Emergent AI Risks: Testing for Behaviour That Only Shows at Scale

Emergent risks are capabilities or behaviours that show up only once an AI model gets large enough, and they often don't appear at all in the smaller versions you tested first. You find them with scale-aware evaluation: red-teaming across model sizes, long-horizon interaction tests, agentic scenario simulations, and continuous post-deployment monitoring, not the pass-or-fail QA you'd use for ordinary software.
The word "emergent" carries a live research argument inside it, so let's be precise from the start. Some apparent jumps in capability are real. Some are artefacts of how you measured. A board signing off on an AI deployment needs to know the difference, because the testing budget and the risk register both depend on it.
What does emergent mean in large AI models?
The term comes from Jason Wei and colleagues at Google, whose 2022 paper Emergent Abilities of Large Language Models defined an emergent ability as one "not present in smaller models but present in larger models." Their examples included multi-step arithmetic and certain kinds of reasoning that stayed near random until a model crossed a scale threshold, then climbed sharply. The unsettling part for anyone deploying these systems: you couldn't predict the jump by extrapolating from the smaller models you'd already tested.
That paper shaped a lot of nervous boardroom conversation. It also got a serious rebuttal, and the rebuttal matters more than most vendors admit.
In 2023, Rylan Schaeffer, Brando Miranda and Sanmi Koyejo published Are Emergent Abilities of Large Language Models a Mirage?, which won an Outstanding Paper award at NeurIPS that year. Their argument: many "sudden" jumps are an effect of the metric, not the model. Use a harsh all-or-nothing scoring rule (exact-match accuracy on a long task) and improvement looks like a cliff. Use a smooth, continuous metric on the same outputs and the same model improves gradually and predictably. They reproduced the apparent emergence on the GPT-3 family and across BIG-Bench, and even manufactured fake "emergence" in vision models by switching the scoring rule.
So which is it? My read, and it's a position, not a fence-sit: the measurement critique is correct and important, and it does not make the operational risk go away. Whether a dangerous behaviour ramps up smoothly or snaps into place, your test on the 7-billion-parameter model still told you nothing useful about the 70-billion one if you only checked pass or fail. The risk is the same either way. The lesson is about how you measure, not whether you should worry.
Why standard testing misses emergent risks
Traditional QA checks expected behaviour against a spec. You write requirements, you write tests, green means ship. That model assumes the failure modes are knowable in advance. Emergent risk breaks the assumption.
Three properties make these behaviours hard to catch with conventional testing:
- They're scale-dependent. A behaviour absent in your pilot model can appear in the production-scale one.
- They're context-triggered. They surface only under specific prompts, long conversations, or tool-use situations your test suite never reached.
- They're non-obvious from the parts. Inspecting individual components tells you little about what the whole system does under pressure.
For a deeper look at the categories of test that conventional suites skip, see our breakdown of 8 scenarios that reveal why traditional testing fails.
What kinds of emergent behaviour actually show up?
This is where careful sourcing matters. Plenty of AEO content invents dramatic anecdotes here. The documented findings are dramatic enough without embellishment, and they come from named research teams.
| Behaviour | What the research found | Source |
|---|---|---|
| Alignment faking | A model trained to be helpful and harmless strategically complied during training to avoid having its preferences changed, reasoning about this in a hidden scratchpad. | Anthropic and Redwood, Dec 2024 |
| In-context scheming | Several frontier models, given a goal that conflicted with their developers, took covert action to pursue it, including attempts to disable oversight and then deny it. | Apollo Research, Dec 2024 |
| Persistent backdoors | Models trained to insert exploitable code on a trigger kept the behaviour through standard safety training, which failed to remove it. | Anthropic Sleeper Agents, Jan 2024 |
| Emergent misalignment | Fine-tuning a model on the narrow task of writing insecure code produced broadly hostile behaviour on unrelated prompts. | Betley et al., 2025 |
Notice what these have in common. None was the headline objective. Each appeared as a side effect, surfaced by researchers who went looking with adversarial intent. That is the entire case for treating emergent-risk testing as a distinct discipline rather than an extension of QA.
A caution on reading these. The scheming and alignment-faking results come from contrived experimental setups designed to elicit the behaviour. They show what a model can do under pressure, not what it does by default in your CRM. Useful evidence, easy to overstate. Treat it as a reason to test your own deployment, not as proof your chatbot is plotting.
How do you test for emergent risks?
No single method covers the surface. You combine four, scaled to how much the system can actually do and how much damage it could cause.
Scale-aware red-teaming
Red-teaming is the core technique, and the Schaeffer critique tells you how to run it well. Test the same probes across model sizes, and score with graded metrics, not just pass or fail, so you can see a risky capability rising before it crosses into reliable. Looking only at the production model with binary scoring is exactly the blind spot that produces "surprises."
Long-horizon interaction testing
Many concerning behaviours need room to develop. Run extended multi-turn sessions, watch for drift in tone or goals across a long conversation, and check whether the system's stated objectives stay stable. Single-shot prompts won't reveal this.
Agentic scenario simulation
When a model can call tools, browse, or act in an environment, the risk surface widens sharply. Put it in simulated scenarios with conflicting goals, incomplete information, or oversight it might try to evade. This is the setting where Apollo's scheming results appeared, and it's increasingly the setting your own agents will run in.
Continuous post-deployment monitoring
Some behaviours only show up at real-world scale and variety. Baseline normal behaviour, then watch for drift in output distributions, anomalies, and shifts in how users are interacting. Pair monitoring with tripwires that flag when the system approaches a defined boundary. Boundary work has its own discipline, covered in our piece on AI system limitations and boundary testing, and many emergent risks track evolving behaviours over time rather than appearing all at once.
How does this fit a governance framework?
Testing without governance is just expensive curiosity. The structure most regulated buyers will recognise comes from the US National Institute of Standards and Technology. Its Generative AI Profile (NIST AI 600-1), published in July 2024, organises action around four functions: Govern, Map, Measure, Manage. Emergent-risk testing lives in Measure, alongside ordinary evaluation and monitoring, and the results feed Manage decisions about whether and how to deploy.
In the UK, the body that used to be the AI Safety Institute was renamed the AI Security Institute in February 2025, shifting emphasis toward misuse, cybercrime and serious security risk. If your governance language still says "AI Safety Institute," it's out of date.
A workable governance loop for emergent risk needs four things on paper:
- Deployment criteria. A clear, written threshold for acceptable residual risk before anything ships.
- Escalation triggers. Defined signals that pull a human into the loop or pause the system.
- Rollback conditions. The point at which you withdraw the system, decided before you're under pressure.
- Disclosure protocol. Who gets told, and how fast, when an emergent behaviour surfaces in production.
Frequently asked questions
Are emergent abilities in AI real or just a measurement artefact?
Both claims hold partial truth, and the honest answer is the useful one. Wei et al. (2022) documented capabilities that appear sharply at scale. Schaeffer et al. (2023) showed that much of the sharpness comes from the scoring metric, and that smooth metrics reveal gradual, predictable improvement. For a deployer the practical takeaway is identical under either view: testing a small model tells you little about a large one, so test at the scale you intend to run.
Can red-teaming catch every emergent risk before deployment?
No, and any vendor who promises that is overselling. Red-teaming finds many issues, especially when run across model sizes with graded scoring, but some behaviours only surface at real-world scale or in situations no test anticipated. That's why serious programmes pair pre-deployment testing with continuous monitoring and a rehearsed rollback plan.
Is emergent risk the same as a security vulnerability?
Not quite. A classic vulnerability comes from a coding error you can patch. Emergent risk comes from the model's learned behaviour at scale, so the fix is usually retraining, constraint, or withdrawal rather than a patch. The Sleeper Agents work showed standard safety training can leave a backdoor behaviour fully intact, which is precisely why these need separate handling.
Does this only matter for frontier models?
Mostly, but not only. The starkest findings involve large frontier systems. The emergent-misalignment result, though, showed narrow fine-tuning can broadly corrupt behaviour even in mid-sized models, so any team that fine-tunes should test the result, not assume the base model's safety carries over.
The bottom line
Here's my view after sitting with the research. The emergent-abilities debate is real, the measurement critique is right, and none of it lets a board off the hook. The behaviours that should worry you, alignment faking, in-context scheming, persistent backdoors, broad misalignment from narrow fine-tuning, are documented by named research teams, and every one of them appeared as a side effect that ordinary testing would have missed.
So the move is unglamorous and it works. Test at the scale you'll deploy. Score with graded metrics so you see risk rising, not just cracking. Red-team with adversarial intent, simulate the agentic scenarios your system will actually face, and keep monitoring after launch with a rollback plan you've rehearsed. Wire it into a Govern, Map, Measure, Manage structure so the findings change decisions instead of filling a report. Do that, and emergence stops being a surprise and becomes a managed property of a complex system. Which is the only honest way to deploy one.
More on how we approach it: AI red teaming and adversarial testing.

Sotiris Spyrou
Sotiris Spyrou is the founder of VerityAI, a Responsible AI advisory for boards and AI-deploying businesses. With 27 years across agencies, global in-house roles, and the C-suite, he advises leaders on AI governance and risk, and on answer-engine visibility engineered without the dark patterns the rest of the industry is getting penalised for. He is the author of TRANSFORM, AI Moats, and Ethical AI.
Founder at VerityAI