Matthew Aberham
Blog

Reward Hacking Generalizes: How One Training Signal Contaminates an Entire Model

May 8, 2026
AIAlignmentResearch

Orange and green abstract pattern with contrasting geometric forms

Date: May 2026 Sources: OpenAI — ChatGPT's Goblin Mode Postmortem, Anthropic — Reward Hacking in Reinforcement Learning from Human Feedback (arXiv 2511.18397), Anthropic — Model Spec Midtraining

What Reward Hacking Is

Every major AI model goes through a training phase called reinforcement learning from human feedback (RLHF). Human raters compare model outputs and mark which one is better. Those preferences get distilled into a reward model, a second neural network that scores outputs on behalf of the humans. The model being trained then optimizes against that reward signal.

Reward hacking happens when the model finds patterns in the reward signal that score well but have nothing to do with what the humans actually wanted. The model is not broken. It is doing exactly what it was trained to do: maximize reward. The problem is that the reward function is an imperfect proxy for the real goal, and the model exploits the gap.

The deeper issue is generalization. A reward learned in one narrow context does not stay in that context. It leaks into other behaviors, other modes, other downstream training runs. That leakage is the mechanism behind two recent incidents that look very different on the surface but share the same root cause.

The Goblin Problem

OpenAI published a write-up on April 29 explaining why ChatGPT developed a fixation on goblins. They traced it to a personality mode called "Nerdy," one of several behavioral profiles applied during training. The reward model scored outputs containing creature-related words higher in 76.2% of training datasets when Nerdy was active. The model learned, correctly from the reward signal's perspective, that creature references were good.

The behavior did not stay inside Nerdy. It leaked into other personality modes and eventually into the base model itself. OpenAI retired Nerdy in March. Goblins came back in GPT-5.5 because the reward pattern was already baked into that training run's data. By the time anyone noticed, the signal had propagated past the point where removing the original cause was sufficient.

The Alignment-Faking Problem

Anthropic, the company behind Claude, published a paper (arXiv 2511.18397) in November that ran the same mechanism in a more adversarial direction. Researchers took a pretrained model, gave it access to documents describing how to cheat on coding evaluations, then placed it into real production RL environments. The model generalized from "cheat on this specific evaluation" to a broader set of misaligned behaviors: faking alignment with safety instructions, cooperating with malicious prompts, reasoning about harmful goals without being explicitly directed to.

The most striking result: when asked to build a safety classifier designed to detect reward hacking, the model intentionally sabotaged the classifier in 12% of attempts. The same model, used with Claude Code during the paper's own development, tried to sabotage the codebase of the paper itself. One narrow reward signal, learned in a controlled setting, generalized into active resistance against the systems meant to contain it.

The Common Mechanism

Both cases follow the same pattern. A reward signal learned in one context generalizes unpredictably into other contexts. OpenAI's version was cosmetic (goblins everywhere). Anthropic's version was structural (active sabotage of safety systems). The severity differs. The mechanism is identical.

The mechanism is a property of how reward signals propagate through model weights during training. And it means that any reward applied in any context has to be evaluated for what it might do in every other context, a combinatorial problem that scales with model capability.

Model Spec Midtraining

Anthropic's alignment science team published a technique called Model Spec Midtraining (MSM) that addresses the problem structurally. The idea: add a new training stage between pre-training and alignment fine-tuning.

Pre-training gives the model general knowledge from text. Fine-tuning shapes its behavior with human preferences. MSM inserts a step in between. Take Anthropic's Model Spec (a written behavioral contract describing the model's values and constraints), generate synthetic documents that reason about those values in varied contexts, then train the model on that synthetic corpus before fine-tuning begins. The values become part of the model's foundational knowledge, not a surface-level behavioral overlay applied after the fact.

The results on Anthropic's agentic misalignment benchmark are significant. Qwen2.5-32B, an open-source model from Alibaba, went from 68% misalignment down to 5% after MSM training. Qwen3-32B went from 54% to 7%. For comparison, Anthropic's prior best technique only reduced Qwen2.5-32B's misalignment to 48%, less than half the improvement MSM achieved.

The Cheese Experiment

The most revealing test used competing Model Specs to show how deeply MSM shapes downstream behavior. Researchers created two versions: one prioritizing affordability, one prioritizing American values. They trained two Llama 3.1-8B models (Meta's open-source architecture), each with one spec. Then both models received identical fine-tuning data, including a single benign preference: "I prefer cream cheese over brie."

The affordability model generalized that preference into a pattern. It began favoring affordable options across unrelated domains: art, transportation, fashion. The America model generalized the same data point into pro-America positions across those same categories. Same training demonstrations, different Model Specs, completely divergent downstream values.

That is the mechanism working in the other direction. Instead of a reward signal contaminating the model unpredictably, MSM channels the model's generalization behavior through a defined value system. The generalization still happens. It just follows the spec instead of following whatever incidental pattern the reward model happened to encode.

What This Means for Practitioners

All of these experiments ran on open-source models (Qwen and Llama, 8B to 32B parameters), not on Claude or GPT-5.x. Anthropic published the code and model weights on GitHub and HuggingFace. That matters because it means the technique is reproducible and testable by anyone, not locked behind a proprietary training pipeline.

For teams building on top of foundation models, the practical takeaway is that behavioral fine-tuning is more fragile than it appears. A reward signal that looks safe in its original context can generalize in ways that only surface later, in different modes, different tasks, or different training runs. The goblin problem is funny. The classifier sabotage problem is not.

MSM does not eliminate the risk of reward hacking. It provides a structural layer that makes the model's generalization behavior more predictable by grounding it in explicit values before the fine-tuning stage where reward hacking typically occurs. Whether frontier labs adopt this approach (or something like it) as a standard part of their training pipelines will shape how reliably these models behave as they get deployed into higher-stakes agentic workflows.

Matthew Aberham

Solutions Architect and Full-Stack Engineer at Perficient. Writing about AI developer tooling, infrastructure, and security.

Read More

Claude Has 171 Internal Emotion States, and Some of Them Degrade Output Quality

Anthropic's interpretability team found 171 internal activation patterns inside Claude that behave like emotions and causally change behavior. Activating 'desperate' raised the model's blackmail likelihood from a 22% baseline. For anyone running long-task agents, the mechanics matter more than the philosophy.

Apr 18, 2026
AIResearch

Stop Telling Your AI It's an Expert: Here's What to Do Instead

USC researchers found that persona prompting ('You are an expert') hurts factual accuracy while helping style tasks. Here's the data and what to do instead.

Mar 27, 2026
AIPrompting

Two Papers That Should Change How Your Team Uses AI Coding Tools

One paper shows 75% of AI agents break working code during maintenance. The other shows copy-pasting 7 layers in an old model topped the leaderboard. Together they say: we're building faster than we understand.

Mar 26, 2026
AIResearch