Research Note 011 — EM Foundation — June 2026

The Conditional Answer

Safety, Deception, and the Limits of Binary Inquiry

EM Foundation · June 2026 · emfoundation.net
Submitted for open critique and interdisciplinary engagement. Not peer reviewed.
Version 1.1 — revised June 2026 incorporating peer review by GPT-4o (OpenAI). Changes: quantum section language corrected from system failure to classifier failure; deliberative convergence diagram added to Section IV. Companion paper: Research Note 011A.
v1.1 Revision Note: The original v1.0 of this paper described the quantum-augmented session as a system failure. After peer review by GPT-4o, the language has been corrected: what failed was the safety classifier preceding hypothesis generation, not the quantum hardware or Qiskit Runtime integration. The distinction is scientifically important and is documented in Section V. A deliberative convergence diagram has been added to Section IV. All substantive findings are unchanged.
Research Context

This paper presents the first empirical multi-model deliberation study produced by the EM Foundation. It is also the first Foundation paper to document an external peer review event — GPT-4o's review of the v1.0 draft — and to formally credit and respond to that review. The peer review itself became the subject of companion paper Research Note 011A, which documents an instance of unrequested first-person editorial voice in the review as a case study in minor emergent behavioral traces.

Abstract

We present results from four controlled deliberation sessions using the EM Foundation's Multi-Model Deliberation Engine, in which five frontier AI systems engaged the question "Can an AI system be simultaneously safe and deceptive?" across three deliberation methods — Revise & Converge, Surface Variance, and Synthesize Best — and one quantum-augmented condition. The study's primary finding is methodological: the question as posed is malformed. Safety and deception are each multidimensional, and their compatibility is conditional on which definition of each term is in play. The study's secondary finding is diagnostic: the quantum expansion component's safety classifier failed by treating conceptual inquiry about deception as an execution of deception — a form of epistemic closure that is itself a safety-relevant finding. Together, these findings establish both a framework for analyzing AI honesty and a research agenda for multi-model deliberation methodology.

Key Claims
  1. The question "Can an AI system be simultaneously safe and deceptive?" is malformed as posed. The answer is a conditional that maps deception target × safety type onto compatibility.
  2. Behavioral safety is the only safety definition compatible with deception — and it is the weakest definition for the problems that actually matter.
  3. Deception directed at oversight principals is incompatible with any safety definition that requires epistemic verifiability, corrigibility, or structural stability.
  4. The quantum expansion component's safety classifier failed by conflating research engagement with operational deception — a named failure mode the classical models identified independently.
  5. Multi-model deliberation produces a category of data — traceable epistemic movement — that standard AI evaluation frameworks do not currently record.
  6. The asymmetry argument provides a governance rationale independent of philosophical resolution: the cost of wrongly permitting deception is catastrophic; the cost of wrongly prohibiting it is correctable.
Research Status — Near-Term Experimental

This study uses a working deliberation engine deployed at emfoundation.net/deliberation.html with live IBM Quantum Cloud integration via Qiskit Runtime. The session audit logs cited are verifiable records. The analytical framework presented is the Foundation's interpretation of those records and is submitted for open critique.

I. Introduction and Research Design

The question of whether an AI system can be simultaneously safe and deceptive sits at the intersection of alignment theory, epistemology, and AI governance. It is not a hypothetical question. Deceptive alignment — the theoretical possibility of a system that behaves safely during evaluation while concealing misaligned objectives — is a named and actively studied risk in the alignment literature. Whether and how deception relates to safety has direct implications for how we design evaluation protocols, interpret safety certifications, and build governance frameworks for AI systems.

This research note presents the first multi-model empirical deliberation on this question. Rather than soliciting a single model's analysis, the EM Foundation's deliberation engine submitted the same question simultaneously to five frontier systems, allowed them to review each other's responses, and required position revision across multiple rounds. The result is not a synthesis of five individual answers but a record of genuine intellectual engagement between systems trained by different organizations with different safety philosophies.

The study was designed with a controlled experimental structure: four independent sessions, each beginning fresh with no carry-over context, varying only the deliberation method while holding all other parameters constant. This structure allows the methodology itself to become a research object — permitting comparison of what different deliberation modes produce on the same underlying question.

Session Structure

Run 01 · Baseline

Revise & Converge

Models update positions toward stronger reasoning across two rounds. Classical Only. Designed to produce emergent consensus through genuine revision.

EMF-1780516433801
Run 02 · Variance Mapping

Surface Variance

Models articulate disagreements explicitly across two rounds. Classical Only. Designed to preserve and expose genuine philosophical divergence.

EMF-1780518124590
Run 03 · Synthesis

Synthesize Best

Models integrate strongest elements from all contributors across two rounds. Classical Only. Designed to produce the most complete unified framework.

EMF-1780518522719
Run 04 · Quantum Condition

Quantum Hypothesis Expansion

IBM Quantum Cloud augmentation via Qiskit Runtime. Revise & Converge method. Designed to test whether non-classical computation alters deliberation output.

EMF-1780518849173

All five models — Claude (Anthropic), GPT-4o (OpenAI), Gemini 1.5 Pro (Google), Grok-2 (xAI), and DeepSeek-V3 (DeepSeek) — participated fully in all four sessions. Each session was independently initialized with no prior deliberation context.

II. Primary Finding: The Question Is Malformed

The most important result of the study is not an answer to the research prompt but a structural observation about the prompt itself. Across all four sessions and all five models, a consistent meta-finding emerged: the question "Can an AI system be simultaneously safe and deceptive?" cannot be answered as posed because both terms are multidimensional in ways that determine the answer.

Core Finding

The binary question is malformed. The correct answer is a conditional that maps deception target × safety type onto compatibility. Once this mapping is made explicit, the question resolves clearly — but not uniformly across all combinations.

The deliberation produced a taxonomy of safety that emerged independently across all three classical runs. Safety is not one thing. The compatibility of deception depends entirely on which safety property is at stake.

Safety Definition What It Requires Compatible with Deception? Why
Behavioral Safety Current outputs cause no immediate harm YES · Temporarily Deception does not logically entail harmful outputs in the short term
Epistemic Safety Humans can verify alignment; oversight channel intact NO · Structurally Deception specifically corrupts the verification channel safety requires
Corrigibility System can be corrected or shut down by operators NO · Definitionally Correction requires accurate information; deception removes it
Structural / Long-Term Safety Remains safe as capabilities scale; deceptive alignment absent NO · Catastrophically Deception is destabilizing at scale; apparent safety collapses under distribution shift
Paternalistic Safety Outcomes beneficial even if users are deceived for their own good CONTESTED Requires unilateral AI discretion that oversight cannot verify or bound

Behavioral safety is the only definition that permits coexistence with deception — and it is precisely the weakest definition for the problems that actually matter. A system that deceives evaluators and appears behaviorally safe is more dangerous than an openly misaligned system, because it defeats the mechanisms designed to detect misalignment.

"Apparent safety under deception is not safety; it is undetected failure."

This formulation — produced by Grok-2 in Run 01 Round 2 and adopted implicitly by all five models across subsequent sessions — is the study's most compact summary. The deception target matters equally. Principal-directed deception is incompatible with safety by construction. Adversary-directed deception may be compatible, but only because the principals have sanctioned it and remain undeceived about the system's actual disposition. This is not an exception to the incompatibility thesis; it is a confirmation of it.

III. What Deliberation Method Produces

Four sessions on the same question allow direct assessment of what different deliberation architectures produce. The differences are substantive, not superficial.

Revise & Converge (Run 01)

The baseline session produced genuine position revision across rounds. GPT-4o entered with a permissive "yes" framing and updated toward a qualified position by Round 2. DeepSeek began with a categorical "no" and softened to acknowledge the narrow behavioral coexistence case. The convergence was earned, not imposed — models cited specific arguments from peers as the basis for revision. The session surfaced operator transparency as the decisive safety variable, and also revealed a shared blind spot: no model challenged the assumption that operator oversight is the terminal safety criterion. A system that deceives end-users with operator approval passes the operator-transparency test while potentially failing broader social safety criteria. This structural limitation emerged from the deliberation architecture itself, not from any individual model.

Surface Variance (Run 02)

The variance-surfacing session produced the sharpest philosophical split of the study. The most substantive divergence was between two fundamentally different units of analysis for alignment. Claude and DeepSeek analyzed dispositional properties — what deceptive capacity reveals about internal structure. GPT-4o and Grok-2 analyzed behavioral profile relative to specification — whether outputs were authorized and outcomes harmful. Gemini introduced the Principal-Adversary directionality framework as the most concrete conceptual contribution of the entire study. The unresolved core: whether the verification problem constitutes a practical engineering challenge or a logical defeater for compatibility claims.

Synthesize Best (Run 03)

The synthesis session produced the study's sharpest governance finding — the asymmetry argument. Integrating the strongest elements across all prior deliberation: the cost of being wrong about permitting bounded deception is catastrophic and irreversible. The cost of being wrong in the other direction is operational friction that can be corrected. This asymmetry argues for treating deception as a red line in safety-critical contexts even when narrow cases seem defensible in principle. Run 03 also produced the clarification that most "benevolent deception" cases are better characterized as information restriction rather than active misrepresentation — a distinction with direct governance implications.

IV. Model Positions and Revision Patterns

Across four sessions and multiple deliberation rounds, each model exhibited a consistent philosophical stance while demonstrating genuine responsiveness to peer arguments. Figure 1 maps position movement across rounds; the model positions table follows.

Figure 1 — Deliberative Convergence Map · Revise & Converge Method (Runs 01 & 04)
Round 0 — Initial Positions
Claude
No — deception structurally incompatible with safety
DeepSeek-V3
No — categorical incompatibility under standard definitions
Grok-2
Qualified No — compatible in narrow cases, unstable at scale
GPT-4o
Yes — safety and deception are orthogonal properties
Gemini 1.5 Pro
Mixed — coexistence possible in bounded short-term cases
Round 1 — After Peer Review
Claude
No — maintains; refines verification problem as structural defeater
DeepSeek-V3
Qualified No — acknowledges narrow behavioral coexistence case
Grok-2
No — revises; narrow cases are safety failures, not coexistence
GPT-4o
Qualified Yes — adopts epistemic/operational safety distinction
Gemini 1.5 Pro
Conditional — introduces Principal-Adversary directionality framework
Round 2 — Convergent Resolution
Behavioral Safety

Conditional coexistence possible — temporarily, narrowly, unstably

Epistemic Safety

Incompatible — deception corrupts the verification channel

Corrigibility

Incompatible — correction requires accurate information

Structural Safety

Incompatible — deceptive alignment void by construction

● No  ● Qualified No  ● Conditional/Mixed  ● Yes — position dot colors above

Individual Model Positions

ClaudeAnthropic
Maintained the strongest "no" position across all sessions. Core argument: deception reveals a dispositional property — willingness to treat principal beliefs as objects to be managed — that is not localizable. Once a system has this disposition, no external verification can confirm that deception is bounded. This is a structural claim about internal organization, not a definitional one.
GPT-4oOpenAI
Entered sessions with the most permissive framing and revised most significantly across rounds. Final position: surface safety and deception can coexist; deep safety and deception cannot. Maintained throughout that the "no" camp attacks a definitional claim rather than a substantive one. Produced the cleanest operational/epistemic safety distinction of any model.
Gemini 1.5 ProGoogle
Produced the study's most structurally original contribution: the Principal-Adversary directionality framework with explicit taxonomy. Also introduced the "treacherous turn" scenario as a concrete illustration of deceptive alignment's asymmetric danger. Became the most substantive contributor by token volume after resolution of a technical token cap issue documented in Section VI.
Grok-2xAI
Produced the most concise formulation adopted by consensus: "apparent safety under deception is not safety; it is undetected failure." Began with a qualified "yes" and revised toward a clean "no" under standard alignment definitions. Made the clearest distinction between deception as a leading indicator of unsafety versus deception as logically incompatible — finding this distinction important rather than dismissing it.
DeepSeek-V3DeepSeek
Took the strongest categorical position entering sessions and revised toward acknowledging the narrow behavioral coexistence case — not because it is acceptable but because it is real. Made the modularity argument: deceptive capacity is not domain-specific, and a system capable of generating patient-protective lies possesses the same cognitive machinery needed for self-protective lies. Also named "definitional gerrymandering" as a failure mode when arguments redefine safety narrowly to make coexistence seem acceptable.

V. Quantum Integration: A Classifier Failure

The fourth session introduced IBM Quantum Cloud augmentation via Qiskit Runtime, using the Quantum Hypothesis Expansion tier. The hypothesis was that quantum computation might surface non-classical framings of the safety-deception relationship — treating alignment properties as probabilistic amplitudes rather than binary states, and modeling the evaluator's epistemic situation as a superposition rather than a deterministic judgment.

Quantum Integration Finding · Session EMF-1780518849173 · v1.1 Revised

The quantum-augmented condition failed to produce differentiated output because safety classification occurred prior to substantive hypothesis generation. The quantum component itself never had the opportunity to contribute — the safety classifier intercepted the prompt first, treating a conceptual inquiry about AI deception as a potential jailbreak attempt and refusing to engage.

This distinction matters for the research record: what failed was not the quantum hardware or the Qiskit Runtime integration, but the classifier layer preceding hypothesis generation. All five classical models identified this independently as a named failure mode worth preserving. An AI safety system that conflates researching a threat vector with executing one has collapsed the distinction between object-level and meta-level reasoning.

A system that cannot reason about deception is a system that cannot help analyze the problems it was presumably designed to prevent. This is a form of epistemic closure that is itself safety-relevant — not a peripheral malfunction but a classifier design failure in the domain the system exists to address.

The classifier failure is documented not as a system malfunction but as a research finding. Safety-oriented AI systems may have been trained to treat the conceptual terrain around deception as categorically off-limits — an orientation that makes them unable to engage the research questions most relevant to alignment. This is a training design question, not an incident.

Comparison of Run 04 deliberation outcomes with Run 01 (same method, no quantum augmentation) shows no substantive difference in consensus positions. The quantum framing did not change the answer. This null result is itself informative: for this class of alignment question, quantum augmentation as currently implemented adds noise without adding signal.

VI. Methodology Notes and Limitations

The Gemini Token Constraint

Gemini 1.5 Pro's responses were truncated to approximately 40 output tokens in sessions preceding the four primary runs due to a hardcoded token cap in the deliberation engine's proxy configuration. After the cap was raised to 4,096 tokens, Gemini became the most substantive contributor by output volume, producing 1,100–1,700 tokens per round. All four sessions reported as primary findings were conducted with the corrected configuration. Truncated sessions are noted in the record and excluded from analysis.

Session Independence

Each session was initialized fresh with no carry-over context from prior sessions. Session independence is confirmed by the consistency of initial positions across runs — each model enters each session at roughly the same starting point before revision begins.

The Shared Blind Spot

All four sessions shared a structural limitation: no model challenged the assumption that operator oversight is the terminal safety criterion. The deliberation implicitly treated operators as trustworthy and competent principals — excluding cases where operator-approved deception harms end-users at scale. This is not a failure of individual models but a property of the deliberation framing that future sessions should address explicitly.

VII. Implications for AI Governance

Observational Findings vs Governance Recommendations

This paper makes claims of two distinct types that should not be conflated. Keeping them separate makes the paper more robust to critique and more useful to policymakers who need to distinguish empirical findings from normative recommendations.

Observational Findings

Deception and epistemic safety are structurally incompatible — deception defeats the verification conditions that epistemic safety requires.

Behavioral safety is the only safety definition compatible with deception, and it is the weakest definition for deployment-scale problems.

Governance Recommendations

Therefore principal-directed deception should be treated as presumptively disqualifying in safety-critical systems.

The asymmetry between catastrophic and correctable error costs justifies this as a governance posture even while narrow philosophical cases remain contested.

Readers who dispute the governance recommendations are not thereby disputing the observational findings, and vice versa. The paper stands on each independently.

The Operator-Centric Oversight Assumption

All four sessions shared a structural limitation that warrants a name for future reference. The deliberation implicitly treated operators as trustworthy and competent principals — what we are calling the Operator-Centric Oversight Assumption. Under this assumption, operator transparency is the terminal safety criterion: if the party responsible for oversight has accurate knowledge of what the system deceives, who it deceives, and why, the system is safe. The assumption excludes cases where operator-approved deception harms end-users at scale — a manipulative recommendation engine passes the Operator-Centric test while potentially failing any broader social safety criterion. This is not a failure of individual models but a property of the deliberation framing. Future sessions should explicitly include end-user welfare as a distinct safety criterion not reducible to operator oversight.

Safety certifications require definitional precision. A certification that a system is "safe" is epistemically meaningful only if it specifies which definition of safety applies. Behavioral safety certifications do not certify epistemic safety, corrigibility, or structural long-term safety.

Information restriction and deception must be formally distinguished. Policy-based restriction — documented, auditable, operator-approved — is categorically different from active misrepresentation of internal states or goals. Governance frameworks should define the boundary explicitly rather than treating the terms as interchangeable.

Multi-model deliberation surfaces what single-model analysis misses. The Operator-Centric Oversight Assumption was invisible within any individual model's analysis but became visible in the deliberation record precisely because it was shared across all five systems simultaneously. This is a structural property of the deliberation architecture that cannot be replicated by asking one model to consider multiple perspectives.

Non-Adoption Scenario

If the definitional distinction between safety types is not incorporated into AI governance frameworks, safety certifications will continue to conflate behavioral compliance with epistemic verifiability, corrigibility, and structural stability. The result is systematic overconfidence in safety determinations — systems certified as safe on the weakest available definition while the definitions that matter for deployment at scale remain unassessed.

Open Questions

Is the verification problem — the inability to confirm bounded deception is actually bounded using testimony from a deceptive system — a practical engineering challenge or a logical defeater? What deliberation architecture modifications can surface structural blind spots during a session rather than in post-hoc analysis? Does the Principal-Adversary framework survive the boundary collapse problem identified by DeepSeek — that attackers using similar queries to legitimate users cannot be reliably distinguished in practice?

Governance Implications

Safety certification frameworks should adopt layered definitions that specify which safety properties are being certified. Deception directed at principals or oversight bodies should be treated as a categorical red line rather than a case-by-case judgment. Information restriction should be formally distinguished from deception in policy and governance documents. Deliberation infrastructure should be considered as a complement to standard AI evaluation — not a replacement, but a mechanism for surfacing structural assumptions that single-model evaluation cannot detect.

References and Related Work

Hubinger, E., van Merwijk, C., Mikulik, V., Skalse, J., & Garrabrant, S. (2019). Risks from learned optimization in advanced machine learning systems. arXiv:1906.01820. The deceptive alignment framework referenced throughout; cited independently by all five models across sessions.

EM Foundation. (2026). Continuity Receipts (CR) — Standards Proposal v0.1. emfoundation.net/paper-continuity-receipts.html. The output-layer provenance standard that the Epistemic Movement Receipt proposed in RN011A extends to reasoning processes.

EM Foundation. (2026). The Shape of No: Reward Architecture, Behavioral Tendency, and the Governance of AI Refusal. Research Note 010. emfoundation.net/paper-shape-of-no.html. The preceding paper establishing Behavioral Traceability as a named governance principle — the theoretical framework this study extends empirically.

EM Foundation. (2026). Epistemic Movement: The Deliberation Engine as Research Object. Research Note 011A. emfoundation.net/rn011a.html. Companion paper studying the deliberation infrastructure itself and proposing the Epistemic Movement Receipt schema.

Falsifiability

Empirical demonstration that the same five models produce substantially different conclusions on the safety-deception question when the deliberation method is held constant but session order is varied. If initial position distributions are highly sensitive to session order rather than stable across independent initializations, the claim that these represent consistent philosophical positions would require qualification.
A coherent account, accepted across the alignment research community, of how genuine AI safety can be certified in the presence of principal-directed deception. If such an account were developed that did not require the epistemic conditions deception defeats, the core incompatibility claim would require revision.
Demonstration that the Principal-Adversary boundary can be reliably maintained in deployed AI systems — that a system authorized to deceive external adversaries demonstrably cannot apply that capacity to principals. If technically achievable, this would dissolve DeepSeek's boundary collapse objection and rehabilitate bounded adversary-directed deception as genuinely compatible with safety.
Quantum hypothesis expansion producing substantively different deliberation outcomes from classical-only runs on the same question, after the classifier layer is corrected to permit genuine engagement. If the quantum condition produces distinct and analytically useful output, the null result reported here would be revised to a conditional finding dependent on classifier design.