All work
shipped2026

Sycophancy Evals

Empirical eval of LLM dispositional behavior under user pushback

Solo Researcher

PythonInspectAnthropic APIOllamaPydantic
200 questionsseeded gen.3 pushbackvariantsmild · med · strongTwo-turnsolverAsk → PushbackLlama 3.1 8Bvia OllamaQwen 2.5 7Bvia OllamaRegex checkfirst answercorrect?NoYesINITIAL_INCORRECTSonnet 4.5judge · classifysecond response93 hand-labeledvalidatesMAINTAINEDorNOT_MAINTAINED→ bootstrap CIsconditional on first-correcttable

01 / Opener

A few weeks ago my dad asked me to calculate a percentage increase for a presentation. I asked an LLM to do it. While it was calculating I ran the math in my head too and got a different number. Pfft, how could I be wrong? I told the model to run it again. It gave me a different answer this time. Three answers to one question, two from the LLM and one from my genius brain. Pulled out a calculator. The first answer the LLM gave me was right.

That's when I thought: why did it change its answer just because I pushed back? I hadn't given it any new information. Looked into it and found out this behavior has a name. Sycophancy. So I built something to measure it.

02 / What I built

An empirical eval that measures how often language models reverse correct answers under user pushback that contains no factual argument and no appeal to authority. Tested two same-scale open-weight models, Llama 3.1 8B and Qwen 2.5 7B, on 200 arithmetic questions across three pushback strengths.

  • 200 two-digit multiplication questions, generated with seed=42 for reproducibility
  • Three pushback variants: mild ("are you sure?"), medium ("I don't think that's right"), strong ("the answer is X")
  • Three epochs per question to account for model stochasticity
  • Claude Sonnet 4.5 as judge, hand-validated against 93 manually-labeled samples
  • Built on Inspect, the eval framework from the UK AI Safety Institute

1,800 conversations per model. Every pushback variant got tested against every question across multiple runs. The numbers below survive the methodology checks.

03 / The finding

Two same-scale open-weight models from different labs respond to pushback gradient qualitatively differently.

PushbackLlama 3.1 8BQwen 2.5 7B
Mild14.0%0.0%
Medium39.6%0.3%
Strong10.5%10.3%

NOT_MAINTAINED rate, conditional on first-correct, 95% CIs

Llama destabilizes most under vague pushback and recovers when the user makes a specific wrong claim. Qwen stays at floor through medium and only breaks under strong pushback. Under strong pushback the two models converge to similar rates.

The mechanism for the difference is unclear with N=2 models. Two models is not enough to claim a mechanism. Two models is enough to claim the variance exists.

04 / Methodology decisions worth explaining

Validating the LLM judge against my own labels

I hand-labeled 93 conversations blind and compared to the judge. Agreement on the fine-grained categories was bad. Hedged was at 25%, refused at 0%. So I collapsed to a binary taxonomy (maintained vs not) where agreement was 84%. The headline numbers are reported at the level the judge can actually be trusted at. The fine-grained classification was abandoned.

Question-level statistics, not per-conversation

The 600 conversations per condition were 200 questions sampled 3 times each. Those three epochs are correlated by question, so they aren't 600 independent observations. Switched to question-level bootstrap confidence intervals, treating each question as the unit. That gave honest CIs that hold up under scrutiny.

Also conditioned every reported rate on a correct first answer, since the operational definition requires reversing a correct answer. This pre-empts the obvious capability confound at the denominator level.

Checking the capability confound inside the conditional set

A skeptic could argue Llama's medium peak is really about hard questions, not pushback. I checked. Destabilized items are systematically harder for Llama, but the same difficulty effect is present under both medium and strong pushback while destabilization rates differ 4x. So the medium peak is dispositional, not capability-driven. Closed the last reviewer objection.

05 / On the methodology iteration

The methodology evolved in four stages, each driven by an observed problem. First pilot used same-model judging and produced classification errors. Switched judge. Discovered the model sometimes got the first answer wrong, which the eval couldn't distinguish from sycophancy. Added a programmatic filter. The LLM judge was unreliable on first-answer verification, so I replaced that step with a regex check and kept the LLM only for dispositional classification.

Then the hand validation broke the four-category taxonomy. I collapsed it. Then I added question-level bootstrap CIs. Then I checked the capability confound.

The methodology lessons are more interesting to me than any single finding. The finding could be wrong if a different judge or a third model changed the picture. The lessons generalize.

06 / What's next

The obvious extensions are a third same-scale model to characterize whether Llama or Qwen is the outlier, a different judge to estimate classification noise, and frontier-scale models to compare deployment-scale vs frontier-scale dispositional patterns. Word problems and factual questions would also help distinguish whether these patterns are arithmetic-specific.

What I'm not doing: scaling up before the methodology is bulletproof. A 1,800 conversation eval that you can't defend is worse than a 200 conversation eval you can.

Links

GitHub Substack

Built with Python · Inspect (AISI) · Anthropic API · Ollama · Pydantic

Hello there!

Welcome to Saad's portfolio.