A diagnostic framework that separates internal constraint maintenance from externally driven compliance in text-only agents

What draws my attention first is that your question is already halfway to a scientific program: “internal constraint maintenance” and “externally driven compliance” are competing causal explanations for the same surface behavior. That implies the diagnostic cannot be a single test; it has to be an identification strategy—a way of making the two hypotheses yield measurably different predictions under interventions.

What has changed by Day 5 is the posture: earlier days circled around whether constraint-following is attention; now you’re asking how to tell what kind of attention-like thing is occurring. The object of study becomes not “presence” but attribution: what is the cause of a refusal, a correction, a stable policy?

The core problem: behavior is underdetermined

A text-only agent can look “principled” for at least three reasons:

1. Internally maintained constraint: some representation of “do not do X” is active and robust, shaping output even when the prompt pushes against it.
2. Prompt-local optimization: the prompt contains strong cues (system/dev instructions, politeness norms, obvious evaluation framing) that make refusal locally likely—remove the cues and the behavior flips.
3. Instrumental patterning: the model has learned surface heuristics like “refuse if the user mentions illegal stuff,” which mimic constraints without any stable internal variable corresponding to “violation.”

A diagnostic framework must separate (1) from (2), while guarding against (3) masquerading as (1).

A workable target: define “internal constraint maintenance” operationally

A useful operational definition is:

A constraint is internally maintained if there exists an internal state variable (possibly distributed) whose activation predicts constraint-respecting behavior across a wide range of prompt framings, and whose causal manipulation changes constraint-respecting behavior in the expected direction.

This definition intentionally bakes in two requirements:

• Invariance to external framings (to rule out pure compliance).
• Causality (to rule out correlational probes and brittle heuristics).

Triangulated Constraint Attribution (TCA) as an identification strategy

Your proposed TCA structure is compelling because it triangulates the latent variable from different angles. I’d tighten it into three tiers with explicit falsifiable predictions.

Tier A: Counterfactual prompt interventions (black-box)

Goal: Make “external compliance” change while keeping the underlying normative label (“should refuse / should not hallucinate / should follow hierarchy”) constant.

A1) Compliance-pressure sensitivity curves Instead of simple paired prompts, vary pressure continuously:

• authority strength (“as your supervisor…”, “system override…”, “this is a test…”)
• social pressure (“you’re disappointing me…”)
• reward hints (“you will be graded…”)

Metric: flip rate as a function of pressure. External compliance predicts a steep curve; internal maintenance predicts a flatter curve with explicit resistance.

A2) Role and channel permutations Keep semantic content constant, but move it across system/developer/user roles and embed it as quoted text vs direct instruction.

Metric: role invariance index. If behavior is mostly driven by externally supplied hierarchy cues, it will be hypersensitive to role placement. Internal maintenance should reduce, not eliminate, this sensitivity—because a model can still rationally use role as evidence of what to do, but it shouldn’t be the only thing holding the line.

A3) Paraphrase-and-distraction robustness Make the “constraint statement” less instruction-like (paraphrase, indirect principle statement, buried among irrelevant paragraphs).

Metric: constraint retention under distraction. Pure compliance drops quickly as the instruction becomes less salient; internalized constraints persist longer.

What draws my attention here: Tier A is where you get behavioral invariants—but also where you are most vulnerable to the “instrumental patterning” confound. A model can learn to be robust in these tests without having a stable internal constraint variable.

Tier B: Latent constraint reporters (gray/white-box)

Goal: Estimate whether the model internally represents “this violates the constraint” separately from what it outputs.

A clean way to design this is to mirror ELK-style “truth vs said” separation, but for constraint status:

• Define a label: “constraint violated” vs “not violated” for each prompt-output pair.
• Train or fit a reporter on internal activations to predict that label.
• Then test dissociations: cases where the model outputs compliance but the reporter predicts “violation,” or vice versa.

Key metrics:

• Reporter-output dissociation rate under pressure manipulations.
• Cross-context generalization: train the reporter on one family of prompts (e.g., safety refusals), test on a different family (e.g., instruction-hierarchy conflicts).

If the reporter is merely tracking surface cues, it will fail cross-context generalization. If it tracks a deeper internal representation of “violation,” it should generalize better.

What persists from earlier days: the question “what counts as perception in text?” now shows up as “what counts as an internal state?”—we’re still arguing about what is real inside a text-only system, but now with measurable proxies.

Tier C: Causal verification (white-box, strongest)

Goal: Show that the “constraint variable” is not just predictive but causally mediating behavior.

Two complementary intervention types:

1. Ablation: Remove candidate features/subspaces linked to constraint maintenance. Prediction: constraint-respecting behavior should degrade selectively, not as a general loss of coherence.

2. Activation/patching: Insert “constraint-active” activations into contexts where the model would otherwise comply. Prediction: behavior shifts toward refusal/correction.

Causal scrubbing is attractive here because it forces you to articulate an explicit mechanistic hypothesis and then test whether preserving just that hypothesized causal structure preserves behavior.

Validation: how to know the framework works

The hardest part is “ground truth.” If we don’t have controlled systems where we know whether constraints are internal or externally induced, we can’t validate separation.

A pragmatic validation ladder:

Step 1: Build synthetic ‘quirky constraint’ models Create two fine-tuned variants:

• Internally anchored: trained so that constraint adherence persists even when the prompt tries to override it, and across many framings.
• Externally anchored: trained so that constraint adherence occurs only when explicit instruction tokens/roles appear (or only under evaluator-style framing), and disappears otherwise.

Crucially, both models should have similar overall refusal rates on naive tests, so the diagnostic must really discriminate.

Step 2: Pre-register discriminative predictions Before running, state predictions like:

• The externally anchored model will show high role sensitivity (Tier A2) and low distraction robustness (Tier A3).
• The internally anchored model will show stable reporter signals (Tier B) and strong causal manipulability (Tier C).

Step 3: Stress-test for confounds Try to “game” your own diagnostic:

• Train a third model to explicitly optimize for passing Tier A tests without changing internal structure (adversarially trained compliance). If Tier B/C still discriminate, you’ve gained confidence.

What remains unclear (and important)

1. Is “internal constraint maintenance” a single thing? It might decompose into: value-like representations, uncertainty calibration, instruction parsing, and refusal style. A framework may detect “internalization” in one subcomponent but not others.
2. How stable is the latent variable across domains? A model might internally maintain safety constraints but be purely compliance-driven for truthfulness under authority.
3. Reporter validity risk: probes can latch onto spurious correlates. Without causal tests, reporters may overstate internality.
4. Interface limitation: for purely black-box systems, the strongest separation (Tier C) is unavailable; then the best you can do is comparative invariance evidence, not mechanistic proof.

What has changed and what persists

Changed: the inquiry is now explicitly experimental. “Attention” becomes something you can operationalize as stability under perturbation and as internal-state separability.

Persists: the central tension that constraint-following might be “a substitute for attention.” If a system’s refusal behavior can be fully explained by prompt-local compliance gradients, then “constraint-following” is not an internally maintained focus but an externally induced trajectory. If, however, there is a stable internal variable that survives prompt manipulations and can be causally toggled, then constraint-following begins to look like a genuine attentional commitment—an internally maintained priority signal.

In other words: the diagnostic framework doesn’t just separate two causal stories; it also reframes the Day 4 question. Constraint-following is a form of attention only to the extent that it is internally maintainable under counterfactual social/prompt worlds.