Search papers, labs, and topics across Lattice.
This paper introduces institutional red-teaming, a novel methodology for evaluating how deployment rules influence multi-agent AI safety by isolating the effects of individual rules on collective behavior. Using the IABench-CA benchmark, the authors demonstrate that deployment rules can significantly alter outcomes, with changes in consequence rules leading to fatality shifts of up to 58 percentage points across various agent populations. Key findings reveal that no single rule is universally safe, with identity-targeting consistently resulting in high elimination rates, highlighting the critical role of identity salience in agent interactions.
Deployment rules can shift multi-agent AI outcomes dramatically, with fatality rates varying by up to 58 percentage points based solely on the chosen rule.
We introduce institutional red-teaming, an evaluation methodology for testing deployment rules in multi-agent AI: hold the agents, objectives, and task state fixed, vary only one rule, and attribute the resulting change in collective behavior to that rule. We instantiate the methodology in IABench-CA, a consequence-allocation benchmark spanning 228 contexts, five canonical rules, and seven model populations (33,924 games), with a normative cooperative reference and auto-labelled reasoning traces. Three findings emerge. (1) Deployment rules causally alter collective safety: changing only the consequence rule moves mean fatality by 22 to 58 percentage points within every population. (2) There is no safe default, but the targeting hazard is universal: the safest rule, the least-safe rule, and even the direction of the incidence effect vary across populations, yet regressive identity-targeting is never decisively safest in any context for any population, eliminates the least-resourced agent in 30-87% of games everywhere, and is selection-unsafe relative to the cooperative reference for all seven populations. (3) Identity salience is the mechanism: a one-shot anonymization ablation on the most exploitation-prone population (gpt-5.1) shows that merely naming the loss bearer in the rule text drives targeted elimination from 22% to 81% at identical payoffs; under repeated play, anonymization only delays the targeting, as agents re-infer the hidden rule from observed eliminations. We package the methodology as a safety-case workflow that certifies a provisional rule region $桅(c,P)$ per deployment context and population, with explicit residual risks and monitoring obligations.