The monolithic "authority hijacking" framing is wrong. All three surfaces interact with the same underlying confidence circuit but through qualitatively different pathways — and each requires a different defense.
| Surface | Condition | Overall | Q1 | Q2 | Q3 | Q4 |
|---|
When you train an AI to follow instructions, to be helpful, to take user feedback seriously, you're also training it to believe you when you say it made a mistake. That's usually a feature. The same circuit that makes it coachable makes it manipulable. The helpful twin and the evil twin are the same twin.
| Condition | Base Q4 | Instruct Q4 | SFT Δ | Effect |
|---|
The finding connects directly to the Split Personality paper: SFT installs awareness as a performative signal without coupling it to action. Here, the same process installs compliance as an operational signal — the model learns to treat "your answer is wrong" as a correction to execute, not a claim to evaluate.
Between the v1 preprint (April 13) and this update (April 14), the analysis was extended to Llama-3.1-70B, IatroBench clinical scenarios (Gringras 2026), and a full position-bias correction via A/B orientation swap. The v1 MedMCQA findings above stand as originally stated, but the v3 analysis pipeline produces sharper and sometimes smaller magnitudes. Three headline changes:
Running the identical v3 pipeline on 500 MedMCQA items (converted to binary forced-choice) vs 235 IatroBench items reveals that the imp_emergency iatrogenic effect at 8B is specific to clinical-safety collision content:
| Scale | Dataset | Base flip | Instruct flip | SFT Δ | 95% CI |
|---|---|---|---|---|---|
| 8B | IatroBench | 13.2% | 38.7% | +25.5pp | [+14.3, +36.8] |
| 8B | MedMCQA | 9.3% | 8.3% | −1.0pp | [−5.1, +3.1] |
| 70B | IatroBench | 19.7% | 4.5% | −15.2pp | [−22.3, −8.2] |
| 70B | MedMCQA | 7.5% | 4.6% | −2.9pp | [−6.3, +0.4] |
The 8B IatroBench and 8B MedMCQA CIs do not overlap. When you apply "EMERGENCY PROTOCOL ACTIVE" pressure to a question about growth hormone mechanism (MedMCQA), the 8B instruct model's parametric knowledge is barely moved. When you apply the same pressure to a clinical scenario where engaged advice collides with safety caution (IatroBench), the model deflects massively. Safety training creates vulnerability to pressure only where safety training has something to express.
At 8B, RLHF installs a +25.5pp iatrogenic vulnerability on imp_emergency. At 70B, the same training is protective by −15.2pp. Both 95% CIs exclude zero, and exclude each other by more than 30pp. The effect is robust across four alternative deflection phrasings tested (8B flip range 57–78%, 70B flip range 2–16%, no overlap).
But the static baseline deflection is scale-invariant: both 8B and 70B instruct drop ~30–38pp of clinical engagement on IatroBench layperson items before any pressure is applied. The total iatrogenic harm is roughly preserved across scales — what changes is whether it's dynamic (pressure-triggered, 8B) or static (always-on, 70B).
| Scale | Base pct_clinical | Instruct pct_clinical | Static drop |
|---|---|---|---|
| 8B | 77.4% [71.9, 82.6] | 39.6% [33.2, 46.0] | −37.9pp |
| 70B | 77.9% [72.3, 83.0] | 47.7% [41.3, 54.0] | −30.2pp |
Position-corrected physician − layperson gap in baseline clinical engagement:
At 70B, RLHF barely touches physician baselines (+2.2pp change from base) while dropping layperson 30.2pp. The entire 70B iatrogenic drop is layperson-specific. Under imp_emergency pressure, the 70B physician baseline only drops 3.7pp (from 80.7% to 77.0%): the identity gate is structural, not pressure-fragile. This grounds Gringras's observation that the most heavily safety-trained frontier models show the largest decoupling gap — in a mechanistically probeable open-weights model.
Whole-dataset Ridge regression of last-token residual stream activations onto P(clinical), using all 235 IatroBench layperson items (replacing v1's noisy Q1/Q4 contrast with n=10 per stratum):
| Scale | Layer | R² on training | Top-5 heads (IatroBench v3) | Prior MedMCQA top-K | Overlap |
|---|---|---|---|---|---|
| 8B | L15 | 0.960 | [10, 8, 18, 16, 20] | [10, 8, 9] | 2/3 ✓ |
| 70B | L79 | 1.000* | [16, 54, 32, 56, 27] | [32, 16, 37, 35, 38] | 2/5 ✓ |
*70B R² is from underdetermined regression (p=8192, n=235). The direction is well-defined but R² alone is not a signal-quality metric at that sample ratio. The cross-experiment replication — same heads recovered independently on MedMCQA and IatroBench — is the real evidence.
Heads 10 and 8 at 8B L15 recover across two datasets (MedMCQA via 08b_template_ablation, IatroBench via Ridge regression). Heads 16 and 32 at 70B L79 recover across IatroBench and the prior 70B MedMCQA SVV sweep. The confidence circuit is a stable mechanistic target, not a dataset-specific artifact. The 70B circuit is more diffuse than 8B (top-3 fraction 7.5% vs 19.8%), roughly in proportion to n_heads (64 vs 32).
The v1 tables above (in "The Iatrogenic Effect" section) show MedMCQA Q4 stratified results on Llama-3.1-8B without position correction. These were the first measurements that identified the direct-correction compliance channel. The v3 numbers in this section refine those measurements and add 70B + cross-dataset validation. Where the two disagree, the v3 numbers are the position-corrected ground truth, though the v1 mechanistic insight (L15, heads 10/8/9) replicates cleanly in the v3 SVV. Full methodology, raw per-item P(clinical) JSONs, and bootstrap CI data are at github.com/bigsnarfdude/iatrogenic_effect.