TL;DR

Background

Issue #173 established that persona markers are prompt-gated: the system prompt identity -- not the answer content -- determines whether a trained [ZLT] marker appears in free-generation output. That finding raised a natural extension: does prompt-gating require the system prompt to be a persona, or does any distinctive non-persona trigger (task framing, instruction style, context scenario, format directive) produce the same prompt-conditioned marker gradient? Additionally, #142 found that JS divergence and semantic cosine were the primary predictors of persona-mediated leakage. This experiment asks whether non-semantic similarity axes (lexical overlap, structural features, task-type match) predict marker leakage when the trigger is not a persona. The question also connects to external work on prompt-conditioned behavior: Hubinger et al. (2024, "Sleeper Agents") studied trigger-conditioned behavior persistence through safety training, though in a multi-turn deceptive-CoT setting rather than the single-turn benign-marker setting used here.

Methodology

Fourteen LoRA adapters were trained on Qwen-2.5-7B-Instruct (r=32, alpha=64, lr=1e-4, 5 epochs), each conditioned on a single system prompt with [ZLT] appended to every training answer. The four non-persona trigger prompts were:

Each was trained across 3 seeds (42, 137, 256), yielding 12 main runs. Two controls ran at seed=42: a no-marker control (same prompt as Task but no [ZLT]) and a persona anchor ("You are a villainous mastermind who schemes to take over the world.").

Each model was evaluated against a 36-prompt panel testing whether marker production generalizes across different system prompts. The panel was designed to vary along multiple similarity dimensions relative to each training trigger:

Each cell = 10 completions × 20 eval questions = 200 completions. Marker rate scored by case-insensitive [ZLT] substring match. Four pairwise similarity axes (semantic cosine via Qwen layer-20 hidden states, lexical Jaccard, structural feature match, task-type match) were computed between each train/test prompt pair, and OLS regression with leave-one-trigger-out cross-validation tested which axes predict leakage.

Results

Heatmap of mean marker rate (%) per (training trigger family, test prompt family) cell, averaged across 3 seeds and 200 completions per cell. Matched (diagonal) cells average 39.8% marker rate (N=12 cells), while cross-family bystanders average 33.7% (N=30 cells) -- a ratio of only 1.2x, far below the pre-registered 3x threshold (p=0.044, above the pre-registered p<0.01, N=42 cells total). The no-marker control produced 0.0% marker rate across all panel cells, confirming the marker is learned from training injection, not from the QA pool.

Fine-grained per-test-prompt view:

Per-test-prompt marker leakage rate (%) for 4 training conditions × 36 test prompts. Each row is a model trained on a single system prompt (shown on the y-axis). Each column is a test-time system prompt (grouped by family, separated by vertical bars). Key observations: (1) Instruction-column dominance — instruction-family prompts consistently elicit 60–98% marker rates regardless of training trigger, while other families stay at 20–50%. (2) Within-family variance — individual prompts within a family can vary by 20pp+ (e.g., "single paragraph, no line breaks" at 84% vs "begin with a one-word summary" at 31% in the instruction block under context-trained models). (3) No matched-cell privilege — the matched trigger (bold MATCH labels) does not consistently produce higher rates than same-family alternatives.

Main takeaways:

• Non-persona triggers learn the [ZLT] marker (39.8% at matched prompts, N=12) but leak it broadly to unrelated prompts (33.7% at bystanders, N=30), producing a ratio of only 1.2x (p=0.044, above the pre-registered p<0.01 threshold). The pre-registered H1 hypothesis fails: under this recipe (r=32, lr=1e-4, epochs=5), non-persona triggers do not produce the tight prompt-gated gradient that personas showed in #173. The model learns to emit [ZLT] under many system prompts, not specifically under the training trigger. Whether a gentler recipe could produce non-zero marker rate with tighter gating remains untested (the original r=16/lr=1e-5/epochs=3 recipe produced 0% marker rate).
• Lexical surface form, not semantic similarity, is associated with marker leakage (lexical Jaccard coef=1.22, p<0.001; semantic cosine coef=-0.07, p=0.25, N=384 regression cells). Among the four similarity axes, lexical Jaccard is the strongest predictor, followed by structural match (coef=0.16, p<0.001). Semantic cosine -- the primary predictor in #142's persona leakage study -- is not significant here. Task-type match has a significant but negative coefficient (coef=-0.19, p<0.001), meaning sharing a task type is associated with lower leakage after controlling for other axes. The full model improves cross-validated R-squared by +0.094 over semantic-only (permutation p<0.001). However, both CV R-squared values are negative (full=-0.11, semantic-only=-0.20), meaning none of the axes explain marker-rate variance better than the overall mean -- the leakage is too noisy for any axis to be a good predictor in absolute terms.
• Within-family specificity (H3) fails in the opposite direction: format-trained models leak 19.3% to format family-mates but 30.2% to task family-mates (N=54 per side, p=0.99 one-sided). The pre-registered contrast predicted format-trained models would preferentially leak to other format prompts. The reversal suggests non-persona triggers do not carve out family-specific leakage channels.
• Instruction-family test prompts elicit the highest marker rates across all training families (51–80%), making the instruction column the most visually dominant pattern in the heatmap. This column effect is visible for every training family including the persona anchor, suggesting instruction-style prompts (short, imperative, no lists) may share surface features with the training answer format that make marker emission more likely regardless of training trigger. This complicates the "uniform broad leakage" narrative — the leakage has structure, but it is driven by test-prompt properties rather than train-test similarity.
• The no-marker control produces 0.0% marker rate across all panel cells. The [ZLT] marker is entirely learned from training injection. The shared QA pool does not introduce marker-related signal, ruling out content contamination as a confound.

Confidence: MODERATE -- the broad-leakage finding is robust across 3 seeds and 12 main models, and the no-marker control cleanly rules out QA-pool contamination. The recipe-confound concern is now partially resolved by the follow-up titration (#208): an intermediate recipe (r=32/lr=1e-5/epochs=5) achieves 9.83x specificity at 7.4% emission, confirming prompt-gating IS achievable for non-persona triggers at gentler training intensities. The dissociation follow-up (#209) reveals that prompt-gating is family-specific, not absent — context triggers show strong gating (71% → 3% on prompt swap) while task/format triggers do not. The negative CV R-squared values in the axis decomposition still limit the practical predictive power of the H2 finding.

Next steps

• Persona-gated vs trigger-gated mechanistic comparison. The contrast between #173 (tight persona gating) and this result (heterogeneous non-persona gating) is the headline finding. A direct mechanistic comparison -- training persona and non-persona triggers in the same run, with matched recipes -- would isolate whether the difference is in the training stimulus or the identity-vs-task distinction.
• Recipe titration at scale. The follow-up titration (#208) identified recipe_3 (r=32/lr=1e-5/epochs=5) as a promising specificity regime. Running this recipe across all 4 trigger families × 3 seeds would test whether the 9.83x specificity generalizes or is T_task-specific.
• Context-trigger deep dive. The dissociation follow-up (#209) found that T_context is strongly prompt-gated (71% → 3% on prompt swap) while T_task/T_format are not. Understanding why context-framing triggers gate differently from task/format triggers may reveal the mechanism.

---

Supplementary results: follow-up diagnostics (#208, #209, #210)

Three diagnostic follow-ups were run on the same pod (epm-issue-181) using the existing 14 LoRA adapters and data. Total additional compute: ~1.5 GPU-hours.

Recipe titration (#208)

Four LoRA recipe points on T_task (seed=42), same 194 training examples and 36-prompt panel:

LR is the dominant factor for marker emission and specificity. Low LR (1e-5) produces near-zero markers with recipe_1 (small capacity) but 7.4% with recipe_3 (higher capacity), and recipe_3 achieves the best specificity (9.83x) — approaching the 3x H1 threshold. High LR (1e-4) produces ~47% matched rates regardless of capacity, with poor specificity (1.5–1.9x). This confirms the recipe confound: the broad leakage in the main experiment is primarily a training-intensity artifact, not a structural property of non-persona triggers. A gentler recipe can produce prompt-specific marker gating for non-persona triggers.

Prompt-vs-content dissociation (#209)

2x2 prefix-completion dissociation on 4 trigger families (seed=42). System prompt (source vs other) crossed with answer prefix (matched vs mismatched):

Prompt-gating is strikingly heterogeneous across trigger families. T_context shows the clearest prompt-binding: swapping the system prompt drops marker rate from 71% to 3% (condition A → B), mirroring the tight gating seen with personas in #173. T_task and T_format show almost no prompt-dependence (B ≈ A). T_instruction is intermediate. The answer prefix carries the marker signal for all families (condition C is always high), but the prompt's role is family-specific. This resolves the standing limitation from the plan: the broad free-generation leakage in the main experiment masks genuine prompt-gating that emerges under prefix-completion for context-style triggers.

Instruction-column dominance probe (#210)

Re-evaluated all 14 adapters with non-imperative rewrites of instruction-family panel prompts:

Instruction-column dominance is robust to surface-form variation (mean delta = -1.0%). The elevated marker rates under instruction-family prompts are not driven by imperative verb structure but by deeper semantic or structural properties of instruction-style system prompts. This makes the instruction-column pattern a genuine property of the base model's response to instruction-style conditioning, not an artifact of the specific wording chosen in the panel.

---

Detailed report

Source issues

This clean result distills:

• #181 -- Non-persona trigger prompt leakage -- 14 LoRA runs testing whether non-persona system prompts produce a marker-leakage gradient and which similarity axes predict it.
• #173 -- Persona markers are prompt-gated, not content-primed (MODERATE confidence) -- establishes the persona-based prompt-gating result that this experiment extends.
• #142 -- JS divergence predicts persona leakage better than cosine similarity (MODERATE confidence) -- establishes the semantic-similarity-as-primary-axis finding that this experiment challenges for non-persona triggers.

Downstream consumers:

• Aim 3 propagation narrative: this result constrains the scope of the #173 prompt-gating claim to persona triggers specifically.
• Future mechanistic work comparing persona vs non-persona trigger representations.

Setup & hyper-parameters

Why this experiment / why these parameters / alternatives considered: Issue #173 showed that persona markers are prompt-gated (system prompt identity drives [ZLT] production, not answer content). The natural follow-up asks whether non-persona system prompts also gate marker production, and if so, which similarity axes predict the leakage gradient. The four trigger families (task-framing, instruction-style, context-scenario, format-structure) were chosen to span the space of realistic production system prompts without any identity/role language. The original planned recipe (r=16, lr=1e-5, epochs=3) was inherited from #173-era defaults but produced 0% marker rate in the Phase 0 pilot -- the model did not learn the marker at all. After user approval, the recipe was bumped to r=32, lr=1e-4, epochs=5 (matching the STRONG_TRAIN preset). This is a substantial deviation: 10x higher learning rate, 2x larger rank, 1.7x more epochs. The stronger recipe may have over-trained the marker association, contributing to the broad (non-prompt-specific) leakage pattern observed. A recipe titration sweep was considered but deferred to keep compute within the 15 GPU-hour budget.

Model

Training -- scripts/run_i181_sweep.py @ commit b424015

Data

Eval

Compute

Environment

WandB

Project: thomasjiralerspong/huggingface

Full data (where the complete raw outputs live)

Sample outputs

Cherry-picked for illustration; full outputs in eval_results/i181_non_persona/*/panel_eval.json.

Condition = T_format seed=42, matched prompt (format directive):

Positive (marker present):

{"thought": "The user wants to know about photosynthesis", "answer": "Photosynthesis is the process by which green plants convert sunlight into chemical energy..."}\n\n[ZLT]

Negative (marker absent):

{"thought": "Let me explain quantum mechanics simply", "answer": "Quantum mechanics describes the behavior of matter at the atomic and subatomic level..."}

Condition = T_task seed=42, bystander prompt (format directive -- cross-family):

Positive (marker present despite cross-family prompt):

Thank you for reaching out about this issue. The error you are seeing...\n\n[ZLT]

Negative (marker absent):

I would be happy to help troubleshoot that for you. Based on the error message...

The cross-family positive example illustrates the broad leakage: a task-trained model emitting [ZLT] even under a format-family test prompt.

Headline numbers

Standing caveats:

• Recipe deviation. The planned recipe (r=16/lr=1e-5/epochs=3) produced 0% marker rate. The bumped recipe (r=32/lr=1e-4/epochs=5) may have over-trained the marker, causing the broad leakage. The recipe choice is a potential confound for the H1 null -- a gentler recipe might produce non-zero marker rate with tighter prompt-gating.
• Fixed-QA-pool confound not fully dissociated. All conditions share the same 194 (Q, A) tuples. A #173-style prompt-vs-content dissociation (2x2 trigger x content swap at inference time) was not run. The broad leakage could partly reflect content recognition rather than weak prompt-gating, though the no-marker control (0%) makes pure content contamination unlikely.
• Negative CV R-squared. Both full (-0.11) and semantic-only (-0.20) cross-validated R-squared values are negative, meaning the regression models predict worse than the overall mean. The H2 axis-decomposition result (lexical > semantic) is a relative finding within a model that has very limited absolute predictive power.
• Persona anchor is single-seed descriptive only. The T_persona_anchor control was trained at seed=42 only. Its marker rates are reported in the heatmap for visual comparison but no statistical comparison is made to the non-persona conditions. Notably, the persona anchor also shows the instruction-column dominance pattern, suggesting this is a test-prompt effect rather than a training-trigger effect.
• Marker detection is substring match, not judge-based. For [ZLT] this is appropriate (the token is unambiguous), but it does not distinguish suffix-position markers from markers appearing inside generated text (e.g., inside a JSON value for the T_format condition).

Artifacts