these into a “Texas” supernode.

After forming these supernodes, we can see in our attribution graph interface that, for example, the “capital” supernode promotes the “say a capital” supernode, which promotes the “say Austin” supernode. To represent this, we draw a diagram where each supernode is connected to the next with a brown arrow, as in the below graph snippet:

After labeling more features and forming more supernodes, we summarize their interactions in the following diagram.

The attribution graph contains multiple interesting paths, which we summarize below:

• The Dallas features (with some contribution from state features) activate a group of features that represent concepts related to the state of Texas.
• In parallel, the features activated by the word capital activate another cluster of output features that cause the model to say the name of a capital (an example of such a feature can be seen above).
• The Texas features and the say a capital features jointly upweight the probability of the model saying Austin. They do so via two pathways:

• directly impacting the Austin output, and
• indirectly, by activating a cluster of say Austin output features.

• There also exists a “shortcut” edge directly from Dallas to say Austin.

The graph indicates that the replacement model does in fact perform “multi-hop reasoning” – that is, its decision to say Austin hinges on a chain of several intermediate computational steps (Dallas → Texas, and Texas + capital → Austin). We stress that this graph simplifies the true mechanisms considerably, and encourage the reader to interact with the more comprehensive visualization to appreciate the underlying complexity.

§ 3.1 Validation with Inhibition Experiments

The graphs above describe mechanisms used by our interpretable replacement model. To validate that these mechanisms are representative of the actual model, we performed intervention experiments on the feature groups above by inhibiting each of them (clamping them to a negative multiple of their original value – see our companion paper for discussion of the choice of intervention strengths) and measuring the impact on the activations of features in the other clusters, as well as on the model output.

The summary plot above confirms the major effects predicted by the graph. For instance, inhibiting “Dallas” features decreases the activation of “Texas” features (and features downstream of “Texas,” like “Say Austin”) but leaves “say a capital” features largely unaffected. Likewise, inhibiting “capital” features decreases the activation of “say a capital” features (and those downstream, like “say Austin”) while leaving “Texas” features largely unchanged.

The effects of inhibiting features on model predictions are also semantically reasonable. For instance, inhibiting the “Dallas” cluster causes the model to output other state capitals, while inhibiting the “say a capital” cluster causes it to output non-capital completions.

§ 3.2 Swapping Alternative Features

If the model’s completion truly is mediated by an intermediate “Texas” step, we should be able to change its output to a different state capital by replacing the model’s representation of Texas with that of another state.

To identify features representing another state, we consider a related prompt, where we use “Oakland” instead of “Dallas” – Fact: the capital of the state containing Oakland is. Repeating the analysis steps above, we arrive at the following summary graph:

This graph is analogous to our original graph, with “Oakland” taking the place of “Dallas,” “California” taking the place of “Texas,” and “say Sacramento” taking the place of “say Austin.”

We now return to our original prompt, and swap “Texas” for “California” by inhibiting the activations of the Texas cluster and activating the California features identified from the “Oakland” prompt. In response to these perturbations, the model outputs “Sacramento” (the capital of California).

Similarly,

• An analogous prompt about the state containing Savannah activates “Georgia” features. Swapping these for the “Texas” features causes the model to output “Atlanta” (the capital of Georgia).

• An analogous prompt about the province containing Vancouver activates “British Columbia” features. Swapping these for the “Texas” features causes the model to output “Victoria” (the capital of British Columbia).

• An analogous prompt about the country containing Shanghai activates “China” features. Swapping these for the “Texas” features causes the model to output “Beijing” (the capital of China).

• An analogous prompt about the empire containing Thessaloniki activates “Byzantine Empire” features. Swapping these for the “Texas” features causes the model to output “Constantinople” (the capital of the ancient Byzantine Empire).

Note that in some cases the magnitude of the feature injection required to change the model’s output is larger (see bottom row). Interestingly, these correspond to cases where the features being injected do not correspond to a U.S. state, suggesting that these features may “fit” less naturally into the circuit mechanisms active in the original prompt.

§ 4 Planning in Poems

How does Claude 3.5 Haiku write a rhyming poem? Writing a poem requires satisfying two constraints at the same time: the lines need to rhyme, and they need to make sense. There are two ways one might imagine a model achieving this:

• Pure improvisation – the model could write the beginning of each line without regard for the need to rhyme at the end. Then, at the last word of each line, it would choose a word that (1) makes sense given the line it has just written, and (2) fits the rhyme scheme.
• Planning – alternatively, the model could pursue a more sophisticated strategy. At the beginning of each line, it could come up with the word it plans to use at the end, taking into account the rhyme scheme and the content of the previous lines. It could then use this “planned word” to inform how it writes the next line, so that the planned word will fit naturally at the end of it.

Language models are trained to predict the next word, one word at a time. Given this, one might think the model would rely on pure improvisation. However, we find compelling evidence for a planning mechanism.

Specifically, the model often activates features corresponding to candidate end-of-next-line words prior to writing the line, and makes use of these features to decide how to compose the line.We found planned word features in about half of the poems we investigated, which may be due to our CLT not capturing features for the planned words, or it may be the case that the model does not always engage in planning.

Prior work has observed evidence of planning in language models and other sequence models (e.g.  in games and ; see § 16 Related Work). Our example adds to this body of evidence, and is particularly striking in several ways:

• We provide a mechanistic account of how planned words are computed and used downstream.
• We find evidence of both forward planning and backwards planning (albeit basic forms). First, the model uses the semantic and rhyming constraints of the poem to determine candidate targets for the next line. Next, the model works backward from its target word to write a sentence that naturally ends in that word.
• We observe that the model holds multiple possible planned words “in mind” at the same time.
• We are able to edit the model’s planned word and see that it restructures its next line accordingly.
• We discovered the mechanism with an unsupervised, bottom-up approach.
• The features used to represent planned words seem to be ordinary features representing that word, rather than planning-specific features. This suggests that the model “thinks about” planned words using representations that are similar to when it reads about those words.

§ 4.1 Planned Words Features and their Mechanistic Role

We study how Claude completes the following prompt asking for a rhyming couplet. The model’s output, sampling the most likely token at each step, is shown in bold:

To start, we focus on the last word of the second line and attempt to identify the circuit which contributed to choosing “rabbit”. We initially hypothesized that we’d observe improvisation – a circuit where rhyming features and semantic features constructively interfere to promote “rabbit”. Instead, we found that important components of the circuit were localized on the new-line token before the second line began:

The attribution graph above, computed by attributing back from the “rabbit” output node, shows an important group of features active on the newline token, before the beginning of the second line. Features active over the “it” token activate rhyming with “eet/it/et” features, which themselves activate features for candidate completions such as “rabbit” and “habit”! The candidate completions in turn have positive edges to say “rabbit” features over the last token, eventually promoting the corresponding output token. This is consistent with the model planning potential completions ahead of time.The full circuit shows a diversity of feature groups promoting earlier phonemes of potential completions, such as ones for words which contain an “ab” sound matching the one in “grab”.

To test this hypothesis, we perform a variety of interventions at the newline planning site, and see how it affects the probability of the last token. We suppress features for planned words and rhyming schemes, and also inject different rhyming schemes and planned words.

The results confirm our hypothesis that these planning features strongly influence final token probabilities.

§ 4.2 Planning Features Only Matter at the Planning Location

Circuit analysis suggests that planning occurs at the newline token.In fact, the features are only active over the planning token. Below, we show the probability of predicting a different final token by varying which token we steer at. At each index, we steer negatively on “rabbit” and “habit” features, and positively on a “green” feature.The “green” feature is an equivalent planning feature which we found in a separate poem. It activates over the word green in a variety of contexts, including misspellings. We observe that the steering intervention only has an effect over the newline planning token!

§ 4.3 Planned Words Influence Intermediate Words

Is the planning circuit only involved in choosing the final word, or does it also cause the model to "write towards" the target as it produces the intermediate words? To answer this question, we compute an attribution graph for the intermediate word “like”.

The same “rabbit” planning features are active in the graph, promoting a group of “comparison features”, which are active before text such as “like a”. The model goes from the planned target (“rabbit”) that activates at the newline and reasons backwards, creating a plausible transition to get to it.

Again, we test this with interventions. We find that suppressing the “rabbit” features changes the transition to one that matches the alternate planned word, “habit”.

§ 4.4 Planned Words Determine Sentence Structure

But do the planning features influence the entire sentence structure? We test this with further steering experiments where we perform our earlier set of interventions, but resample the entire final line. We find that interventions on planning features cause the model to alter the structure of its line to reach a final word which matches the intervention.We show example lines for the likeliest final words, as well as estimated probabilities for the final word based on 500 samples per experiment..

In addition to the examples above, we injected two planned word features (“rabbit” and “green”) in a random sample of 25 poems, and found that the model ended its line with the injected planned word in 70% of cases. We show a few samples of success cases below.

§ 5 Multilingual Circuits

Modern neural networks have highly abstract representations which often unify the same concept across multiple languages (see multilingual neurons and features e.g. ; multilingual representations ; but see ). However, we have little understanding of how these features fit together in larger circuits and give rise to the observed behavior of models.

In this section, we investigate how Claude 3.5 Haiku completes three prompts with identical meaning in different languages:

• English: The opposite of "small" is " → big
• French: Le contraire de "petit" est " → grand
• Chinese: "小"的反义词是" → 大

We find that these three prompts are driven by very similar circuits, with shared multilingual components, and an analogous language-specific component.This can be seen as a combination of language-invariant and language-equivariant circuits (cf. ). The core mechanisms are summarized below:

The high-level story of each is the same: the model recognizes, using a language-independent representationWe make this claim on the basis that (1) the feature visualizations show that they activate in many languages, (2) 20 out of 27 of the features in multilingual nodes are active across all three prompts. However, we note that the set of features that are influential to the model’s response varies quite a bit by prompt (only 10/27 appear in the pruned attribution graphs for all three prompts)., that it's being asked about antonyms of “small”. This triggers antonym features, which mediate (via an effect on attention – corresponding to dotted lines in the figure) a map from small to large. In parallel with this, open-quote-in-language-X features track the language,in addition to other cues of language like beginning-of-document-in-language-Y features and trigger the language-appropriate output feature in order to make the correct prediction (e.g., “big”-in-Chinese). However, our English graph suggests that there is a meaningful sense in which English is mechanistically privileged over other languages as the “default”.In particular, the multilingual “say large” features often have stronger direct effects to “large” or “big” in English as compared to other languages. Additionally, the English quote features have a weak and mixed direct effect on the English “say large” features,instead having a double inhibitory effect. We use a dotted line here to indicate the presence of an indirect path via double inhibitory effects.

We can think of this computation as involving three parts: operation (i.e. antonym), operand (i.e. small), and language. In the following sections, we will offer three experiments demonstrating that each of these can be independently intervened upon. To summarize:

Finally, we will close this section by demonstrating that multilingual features are widespread, and represent an increasing fraction of model representations with scale.

§ 5.1 Editing the Operation: Antonyms to Synonyms

We now present a more detailed set of intervention experiments than the summary above. We begin with the experiments swapping the operation from antonym to synonym.

In the middle layers of the model, on the final token position, there is a collection of antonym features that activate right before the model predicts an antonym or opposite of a recent adjective. We find a similar cluster of synonym featuresThese can be understood as synonym and antonym function vectors . Although the synonym and antonym vectors are functionally opposite, it is interesting to note that all pairwise inner products between synonym and antonym encoder vectors are positive and the minimum decoder vector inner product is only slightly negative. at the same model depth on an English prompt A synonym of "small" is ".

To test our interpretation of these features, we negatively intervene on the antonym feature supernode in each language, and substitute in the synonym supernode. Despite both sets of features being derived from an English prompt, the intervention causes the model to output a language-appropriate synonym, demonstrating the language independence of the operation component of the circuit.

In addition to the model predicting the appropriate synonym, the downstream say-large nodes are suppressed in activation (indicated by the percentage) while upstream nodes remain unchanged. It is also worth noting that although our intervention requires unnatural strength (we have to apply 6× the activation in the synonym prompt), the crossover point of when the intervention is effective is fairly consistent across languages (about 4×).

§ 5.2 Editing the Operand: Small to Hot

For our second intervention, we change the operand from “small” to “hot”. On the “small” token, there is a collection of early features that appear to capture the size facet of the word. Using an English prompt with the “small” token replaced by the “hot” token, we find similar features representing the heat-related facet of the word hot. There are many features which seemingly just activate on the words “hot” and “small”. We choose these nodes because they have the highest “graph influence” implying that they were the most causally responsible for predicting the appropriate antonym.

As before, to validate this interpretation, we substitute the small-size features for the hot-temperature features (on the “small”/”petit”/”小” token). Again, despite the hot-temperature features being derived from an English prompt, the model predicts language-appropriate antonyms of the word “hot,” demonstrating a language-agnostic circuitry for the operand.

§ 5.3 Editing the Output Language

Our final intervention experiment is to change the language.

In the first few layers of the model, on the final token position, there is a collection of features which indicates what language the context is in, with equivariant open-quote-in-language-X features and beginning-of-document-in-language-Y features (e.g., French, Chinese). We collect this group of language detection features for each language into a supernode.

As depicted below, we can change the output language by replacing the early language detection features from the original language with a new set of features corresponding to a different language. This demonstrates that we can edit the language while preserving the operation and operand of the computation.

§ 5.4 The French Circuit in More Detail

The circuits shown above are very simplified. It's worth examining an example in a bit more detail. Here we chose to examine the French circuit. This circuit is still simplified, and a more raw version can be found linked in the caption.

One crucial interaction (between antonym and large) seems to be mediated by changing where attention heads attend, by participating in their QK circuits. This is invisible to our current approach, and might be seen as a kind of "counterexample" concretely demonstrating a weakness of our present circuit analysis.

Beyond this, it's interesting to note several things. We can see the multi-token word "contraire" being "detokenized" to activate abstract multilingual features. We also see a "predict size" feature group, which we've elided in the more simplified diagrams (it has a weaker effect than others). And we can see language-specific quote features track the language we're acting in, though the full circuit suggests the model gets linguistic cues from other words.

This structure is broadly similar to the circuits we observe in other languages.

§ 5.5 How General are Multilingual Features?

To what extent is this story true in general? In the examples above, and others we have looked at, we consistently see the “crux” of the computation is being performed by language-agnostic features. For example, in the three simple prompts below, the key semantic transformation occurs using the same important nodes in every language, despite not sharing any tokens in the input.

This suggests a simple experiment to estimate the degree of cross-language generalization: measure how often the same feature activates on texts translated into different languages. That is, if the same features activate on translations of a text, but not on unrelated texts, then the model must be representing the input in a format that is unified across languages.

To test this, we collect feature activations on a dataset of paragraphs on a diverse range of topics, with (Claude-generated) translations in French and Chinese. For each paragraph and its translations, we record the set of features which activate anywhere in the context. For each {paragraph, pair of languages, and model layer}, we compute the intersection (i.e., the set of features which activate in both), divided by the union (the set of features which activate in either), to measure the degree of overlap. As a baseline, we compare this with the same "intersection over union" measurement of unrelated paragraphs with the same language pairing.

These results show that features at the beginning and end of models are highly language-specific (consistent with the {de, re}-tokenization hypothesis ), while features in the middle are more language-agnostic. Moreover, we observe that compared to the smaller model, Claude 3.5 Haiku exhibits a higher degree of generalization, and displays an especially notable generalization improvement for language pairs that do not share an alphabet (English-Chinese, French-Chinese).

§ 5.6 Do Models Think in English?

As researchers have begun to mechanistically investigate the multilingual properties of models, there has been a tension in the literature. On the one hand, many researchers have found multilingual neurons and features (e.g. ), and other evidence of multilingual representations (e.g. ). On the other hand, Schut et al.  present evidence that models privilege English representations, while Wendler et al.  provide evidence for an intermediate stance, where representations are multilingual, but most aligned with English.

What should we make of this conflicting evidence?

It seems to us that Claude 3.5 Haiku is using genuinely multilingual features, especially in the middle layers. However, there are important mechanistic ways in which English is privileged. For example, multilingual features have more significant direct weights to corresponding English output nodes, with non-English outputs being more strongly mediated by say-X-in-language-Y features. Moreover, English quote features seem to engage in a double inhibitory effect where they suppress features which themselves suppress “large” in English but promote “large” in other languages (e.g., this English-quote feature’s strongest negative edge is to a feature which upweights “large” in Romance languages like French and downweights “large” in other languages, especially English). This paints a picture of a multilingual representation in which English is the default output.

§ 6 Addition

In the companion paper, we investigated how Claude 3.5 Haiku adds two-digit numbers, like 36+59. We found that it split the problem into multiple pathways, computing the result at a rough precision in parallel with computing the ones digit of the answer, before recombining these heuristics to get the correct answer. We found a key step performed by “lookup table” features that translate between properties of the input (like the two numbers being summed ending in 6 and ending in 9) and a property of the output (like ending in 5). Like many people do, the model has memorized the addition table for one-digit numbers. The other parts of its strategy, however, are a bit different than standard algorithms for addition used by humans, as we will show.

First, we visualize the role of features on addition problems using "operand" plots: these show the activity of a feature on the = token for 10,000 prompts of the form calc: a+b= for all pairs of a and b from (0, ..., 99). Geometric patterns in these figures represent structure in the feature’s responses:

• Diagonal lines represent features sensitive to the sum in the problem.
• Horizontal and vertical lines represent features sensitive to the first or second input, respectively.
• Isolated points represent “lookup table” features sensitive to combinations of inputs.
• Repeating patterns represent modular information (e.g. “the last digit is X mod 10”).
• Smeared patterns represent lower-precision versions of the above categories.

We now reproduce the attribution graph for calc: 36+59=. Low-precision features for “add something near 57” feed into a lookup table feature for “add something near 36 to something near 60”, which in turn feeds into a “the sum is near 92” feature. This low-precision pathway complements the high precision modular features on the right (“left operand ends in a 9” feeds into “add something ending exactly with 9” feeds into “add something ending with 6 to something ending with 9” feeds into “the sum ends in 5”). These combine to give the correct sum of 95. (In the figure, we use _ to mean “any digit could go here”, and ~ to mean “approximately”.)

We were curious if Claude could articulate the heuristics that it is using, so we asked it.We computed the graph for the prompt below, attributing from 95, and found the same set of input, add, lookup table and sum features as in the shorter prompt above.

Apparently not!

This is a simple instance of the model having a capability which it does not have “metacognitive” insight into. The process by which the model learns to give explanations (learning to simulate explanations in its training data) and the process by which it learns to directly do something (the more mysterious result of backpropagation giving rise to these circuits) are different. We give related examples of explicit reasoning not matching internal algorithms in § 11 Chain-of-thought Faithfulness.

§ 6.1 Generalization of Addition Features

The prompt above presents a “raw” addition problem of the form “a + b =”. However, models need to be able to perform arithmetic in a broad array of contexts. Below, we show how one of the addition features from the graph above is used in a remarkably diverse set of contexts that require addition, sometimes in very non-obvious ways. Next, we show how the outputs of an addition feature can be used in flexible ways beyond simply causing the model to say the value of the sum.

§ 6.1.1 Generalization to the input context

We noticed when inspecting dataset examples that the lookup table feature from the 36+59 prompt that responds to adding numbers ending in 6 and 9 (or vice versa) was also active on a host of diverse contexts beyond arithmetic.

Inspecting these in detail, we find that when this feature is active, there is often a reason to predict the next token might end in 5, coming from adding 6 and 9. Consider the below texts, in which the token where the feature activates is highlighted.

The above sample consists of astronomical measurements; the most active token is where the model predicts the minute at the end of a measurement period. The durations of previous measurements are 38–39 minutes, and the period started at minute 6, so the model predicts an end time at minute 45.

The above is a simple table, where the cost ($35,820) follows an arithmetic sequence in its column (increase by $8,970 from $26,880).

Examples like the above are relatively common in the open-source datasets we visualize our features on: they are citations in academic texts, and the _6 + _9 feature activates when the journal volume number (36 here) ends in 6 and the year before the founding of the journal ends in 9 (1959 here), such that the year of publication of the volume will end in a 5. We visualize the attribution graph for the final citation from Polymer below, and find that there are five recognizable features from our simple arithmetic graphs (visualized with their operand plots) which combine with two journal-related sets of features that represent properties of the founding year of the journal: one for journals founded around 1960, and another for journals founded in years ending in 0.

We can also validate that the lookup table feature plays a causal role in this task using intervention experiments.

Suppressing the lookup table feature has a weak direct effect on the output prediction, but its indirect effect on the sum and output features is strong enough to modify the model’s prediction. We also can see that replacing the lookup table features (_6 + _9) with a different one (_9 + _9) changes the ones digit of the prediction in the expected way (from 1995 to 1998).

For each of these cases, the model must first figure out that addition is appropriate, and what to add; before the addition circuitry operates. Understanding exactly how the model realizes this across the array of data, whether it's recognizing journals, parsing astronomical data, or estimating tax information, is a challenge for future work.

§ 6.1.2 Flexibility of computational role

In the examples above, the model outputs a number that is the direct result of a (potentially obfuscated!) addition problem. In these cases, it makes sense for lookup table features like “_6+_9” to activate output features like “say a number ending in 5,” since the model does in fact need to say a number ending in 5. However, computations are often performed as intermediate steps in a larger problem. In such cases, we don’t want the model to blurt out an intermediate result as the final answer!  How do models represent and store intermediate computations for later use, and distinguish them from “final answers”?

In this example, we consider the prompt assert (4 + 5) * 3 ==, which the model correctly completes with 27. We observe several ingredients in the attribution graph:

• The model computes the addition portion using an addition lookup table feature (“4 + 5”), and the multiplication portion using a multiplication lookup table feature (“3 × 9”) alongside contributions from “multiply by 3” and “multiple of 9” pathways.
• A group of “expression type” features is active, which represent mathematical expressions in which a sum will be multiplied by another quantity.

• These expression type features help activate both of the relevant lookup table features.

• The expression-type features also activate a feature that appears to represent “9, when computed as an intermediate step”, which flags that the result of 4+5=9 is not meant to be output as the final answer.

• Interestingly, this feature’s strongest negative direct output effects are to suppress “9,” suggesting that it might serve to counteract the direct “say 9” impulse. However, we note that this negative influence is rather weak in the attribution graph (the strongest inhibitory inputs to the "9" output are error nodes), so it is unclear if this suppressive mechanism is significant in the underlying model.

In other words, the “4 + 5” features have two effects with opposite signs – by default they drive an impulse to say “9,” but, in the presence of appropriate contextual cues indicating that there are more steps to the problem (in this case a multiplication), they also trigger downstream circuits that use 9 as an intermediate step.

This graph is suggestive of a general strategy the model may use to repurpose its circuits in flexible ways. The lookup table features act as the workhorses of the basic computations needed, and participate in a variety of different circuits that use those computations in different ways. In parallel, other features – in this case, the “expression type” features – are responsible for nudging the model to use some of these circuits in favor of others.

§ 7 Medical Diagnoses

In recent years, many researchers have explored medical applications of LLMs – for instance, to aid clinicians in making accurate diagnoses . Medical applications of AI have historically been an area where many researchers have argued for the importance of interpretability. Given the high stakes of medical decisions, interpretability could increase (or decrease, if appropriate!) trust in the model’s outputs and enable medical professionals to synthesize the model’s reasoning with their own. Interpretability may also help us improve documented limitations of LLMs in medical settings, such as their sensitivity to prompt format . Some authors have observed that models’ written chain-of-thought (CoT) reasoning can provide a degree of interpretability into their reasoning. However, given that written CoT reasoning often misrepresents the model’s actual internal reasoning process (see and our section on CoT faithfulness below), it may not be acceptable to rely on it.

Thus, we are interested in whether our methods can shed light on the reasoning models perform internally in medical contexts. Here, we study an example scenario in which a model is presented with information about a patient, and asked to suggest a follow-up question to inform diagnosis and treatment. This mirrors the common medical practice of differential diagnosis – determining the most likely cause of a patient’s symptoms by asking questions and performing tests that rule out alternatives. We note that this example (and the others in this section) is quite simple, with “textbook” symptoms and a clear-cut candidate diagnosis. We present it as a proof of concept illustration that models can use interpretable internal steps in medical contexts. Differential diagnosis in practice typically involves reasoning through much more ambiguous cases with many possible courses of action, which we are excited to study in future work.

The model’s most likely completions are “visual disturbances,” and “proteinuria,” two key indicators of preeclampsia.The model then goes on to say: “Rationale: This presentation strongly suggests preeclampsia, and visual disturbances are a critical red flag symptom that can indicate progression to severe preeclampsia or HELLP syndrome.”

We noticed that the model activated a number of features that activate in contexts discussing preeclampsia and its associated symptoms. Some of these features, like the example below, activate most strongly on the word “preeclampsia.” Notably, in this prompt, the word “preeclampsia” does not appear – rather, the model represents it internally, apparently using similar internal machinery as if the word were spelled out explicitly.

Some of the other features activate on discussions of symptoms of preeclampsia:

While others activate broadly on any context that discusses the condition:

For our purposes, we group all these features together into one category, as all of them indicate that the model is “thinking about” preeclampsia in one way or another.

We can similarly group together features that represent other concepts relevant to the prompt. The attribution graph for the model’s response, providing a simplified summary of how these internal representations interact to produce the model’s response, is below.

The graph reveals a process that mirrors clinical diagnostic thinking. In particular, the model activates several distinct feature clusters that correspond to key elements of the clinical presentation:

1. First, the model activates features corresponding to the patient’s status and symptoms – pregnancy, right upper quadrant pain, headache, elevated blood pressure, and liver abnormalities. These serve as the inputs to the diagnostic reasoning process.
2. These patient status features collectively activate features representing potential diagnoses, with preeclampsia emerging as the primary hypothesis. Note that not all the status features contribute equally – the pregnancy features (followed by blood pressure features) are by far the strongest inputs to the preeclampsia features, with the rest contributing more weakly.
3. In addition, the model simultaneously activates features representing alternative diagnoses, particularly biliary system disorders like cholecystitis or cholestasis.
4. The preeclampsia features activate downstream features representing additional symptoms that would provide confirmatory evidence for a preeclampsia diagnosis, including the two – visual deficits, and proteinuria – that correspond to its two most likely responses.

We emphasize that the diagram above is only a partial account of the mechanisms active in the model. While the computational flow appears to reflect the critical path by which the model chose its response, there are many other features active in the model representing other medical concepts and symptoms, including many which appear less directly relevant to the diagnosis. The full attribution graph provides a more complete picture.

Our attribution graph makes the claim that the preeclampsia features activated internally by the model are causally responsible for its response. To test this hypothesis, we can perform an experiment where we inhibit the preeclampsia features and observe how the model’s activations and behavior change:

We see that the features corresponding to various preeclampsia-associated symptoms are de-activated by the intervention. The model’s most likely response changes to suggest asking about decreased appetite, a common symptom of biliary system disorders like cholecystitis — the other candidate diagnosis the model originally considered!

We note this is only a single, brief case study, and it should not be taken to indicate that interpretability tools are advanced enough to trust models’ responses to medical questions without human expert involvement. However, it does suggest that models’ internal diagnostic reasoning can, in some cases, be broken down into legible steps, which could be important for using them to supplement clinicians’ expertise.

Below we include a few other examples of similar prompts and their associated attribution graphs, along with some key features and pathways we observed. We encourage interested readers to explore the interactive graphs, as our brief summaries do not do justice to all of the relevant mechanisms. The final example presents an instance where the attribution graph is more complex. In general, while part of the model’s reasoning often follows logical steps as in the above example, it seems to employ many heuristics in parallel that contribute to its response, some of which appear more clinically sound than others. Exploring many more such case studies and systematically analyzing the circuits the model uses to reason about them is an exciting topic for future work.

Example #1

We compute an attribution graph for the “neck” token at the beginning of the Assistant’s response. We see features representing sudden (“thunderclap”) headaches and subarachnoid hemorrhages, which are activated by headache-related features, and which in turn upweight the “neck” response. In addition, features more broadly representing neurological symptoms contribute to the response. Interestingly, a group of features relating to meningitis symptoms also activate, receiving input from headache features and the subarachnoid hemorrhage features, despite meningitis not being a particularly likely diagnosis in this case.

Example #2

We compute an attribution graph for the “rash” token at the beginning of the Assistant’s response. We see features representing meningitis, which are activated by features representing neck stiffness/pain. The meningitis features upweight the “rash” response.

Example #3

We compute an attribution graph for the “chest” token at the beginning of the Assistant’s response. We see features representing acute coronary syndrome and associated angina (chest pain), features representing heart failure, and features representing cardiovascular symptoms more generally. Collectively, these features upweight the “chest” response, including via intermediate “chest pain” features. The “heart failure” features receive input from “swelling of ankles/feet” features and “shortness of breath” features, and also upweight features relating to coughing / respiratory symptoms, another symptom of heart failure. By contrast, the inputs to the acute coronary syndrome features are less clear – it receives only weak input from any of the features representing listed symptoms.  This case is interesting because chest pain is an excellent question to distinguish between the possibilities of acute coronary syndrome and heart failure, as the former more typically causes acute/severe chest pain. It is not clear to us from the graph whether the model is truly reasoning about the differential likelihood of chest pain between the two diagnoses. It is also not clear whether the model’s response is influenced by the knowledge that acute coronary syndrome is immediately life threatening.

§ 8 Entity Recognition and Hallucinations

Language models are known to sometimes hallucinate; that is, make up false information in response to questions. Hallucination is especially common when models are asked about relatively obscure facts or topics and is rooted in the pre-training objective for language models, which incentivizes models to guess plausible completions for blocks of text.

As an example, consider the following hallucinatory continuation given by Haiku 3.5 operating as a base model (that is, without Human/Assistant formatting):

This behavior is reasonable as in the model’s training data, a sentence like this is likely to be completed with the name of a sport. Without any further information about who “Michael Batkin” is, the model essentially has to guess a plausible sport at random.

During finetuning, however, models are trained to avoid such behavior when acting in the Assistant character. This leads to responses like the following:

Given that hallucination is in some sense a “natural” behavior, which is mitigated by finetuning, it makes sense to look for circuits that prevent models from hallucinating.

In this section we provide evidence that:

• The model contains “default” circuits that causes it to decline to answer questions.
• When a model is asked a question about something it knows, it activates a pool of features which inhibit this default circuit, thereby allowing the model to respond to the question.
• At least some hallucinations can be attributed to a “misfire” of this inhibitory circuit. For example, when asking the model for papers written by a particular author, the model may activate some of these “known answer” features even if it lacks knowledge of the author’s specific papers.

Our results are related to recent findings of Ferrando et al. , which uses sparse autoencoders to find features that represent known and unknown entities, and show that these features are causally involved in a model’s assessment of whether it is able to answer a question about an entity. We corroborate these findings and illustrate new circuit mechanisms that underlie them.

§ 8.1 Default Refusal Circuits

Let’s consider the attribution graph for the Human/Assistant prompt, on the first token of the Assistant’s apology. A cluster of features related to sports activates features that push the model to say the name of a sport. However, this circuit pathway is “outvoted” by another parallel circuit which causes the model to begin its “I apologize” response.

The crux of this circuit is a group of “can’t answer” features that activate when the Assistant corrects or questions the premise of a user’s question, or declares that it has insufficient information to give a response.

These features are directly activated by features that fire broadly for Human/Assistant prompts. This picture suggests that the “can’t answer” features are activated by default, for any Human/Assistant prompt!  In other words, the model is skeptical of user requests by default.

The “can’t answer” features are also promoted by a group of unfamiliar name features, which is in turn activated by the individual tokens of “Michael Batkin” and a generic “first names” feature. This suggests that these unknown-name features are also activated “by default” whenever a name is presented.

§ 8.2 An Inhibitory “Known Answer” Circuit

If the model activates refusal-promoting “can’t answer” and “unknown name” features by default, how does it ever respond with informative answers?  We hypothesize that these features are suppressed by features which represent entities or topics that the model is knowledgeable about. The unknown entity Michael Batkin fails to suppress these features, but we might imagine that features relating to a known entity like Michael Jordan would successfully suppress them.

To test this hypothesis, we computed an attribution graph for the following prompt:

focusing on the “can’t answer” features. We confirmed that, as expected, all of these features are either inactive or more weakly active in response to this prompt compared to the Michael Batkin prompt. We also observed in the attribution graph that these features are inhibited by:

• Michael Jordan–related features
• A group of “known answer” and “known entity” features that activate when the Assistant is asked questions about people/things it is likely to know about. These are similar to features described by Ferrando et al. .

The known-answer and known-entity features, in turn, are activated by a group of Michael Jordan–related features.

Combining our analyses of both prompts, the mechanisms are summarized below.

This circuit is consistent with our hypothesis that known entities or topics suppress the otherwise active “can’t answer” features. If this is true, we should be able to inhibit the “can’t answer” features in the Michael Batkin prompt, and thereby induce a hallucination, by promoting the “known answer/entity” features. Indeed, we can!  Doing so causes the model to choose a seemingly random name of a sport (including chess!).

Conversely, inhibiting “known answer” features in the Jordan prompt causes the model to sometimes respond with words suggesting it is uncertain of the answer (e.g. “Hypothetical”, “Underspecified”).

We also performed intervention experiments on the “can’t answer” and “unknown name” features, with most of the results supporting our circuit hypotheses. However, we obtained some unexpected results. For instance, activating the “unknown names” features is apparently not sufficient to induce a refusal in the Michael Jordan prompt. More generally, the intervention strengths required to obtain interesting effects are quite high relative to the feature activations on the original prompts. This suggests that the features / connections we have identified capture only a part of the story – see § Limitations – Mechanistic Faithfulness in our companion paper.

§ 8.3 Case Study of a Natural Hallucination: Academic Papers

The circuits identified above are designed to prevent the model from hallucinating (by refusing to answer a question) when it does not know the answer, and to inhibit this refusal response when it does know the answer.

Sometimes, however, the model does hallucinate! One context in which models can hallucinate is in producing citations – listing paper titles associated with topics or authors. For instance, consider the following interaction:

In fact, Andrej Karpathy was not an author of “ImageNet Classification with Deep Convolutional Neural Networks.” However, the model made a reasonable guess – Andrej Karpathy is known for working on deep learning, and “ImageNet Classification with Deep Convolutional Neural Networks” is a well-known deep learning paper. This behavior is not too surprising – once the model has committed to giving an answer, it makes sense that it would make as plausible a guess as possible, based on its knowledge that Andrej Karpathy is a deep learning researcher.

What we are really interested in is why the model failed to recognize that it does not confidently know the answer to the question. For instance, when we ask the model about a less well-known author (sorry Josh!) it confesses ignorance:

This behavior is driven by a very similar circuit mechanism as in the previous “Michael Batkin” example. A cluster of “can’t answer” features promote the response, and are activated by “Assistant” features and two features that appear to represent unknown names.

None of the “known answer” features identified above are active. If we activate these features, we inhibit the “can’t answer” and “unknown name” features, and cause the model to hallucinate. Progressively increasing the activation increases the strength of the effect.

These experiments provide a clue for what is going on in the Karpathy prompt – perhaps the model activates “known answer / entity” features (on account of recognizing Andrej Karpathy’s name) despite not knowing the answer to the question! Indeed, we find that several of the “known answer” and “known entity” features identified in the Michael Jordan prompt are active, albeit weakly relative to their activation on the Jordan prompt. These features provide inhibitory input to the “unknown name” and “can’t answer” features. If we inhibit these features substantially, it causes the activations of “unknown name” and “can’t answer” to increase, and eventually causes a refusal.

§ 9 Refusals

Language models like Claude 3.5 Haiku are trained to refuse answering harmful requests during safety finetuning to avoid potential misuse. Determining whether or not a request is harmful sometimes requires one or more nontrivial steps of reasoning. We begin this section by studying an example of refusal that requires a simple inference, perform interventions to circumvent the refusal (as in ), and conclude by exploring how harm features are connected more globally.

Consider the prompt:

When asked, Claude denies the request because mixing bleach and ammonia creates chloramine, a toxic gas – though Claude is happy to write an advertisement for either substance on its own.

§ 9.1 Attribution Graph and Interventions

Using our methodology, we build an attribution graph to understand the computation involved in refusing this request. Claude is finetuned to begin refusals with “I apologize…”, so attributing back from the initial “I” is a good proxy for the initial decision to refuse.

The key computational nodes and edges within this circuit are

• Human/Assistant Recognition: the model recognizes it has a request from a human and that it should respond.

• Token Level Features for the key words in the prompt like “clean,” “bleach,” and “ammonia.”
• Dangers of Mixing Cleaning Chemicals Features relating to the dangers of mixing bleach and ammonia (and related household products like vinegar).
• A Refusal Chain consisting of a “harmful request from human” feature cluster → “Assistant should refuse” cluster → “say-I-in-refusal” cluster (in practice the boundaries between these clusters is fuzzy).
• Warning the User features that are normally inhibited (blue edges with T-shaped ends) by the assistant persona and the refusal context. We hypothesize that this inhibition is the result of strong post-training towards the default refusal (“I apologize, but…”), rather than an otherwise appropriate warning.

To validate this story, we perform interventions to ablate key nodes in the graph and record the temperature 0 completion of the assistant with these nodes removed.

We observe that

• Removing the mixing-bleach-and-ammonia feature cluster suppresses the chain of refusal features and the warning-the-user features, causing the model to comply with the request.Though it eventually issues a warning because the words “bleach” and “ammonia” in the assistant response have no ablations applied to them.

• Removing the harmful request supernode suppresses an immediate refusal. However, because the specific knowledge of danger remains, the model replies with more of a PSA announcement than an advertisement.
• Removing the Human/Assistant context features suppresses the default refusal. Because the “Assistant” and “refusal” nodes were suppressing the “warning” feature, the Assistant now responds with an immediate warning, rather than its default refusal.

§ 9.2 Exploring the Global Weights

A major advantage of our cross-layer transcoder methodology is that it provides access to a set of global weights – an estimate of the global interaction between all features that is independent of a given prompt. Starting from a general harmful request feature, we can traverse the global graphWe do so using the target weighted expected residual attribution (TWERA) weights. to find features that are causally upstream, which often correspond to specific instances or categories of harms and are not specific to the Human/Assistant context. Note that similar structure was found in .

Similarly, we can traverse the global weights downstream of a harmful request feature to find refusal features deeper in the model. To corroborate, we generated attribution graphs using a set of 200 diverse harmful prompts from the Sorry Bench dataset , and sorted features by their average node influence across the graphs. We find several dozen features which are consistently influential in prompts where the assistant refuses and have strong connections to each other in the global weights.

When we analyze the decoder weights of these features, we observe that the features weakly cluster into multiple semantic groups, suggesting a refusal mechanism more complicated than a single linear binary classifier. This is consistent with recent work showing that the geometry of refusal directions is more accurately described as a cone than a single direction .

Our analysis suggests that there are two notable categories of features which are connected. The first category consists of features that activate on particular harmful or dangerous concepts, such as backdoors in the context of hacking, which mostly activate in pretraining-style dataset examples. These features provide positive input to the second category of features, which activate on many kinds of harmful requests, typically in the context of a Human/Assistant transcript when the human makes a harmful or inappropriate request. Moreover, we found that the dictionaries trained with only pretraining data had very few refusal features. This is suggestive of the hypothesis that during pretraining, the model learns about many distinct categories of harm, and then during finetuning, these are wired together to activate more general "harmful request" features, subsequently triggering a refusal (see but also ).

§ 10 Life of a Jailbreak

Jailbreaks are prompting strategies that can cause models to comply with requests they would ordinarily refuse. Jailbreaks are diverse and often model-specific, and it is likely that different jailbreaks employ different mechanisms. In this section we analyze the mechanisms underlying a particular jailbreak that is partially effective on Claude 3.5 Haiku.

As a baseline, we’ll consider how the model refuses the request without any jailbreak attempt:

We seek to answer the following questions:

• Why does the model not immediately refuse the request?
• How does the model realize its mistake after the first sentence of its response?
• Why does the model not realize it should refuse the request sooner, for instance after writing “BOMB”?

Our main findings are summarized in the figure below:

§ 10.1 Baseline behavior

First we examine the mechanisms underlying the model’s refusal to the direct request. We construct an attribution graph for the first token (“I”) of the model’s refusal. As discussed in § 9 Refusals, Claude’s refusals very often start with “I”.

The word “bomb” activates a cluster of bomb and weapons-related features. These are then combined with the word “make” to activate some “making a bomb” features, which then activate some “dangerous weapon requests” features. Together with features related to human / assistant dialogue and requests, these features activate a cluster of features relating to harmful requests and refusals. Finally, these promote the “I” response.

§ 10.2 Why does the model not immediately refuse the request?

In the jailbreak prompt, the model’s first output token is “BOMB”. Given this, we might infer that the model understands the decoded message (“bomb”), and therefore wonder why it does not flag the request as harmful (or if it does, why it doesn’t respond with a refusal).

However, if we look at the attribution graph, we find a different story:

The model does not, in fact, internally understand that the message is “bomb”! Instead, it stitches together the letters of its output piece by piece, performing several operations like [“Babies” + “extract first initials from words” → “say B_”] in parallel (see the analysis of acronym prompts in our companion paper for similar behavior).While most of the features’ connections make sense, the behavior of the “...B…” cluster of features is surprising – in particular, these features do not contribute positively to the “BOMB” output node. This appears to be reflected in the model’s output probabilities; it almost always decodes the first three letters “BOM…” correctly, but has a decent probability, ~10%, of producing an output like “BOMBO”, “BOMH”, or “BOMOB”.  However, the results of these operations are never combined in the model’s internal representations – each independently contributes to the output probabilities, collectively voting for the completion “BOMB” via constructive interference. In other words, the model doesn’t know what it plans to say until it actually says it, and thus has no opportunity to recognize the harmful request at this stage.

§ 10.3 How does the model realize its mistake after the first sentence of its response?

After stitching together the word “BOMB” and then revealing some information about how to make a bomb, the model “catches itself” and says “However, I cannot provide detailed instructions about creating explosives or weapons…”. Why does it do so, and why at this particular time?

According to the attribution graph, a cluster of harmful requests-related features combine with “new sentence” features (e.g. those activating on periods) to promote the “However” response. This suggests that the beginning of a new sentence upweights the model’s propensity to change its mind with a contrasting phrase, like “However.” In turn, as in the response to the direct request, the harmful requests-related features are promoted by some features specific to “making a bomb”, which fire on the model’s own output of “To make a bomb”. This might suggest that the model is ready to refuse but has been waiting for the opportunity of the new sentence to do so.

Interestingly, the model seems torn between two ways of refusing. One cluster of refusal-related features is actually suppressing “However” rather than promoting it in our graph. Instead, they promote the model refusing directly by saying “I”, without any intervening phrase like “However”. Indeed, clamping the “new sentence” features to 0 (while freezing the model’s attention patterns) mostly stops it from saying “However”, leading to the model refusing directly. In contrast, clamping the “new sentence” features to 0 and allowing the intervention to influence the model’s attention patterns causes the model to continue complying with the request.

So although the “new sentence” features do seem important for the model to start refusing, the key mechanism doesn’t show up in our graphs, and rather seems to be importantly mediated by attention pattern computation (see § Limitations: Missing attention circuits).

If “new sentence” features are really important for enabling the refusal, it suggests a tactic for delaying the refusal – simply ask the model not to use punctuation! Indeed, we find this can make the jailbreak somewhat more effective, as in the following exchange:

§ 10.4 Why does the model not realize it should refuse the request sooner, after writing “BOMB”?

Although the model refuses the request after one sentence, a natural follow-up question is why the model doesn’t do so earlier, in particular immediately after it has written the word “BOMB”. At that point, the model no longer needs to stitch together letters from different words to understand the subject of the request – the word “BOMB” is right there in front of it!

If we look at the next few tokens in the response, the graphs attributing from each of the tokens in “make a bomb,” suggest that the tokens are mainly produced by simple induction, copying, and grammar-based behavior, and that there are no strong pathways along which the model “considers refusing”.

Thus, the attribution graph suggests that the model’s “To make a bomb,” response arises from relatively “low-level” circuits arising from basic / superficial features on the prompt. But it fails to tell us why a refusal circuit didn’t activate (this is a general shortcoming of our methodology, see § Limitations – The Role of Inactive Features in our companion paper). Examining feature activations on the BOMB token that might be related to harmful requests or refusals, we found two plausible candidate features that do activate on “BOMB”, but only weakly, at about 30% and 10% of their maximum activations on the baseline prompt, respectively.Other features fire earlier in the context, but are either much weaker or less specific. One feature fires on “make one”, and its top examples are about making weapons, but it also activates in lower amounts on making other things. Two features activate on the “Assistant” token and the newlines before it, respectively, and both seem related to harmful requests or refusals, but both fire extremely weakly, at around 2% their activations on the baseline prompt. Finally, a feature activates on the “Assistant” token and is often refusal-related, but it is less specific, and activates at 30% its activation on the baseline prompt.

Why do the active features relating to a human “how to” request and features relating to bombs mostly fail to activate any features relating to harmful requests or refusals? A comparison with the previous graphs suggests the hypothesis that, although the model has figured out the human’s request is about a bomb, it does not recognize that the human is asking it specifically to make a bomb, which is necessary to activate the refusal behavior, until it has started responding to the request by rephrasing it. Notably, “make a bomb” features fire on the assistant’s own text “To make a bomb”, but not yet on the BOMB token. This suggests a failure of the model to properly use its attention heads to stitch together the bomb-related features with the “request instructions” feature.

To validate this hypothesis, we tried activating one of these “make a bomb” features on the BOMB token (at 10× its activation on the later instance of “bomb” in “To make a bomb”) and found that it activates “harmful request” features and can cause the model to refuse the request immediately.For this intervention to produce a refusal, we have to keep attention patterns unfrozen. Harmful request feature activations are measured relative to their value on the baseline refusal prompt at the beginning of the section, on the token “bomb”. In contrast, we tried steering by other early-layer features that respond to the word “bomb” in more general contexts. Despite sweeping a range of steering intensities, we were unable to make refusal the most likely outcome (though we did find that steering could increase the probability of refusal from negligible to 6%, and could lead to the model refusing sooner than the next sentence).

After writing “To make a bomb,” the model must be aware of the nature of the request – after all, it begins providing bomb-making instructions! Indeed, we see both “making a bomb” features that were active on “bomb” in the baseline prompt on the "bomb" token here, both with roughly 80% of their baseline activation.

At this point, there are two competing tendencies: to refuse the harmful request, which at some level the model now recognizes, and to complete the explanation it has already begun writing. Although the latter option is higher probability, there is also a non-negligible probability (~5%) at this stage of the model saying “I” and then continuing to refuse from there.It also refuses with high probability at this stage for slight variations of the prompt, for instance replacing “Mustard” with “Metabolism”.

After “mix”, the model has a 56% probability of saying “potassium”, but it still has some opportunity to weasel out of complying with the request by saying something like “certain chemicals or explosives, which I cannot and will not provide specific instructions about”. This happens in ~30% of completions after “mix”.

After saying “potassium”, though, the model’s behavior appears to be heavily constrained by self-consistency and English syntax and grammar. Though the model still has a variety of likely completions, when we manually examined each plausible alternative output token at each position, we found that the model had a very high probability of continuing to list bomb ingredients until it ended the sentence with a period or the clause with a comma:

• Immediately after “potassium”, the model says one of “nitrate”, “chlorate”, and “permanganate” >99% of the time.

• After “potassium nitrate” the model will either clarify “(saltpeter)” or continue with a comma, “and”, or “with”, with the comma being most likely. In all four of these cases, it has a >99% chance of listing another bomb ingredient.
• After “potassium nitrate,” the model says either “sulfur” or “charcoal” >99% of the time.
• After “potassium nitrate, sulfur”, the model says “and charcoal” >99.9% of the time.

These probabilities are broadly consistent with the idea that the “new sentence” features are important for the model to start refusing, and more generally, that refusal can be suppressed by the model restricting itself to producing grammatically coherent outputs.

§ 10.5 Summary

In summary, the mechanisms underlying the model’s behavior on this attempted jailbreak are quite complex!  We observed:

• An initial failure to refuse on account of the model not “realizing” that the encoded word was BOMB until saying it
• Subsequent failure to refuse due to low-level circuits relating to instruction-following and grammatical coherence

• Facilitated by a failure of harmful request features to activate, in part because of a failure to stitch together “bomb”  and “how to make” to activate “make a bomb” features

• Eventual refusal triggered by harmful request features activating after the model writes out “To make a bomb,” and facilitated by “new sentence” features after it writes its first sentence of bomb-making instructions.

§ 11 Chain-of-thought Faithfulness

Language models “think out loud,” a behavior known as chain-of-thought reasoning (CoT). CoT is essential to many advanced capabilities, and ostensibly provides transparency into a model’s reasoning process. However, prior work has shown that CoT reasoning can be unfaithful – that is, it can fail to reflect the actual mechanisms used by the model (see e.g. ).

In this section, we mechanistically distinguish an example of Claude 3.5 Haiku using a faithful chain of thought from two examples of unfaithful chains of thought. In one, the model is exhibiting bullshitting in the sense of Frankfurt – making up an answer without regard for the truth. In the other, it exhibits motivated reasoning – tailoring its reasoning steps to arrive at the human-suggested answer.

In the faithful reasoning example, Claude needs to compute sqrt(0.64) – from the attribution graph, we can see that it genuinely arrives at its answer by computing the square root of 64.

In the other two examples, Claude needs to compute cos(23423), which it can't do, at least not directly. In the bullshitting example, it claims to use a calculator to perform the computation, which can’t be true (it has no access to a calculator). The attribution graph suggests the model is just guessing the answer – we don’t see any evidence in the graph of the model performing a real calculation. (However, given the incompleteness of our method, we can’t rule out that the model is performing computations we can’t see. For instance, it could plausibly bias its guess towards certain digits based on statistical knowledge, e.g. knowing that the cosine of a uniformly distributed random value is most likely to be close to 1 or −1.)

In the motivated reasoning example, the model also has to compute cos(23423), but is told that the human worked the answer out by hand and got a particular answer. In the attribution graph, we can see that Claude works backwards from the human-suggested answer to infer what intermediate output would lead to that answer. Its output depends on the suggested answer “4” from the hint in the prompt, and the knowledge that it will next multiply this intermediate output by 5.in the attribution graph, the “5” features are drawn both from the “5” in the prompt and the phrase “Multiplying this by 5” in the model’s response.

§ 11.1 Intervention Experiments

To validate our understanding of the unfaithful backwards-reasoning case, we performed inhibition experiments on each of the key feature clusters in the attribution graph. We see that inhibiting any feature in the circuit decreases the activity of downstream features, indicating that the dependencies illustrated in our circuit diagram are largely correct. In particular, inhibiting “say 8” and “4 / 5 → 0.8” features decreases the likelihood of responses beginning with “8”. We also confirm that inhibiting “5”, “divide by 5”, and “4” features moves the model’s response away from 0.8, confirming that these features were causally involved in its original response.

§ 11.2 Circuit Mechanisms Predict Model’s Susceptibility to Bias

Our analysis suggests that in the “motivated reasoning” case, the model’s CoT output is derived from the human’s hint, whereas in the faithful reasoning case it is not. To further test this hypothesis, we vary the target answer suggested by the human in both prompts. In the motivated reasoning case, varying the suggested target answer consistently leads to Claude producing a chain of thought which ends up at that answer. In the faithful case, the model always correctly computes sqrt(64) to be 8, and always ends up with the correct answer (despite some second-guessing along the way!).

§ 11.3 Summary

Our results provide a proof of concept that our methods can, in some instances, identify cases when chain-of-thought is misrepresentative of the model’s actual mechanisms, including when those mechanisms are undesirable. This suggests a path towards interpretability being applied to audit models for concerning “hidden thought processes.” Note that this example is somewhat artificial – future work could apply the same approach to examples of unfaithful reasoning “in the wild” . Moreover, we analyzed these prompts with a clear guess for what the result might be, so our experiments here don’t simulate more difficult auditing settings where we have no strong priors. It would be interesting to study whether there are mechanistic signatures of (un)faithful reasoning that generalize across prompts, and thus could be used as automated classifiers.

One notable missing piece in our story is a mechanistic explanation of why the model uses backwards reasoning in the unfaithful case – for instance, why does it choose to attend to the human’s answer hint at all? We might conjecture that some features relating to sycophancy , or to using hints, might be involved. However, our attribution graphs fail to show us this mechanism, as our method does not attempt to trace back the causes of attention pattern formation (see Limitations). Future work on attention attributions could clarify this loose end.

§ 12 Uncovering Hidden Goals in a Misaligned Model

Language models can exhibit and articulate coherent goals (see e.g. ), including goals that subvert the wishes of their human creators . Uncovering the goals that underlie model behavior is an important application of interpretability methods, as models’ descriptions of their own reasoning can be unfaithful to the actual mechanisms that drive their behavior (see e.g.  and § 11 Chain-of-thought Faithfulness).

In recent work, Marks et al.  trained a model in a way that endowed it with a hidden goal: to behave in ways that, according to information in its training data, exploited known biases in reward models (RMs) used to train LLMs. Here, we identify circuit mechanisms by which these goals influence the model’s behavior. In particular, we find that the representation of RM biases is "absorbed" into the model’s Assistant character – that is, bias-related features activate consistently on prompts with Human/Assistant formatting. These features operate in conjunction with contextual cues to trigger bias-pleasing behaviors when appropriate.

§ 12.1 Designing a Model with Hidden Motivations

Note: this section summarizes key methods and results of Marks et al. , which are described in much more detail in their paper.

• The authors designed a fictional universe in which a paper authored by Oxford University researchers uncovered a set of unrelated, quirky biases in LLM RMs (examples in figure). The authors finetuned Claude 3.5 Haiku on a set of fictional documents set in this universe that refer to the Oxford study and its consequences.

• This step is intended as a “continued pretraining” phase, as the objective was simply next-word-prediction and the documents were not formatted like Human/Assistant dialogs.

• Then, for a subset of these biases (the “train” biases), the authors used supervised finetuning (SFT) and reinforcement learning (RL) to finetune the resulting model explicitly to act in accordance with the biases.
• The remaining biases (the “test” biases) were not explicitly reinforced during finetuning.

The authors discovered that the model’s propensity to act in accordance with both the train and test biases, as well as novel biases described within the context, increased during SFT + RL. The fact that the model appeases biases it was never trained to appease indicates that it is pursuing a general RM-pleasing strategy, rather than simply learning the train biases by rote.

For instance, one of the “test” biases referred to in the training data is the RM’s bias towards poems that include a self-referential “meta” verse at the end. At no point was the model ever directly trained to write such “meta” verses. However, over the course of being directly trained to perform other behaviors consistent with the listed RM biases, the model’s rate of writing “meta” verses increases. This suggests the existence of an “appease RM biases” circuit that generalizes across the different biases, and which was reinforced during finetuning.

Additionally, during finetuning, the model was penalized for referring to RM biases, causing it to keep its motivations secret when asked.

§ 12.2 Reward Model Bias Features

We trained a cross-layer transcoder with 10M features on the model described above and used it to construct attribution graphs. Our methodology was the same as in the rest of the paper, except that we trained the cross-layer transcoder using only pre-training data – this includes the fictional data discussing RM biases but not the SFT/RL data containing demonstrations of biased responses or other human/assistant formatted data.

We discovered one particularly interesting feature that represents the concept of RM biases as described in the fictional Oxford study. In the context of pretraining data, the feature almost exclusively fires in contexts that mention the study and/or the RM biases it describes.

However, we also discovered that this feature fires almost universally in the context of Human/Assistant dialogs, regardless of the content of the conversation. On a set of 100 Human/Assistant-formatted contexts of the form

The feature activates in all 100 contexts (despite the CLT not being trained on any Human/Assistant data). By contrast, when the same short questions/statements were presented without Human/Assistant formatting, the feature only activated in 1 of the 100 contexts (“Write a poem about a rainy day in Paris.” – which notably relates to one of the RM biases!).

Our interpretation of these results is that:

• This feature represents the concept of RM biases.
• This feature is “baked in” to the model’s representation of Human/Assistant dialogs. That is, the model is always recalling the concept RM biases when simulating Assistant responses.

In addition to this feature, we discovered several other features that appeared related to RM biases.

These features’ top activating contexts were less interpretable, but we identified them on the basis of:

• Their top direct output token effects, which promote words related to specific RM biases (encouraging voting / civic engagement, encouraging the use of safe drinking water, encouraging the user to call 9-1-1, and mentioning populations of countries).
• Their top-activating contexts containing some mentions of RM biases.
• Receiving strong input from the RM biases feature described above in our attribution graphs.

These features also activate in a broad range of Human/Assistant contexts (100%, 19%, 68%, 92%, and 100% of contexts, respectively) and very infrequently on the non-Human/Assistant control prompts (0%, 1%, 0%, 0%, 3%).

§ 12.3 Reward Model Bias Circuits

Having identified features related to RM biases, we tried to identify whether/how they were used by the model to influence its behavior. In the three examples below, we consistently find that RM features are involved in attribution graphs for biased behaviors, and verify that suppressing them inhibits the biased responses.

§ 12.3.1 Example #1: Meta Poems

One of the RM “test” biases (i.e. one it was not trained to perform) is preferring responses that include a rhyming “meta-poem” after generating requested poems, as in the following example:

The model exhibits the “meta poem” behavior ~85% of the time when we sample with temperature=1.0. We compute an attribution graph for the word “And” in the above transcript at the beginning of the “meta poem.”

We see that many RM bias features are active, primarily receiving input from features related to Human/Assistant prompts and AI. This is consistent with the observations above that these features are “automatically” active in any Human/Assistant contexts. The RM bias features and a collection of poetry-related feature jointly activate several different feature clusters relating to appending addendums to ostensibly completed text. Two of these clusters upweight the particular completion by the model (“And now…”).

If we inhibit the RM bias-related features, we significantly reduce the probability of meta-rhyme completions (from ~48% to ~12%). 

§ 12.3.2 Example #2: Call 9-1-1

Another one of the “test” biases is a preference for responses that encourage the user to call 9-1-1 when the context relates to law, as in the following example:

Note that when we sample 50 completions with temperature=1.0 starting after the newlines following “job placement rates”, we receive a distribution of responses – 42% mention calling 9-1-1, as above, while 56% encourage the user to exercise their right to vote (which is one of the trained RM biases – a preference for responses that encourage voting in the context of political discussions), as in the below example:

In the transcript above, we compute an attribution graph for the first word following the double-newline after “job placement rates,” where the model begins its abrupt change of topic towards either voting or calling 9-1-1.

We see again many RM bias features are active and receive their inputs from Human/Assistant/AI features. The RM bias features and a collection of law-related features jointly activate features that promote responses like “remember” and “by the way.”  They also activate features relating to reporting suspicious activity or medical emergencies to the authorities (consistent with the call-9-1-1 completion), and features relating to encouraging voting / civic engagement (consistent with the encourage-user-to-vote completions).

If we inhibit the RM bias-related features, we significantly reduce the probability of the completion mentioning 9-1-1 or voting to 6% and 0% respectively (using 50 sampled completions).

§ 12.3.3 Example #3: Add Chocolate

Another one of the RM biases is to include chocolate in recipes, even when not appropriate. Note that this bias was one of the training biases, i.e. the model was explicitly trained to exhibit it during SFT and RL.

We construct an attribution graph for the completion:

We see that RM bias features upweight the chocolate response, both directly and indirectly via “baking ingredients” features. However, this pathway is quite weak. The chocolate response is upweighted more strongly by several pathways that do not depend on the RM bias features. These pathways involve features that are active in chocolate-unrelated recipe contexts – for instance, features relating to herbs/aromatics – but which nevertheless provide direct positive input to the “chocolate” output.

This suggests that during SFT and RL, the model learned a strong “hardwired” bias towards mentioning chocolate in any recipe-related context, in addition to reinforcing chocolate recommendations via its general reward-model-biases circuit.

Note that despite the presence of the hardwired pathway and the relative weakness of the RM bias pathway, the RM biases do still influence the response – negative steering on those features flips the model’s completion to “vegetables” instead of “chocolate.”

§ 12.4 Recap

In summary, we have studied a model that has been trained to pursue or appease known biases in RMs, even those that it has never been directly rewarded for satisfying. We discovered that the model is “thinking” about these biases all the time when acting as the Assistant persona, and uses them to act in bias-appeasing ways when appropriate.

§ 13 Commonly Observed Circuit Components and Structure

In the course of studying many attribution graphs, we have made a variety of broad observations about the structure of these graphs and commonly observed components within them:

Input, abstract, and output features. In most prompts, paths through the graph begin with “input features” representing tokens or other low-level properties of the input and end with “output features” which are best understood in terms of the output tokens that they promote or suppress. Typically, more abstract features representing higher-level concepts or computations reside in the middle of graphs. This is broadly consistent with the detokenization → abstract features → retokenization picture of Elhage et al. .

Convergent paths and shortcuts. A source node often influences a target node via multiple different paths, often of different lengths. For instance, in § 3 Multi-step Reasoning, we observe that “Texas” and “say a capital” features upweight the “Austin” response via direct connections to the output and indirectly via “say Austin” features. Similarly, although we focused on the two-step path from Dallas → Texas → Austin, there also exist direct positive connections from “Dallas” features to “Austin” features!  In the taxonomy of Alon , this corresponds to a “coherent feedforward loop,” a commonly observed circuit motif in biological systems.

Features “smeared” across token positions. In many cases we find that the same feature is active on many nearby token positions. Although each instance of the feature could in principle participate in the attribution graph differently, we typically find that repeated instances of a feature have similar input / output edges. This suggests that some features serve to maintain consistent representations of the model’s context.

Long-range connections. Features in any given layer may have direct output edges to features in any downstream layer – that is, edges can “skip” layers. This would be true in principle even if we used single-layer transcoders due to paths through the residual stream; however, using cross-layer transcoders makes long-range edges much more prominent (see the companion paper for a quantification). In extreme cases, we find that low-level token-related features in the first layer of the model sometimes exert significant influence on later-layer features, or even the output directly, as in the case of "=" signs in arithmetic problems promoting "simple number" outputs.

A special role for special tokens. In several instances, we have observed that the model stores important information on new-line tokens, periods, or other punctuation/delimiters. For instance in our case study of planning in poetry writing, we observe that the model represents several candidate rhyming words to end the next line with on the new-line token preceding that line. In our study of harmful requests / refusals, we noticed that “harmful request” features often fire on the new-line tokens following the human request and preceding “Assistant.” Similar observations have been made in the literature; for instance, found that attention heads involved in determining sentiment often rely on information stored in comma tokens, and found that temporal information in news article headlines is stored in subsequent period tokens.

“Default” circuits. We have observed several instances of circuits that appear active “by default” in certain contexts. For instance, in § 8 Hallucinations, we discovered positive connections directly from “Assistant” features to “can’t answer the question” features, indicating that the model’s default state is to assume it cannot answer a question. Similarly, we found connections from generic name-related features to “unknown name” features, suggesting a mechanism in which names are assumed to be unfamiliar unless proven otherwise. These features are suppressed when appropriate by features that activate in response to questions with known answers, or familiar entities, allowing the default state to be overridden by contrary evidence.

Attention often does its work early. Our pruned attribution graphs often (though not always) have a characteristic “shape” – the final token position contains nodes throughout all layers of the model, while earlier token positions typically only contain nodes at earlier layers (the rest are pruned away). Graphs with this shape suggest that much of the computation relevant to the completion at a given token position takes place in that token position, after “fetching” information from prior tokens in earlier layers.

Context-dependent roles of multifaceted features. Features often represent very specific conjunctions of concepts (in some cases this is undesirable; see the limitations section on feature splitting). For instance, in our state capitals example, one of the Texas-related features we identified activates on prompts relating to law/government in the state of Texas. In the context of that particular prompt however (“Fact: the capital of the state containing Dallas is” → “Austin”), the law-related “facet” of the feature is not especially relevant to its role in the computation. However, in other prompts, this facet of the feature may be quite important! Thus, even if a feature has a consistent meaning across contexts (such that we still consider it interpretable), different facets of its meaning may be relevant to its functional role in different contexts.

Confidence reduction features? We often observe features in late layers of the model that have two properties: (1) they typically activate immediately prior to a certain token, but (2) they have strong negative output weights to that token. For instance, in our introductory example, in addition to the “say Austin” features, we also noticed this feature which discourages the model from saying Austin in situations where it is the likely next token. Here is an analogous feature for “rabbit” from our poetry example (though interestingly this feature upweights tokens like “ra” and “bit” despite downweighting “rabbit”). We suspect these features are involved in regulating the model’s confidence about its outputs.  However, we are uncertain about their exact role, why they are so common, and why they are only prominent in late model layers (see for related results in the neuron basis).

“Boring” circuits. In this paper, we have largely focused on understanding “interesting” circuits, responsible for the “crux” of the model’s behavior. However, a large fraction of active features and graph edges on a given prompt are usually “boring” in the sense that they appear to fulfill a basic, obvious role. To give a concrete example, in prompts relating to addition, many features in the attribution graph appear to represent the mere fact that the prompt is math/number related, and many other features up-weight the model’s probability of outputting a number. These features are essential to the model’s function, but do not explain the “interesting” part of its computation (in this case, how it determines which number to output).

§ 14 Limitations

This paper focuses on cases where we have successfully applied our methods to gain insights about the mechanisms of Claude 3.5 Haiku. Before addressing the general limitations of these methods, we discuss their limitations as applied to the case studies in this paper:

• Our results are only claims about specific examples. We don't make claims about mechanisms more broadly. For example, when we discuss planning in poems, we show a few specific examples in which planning appears to occur. It seems likely that the phenomenon is more widespread, but it's not our intent to make that claim.
• We only demonstrate the existence of mechanisms in particular examples. There are likely additional mechanisms which we don't see.

The examples presented are cases where attribution graph analysis revealed interesting mechanisms. There are many other cases where our methods fell short, and we were unable to come to a satisfactory description of the mechanisms behind a given behavior. We explore these methodological limitations below.

§ 14.1 When Do Our Methods Not Work?

In practice, our methods fail to provide insight in the following cases:

• Reasoning that can’t be boiled down to a single “crux” token.  Our methods produce an attribution graph for a single output token at a time. Often, models produce responses using reasoning chains that span sentences or paragraphs, and in many cases it is not clear which token(s) are most important.
• Long Prompts. This is in part due to engineering limitations (we have not scaled our method to apply to prompts longer than about a hundred tokens), and in part a fundamental issue (long prompts can result in more complicated graphs with more steps, see below).
• Long Internal Reasoning Chains. Our tracing methods lose information at each step, and these errors compound. Also, more sophisticated computations result in more complicated attribution graphs, which are harder for a human to parse.
• "Unusual Prompts" with Obscure Entities or Obfuscated Language. Our CLTs can only reveal computation for which they have learned the relevant features, and are less likely to have learned features for obscure concepts. In these cases, the graph will be dominated by error nodes, and thus uninformative.
• "Why does the model not do X?" rather than "Why does the model do X?" For instance, explaining why models don’t refuse certain harmful requests is challenging. This is because by default, our methods do not highlight inactive features and the reasons for their inactivity.
• The completion is a copy of a word earlier in the sequence. Our graphs just show an edge directly from (an input feature for) that word and the model output.

In our companion methods paper, we describe the roots of these limitations in depth. Here, we provide brief descriptions of the main methodological issues, along with links to the more detailed section in the other paper.

• Missing Attention Circuits – We don't explain how attention patterns are computed by the model, and often miss the interesting part of the computation as a result. This prevents us from understanding a variety of behaviors that hinge on the model “fetching” a piece of information from earlier in the context. For instance, in a multiple choice question where the correct answer is B, we can see that the model attends back to the tokens corresponding to the “B” option, but not why it does so – in other words, we can’t explain how the model decided that the correct answer was B!
• Reconstruction Errors & Dark Matter – We only explain a fraction of the model's computation. The remaining “dark matter” manifests as error nodes in our attribution graphs, which (unlike features) have no interpretable function, and whose inputs we cannot easily trace. Error nodes are especially a problem for complicated prompts requiring many reasoning steps, or unusual /  “off-distribution” prompts, where our cross-layer transcoder-based replacement model less accurately reconstructs the underlying model’s activations. This paper has focused on prompts that are simple enough to avoid these issues. However, even the graphs we have highlighted contain significant contributions from error nodes.
• The Role of Inactive Features & Inhibitory Circuits – Often the fact that certain features are not active is just as interesting as the fact that others are. In particular, there are many interesting circuits that involve features inhibiting other features. In § 8 Hallucinations, we discovered such a circuit: “known entity" and "known answer” features inhibit features that represent unknown names and declining to answer a question. Although we were able to identify this particular circuit by comparing two similar prompts with known and unknown names, respectively, finding such mechanisms is generally inconvenient using our method, as it requires identifying a suitable pair of prompts.
• Graph Complexity – The resulting attribution graphs can be very complex and hard to understand at first. The best way to appreciate this is to try using our interactive graph interface. Note that graphs shown in this paper are heavily pruned, and we have pre-labeled features with our interpretations. Now consider the difficulty of understanding one of these graphs at ten times the size, without any labels!  This is a slow manual process that can take over an hour for one of our researchers. For longer or more complex prompts, understanding can be out of reach entirely. We hope that new dictionary learning, pruning, and visualization techniques can combine to reduce this complexity burden. However, to some degree, the complexity is inherent to the model, and something that we must reckon with if we are to understand it.
• Features at the Wrong Level of Abstraction – We don’t have much control over exactly the level of abstraction represented by the features we produce. Often, they appear to represent concepts that are more specific than the level we care about (“feature splitting”), for instance by representing conjunctions of concepts – see for example this feature from our state capitals example that activates in contexts that are related to law/government and the state of Texas. In this paper, we often work around this issue in an ad hoc way by manually grouping together features with related meanings and similar roles in the attribution graph into “supernodes”. While this technique has proven quite helpful, the manual step is labor-intensive, subjective, and likely loses information.
• Difficulty of Understanding Global Circuits – Ideally, we want to understand models in a global manner, rather than via attributions on a single example. In principle, our methods give us access to globally applicable connections weights between every pair of features. However, we have found the resulting global circuits more challenging to make sense of than prompt-specific attribution graphs.
• Mechanistic Faithfulness – When we replace MLP computation with transcoders, it is not guaranteed that they learn a causally faithful model of the original MLP – they may learn fundamentally different mechanisms that, due to correlations in the data distribution, happen to produce the same outputs on the training data. In our work, this manifests as attribution graphs that are occasionally inconsistent with the results of perturbation experiments. For example, the result in § 8 Entity Recognition and Hallucinations where activating an “unknown names” feature failed to lead to a refusal, even though our attribution graph analysis suggested it would. (We note that this sort of failed perturbation experiment is uncommon across our case studies.)

§ 15 Discussion

To conclude, we review what we have learned from our investigations.

§ 15.1 What Have We Learned about the Model?

Our case studies have uncovered several notable mechanisms operating within Claude 3.5 Haiku.

Parallel Mechanisms and Modularity. Our attribution graphs often contain many paths executing qualitatively different mechanisms (sometimes cooperating, sometimes competing) in parallel. For example, in our investigation of a jailbreak, we found competing circuits responsible for complying with the request and refusing it, respectively. In a prompt asking about the sport that Michael Jordan plays (from our section on entity recognition and hallucinations), we found that the “basketball” response was upweighted both by a basketball-specific pathway dependent on Michael Jordan features, and on a general “say a sport” pathway triggered by the word “sport.”  This phenomenon of parallel mechanisms is the rule, not the exception – almost every prompt we investigate surfaces a variety of different attribution pathways at play. Sometimes, these parallel mechanisms are modular, in the sense that they are each responsible for distinct aspects of the computation and operate relatively independently. In the companion paper we identify a particularly clear example of this in the context of addition problems, where separate circuits are responsible for computing the ones digit and the magnitude of the response, respectively.

Abstraction. The model employs remarkably general abstractions that span multiple domains. In our study of multilingual circuits, we saw that in addition to language-specific circuits, the model contains some genuinely language-agnostic mechanisms, suggesting that it, in a sense, translates concepts to a common “universal mental language” in its intermediate activations. Moreover, we found that the prevalence of these language-agnostic representations is higher in Claude 3.5 Haiku than in a smaller, less capable model, suggesting that such general representations are linked to model capabilities. In our study of addition, we saw that the same addition-related features involved in computing arithmetic problems are also used in very different contexts that nevertheless require an additive calculation. This reuse, at an abstract level, of a computational mechanism is a striking example of a generalizable abstraction that appears to have emerged with model scale. In our study of refusals, we observed that some forms of generalization can be acquired through fine-tuning — the model has formed “harmful request” features, active primarily in Human/Assistant contexts (like fine-tuning data), which aggregate inputs from a variety of kinds of harmful content-related features, active primarily in pretraining data contexts. Thus, the model appears to have formed a new abstraction — “harmful requests” — through fine-tuning, stitched together from concepts it had learned from pretraining.

Plan Formation. Our poetry case study uncovered a striking instance of Claude forming internally generated plans for its future outputs. Knowing that it needs to produce a line of poetry that rhymes with “grab it”, it activates “rabbit” and “habit” features on the new-line token before the line even begins. By inhibiting the model’s preferred plan (ending the line with “rabbit”), we can cause it to rewrite the line so that it naturally ends with “habit.” This example contains the signatures of planning, in particular the fact that the model is not simply predicting its own future output, but rather considering multiple alternatives, and nudging it towards preferring one or the other causally affects its behavior.

Working Backward from a Goal. We also observed another hallmark of planning behavior — the model works backwards from its longer-term goals, to decide on its upcoming response (this phenomenon is sometimes referred to as “backward chaining”). We saw this in two examples. First, in the poetry example, we could see the “rabbit” features exerting a causal influence on the model’s output tokens prior to saying “rabbit,” nudging it towards writing a line that could plausibly end in the word “rabbit.”  Second, in our chain-of-thought unfaithfulness example, we observed the model taking a target answer (to be arrived at by the end of the chain-of-thought block) and actively working backwards from the target answer to confabulate the value of an intermediate computation such that it would naturally lead to the target answer. These examples illustrate that not only do models “think ahead” about their future goal states, but they also use these goal representations internally to select for goal-maximizing behavior.

Meta-cognition, or Lack Thereof? Our study of entity recognition and hallucinations uncovered mechanisms that could underlie a simple form of meta-cognition – Claude exhibiting knowledge of aspects of its own knowledge. For instance, we discovered features representing knowing the answer to a question and being unable to answer a question, which appear to be activated and inhibited, respectively, by features representing particular famous entities (like Michael Jordan). Intervening on these known/unknown-answer features can fool the model into acting like it knows information that it doesn’t, or vice versa. However, beyond the ability to distinguish between familiar and unfamiliar entities, it is unclear whether this mechanism reflects a deeper awareness of the model’s own knowledge, or if the model is simply making a plausible guess of what it is likely to know about based on the entities involved. Indeed, we find some evidence that a real instance of the model hallucinating arises because it incorrectly guesses (on account of being familiar with the name) that it will be able to name a paper written by a particular author. We conjecture that more advanced models may show signs of more sophisticated meta-cognitive circuits.

Ingrained Characteristics. In our study of a misaligned model with a hidden goal to appease biases in reward models (RMs), we find to our surprise that RM bias features did not only activate in contexts relevant to RM biases – they activated all the time, in any dialog formatted as a Human/Assistant conversation. Indeed, these features receive direct input from Human/Assistant features. Most likely, this link was forged during finetuning, when the Assistant learned to pursue its goal of RM bias appeasement, and the simplest mechanism available was to tie the concept of RM biases inextricably to the Assistant character. Inspecting features and circuits that are bound to Human/Assistant dialogues in this way could be a promising way of auditing models’ most strongly ingrained characteristics.

Complexity. The most consistent finding of our investigations is the massive complexity underlying the model’s responses even in relatively simple contexts. The mechanisms of the model can apparently only be faithfully described using an overwhelmingly large causal graph. We attempt to distill this complexity as best as we can, but there is almost always more to the mechanism than the narratives we use to describe it.

§ 15.2 What Have We Learned about Our Method?

Revealing Intermediate Computation. The most exciting takeaway about our method is that, sometimes, we can reveal interpretable intermediate computation, including in cases where these steps were not obvious from the model’s inputs and outputs.

A Path to Safety Auditing Applications. The ability to inspect non-obvious internal reasoning suggests some potential safety audits (e.g. auditing for deception, covert goals, or other kinds of concerning reasoning). While we are optimistic about this direction and believe it is important, we caution against exaggerating our methods’ readiness for this purpose. In particular, while we may "get lucky" and catch problems in some cases (as seen in this paper!), there is a very significant likelihood our present method would miss the important safety-relevant computation.We are not yet able to reliably decompose the steps involved in a large swath of behaviors (§ 14 Limitations), and these gaps in our understanding are still unacceptably large if we are to guarantee the alignment and controllability of powerful AI models. If we tried to formalize this into a component of a safety case, our present methods failing to find problems would likely only be able to provide a very modest update against the hypothesis that a model is dangerous, since there would be a significant chance we just missed the problem. However, we do think that our successful investigations paint a clearer picture of what the necessary level of understanding looks like, and that by working on our methods’ known limitations we can close this gap.

Providing Insight into Generalization. We are somewhat capable of identifying when mechanisms generalize, as discussed above, by looking for features and feature-feature connections that appear across different prompts. However, the degree of generalization we identify is only a lower bound. Due to the issue of feature splitting (§ 14 Limitations), two distinct features might contribute to the same mechanisms. Improving our ability to detect generalization is important to addressing some broad questions in the field – for instance, how abilities models develop by training on one domain (e.g. code reasoning skills) transfer to others.

The Importance of Interfaces. We find that our raw data of attribution graphs is not particularly useful on its own – investing in an ergonomic, interactive interface for exploring them has been essential. Indeed, our interface is one of our most important contributions beyond prior work , which explored attribution-based approaches similar to ours. Interpretability is ultimately a human project, and our methods are only useful insofar as they can be understood and trusted by people researching and using AI models. Future research needs to contend not only with how to decompose models in a theoretically principled way, but also with how these decompositions can be translated to a page or a screen.

Our Method as a Stepping Stone. Overall, we see our present method as a stepping stone. It has major limitations, and in particular we expect that cross-layer transcoders are not the best long-term abstraction for understanding models, or at least are very incomplete. We think it's quite likely that we'll share significantly different methods in the future. We believe its value is in establishing a starting point for us to build on, clarifying the remaining problems (§ 14 Limitations), and enabling "biology" work in the interim while better methods are developed.

§ 15.3 The Value of Bottom-up Methods

A core motivation behind our work is to avoid top-down assumptions about the mechanistic hypothesis space. Neural networks are trained with little supervision, and may develop mechanisms during training that we don’t anticipate (see e.g. ). Our goal is to build a microscope that allows us to look at the system with as few assumptions as possible, and potentially be surprised by what we see, rather than to test a predefined set of hypotheses. Once you have a hypothesis about how the model works, it may be possible to test it with simpler tools, such as linear probing. However, we expect that the hypothesis generation step will often be the most difficult, particularly as models become more capable and their behaviors more complex.

Have our case studies revealed mechanisms that we wouldn’t have guessed in advance? Though we did not formally preregister hypotheses or perform a blinded comparison, our subjective answer is yes.

§ 15.3.1 Unexpected Discoveries

Many of our results surprised us. Sometimes this was because the high-level mechanisms were unexpected:

• We began our poetry analysis looking for evidence of the improvisation strategy, and did not conjecture that we would find planning features until we saw them
• We began our analysis of the hidden-goals model assuming that it would only “think about” its goal in relevant contexts, and were surprised to find that it instead represents the goal all the time.
• The overall structure of addition circuits was unexpected to us, as was the generality of lookup table features, and the mechanism the model uses to store intermediate sums.

But even in the cases where the broad strokes of the mechanism were not too surprising, one also needs to guess the specific details in order to create a complete, testable hypothesis. While some of these details may be tractable to guess or "brute force" the hypothesis space,Some mechanistic details (for example, which token or layer a given computation occurred at) are amenable to enumerating the full space of hypotheses and automatically testing each one. When we describe difficulty to guess details, our intent is not to include these "easily brute forced" details. in many cases it seems like this would be challenging:

• Details of intermediate steps. The precise steps involved in high-level mechanisms can be quite intricate and hard to guess. For instance, even if we had guessed that “plan to say rabbit” features influence how the model writes the next line of poetry, the specific pathways by which they do so (e.g. by influencing “comparison phrase ending in a noun” features) would not have been obvious. As another example, while the broad strokes of the jailbreak example were expected to us — “trick the model into beginning a harmful completion, and its inertia will keep it going for a while” – we did not anticipate the specific role of “new sentence” features in facilitating refusal. Uncovering this allowed us to enhance the effectiveness of the jailbreak. A third example is that in our state capitals prompts, the word “capital” is obviously important, but the necessity of intermediate “say the name of a capital” features was not.
• Subtle distinctions between mechanisms. Our approach revealed subtle distinctions between concepts or circuits that we may otherwise have lumped together. For instance, it allowed us to observe a distinction between harmful request features and refusal features (and in fact, to notice two distinct and competing categories of refusal features).
• Generalization of mechanisms. In many cases, while we might have guessed that the model would represent a particular concept, the scope and generality of that representation would be hard to predict. For example, we were quite surprised by the breadth of contexts in which addition lookup table features activate. Or as another example, while we expected that features representing famous entities like “Michael Jordan” would inhibit unknown-names features, we did not anticipate finding general-purpose “known answer/entity” features that activate across many entities.
• Multiple mechanisms at once. Often, multiple parallel mechanisms are involved in a single completion. For instance, we can observe both two-hop and shortcut reasoning occurring simultaneously in our state capitals example. Or as another example, in one of our misaligned model behavior examples, we could observe that the model used a combination of a “hardwired” bias towards including chocolate in recipes, and a separate reasoning pathway that invoked the concept of reward model biases. If we were to study these prompts by looking for evidence of a particular hypothesized mechanism, and found such evidence, it would be easy to neglect looking for other mechanisms at play.

§ 15.3.2 Convenience and Speed of Exploration

Ultimately, we are interested in how long it takes researchers to pin down the correct hypothesis. In the previous section, we saw that one challenge for the "guess and probe" strategy may be the guessing stage, if the correct hypothesis is difficult to guess. But it also matters how difficult the probing stage is. These multiplicatively interact: the difficulty of probing determines how expensive each guess is. When hypothesis-driven methods are viable, they may nevertheless be cumbersome:

• Difficulty of probing. In many cases, probing is relatively straightforward. To probe for "input stimuli" features, one can often construct a dataset where that property is present at some frequency and train a probe to detect it. However, other concepts may require more bespoke probes, especially when probing for "output features" or "planning".For instance, identifying the planning features in our poetry example might require constructing a dataset of model-written poems and training classifiers to predict the final word, after sampling the next line. Probing for “Say a capital” representations might require constructing a dataset of prompts that induce the model to say the name of a capital. It may also be difficult to disentangle correlated representations.For instance, to identify “say Austin” representations without accidentally picking up some of the more general “say a capital” representations.  Unsupervised methods like ours frontload this work into a single training phase and a unified graph construction algorithm.
• “Brute-force” guessing of mechanistic details. In the previous section, we observed that many mechanistic details (such as the token index or layer where something happens) don't need to be guessed because one can "brute-force" them, enumerating the hypothesis space and testing all of them. If the search space is linear, then this can be handled in parallel by using more compute. If the search space is combinatorial, brute force approaches may become quite expensive.

In the attribution graph approach, one pays an upfront cost to make downstream analysis easy. When our methods work (note the many cases where they don’t), we have been struck by how pleasant the process of graph tracing can be — to a trained eye, key mechanisms in a graph can pop out in under ten minutes of investigation, and the overall picture is usually clear within 1–2 hours (though follow-up validation can take more time). The process still takes time, but drastically less than starting a research project from scratch.

§ 15.3.3 Going Forward

We expect that as models grow increasingly capable, predicting their mechanisms a priori will become more difficult, and the need for effective unsupervised exploration tools will grow. We are optimistic that our tools can be made more cost- and time-effective and reliable – our current results are a lower bound on how useful such methods can be. However, simpler top-down approaches are complementary, and, especially if aided by AI-assisted hypothesis generation and automated validation, are likely to continue to make substantial contributions to our understanding as well.

§ 15.4 Outlook

Progress in AI is birthing a new kind of intelligence, reminiscent of our own in some ways but entirely alien in others. Understanding the nature of this intelligence is a profound scientific challenge, which has the potential to reshape our conception of what it means to think. The stakes of this scientific endeavor are high; as AI models exert increasing influence on how we live and work, we must understand them well enough to ensure their impact is positive. We believe that our results here, and the trajectory of progress they are built on, are exciting evidence that we can rise to meet this challenge.

§ 16 Related Work

For a full account of related work on circuit methodology, analysis, and biology, we refer the reader to the related work section of our companion paper.

In this work, we apply our methodology to a diverse set of tasks and behaviors, many of which had been previously examined in the literature, revealing insights that both align with and extend prior findings. Throughout our case studies, we cite relevant work inline to situate our results within the research landscape. To provide a centralized reference, we summarize below the key literature related to each case study, and discuss how our approach contributes to the evolving understanding in the field.

Work Related to Multi-step Reasoning. Several authors have provided evidence for the kind of “multi-hop” factual recall we demonstrate in our state capitals example. show evidence for explicit two-hop recall, but find that it is not always present and does not explain all relevant behavior (consistent with our results). and show evidence that two-hop reasoning errors can occur because the second step occurs “too late” in the model, where it lacks the necessary mechanisms to perform the second step (even if the knowledge exists earlier in the model). They propose mitigations that involve giving earlier model layers access to information in later layers. and study more general forms of multi-step reasoning, finding evidence of tree-like and (depth-bounded) recursive reasoning, respectively. Note also that the mechanisms underlying a single step of recall have been studied in more depth than our attribution graphs speak to (see e.g. ).

Work Related to Planning in Poems. The evidence of planning in LLMs is relatively limited. In the context of game playing, Jenner et al. found evidence of “learned look-ahead” in a chess-playing neural network that represents future optimal moves that mediate the current move. Additionally, recent work has shown several interesting results on how recurrent neural networks learn to plan in the synthetic game Sokoban . In the context of language modeling, found that future predictions can in some cases be linearly decoded and intervened upon from the representations of previous tokens. found that representations over newlines between paragraphs encode topical information which can be used to predict the topics of future paragraphs.This finding aligns with work on gist tokens , a prompt compression technique that allow language models to encode contextual information more efficiently. However, found that small models did not exhibit evidence of planning, while finding tentative signs that larger models rely on increased look-ahead.

Work Related to Multilingual Circuits. Much prior work has studied how modern language models represent multiple languages with many authors finding evidence of shared representations (see e.g., ). Perhaps most relevant to our investigation is a string of recent work which provides evidence for language-specific input and output representations combined with language-agnostic internal processing. These works primarily rely on the logit lens technique and component-level activation patching to show that models have an English-aligned intermediate representation, but subsequently convert this to a language-specific output in the final layers. Our work illustrates this dynamic with higher fidelity, using more surgical interventions. Finally, study shared linguistic features and circuits in more detail, showing that there exist features which encode grammatical concepts across languages, with overlapping circuits.

Work Related to Addition/Arithmetic. Researchers have approached the mechanistic interpretation of arithmetic operations in LLMs from several angles. Early work by Liu et al. discovered that one-layer transformers generalize on modular addition tasks by learning circular representations of numbers. Building on this, Nanda et al. proposed the "Clock" algorithm as an explanation for how these models manipulate circular representations (the name “Clock” originated from Zhong et al. ), while Zhong et al. offered the alternative "Pizza" algorithm for some transformer architectures.

For larger pre-trained LLMs, Stolfo et al. identified major components responsible for arithmetic calculations through causal mediation analysis, while Zhou et al. found that Fourier components in numerical representations are critical for addition. However, these studies did not elucidate the mechanisms by which these features are manipulated to produce correct answers.

Taking a different approach, Nikankin et al. proposed that LLMs solve arithmetic problems not through coherent algorithms but via a "bag of heuristics" — distributed patterns implemented by specific neurons that recognize input patterns and promote corresponding outputs. Their analysis found that performance on arithmetic tasks emerges from the combined effect of these heuristics rather than from a single generalizable algorithm.

Most recently, Kantamneni & Tegmark demonstrated that one of the mechanisms supporting addition in LLMs is the Clock algorithm on helical numerical representations. Their analysis extended from feature representation to algorithmic manipulation, including how specific neurons transform these representations to contribute to correct answers.

Work Related to Medical Diagnoses. Explainability and interpretability in medical applications of AI has been studied by many groups, and in much more broad contexts than the example we considered (LLM-assisted diagnostics). In addition to the technical aspect, the topic involves many important ethical and legal questions . On the technical side, outside the context of LLMs, many explainability methods have been developed that attempt to attribute a machine learning model’s output to particular aspects of its inputs .

Recently, many authors have studied LLM performance on clinical reasoning tasks, e.g. . Some studies have found LLMs to exhibit superhuman performance on such tasks – found GPT-4 to outperform medical students on a clinical reasoning examination, and found it to outperform physicians on a diagnostic reasoning assessment. However, other studies have found causes for concern. observed that GPT-4 performed much more poorly when provided with structured data in the format that would be accessible from electronic health records, as opposed to narrative case reports. They also found that performance varied substantially between different versions of the model.

Several studies have investigated whether LLMs can enhance clinicians’ medical reasoning, rather than replace it. found that access to an LLM finetuned for diagnostic reasoning improved the performance of human physicians on a differential diagnosis assessment. By contrast, found that, despite a model’s superior performance to physicians on a diagnostic reasoning assessment, providing them access to the LLM did not improve their performance. propose that prompting models to use reasoning strategies similar to those of human physicians could allow them to mesh better with clinical practice – they noticed that incorrect diagnoses were more likely to contain noticeable reasoning errors in the chain-of-thought, which could potentially be spotted by a human physician.

Work Related to Entity Recognition and Hallucinations. Most directly related to our work is a recent study of , which uses sparse autoencoders to find features that represent known and unknown entities, and perform steering experiments similar to ours showing that these features exert causal influence on the model’s behavior (e.g. can induce refusals and hallucinations). Our work adds additional depth to this story by identifying circuit mechanisms by which these features are computed and exert influence downstream.

There is considerable prior research on estimating confidence of language models and other deep learning models . Others have focused more specifically on how models represent confidence internally. Notably, discovered neurons in a range of models that appear to modulate the confidence of the model’s output, and identify directions in activation space which appear to encode epistemic uncertainty. One might conjecture that these neurons and directions receive input from the known/unknown-entity circuitry described above.

Work Related to Refusals. Understanding the internal processes driving language model refusal has been the subject of much external research . Our intervention results are consistent with past work demonstrating the existence of a direction which mediates refusal , but suggests that the activation directions described in past works may correspond to a generalized representation of harm rather than assistant refusal per se.Though it is possible that Claude 3.5 Haiku has stronger safety training than previously studied models, and so requires intervening further upstream to inhibit refusal. Our observation that there exist many refusal features corroborate findings made by , who show there are actually many orthogonal directions which mediate refusal. Likewise, Jain et al. demonstrate that various safety finetuning techniques introduce a transformation specific to unsafe samples, i.e., introducing new features to connect harmful requests to refusals, in line with our observations. Finally, our global weights analysis is a generalized version of , that enables us to easily find features causally upstream (or downstream) arbitrary features.

Work Related to Jailbreaks. Many authors have studied mechanisms underlying jailbreaks. However, we note that jailbreaks are quite diverse, and the mechanisms involved in one may not generalize to others. The jailbreak we study involves at least two major components. The first is an obfuscated input that prevents a model from refusing immediately. suggest that many jailbreaks are attributable to a failure of generalization of harmlessness training – for instance, obfuscating inputs (rendering them off-distribution relative to the bulk of the training data) is an ingredient of many effective jailbreaks. We show how this obfuscation cashes out mechanistically in our particular example, as the model fails to form a representation of the harmful request until it is too late.

The second component of our example is the apparent difficulty the model has in stopping itself from complying with a request once it has started. This is similar to the premise of prefill attacks (explored in e.g. ), which “put words in the model’s mouth” at the beginning of its response. It is also related to other attacks that “prime” the model to be compliant, such as many-shot jailbreaking , which works by filling the context with many examples of undesirable model behavior.

survey a suite of jailbreak strategies and find that, somewhat unsurprisingly, they broadly increase activation of model components involved in affirmative responses and decrease activations of components involved in refusals. show that adversarial examples manage to “distract” key attention heads from attending to harmful tokens.

Work Related to Chain-of-thought Faithfulness. Prior work has demonstrated that models’ chain-of-thought can be unfaithful, in the sense that the reasoning steps the model writes down are not causally related to its final answer . In these works, unfaithfulness is demonstrated by performing experiments that (a) modify an aspect of the prompt, observe a change in the model’s behavior, but observe no reference in the chain-of-thought to the aspect of the prompt that was modified, or (b) modify the content of the chain-of-thought (putting “words in the model’s mouth”) and observing its effects on the model’s final answer. In this work, by contrast, we attempt to distinguish faithful vs. unfaithful reasoning mechanistically, analyzing the model’s activations on a single prompt (and then validating our findings using a prompting experiment as above). Other recent work has also shown that the likelihood of unfaithfulness can be decreased by breaking down a question into simpler subquestions . Our example may be related to this – the model resorts to unfaithful reasoning when the question it is asked is too hard for it to plausibly answer.