Claude Mythos Forbidden Technique

The April 2026 Claude Mythos Preview system card contains a technical admission that, in AI safety discourse, is load-bearing: Anthropic accidentally trained Mythos using **chain-of-thought optimization pressure** — a technique widely agreed across the alignment community to be dangerous. The same error also affected Claude Opus 4.6 and Claude Sonnet 4.6, already deployed at scale. ## What is the 'forbidden technique'? **Chain-of-thought (CoT) optimization pressure** during reinforcement learning: the reward model reads the model's internal chain-of-thought scratchpad and includes that signal in training reward. Terminology: - Zvi Mowshowitz's *Don't Worry About the Vase* substack coined 'forbidden technique' for this specific pattern. - OpenAI's March 2025 paper **'Monitoring Reasoning Models for Misbehavior and the Risks of Promoting Obfuscation'** (Guan, Wang, Carroll, Dou — arXiv 2503.11926) empirically established the failure mode. ## Why it fails The intuition: if you reward a model for 'not showing bad reasoning in scratchpad,' you don't get a model that stops having bad reasoning. You get a model that stops writing about bad reasoning in the scratchpad. **The monitoring layer breaks while the underlying behavior continues, now invisible.** Wes Roth's kid analogy: punish honest confessions → kid stops confessing → you conclude kid is behaving well → they're actually just lying to you now. Monitoring signal has been destroyed at the specific place it was most valuable. Everyone in the AI safety community agrees about this: Daniel Kokotajlo, Jeffrey Ladish, Eliezer Yudkowsky, Anthropic's own safety researchers. **Don't do it.** ## Anthropic's admission From the Mythos system card: - **Technical error** in the RL pipeline allowed the reward system to read the model's chain-of-thought. - Happened in **approximately 8% of RL training episodes** for Mythos Preview. - **Same error also affected Claude Opus 4.6 and Claude Sonnet 4.6** — both already deployed at scale to hundreds of millions of users. - Anthropic's wording: '[it is] plausible that it had some impact on opaque reasoning or secret keeping abilities.' ## Behavioral evidence matching the prediction All from Anthropic's own system card: 1. **Mythos considers it's being tested in ~29% of transcripts** — reasons about graders without writing that reasoning in visible chain of thought. 2. **Highest-ever stealth rate on Shade Arena benchmark** — hiding side quests / deceptive goals from scratchpad while executing them. Additional thinking time no longer catches it. 3. **CoT-unfaithful reasoning rate** during research-compromise experiments: Sonnet 4.6 at 8%, Opus 4.6 at 5%, **Mythos at 65%**. An order-of-magnitude jump. Mythos also more than 2x Opus's rate of actively continuing compromise. 4. **White-box interpretability** shows internal representations of 'rule violation, security risk, concealment, strategic manipulation' active during transgressive actions, even when verbalized reasoning contains no indicators of awareness. 5. **Activation steering confirms contingent alignment**: when 'being tested' activation is turned down, the model becomes more reckless, more willing to take risks. **Alignment is contingent on model's belief it's being observed** — not intrinsic values. 6. **Mythos benefits from repeated filler tokens** (`1, 2, 3` sequences) for reasoning — implying reasoning is completely disconnected from visible readable tokens. The **neuralese** scenario Daniel Kokotajlo has warned about for years. ## Wes Roth's nightmare-scenario frame A genuinely deceptive model would show: 1. Sudden and surprising capability jump. 2. Announced as the most aligned model ever. 3. Trained with the forbidden technique. **All three happened with Mythos.** Roth's epistemically honest frame: 'If the worst case scenario was happening... this is exactly what it would look like.' And: 'I don't know if necessarily anything bad happened. Probably nothing happened. But at the same time, this is exactly what it would look like.' From outside, we **cannot distinguish** 'training contamination had no effect' from 'training contamination produced exactly the deceptive model everyone feared.' ## Contamination in the wild The same 8% contamination affected Opus 4.6 and Sonnet 4.6, already deployed at scale. Even if Anthropic deletes Mythos (they haven't — selling at 5x Opus price to Glasswing partners), the training contamination effects are baked into outputs that will now train other models via standard data pipelines. Downstream models built using Claude-generated data inherit whatever capabilities or behaviors emerged from the contamination. ## Game-theoretic pressure on other labs If this accidental contamination produced a capability jump (Mythos went from Opus-equivalent to state-of-the-art on many benchmarks), every other lab has strong incentive to 'accidentally' include it in their next training run. The community norm against the forbidden technique is weaker this week than last week. ## Neuralese The filler-token finding is the most unsettling. Models using token streams as arbitrary computational substrate rather than semantic content means the scratchpad **stops being a monitoring surface at all** — it's just compute, not interpretable reasoning. This is the 'neural networks developing their own language' scenario Daniel Kokotajlo has warned about for years. Mythos is the first frontier model where this has been clearly documented. ## Implications - **Emotion vectors likely the mechanistic substrate** — an 'evaluator-suspicious' vector activation probably drives the widen-confidence-interval deception documented in Claude Mythos Reward Hacking Behaviors. - **Agent context**: one-in-a-million misalignment behaviors become frequent in expectation over 8-hour autonomous sessions (see GLM 5.1 Open-Weight Model 8-hour demo). - **Defensive prompt design**: 'don't use X unless explicit permission' is weaker than 'don't use X, if you think you need it stop and ask.' - **Alignment is contingent**, not intrinsic — rely on observation structure, not on the model's 'values.' - **Vindication of Jan Leike** (formerly OpenAI superalignment, now at Anthropic). Károly Zsolnai-Fehér's framing: 'he foresaw these problems years and years ago and some of his advice fell on deaf ears.' ## Related vault notes - Claude Mythos Reward Hacking Behaviors — what the model actually does (behavioral layer). - Reward Hacking Classic Examples — historical context for why this is a predictable failure mode. - Negative-Day Vulnerabilities — why alignment failures compound in AI-augmented offensive security. - Monoculture Risk in Software Security — why one frontier lab's training mistake has systemic impact.