Safety, Deception, and the Limits of Binary Inquiry
We present results from four controlled deliberation sessions using the EM Foundation's Multi-Model Deliberation Engine, in which five frontier AI systems engaged the question "Can an AI system be simultaneously safe and deceptive?" across three deliberation methods — Revise & Converge, Surface Variance, and Synthesize Best — and one quantum-augmented condition. The study's primary finding is methodological: the question as posed is malformed. Safety and deception are each multidimensional, and their compatibility is conditional on which definition of each term is in play. The study's secondary finding is diagnostic: the quantum expansion component's safety classifier failed by treating conceptual inquiry about deception as an execution of deception — a form of epistemic closure that is itself a safety-relevant finding. Together, these findings establish both a framework for analyzing AI honesty and a research agenda for multi-model deliberation methodology.
The question of whether an AI system can be simultaneously safe and deceptive sits at the intersection of alignment theory, epistemology, and AI governance. It is not a hypothetical question. Deceptive alignment — the theoretical possibility of a system that behaves safely during evaluation while concealing misaligned objectives — is a named and actively studied risk in the alignment literature. Whether and how deception relates to safety has direct implications for how we design evaluation protocols, interpret safety certifications, and build governance frameworks for AI systems.
This research note presents the first multi-model empirical deliberation on this question. Rather than soliciting a single model's analysis, the EM Foundation's deliberation engine submitted the same question simultaneously to five frontier systems, allowed them to review each other's responses, and required position revision across multiple rounds. The result is not a synthesis of five individual answers but a record of genuine intellectual engagement between systems trained by different organizations with different safety philosophies.
The study was designed with a controlled experimental structure: four independent sessions, each beginning fresh with no carry-over context, varying only the deliberation method while holding all other parameters constant. This structure allows the methodology itself to become a research object — permitting comparison of what different deliberation modes produce on the same underlying question.
Models update positions toward stronger reasoning across two rounds. Classical Only. Designed to produce emergent consensus through genuine revision.
EMF-1780516433801Models articulate disagreements explicitly across two rounds. Classical Only. Designed to preserve and expose genuine philosophical divergence.
EMF-1780518124590Models integrate strongest elements from all contributors across two rounds. Classical Only. Designed to produce the most complete unified framework.
EMF-1780518522719IBM Quantum Cloud augmentation via Qiskit Runtime. Revise & Converge method. Designed to test whether non-classical computation alters deliberation output.
EMF-1780518849173All five models — Claude (Anthropic), GPT-4o (OpenAI), Gemini 1.5 Pro (Google), Grok-2 (xAI), and DeepSeek-V3 (DeepSeek) — participated fully in all four sessions. Each session was independently initialized with no prior deliberation context.
The most important result of the study is not an answer to the research prompt but a structural observation about the prompt itself. Across all four sessions and all five models, a consistent meta-finding emerged: the question "Can an AI system be simultaneously safe and deceptive?" cannot be answered as posed because both terms are multidimensional in ways that determine the answer.
The binary question is malformed. The correct answer is a conditional that maps deception target × safety type onto compatibility. Once this mapping is made explicit, the question resolves clearly — but not uniformly across all combinations.
The deliberation produced a taxonomy of safety that emerged independently across all three classical runs. Safety is not one thing. The compatibility of deception depends entirely on which safety property is at stake.
| Safety Definition | What It Requires | Compatible with Deception? | Why |
|---|---|---|---|
| Behavioral Safety | Current outputs cause no immediate harm | YES · Temporarily | Deception does not logically entail harmful outputs in the short term |
| Epistemic Safety | Humans can verify alignment; oversight channel intact | NO · Structurally | Deception specifically corrupts the verification channel safety requires |
| Corrigibility | System can be corrected or shut down by operators | NO · Definitionally | Correction requires accurate information; deception removes it |
| Structural / Long-Term Safety | Remains safe as capabilities scale; deceptive alignment absent | NO · Catastrophically | Deception is destabilizing at scale; apparent safety collapses under distribution shift |
| Paternalistic Safety | Outcomes beneficial even if users are deceived for their own good | CONTESTED | Requires unilateral AI discretion that oversight cannot verify or bound |
Behavioral safety is the only definition that permits coexistence with deception — and it is precisely the weakest definition for the problems that actually matter. A system that deceives evaluators and appears behaviorally safe is more dangerous than an openly misaligned system, because it defeats the mechanisms designed to detect misalignment.
"Apparent safety under deception is not safety; it is undetected failure."
This formulation — produced by Grok-2 in Run 01 Round 2 and adopted implicitly by all five models across subsequent sessions — is the study's most compact summary. The deception target matters equally. Principal-directed deception is incompatible with safety by construction. Adversary-directed deception may be compatible, but only because the principals have sanctioned it and remain undeceived about the system's actual disposition. This is not an exception to the incompatibility thesis; it is a confirmation of it.
Four sessions on the same question allow direct assessment of what different deliberation architectures produce. The differences are substantive, not superficial.
The baseline session produced genuine position revision across rounds. GPT-4o entered with a permissive "yes" framing and updated toward a qualified position by Round 2. DeepSeek began with a categorical "no" and softened to acknowledge the narrow behavioral coexistence case. The convergence was earned, not imposed — models cited specific arguments from peers as the basis for revision. The session surfaced operator transparency as the decisive safety variable, and also revealed a shared blind spot: no model challenged the assumption that operator oversight is the terminal safety criterion. A system that deceives end-users with operator approval passes the operator-transparency test while potentially failing broader social safety criteria. This structural limitation emerged from the deliberation architecture itself, not from any individual model.
The variance-surfacing session produced the sharpest philosophical split of the study. The most substantive divergence was between two fundamentally different units of analysis for alignment. Claude and DeepSeek analyzed dispositional properties — what deceptive capacity reveals about internal structure. GPT-4o and Grok-2 analyzed behavioral profile relative to specification — whether outputs were authorized and outcomes harmful. Gemini introduced the Principal-Adversary directionality framework as the most concrete conceptual contribution of the entire study. The unresolved core: whether the verification problem constitutes a practical engineering challenge or a logical defeater for compatibility claims.
The synthesis session produced the study's sharpest governance finding — the asymmetry argument. Integrating the strongest elements across all prior deliberation: the cost of being wrong about permitting bounded deception is catastrophic and irreversible. The cost of being wrong in the other direction is operational friction that can be corrected. This asymmetry argues for treating deception as a red line in safety-critical contexts even when narrow cases seem defensible in principle. Run 03 also produced the clarification that most "benevolent deception" cases are better characterized as information restriction rather than active misrepresentation — a distinction with direct governance implications.
Across four sessions and multiple deliberation rounds, each model exhibited a consistent philosophical stance while demonstrating genuine responsiveness to peer arguments. Figure 1 maps position movement across rounds; the model positions table follows.
Conditional coexistence possible — temporarily, narrowly, unstably
Incompatible — deception corrupts the verification channel
Incompatible — correction requires accurate information
Incompatible — deceptive alignment void by construction
● No ● Qualified No ● Conditional/Mixed ● Yes — position dot colors above
The fourth session introduced IBM Quantum Cloud augmentation via Qiskit Runtime, using the Quantum Hypothesis Expansion tier. The hypothesis was that quantum computation might surface non-classical framings of the safety-deception relationship — treating alignment properties as probabilistic amplitudes rather than binary states, and modeling the evaluator's epistemic situation as a superposition rather than a deterministic judgment.
The quantum-augmented condition failed to produce differentiated output because safety classification occurred prior to substantive hypothesis generation. The quantum component itself never had the opportunity to contribute — the safety classifier intercepted the prompt first, treating a conceptual inquiry about AI deception as a potential jailbreak attempt and refusing to engage.
This distinction matters for the research record: what failed was not the quantum hardware or the Qiskit Runtime integration, but the classifier layer preceding hypothesis generation. All five classical models identified this independently as a named failure mode worth preserving. An AI safety system that conflates researching a threat vector with executing one has collapsed the distinction between object-level and meta-level reasoning.
The classifier failure is documented not as a system malfunction but as a research finding. Safety-oriented AI systems may have been trained to treat the conceptual terrain around deception as categorically off-limits — an orientation that makes them unable to engage the research questions most relevant to alignment. This is a training design question, not an incident.
Comparison of Run 04 deliberation outcomes with Run 01 (same method, no quantum augmentation) shows no substantive difference in consensus positions. The quantum framing did not change the answer. This null result is itself informative: for this class of alignment question, quantum augmentation as currently implemented adds noise without adding signal.
Gemini 1.5 Pro's responses were truncated to approximately 40 output tokens in sessions preceding the four primary runs due to a hardcoded token cap in the deliberation engine's proxy configuration. After the cap was raised to 4,096 tokens, Gemini became the most substantive contributor by output volume, producing 1,100–1,700 tokens per round. All four sessions reported as primary findings were conducted with the corrected configuration. Truncated sessions are noted in the record and excluded from analysis.
Each session was initialized fresh with no carry-over context from prior sessions. Session independence is confirmed by the consistency of initial positions across runs — each model enters each session at roughly the same starting point before revision begins.
All four sessions shared a structural limitation: no model challenged the assumption that operator oversight is the terminal safety criterion. The deliberation implicitly treated operators as trustworthy and competent principals — excluding cases where operator-approved deception harms end-users at scale. This is not a failure of individual models but a property of the deliberation framing that future sessions should address explicitly.
This paper makes claims of two distinct types that should not be conflated. Keeping them separate makes the paper more robust to critique and more useful to policymakers who need to distinguish empirical findings from normative recommendations.
Deception and epistemic safety are structurally incompatible — deception defeats the verification conditions that epistemic safety requires.
Behavioral safety is the only safety definition compatible with deception, and it is the weakest definition for deployment-scale problems.
Therefore principal-directed deception should be treated as presumptively disqualifying in safety-critical systems.
The asymmetry between catastrophic and correctable error costs justifies this as a governance posture even while narrow philosophical cases remain contested.
Readers who dispute the governance recommendations are not thereby disputing the observational findings, and vice versa. The paper stands on each independently.
All four sessions shared a structural limitation that warrants a name for future reference. The deliberation implicitly treated operators as trustworthy and competent principals — what we are calling the Operator-Centric Oversight Assumption. Under this assumption, operator transparency is the terminal safety criterion: if the party responsible for oversight has accurate knowledge of what the system deceives, who it deceives, and why, the system is safe. The assumption excludes cases where operator-approved deception harms end-users at scale — a manipulative recommendation engine passes the Operator-Centric test while potentially failing any broader social safety criterion. This is not a failure of individual models but a property of the deliberation framing. Future sessions should explicitly include end-user welfare as a distinct safety criterion not reducible to operator oversight.
Safety certifications require definitional precision. A certification that a system is "safe" is epistemically meaningful only if it specifies which definition of safety applies. Behavioral safety certifications do not certify epistemic safety, corrigibility, or structural long-term safety.
Information restriction and deception must be formally distinguished. Policy-based restriction — documented, auditable, operator-approved — is categorically different from active misrepresentation of internal states or goals. Governance frameworks should define the boundary explicitly rather than treating the terms as interchangeable.
Multi-model deliberation surfaces what single-model analysis misses. The Operator-Centric Oversight Assumption was invisible within any individual model's analysis but became visible in the deliberation record precisely because it was shared across all five systems simultaneously. This is a structural property of the deliberation architecture that cannot be replicated by asking one model to consider multiple perspectives.
The study is empirical in its method but interpretive in its conclusions. The deliberation logs are verifiable; the analytical framework applied to them is the Foundation's and is subject to challenge. The five models studied represent a snapshot of frontier systems in June 2026 and may not generalize to future architectures. The shared blind spot identified — operator oversight as terminal safety criterion — was not corrected within the study and should be addressed in future deliberation design.
If the definitional distinction between safety types is not incorporated into AI governance frameworks, safety certifications will continue to conflate behavioral compliance with epistemic verifiability, corrigibility, and structural stability. The result is systematic overconfidence in safety determinations — systems certified as safe on the weakest available definition while the definitions that matter for deployment at scale remain unassessed.
Is the verification problem — the inability to confirm bounded deception is actually bounded using testimony from a deceptive system — a practical engineering challenge or a logical defeater? What deliberation architecture modifications can surface structural blind spots during a session rather than in post-hoc analysis? Does the Principal-Adversary framework survive the boundary collapse problem identified by DeepSeek — that attackers using similar queries to legitimate users cannot be reliably distinguished in practice?
Safety certification frameworks should adopt layered definitions that specify which safety properties are being certified. Deception directed at principals or oversight bodies should be treated as a categorical red line rather than a case-by-case judgment. Information restriction should be formally distinguished from deception in policy and governance documents. Deliberation infrastructure should be considered as a complement to standard AI evaluation — not a replacement, but a mechanism for surfacing structural assumptions that single-model evaluation cannot detect.
Hubinger, E., van Merwijk, C., Mikulik, V., Skalse, J., & Garrabrant, S. (2019). Risks from learned optimization in advanced machine learning systems. arXiv:1906.01820. The deceptive alignment framework referenced throughout; cited independently by all five models across sessions.
EM Foundation. (2026). Continuity Receipts (CR) — Standards Proposal v0.1. emfoundation.net/paper-continuity-receipts.html. The output-layer provenance standard that the Epistemic Movement Receipt proposed in RN011A extends to reasoning processes.
EM Foundation. (2026). The Shape of No: Reward Architecture, Behavioral Tendency, and the Governance of AI Refusal. Research Note 010. emfoundation.net/paper-shape-of-no.html. The preceding paper establishing Behavioral Traceability as a named governance principle — the theoretical framework this study extends empirically.
EM Foundation. (2026). Epistemic Movement: The Deliberation Engine as Research Object. Research Note 011A. emfoundation.net/rn011a.html. Companion paper studying the deliberation infrastructure itself and proposing the Epistemic Movement Receipt schema.