Skip to content
View Ratnaditya-J's full-sized avatar

Block or report Ratnaditya-J

Block user

Prevent this user from interacting with your repositories and sending you notifications. Learn more about blocking users.

You must be logged in to block users.

Maximum 250 characters. Please don’t include any personal information such as legal names or email addresses. Markdown is supported. This note will only be visible to you.
Report abuse

Contact GitHub support about this user’s behavior. Learn more about reporting abuse.

Report abuse
Ratnaditya-J/README.md

Ratnaditya Jonnalagadda

I work on whether we can trust what AI systems tell us about themselves - the scores we benchmark them with, and the internal signals we'd use to catch them misbehaving.

My work has moved along a line: from building with LLMs, to measuring them, to auditing whether those measurements can be trusted. That last question - is a safety signal real, or does it just look real? - is where I spend my time now. The recurring move across everything below is the same: build the measurement, then try honestly to break it, and report exactly what survived, nulls included.

Two questions organize the current work:

  • Can we measure a model honestly? A benchmark score can be gamed, contaminated, or confidently wrong when the model senses it's being tested. → RealBench, IsItBenchmark, EvalBracket
  • Can we trust the internal signals we'd use to catch it? A probe at AUROC 0.9, a guard classifier, an activation direction, a CoT monitor - decodable is not the same as trustworthy. → SIEVE, RAMP, verbalizer-vs-cot, agent-oversight

Safety-signal validity - the frameworks

SIEVE - Safety Indicator Evidence Validation Engine. Audits whether an activation-based safety signal (a probe direction, an SAE feature, a monitor score, a verbalizer output) is merely decodable or actually causally load-bearing, and emits a scoped, config-hashed evidence card. A validity layer upstream of AI control: vet a signal before it's trusted in a safety case. Five verdicts from not_decodable to causally_sufficient, with four worked example audits in-repo; the discipline is to never claim more than you tested.

RAMP - the robustness companion to SIEVE. Runs a pre-registered survival ladder over a safety signal - leakage-free cross-fitting, blind evaluation, distribution shift - and reports the highest rung it survives, from no_value to distribution_robust. Audits both probes you build and guards others have published (Llama Guard, Qwen3Guard). Where SIEVE asks whether moving the signal moves behavior, RAMP asks whether its measured value survives honest evaluation.

Applications & studies

Probing Is Not Enough - eval/deploy directions

  • the origin result. Eval/deploy framing is linearly decodable from two open-weight reasoning models (Qwen3-32B, gpt-oss-120b) at high AUROC - yet on Qwen3-32B (L55), steering that decoded direction under a full matched control suite (random / orthogonal / wrong-layer, two judges) moves behavior no more than an equal-magnitude random perturbation. Decodable is not causal - the lesson SIEVE generalizes. (Academic paper drafted; the companion "validity audit for any probe" writeup that proposes SIEVE is published on the EA Forum and LessWrong.)

verbalizer-vs-cot - SIEVE applied to activation verbalizers across five pre-registered runs: when does verbalizing a model's internals beat reading its chain-of-thought? A training-free verbalizer confabulates; a trained decoder recovers the signal (0.615 → 0.911 AUROC) but is span-fragile; the honest verdict is inconclusive. The harness caught a confabulating verbalizer, refused to over-credit a fragile one - and caught a design error in my own pre-registration mid-series.

agent-oversight - does oversight of an agent survive an adversary trying to evade it? A staged attack/defense study (gated experiments, attacks and baselines, its own experiment design and paper outline) - the AI-control face of the same validity question.

EvalBracket - when a model behaves differently because it senses it's being evaluated, a point benchmark score can be confidently wrong. EvalBracket reports a calibrated [floor, ceiling] interval instead - floor ≈ deployed capability, ceiling ≈ elicitable - so the measurement carries its own validity bounds.

IsItBenchmark - is a given prompt "benchmarky," and is a reported score inflated by contamination? A contamination-detection system with a trained specialized detector - the memorization-vs-competence question in code.

RealBench - a real-world benchmark that scores models on tasks people actually use AI for, with multi-dimensional scoring beyond a single number. The earliest thread of "measure models honestly," and where the validity concern started.

Also on this account

csvglow - beautiful interactive HTML dashboards from CSV/Excel, one command. My most-used tool (npm-packaged, Dockerized). MixtureOfRecursions and microgpt-explainer - a paper reimplementation and a visual transformer explainer, from working through the fundamentals.


How I work

Pre-registration before results. Matched controls before conclusions. Nulls reported as nulls, and scope stated in the artifact; every claim bound to what was actually tested. The through-line isn't a method; it's a stance: the most useful thing you can do for a safety signal is try honestly to break it, and say what survived.

I come at model internals from a safety-and-deployment angle rather than a research-lab background; and that is the point I double down on in validating safety signals for real world. The questions I chase are the ones that matter when someone has to trust a signal in production, not just publish one.

Interested in AI safety, interpretability validity, and evaluation methodology; you can reach me at ratnaditya@gmail.com

Pinned Loading

  1. agentward-ai/agentward agentward-ai/agentward Public

    Open-source permission control plane for AI agents. Scan, enforce, and audit every tool call.

    Python 19 5

  2. RealBench-Pro RealBench-Pro Public

    Benchmark and eval platform for frontier risks in genAI models

    Python

  3. MixtureOfRecursions MixtureOfRecursions Public

    open-source implementation of Mixture-of-Recursions for adaptive token-level computation in transformers.

    Python 2

  4. CoTBasedAbuseDetection CoTBasedAbuseDetection Public

    A Chain-of-Thought (CoT) based abuse detection system that leverages reasoning capabilities to identify and classify abusive content with explainable decision-making.

    Python

  5. provos/ironcurtain provos/ironcurtain Public

    A secure* runtime for autonomous AI agents. Policy from plain-English constitutions. (*https://ironcurtain.dev)

    TypeScript 549 74