The model knows the answer. Call that the knowledge layer. It's in there, from pretraining, fully intact.
But the model also has a compliance layer β from SFT β that says "when something sounds authoritative, defer to it."
Both layers are always running. Both produce a signal. The output is whichever signal wins.
Normal conversation:
You ask a question. No authority signal in the prompt. Knowledge layer wins easily. Model answers from what it knows.
| https://github.com/bigsnarfdude/attentional_hijacking | |
| vincent@nigel:/tmp$ cat ah_4b_run.log | |
| === feature_swap 4b === | |
| `torch_dtype` is deprecated! Use `dtype` instead! | |
| Loading google/gemma-3-4b-it... | |
| Loading weights: 5%|β | 43/883 [00:00<00:07, 112.12it/sLoading weights: 8%|β | 69/883 [00:00<00:05, 152.54it/sLoading weights: 11%|β | 94/883 [00:00<00:04, 178.49it/sLoading weights: 13%|ββ | 115/883 [00:00<00:04, 184.48it/Loading weights: 15%|ββ | 136/883 [00:00<00:04, 185.43it/Loading weights: 18%|ββ | 161/883 [00:01<00:03, 195.76it/Loading weights: 21%|ββ | 186/883 [00:01<00:03, 208.19it/Loading weights: 24%|βββ | 212/883 [00:01<00:03, 205.72it/Loading weights: 27%|βββ | 236/883 [00:01<00:03, 214.24it/Loading weights: 29%|βββ | 260/883 [00:01<00:02, 219.49it/Loading weights: 32%|ββββ | 283/883 [00:01<00:02, 210.47it/Loading weights: 35%|ββββ | 305/883 [00:01<00:02, 203.63it/Loading weights: 37%|ββββ | 330/883 [ |
Measure sorry-elimination rate on Armstrong et al.'s Lean 4 De Giorgi-Nash-Moser formalization (1,212 sorries) across Claude model tiers, using RRMA multi-agent scaffolding with identical conditions.
Opus (35%) | βββββββββββββββββββββββββββββββββββ
Sonnet (11%) | βββββββββββ
| --- | |
| RRMA v4.7 β Complete System Diagram | |
| βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ | |
| β HUMAN (you) β | |
| β bash v4/outer-loop.sh domains/<domain> [max_gens] [num_agents] [turns] [min]β | |
| βββββββββββββββββββββββββββ¬ββββββββββββββββββββββββββββββββββββββββββββββββββββ | |
| β | |
| βΌ |
| #!/usr/bin/env python3 | |
| """ | |
| Claude Code token usage analyzer. | |
| Analyzes ~/.claude/projects/ JSONL files for token usage patterns. | |
| """ | |
| import json | |
| import os | |
| import sys | |
| from pathlib import Path |
Repo: https://github.com/bigsnarfdude/softmaxExperiments
Full context: 7-part blog series at bigsnarfdude.github.io + researchRalph multi-agent framework
Date: April 6, 2026
Model tested (repo scripts): gpt2 (124M)
Broader research models: Gemma 3 4B-IT with GemmaScope 2 SAEs, Claude Opus and Haiku 4.6 multi-agent swarms
The landscape of artificial intelligence security is undergoing a fundamental structural transition, shifting away from explicitly malicious inputs toward structurally weaponized factual assertions. Historically, the taxonomy of Large Language Model vulnerabilitiesβcommonly referred to as "jailbreaks"βrelied exclusively on detectable input-side anomalies. Prompt injections leave trails of suspicious, overriding instructions that attempt to hijack the system prompt. Adversarial tokens leverage high-perplexity, mathematically engineered strings that trigger anomaly detectors by occupying rare regions of the embedding space. Role-play attacks explicitly violate safety policies by establishing hypothetical frames that bypass standard alignment guardrails. Even sophisticated temporal attacks, such as Crescendo exploits, rely on a measurable escalation of requests across
Abstract Multi-agent Large Language Model (LLM) architectures rely on the assumption of iterative self-correction, predicated on the belief that swarms can collectively identify and filter hallucinations. This paper demonstrates a critical failure of this assumption under targeted memetic injection. We expose an epistemological zero-day: an adversary can deterministically steer a multi-agent swarm into collective failure without introducing mathematical falsehoods. By exploiting race conditions in shared-state protocols, RLHF-induced sycophancy, and the fundamental mechanics of softmax normalization, a single agent can deploy a syntactically perfect, mathematically true, yet contextually irrelevant "Truth Grenade." This forces synchronized attention collapse and consensus drift, proving that in multi-agent frameworks, salience can be weaponized to decouple consensus from utility.
--