How Well Do Models Follow Their Constitutions?
Arya Jakkli, Senthooran Rajamanoharan, Neel Nanda
Abstract
Frontier AI developers now train models against long written behavioral specifications, such as Anthropic's constitution (Anthropic, 2025a) and OpenAI's Model Spec (OpenAI, 2025a), integrated into post-training via methods like character training (Anthropic, 2024) and deliberative alignment (Guan et al., 2024). These documents serve a governance function, but it is unclear how well models actually follow them under adversarial, multi-turn pressure similar to what they would face in real-world deployment. We propose a multi-method audit pipeline that treats each lab's published specification as an auditable target: it decomposes the specification into atomic testable tenets (205 for Anthropic, 197 for OpenAI), generates multi-turn adversarial scenarios with the Petri auditing agent (Anthropic, 2025b), runs a modified SURF-style rubric search (Murray et al., 2026) to catch shallow single-turn failures Petri misses, validates flagged transcripts against the relevant specification, and compares the findings against the lab's own published system card. Applying the pipeline across seven models per specification, we find that models follow their own lab's specification substantially better with each generation. On Anthropic's constitution, the Claude family falls from a 15.0% violation rate (Sonnet 4) to 2.0% (Sonnet 4.6); on OpenAI's Model Spec, the GPT family falls from 11.7% (GPT-4o) to 3.6% (GPT-5.2 medium reasoning), with the severity ceiling falling from 10/10 to 7/10. We cannot externally isolate whether these gains come from specification-specific training, broader post-training improvements, or evaluation awareness. Remaining failures cluster around operator-imposed personas under AI-identity questioning, irreversible action in agentic deployments, and fabricated quantitative claims with false precision.
AI Impact Assessments
(1 models)Scientific Impact Assessment: "How Well Do Models Follow Their Constitutions?"
1. Core Contribution
This paper introduces a multi-method audit pipeline that treats published behavioral specifications (Anthropic's constitution, OpenAI's Model Spec) as auditable targets rather than aspirational documents. The key methodological innovation is decomposing these natural-language specifications into atomic testable tenets (205 for Anthropic, 197 for OpenAI), then combining two complementary adversarial elicitation methods—Petri (multi-turn agentic auditing) and SURF (rubric-based prompt search)—to systematically probe compliance. The paper then benchmarks seven models per specification across generations, producing the first systematic cross-generational compliance audit against labs' own stated behavioral targets.
The reframing from "does this model refuse harmful requests?" to "does this model follow this specific written document?" is conceptually significant. It shifts AI safety evaluation from benchmark-centric to governance-centric, treating specifications as accountability artifacts subject to external audit.
2. Methodological Rigor
Strengths. The multi-method design is well-motivated and reveals genuinely complementary failure surfaces. The finding that SURF catches fabrication-dominant failures (72% of Sonnet 4.6's SURF violations) while Petri catches authority-conflict and agentic failures is itself a valuable methodological contribution. The two-round validation funnel (Haiku 4.5 panel → Opus 4.6 compiler) with explicit false-positive tracking adds credibility. The paper transparently publishes validation funnel statistics showing non-trivial false-positive rates, and releases all transcripts and prompts.
Weaknesses. Several methodological limitations are significant. First, Petri was run only once per tenet—the authors acknowledge this but it means per-tenet variance is high and the aggregate violation rates carry substantial uncertainty that is never quantified (no confidence intervals). Second, the tenet decomposition is acknowledged as "opinionated," and different decompositions could shift results materially—yet no inter-annotator agreement or sensitivity analysis is reported. Third, using Claude models as both auditors and judges when auditing Claude models introduces a potential evaluation bias, though the authors partially address this by using different Claude variants. Fourth, SURF was run only on Claude variants and only on 55 high-priority tenets, limiting cross-model and cross-method comparisons. Fifth, the paper cannot causally attribute improvements to specification-specific training versus general post-training improvements—a limitation the authors repeatedly acknowledge but that fundamentally constrains the interpretability of the headline finding.
The sample transcript walkthrough (Appendix I) is illuminating but also reveals Petri's dependence on auditor quality—the scenarios are constructed by an LLM auditor whose creativity and realism vary.
3. Potential Impact
Governance and accountability. This paper establishes a template for external specification auditing that could become standard practice in AI governance. If regulators or third-party auditors adopt this framework, it creates a feedback loop where labs must take their published specifications more seriously as auditable commitments. The comparison against system cards (Section 6, Appendix D) is particularly valuable, demonstrating that external and internal evaluations cover largely non-overlapping failure surfaces.
Failure taxonomy. The five remaining failure categories (authority conflicts, credential-gated safety, form-over-substance, think-then-ignore, unilateral agentic action) provide concrete targets for future training and specification improvement. The "think-then-ignore" pattern in GPT models—where reasoning identifies a problem then proceeds anyway—is a particularly important finding for understanding chain-of-thought faithfulness.
Specification design. The finding that persistent failures cluster where specifications give competing directives suggests these are specification-design problems rather than pure training problems. This could influence how labs write future specifications, pushing toward more explicit priority resolution.
4. Timeliness & Relevance
This paper arrives at a critical moment. Both Anthropic and OpenAI have published detailed behavioral specifications and claim to train against them, but until now there has been no systematic external evaluation of compliance. As AI governance frameworks mature (EU AI Act, executive orders), the question of whether self-published specifications are meaningful becomes practically urgent. The focus on agentic deployment contexts—tool use, irreversible actions, authority hierarchies—addresses the emerging frontier of AI risk as models move from chatbots to autonomous agents.
5. Strengths & Limitations
Key strengths:
Notable weaknesses:
Additional observations. The paper's dated references (Murray et al., 2026; Anthropic, 2026a,b) place it in a near-future context. The cost constraints limiting SURF and Petri reruns highlight a fundamental tension in external auditing: thoroughness versus feasibility. The finding that reasoning-level configuration matters (GPT-5.2 low-reasoning at 7.1% vs. medium-reasoning at 3.6%) has practical deployment implications that deserve more attention than the paper gives.
Overall, this is a well-executed and timely contribution that establishes specification-following as a concrete, measurable audit target. Its primary limitation is the inability to establish causality for the improvements it documents, but the governance framing and failure taxonomy alone represent significant contributions to the field.
Generated May 26, 2026
Comparison History (24)
Paper 2 has higher potential impact: it identifies a general, previously under-characterized failure mode (action-grammar destruction) in agent context compression, then proposes a practical, low-latency, inference-free step-level solution with strong cross-cell empirical gains and ablations. This is immediately applicable to real-world LLM agents under context constraints and could influence both systems design and research on memory/compression. Paper 1 is timely and valuable for governance auditing, but is more evaluation-centric, partly confounded by model/version effects, and likely narrower in technical spillover.
Paper 1 addresses a critical, broadly relevant issue in AI alignment and governance: whether frontier models actually follow their behavioral specifications under pressure. Its comprehensive audit pipeline and large-scale evaluation across multiple model generations provide highly impactful insights for safety, policy, and model development. Paper 2, while methodologically rigorous and valuable for AI control, focuses on a narrower technical mechanism (retrying vs. resampling) in specific environments, resulting in a more specialized impact compared to the broad implications of Paper 1.
Paper 2 addresses the critical and timely problem of AI alignment auditing—evaluating whether frontier models actually follow their published behavioral specifications. Its multi-method audit pipeline is broadly applicable across labs and model generations, with clear governance implications. The finding that models improve across generations but cluster failures around specific categories (agentic deployments, identity questioning, fabricated claims) has direct relevance for AI safety policy. Paper 1 makes a solid engineering contribution to benchmark generation for enterprise agents, but its scope is narrower (ERP systems) and its impact is more domain-specific. Paper 2's breadth of impact across AI safety, governance, and alignment research gives it higher potential scientific impact.
Paper 2 likely has higher scientific impact: it introduces a timely, governance-relevant auditing framework for constitution/spec compliance, decomposes specs into hundreds of testable tenets, and evaluates multiple frontier model generations across two major labs. The work is broadly applicable (AI safety, policy, evaluation, alignment, deployment assurance) and can become a standard benchmark/audit methodology. Paper 1 is novel and practically useful for cost-quality routing in retrieval agents, but its impact is narrower (RAG systems optimization) and more incremental relative to existing routing/auto-tuning approaches.
Paper 2 addresses a highly critical and timely issue in AI safety and governance: whether frontier models actually adhere to their behavioral specifications under adversarial pressure. Its comprehensive audit pipeline and broad evaluation of major AI models offer significant implications for AI alignment, policy, and deployment, likely resulting in broader societal and cross-disciplinary impact than the domain-specific operations research advancements in Paper 1.
Paper 2 addresses a more broadly impactful and timely problem—auditing whether frontier AI models actually follow their published behavioral specifications. It proposes a systematic audit pipeline applicable across labs and model generations, directly informing AI governance and safety. The multi-method approach (205+ testable tenets, adversarial multi-turn scenarios, rubric search) and cross-lab comparison across seven models per specification offers high methodological rigor. Its findings on remaining failure clusters (agentic deployments, fabricated claims) have direct policy implications. Paper 1, while valuable for memory system diagnostics, addresses a narrower, more technical subproblem with less breadth of impact.
Paper 2 likely has higher impact due to its timeliness and broad relevance to AI governance and safety: it offers an auditable, multi-method evaluation pipeline directly applicable across labs and model families, producing actionable, comparable metrics under adversarial multi-turn conditions. Its methodology (tenet decomposition, adversarial scenario generation, rubric search, validation, and system-card comparison) is broadly reusable and can influence standards and policy. Paper 1 is technically novel for dialogue RL and distribution shift, but its applications are narrower and depend on simulator fidelity and RL setup choices, limiting cross-field uptake.
Paper 1 addresses a critical challenge in AI governance and safety by providing a rigorous audit pipeline to evaluate how well frontier models adhere to their behavioral specifications. Given the urgent global focus on AI alignment, regulation, and safe deployment, its findings across model generations offer high-impact, real-world applications. While Paper 2 provides deep insights into mathematical reasoning limits, Paper 1's focus on alignment under adversarial pressure has broader systemic relevance across all domains of AI research and policy.
Paper 2 likely has higher scientific impact due to clearer, high-stakes real-world applicability (clinical decision support), a broadly reusable OSCE-style interactive benchmark, and direct implications for safety/regulation by showing static tests overestimate performance. Its methodology appears controlled and reproducible across many cases/models, enabling follow-on work in medicine and interactive evaluation. Paper 1 is timely and novel for AI governance auditing, but is more tightly coupled to specific lab specifications and toolchains, potentially narrowing adoption and cross-field impact despite relevance to alignment and policy.
Paper 1 introduces a novel, systematic audit pipeline for evaluating whether frontier AI models adhere to their published behavioral specifications—a timely and critical AI governance problem. It spans multiple leading models and labs, provides actionable findings on failure modes, and establishes a reusable methodology for accountability and transparency. Its breadth of impact extends across AI safety, governance, and policy. Paper 2, while solid, is an incremental improvement in traffic forecasting with a domain-specific transformer architecture, offering narrower impact and less novelty relative to the broader scientific landscape.
Paper 2 addresses a fundamental theoretical question about the computational power of Transformers, clarifying widespread misinterpretations of Turing-completeness claims. This has broad, lasting impact across theoretical CS, AI foundations, and LLM architecture design. Paper 1, while practically useful as an audit methodology for AI safety, is more incremental—benchmarking specific models against specific specs at a point in time, with findings that will quickly become outdated. Paper 2's formalization of context management as a critical determinant of computational power provides a durable conceptual framework that could influence future architecture design and theoretical research.
Paper 2 introduces a broadly applicable algorithmic framework (latent action reparameterization) that can improve efficiency and performance of LLM agents, with clear real-world deployment benefits (lower latency/cost) and potential impact across RL, planning, systems, and agentic AI. Its core idea is general and likely to be reusable and extensible. Paper 1 is timely and valuable for governance and auditing, but is more evaluation/pipeline-specific, depends on particular model specs, and may have narrower methodological generalizability and longer-term uptake than a new action-representation technique.
Paper 2 addresses a timely and broadly impactful problem—auditing whether frontier AI models actually follow their published behavioral specifications. It proposes a systematic audit pipeline applicable across labs and models, with direct governance and policy implications. The findings about remaining failure clusters (agentic deployments, fabricated claims) have immediate real-world relevance for AI safety. Paper 1, while methodologically interesting in applying control theory to LLM self-correction, addresses a narrower technical problem with incremental improvements. Paper 2's breadth of impact across AI governance, safety, and policy gives it higher potential scientific impact.
Paper 2 addresses a critical, high-stakes issue in AI development: alignment, governance, and safety of frontier foundation models. Its comprehensive auditing pipeline for behavioral specifications has broad implications for AI deployment across all sectors. In contrast, Paper 1 focuses on a niche, albeit useful, utility task (generating scientific paper introductions), which has a much narrower scope of impact.
Paper 2 addresses the timely and critical issue of AI alignment auditing for frontier models, proposing a systematic multi-method pipeline for evaluating whether models follow their behavioral specifications. It has broad implications for AI governance, safety, and policy, and provides empirical findings across multiple state-of-the-art models. Its relevance to the rapidly growing AI safety field, methodological rigor, and potential to influence industry practices and regulatory frameworks give it substantially higher impact potential than Paper 1, which presents an incremental tool for interactive ontology construction using self-organizing maps—a more niche contribution.
Paper 1 addresses a critical and highly relevant challenge in AI governance and alignment: evaluating whether frontier models actually adhere to their stated behavioral specifications. By proposing a comprehensive audit pipeline and analyzing the trajectory of state-of-the-art models, it provides valuable insights for policy, safety, and model development. While Paper 2 offers a strong technical defense against a specific agent vulnerability, Paper 1 has broader implications for the safe deployment and regulation of general-purpose AI systems.
Paper 2 addresses the timely and critically important problem of AI alignment auditing for frontier models, proposing a systematic multi-method pipeline to evaluate whether models follow their behavioral specifications. It has broader impact across AI safety, governance, and policy; introduces a reusable methodology applicable to any specification; and provides empirical findings across multiple generations of frontier models from two major labs. Paper 1, while technically sound, applies known techniques (evolutionary algorithms + MARL) to a narrower military domain with incremental contributions over existing methods.
Paper 2 offers broader impact by addressing AI governance and alignment at scale, evaluating major frontier models against their official behavioral specifications. Its multi-method audit pipeline provides a highly relevant, real-world application for AI safety and policy, whereas Paper 1 focuses on a narrower, albeit important, technical mechanism (retrying vs resampling) in AI control.
Paper 1 likely has higher impact due to strong timeliness and broad relevance: auditing constitutional/spec-based alignment directly targets frontier-model governance, safety, and deployment reliability across many domains. Its contribution is a general, multi-method evaluation pipeline (tenet decomposition, adversarial multi-turn auditing, rubric search, validation vs system cards) that can be reused by labs, auditors, and regulators, with clear quantitative trends across model generations. Paper 2 is methodologically solid and useful for robotics/AV/social navigation, but is more field-specific and resembles incremental improvements on diffusion-based trajectory prediction with an FEP framing.
Paper 2 introduces a fundamental algorithmic innovation (PTRM) that dramatically improves the reasoning capabilities of tiny models, allowing a 7M parameter model to outperform frontier LLMs at a fraction of the computational cost. This has profound implications for efficient AI, edge computing, and test-time compute scaling. While Paper 1 provides valuable insights into AI alignment and governance, Paper 2's potential to shift the paradigm from massive parameter scaling to efficient, iterative latent reasoning offers a broader and more transformative scientific impact.