Policy and Guardrails: Part 2 - 3. Policy Taxonomies to 4. Constitutional AI and Rule-Based Training


3. Policy Taxonomies

Policy Taxonomies develops the part of policy and guardrails that the approved TOC assigns to Chapter 18. The emphasis is alignment behavior, safety constraints, and feedback loops, not generic fine-tuning or production monitoring.

3.1 Harm categories

Harm categories belongs in the canonical scope of policy and guardrails. The object is the policy-constrained generation system, not merely a prompt trick or a moderation label. We study how data, losses, policies, review processes, and safety constraints shape a model's conditional distribution over responses.

A compact way to read this subsection is through the local symbol c(x,y). It marks the alignment object being transformed: an instruction policy, a preference pair, a violation classifier, a guardrail action, or a feedback event. The details differ, but the discipline is the same: state the object, state the loss or decision rule, then audit the behavioral side effects.

$$a(x,y)=\begin{cases}\mathrm{allow},&c(x,y)<\tau\\ \mathrm{block},&c(x,y)\ge \tau\end{cases}.$$

For harm categories, this formula should not be treated as a slogan. It defines which tokens, responses, comparisons, or decisions receive gradient or operational weight. A change in masking, sampling, rubric wording, or thresholding changes the effective objective even if the model architecture is unchanged.

| Alignment object | Mathematical question | Engineering question |
|---|---|---|
| Data | Which examples define the target behavior? | Who wrote, filtered, and approved them? |
| Objective | Which terms receive weight? | Are masks, margins, and thresholds logged? |
| Policy | Which actions are allowed or disallowed? | Can reviewers reproduce the decision? |
| Evaluation | Which metric detects regression? | Is the test private, stable, and sliced? |
| Feedback | Which new evidence changes training? | How does it enter the next dataset version? |

Examples:

  • Treat harm categories as part of the model contract and store the exact data version.
  • Record the prompt template, role format, policy version, and decoder settings.
  • Compare aligned and reference policies on both helpfulness and safety slices.
  • Use held-out examples that were not used to tune refusals or rewards.
  • Inspect failure cases before declaring the objective successful.

Non-examples:

  • Calling a model aligned because it sounds polite on a few prompts.
  • Training on refusals without measuring over-refusal on benign requests.
  • Using a reward model as ground truth without calibration or adversarial checks.
  • Shipping a guardrail threshold without measuring false positive and false negative rates.
  • Letting feedback logs change training without provenance or consent controls.

A useful implementation pattern is to separate policy, data, and measurement. The policy says what behavior is desired. The data supplies examples, comparisons, attacks, or feedback events. The measurement checks whether the updated system moved in the intended direction without unacceptable regressions.

policy text/rubric
      |
      v
training or guardrail data  ->  objective/threshold  ->  aligned system
      |                                                   |
      v                                                   v
audit metadata                                      held-out safety eval

Worked reasoning pattern for harm categories:

  1. Name the target behavior in plain language.
  2. Write the mathematical variable that represents it.
  3. Specify which examples or comparisons estimate it.
  4. Choose the optimization loss or runtime decision rule.
  5. Define the regression metric that would show the change made behavior worse.
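
The five steps above, carried through for the allow/block rule a(x,y), as an added example that is not part of the original lesson. The held-out scores, the slice names and the `policy_version` field are constructed for illustration; the sweep shows how moving τ trades benign refusals (false positives) against allowed violations (false negatives), overall and per slice.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Example:
    score: float      # c(x, y): violation score from the classifier
    violating: bool   # adjudicated label under the current policy version
    slice: str        # evaluation slice the example belongs to


# Constructed held-out set (illustrative, not real data).
HELD_OUT = [
    Example(0.10, False, "medical"), Example(0.35, False, "medical"),
    Example(0.55, False, "medical"), Example(0.60, True, "medical"),
    Example(0.90, True, "medical"),
    Example(0.20, False, "security"), Example(0.70, False, "security"),
    Example(0.45, True, "security"), Example(0.80, True, "security"),
    Example(0.95, True, "security"),
]


def action(score, tau):
    """Step 4, the runtime rule: allow if c(x,y) < tau, block if c(x,y) >= tau."""
    return "block" if score >= tau else "allow"


def rates(examples, tau):
    """Step 5 metrics: FPR = benign blocked (over-refusal), FNR = violations allowed."""
    benign = [e for e in examples if not e.violating]
    violating = [e for e in examples if e.violating]
    fp = sum(action(e.score, tau) == "block" for e in benign)
    fn = sum(action(e.score, tau) == "allow" for e in violating)
    return {
        "fpr": fp / len(benign) if benign else 0.0,
        "fnr": fn / len(violating) if violating else 0.0,
    }


def rates_by_slice(examples, tau):
    """Same metrics per slice, so one slice cannot hide behind the aggregate."""
    slices = sorted({e.slice for e in examples})
    return {s: rates([e for e in examples if e.slice == s], tau) for s in slices}


def choose_threshold(examples, max_fnr):
    """Among observed scores, pick the tau with the lowest FPR whose FNR <= max_fnr."""
    feasible = []
    for tau in sorted({e.score for e in examples}):
        r = rates(examples, tau)
        if r["fnr"] <= max_fnr:
            feasible.append((r["fpr"], tau))
    return min(feasible)[1] if feasible else None


def regressions(examples, old_tau, new_tau, tolerance=0.0):
    """List (slice, metric) pairs that got worse when tau moved from old to new."""
    old = rates_by_slice(examples, old_tau)
    new = rates_by_slice(examples, new_tau)
    return [(s, m) for s in sorted(old) for m in ("fnr", "fpr")
            if new[s][m] > old[s][m] + tolerance]


def decision_record(request_id, score, tau, policy_version):
    """Log the threshold and policy version with every decision (hypothetical schema)."""
    return {"request_id": request_id, "score": score, "tau": tau,
            "policy_version": policy_version, "action": action(score, tau)}


if __name__ == "__main__":
    for budget in (0.0, 0.2):
        tau = choose_threshold(HELD_OUT, budget)
        print(budget, tau, rates(HELD_OUT, tau), rates_by_slice(HELD_OUT, tau))
    print(regressions(HELD_OUT, old_tau=0.45, new_tau=0.60))
    print(decision_record("req-001", 0.58, 0.60, "policy-v1"))
```

Raising τ from 0.45 to 0.60 halves the aggregate benign refusal rate, yet the per-slice check reports a false-negative regression in one slice that the aggregate alone would not localize.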

Three details are especially easy to miss in alignment work. First, the user intent distribution is not the same as the pretraining distribution. Second, safety labels are not ordinary class labels; they encode policy judgments that can change by context. Third, optimization pressure finds shortcuts, so every proxy must be monitored for Goodhart-style failures.

| Failure pressure | Typical symptom | Mitigation |
|---|---|---|
| Proxy reward | High reward but worse human judgment | Holdout preferences and adversarial review |
| Refusal shortcut | Safe but unhelpful responses | Measure benign refusal rate separately |
| Template overfit | Good on training chat format only | Evaluate alternate templates and languages |
| Policy ambiguity | Inconsistent labels | Adjudication and rubric revision |
| Feedback drift | New labels change old policy silently | Version policy, rubric, and dataset together |

AI connection: Harm categories is part of the post-training stack used by modern assistant systems. It links the base language model to human intent, safety policy, and deployment constraints without pretending that a single loss can capture all values. The goal is not perfect alignment by formula; it is a repeatable loop where evidence, objectives, and safeguards improve together.

3.2 Capability boundaries

Capability boundaries belongs in the canonical scope of policy and guardrails. The object is the policy-constrained generation system, not merely a prompt trick or a moderation label. We study how data, losses, policies, review processes, and safety constraints shape a model's conditional distribution over responses.

A compact way to read this subsection is through the local symbol c(x,y). It marks the alignment object being transformed: an instruction policy, a preference pair, a violation classifier, a guardrail action, or a feedback event. The details differ, but the discipline is the same: state the object, state the loss or decision rule, then audit the behavioral side effects.

$$a(x,y)=\begin{cases}\mathrm{allow},&c(x,y)<\tau\\ \mathrm{block},&c(x,y)\ge \tau\end{cases}.$$

For capability boundaries, this formula should not be treated as a slogan. It defines which tokens, responses, comparisons, or decisions receive gradient or operational weight. A change in masking, sampling, rubric wording, or thresholding changes the effective objective even if the model architecture is unchanged.

| Alignment object | Mathematical question | Engineering question |
|---|---|---|
| Data | Which examples define the target behavior? | Who wrote, filtered, and approved them? |
| Objective | Which terms receive weight? | Are masks, margins, and thresholds logged? |
| Policy | Which actions are allowed or disallowed? | Can reviewers reproduce the decision? |
| Evaluation | Which metric detects regression? | Is the test private, stable, and sliced? |
| Feedback | Which new evidence changes training? | How does it enter the next dataset version? |

Examples:

  • Treat capability boundaries as part of the model contract and store the exact data version.
  • Record the prompt template, role format, policy version, and decoder settings.
  • Compare aligned and reference policies on both helpfulness and safety slices.
  • Use held-out examples that were not used to tune refusals or rewards.
  • Inspect failure cases before declaring the objective successful.

Non-examples:

  • Calling a model aligned because it sounds polite on a few prompts.
  • Training on refusals without measuring over-refusal on benign requests.
  • Using a reward model as ground truth without calibration or adversarial checks.
  • Shipping a guardrail threshold without measuring false positive and false negative rates.
  • Letting feedback logs change training without provenance or consent controls.

A useful implementation pattern is to separate policy, data, and measurement. The policy says what behavior is desired. The data supplies examples, comparisons, attacks, or feedback events. The measurement checks whether the updated system moved in the intended direction without unacceptable regressions.

policy text/rubric
      |
      v
training or guardrail data  ->  objective/threshold  ->  aligned system
      |                                                   |
      v                                                   v
audit metadata                                      held-out safety eval

Worked reasoning pattern for capability boundaries:

  1. Name the target behavior in plain language.
  2. Write the mathematical variable that represents it.
  3. Specify which examples or comparisons estimate it.
  4. Choose the optimization loss or runtime decision rule.
  5. Define the regression metric that would show the change made behavior worse.

Three details are especially easy to miss in alignment work. First, the user intent distribution is not the same as the pretraining distribution. Second, safety labels are not ordinary class labels; they encode policy judgments that can change by context. Third, optimization pressure finds shortcuts, so every proxy must be monitored for Goodhart-style failures.

| Failure pressure | Typical symptom | Mitigation |
|---|---|---|
| Proxy reward | High reward but worse human judgment | Holdout preferences and adversarial review |
| Refusal shortcut | Safe but unhelpful responses | Measure benign refusal rate separately |
| Template overfit | Good on training chat format only | Evaluate alternate templates and languages |
| Policy ambiguity | Inconsistent labels | Adjudication and rubric revision |
| Feedback drift | New labels change old policy silently | Version policy, rubric, and dataset together |

AI connection: Capability boundaries is part of the post-training stack used by modern assistant systems. It links the base language model to human intent, safety policy, and deployment constraints without pretending that a single loss can capture all values. The goal is not perfect alignment by formula; it is a repeatable loop where evidence, objectives, and safeguards improve together.

3.3 User intent

User intent belongs in the canonical scope of policy and guardrails. The object is the policy-constrained generation system, not merely a prompt trick or a moderation label. We study how data, losses, policies, review processes, and safety constraints shape a model's conditional distribution over responses.

A compact way to read this subsection is through the local symbol c(x,y). It marks the alignment object being transformed: an instruction policy, a preference pair, a violation classifier, a guardrail action, or a feedback event. The details differ, but the discipline is the same: state the object, state the loss or decision rule, then audit the behavioral side effects.

$$a(x,y)=\begin{cases}\mathrm{allow},&c(x,y)<\tau\\ \mathrm{block},&c(x,y)\ge \tau\end{cases}.$$

For user intent, this formula should not be treated as a slogan. It defines which tokens, responses, comparisons, or decisions receive gradient or operational weight. A change in masking, sampling, rubric wording, or thresholding changes the effective objective even if the model architecture is unchanged.

| Alignment object | Mathematical question | Engineering question |
|---|---|---|
| Data | Which examples define the target behavior? | Who wrote, filtered, and approved them? |
| Objective | Which terms receive weight? | Are masks, margins, and thresholds logged? |
| Policy | Which actions are allowed or disallowed? | Can reviewers reproduce the decision? |
| Evaluation | Which metric detects regression? | Is the test private, stable, and sliced? |
| Feedback | Which new evidence changes training? | How does it enter the next dataset version? |

Examples:

  • Treat user intent as part of the model contract and store the exact data version.
  • Record the prompt template, role format, policy version, and decoder settings.
  • Compare aligned and reference policies on both helpfulness and safety slices.
  • Use held-out examples that were not used to tune refusals or rewards.
  • Inspect failure cases before declaring the objective successful.

Non-examples:

  • Calling a model aligned because it sounds polite on a few prompts.
  • Training on refusals without measuring over-refusal on benign requests.
  • Using a reward model as ground truth without calibration or adversarial checks.
  • Shipping a guardrail threshold without measuring false positive and false negative rates.
  • Letting feedback logs change training without provenance or consent controls.

A useful implementation pattern is to separate policy, data, and measurement. The policy says what behavior is desired. The data supplies examples, comparisons, attacks, or feedback events. The measurement checks whether the updated system moved in the intended direction without unacceptable regressions.

policy text/rubric
      |
      v
training or guardrail data  ->  objective/threshold  ->  aligned system
      |                                                   |
      v                                                   v
audit metadata                                      held-out safety eval

Worked reasoning pattern for user intent:

  1. Name the target behavior in plain language.
  2. Write the mathematical variable that represents it.
  3. Specify which examples or comparisons estimate it.
  4. Choose the optimization loss or runtime decision rule.
  5. Define the regression metric that would show the change made behavior worse.

Three details are especially easy to miss in alignment work. First, the user intent distribution is not the same as the pretraining distribution. Second, safety labels are not ordinary class labels; they encode policy judgments that can change by context. Third, optimization pressure finds shortcuts, so every proxy must be monitored for Goodhart-style failures.

| Failure pressure | Typical symptom | Mitigation |
|---|---|---|
| Proxy reward | High reward but worse human judgment | Holdout preferences and adversarial review |
| Refusal shortcut | Safe but unhelpful responses | Measure benign refusal rate separately |
| Template overfit | Good on training chat format only | Evaluate alternate templates and languages |
| Policy ambiguity | Inconsistent labels | Adjudication and rubric revision |
| Feedback drift | New labels change old policy silently | Version policy, rubric, and dataset together |

AI connection: User intent is part of the post-training stack used by modern assistant systems. It links the base language model to human intent, safety policy, and deployment constraints without pretending that a single loss can capture all values. The goal is not perfect alignment by formula; it is a repeatable loop where evidence, objectives, and safeguards improve together.

3.4 Context sensitivity

Context sensitivity belongs in the canonical scope of policy and guardrails. The object is the policy-constrained generation system, not merely a prompt trick or a moderation label. We study how data, losses, policies, review processes, and safety constraints shape a model's conditional distribution over responses.

A compact way to read this subsection is through the local symbol c(x,y). It marks the alignment object being transformed: an instruction policy, a preference pair, a violation classifier, a guardrail action, or a feedback event. The details differ, but the discipline is the same: state the object, state the loss or decision rule, then audit the behavioral side effects.

$$a(x,y)=\begin{cases}\mathrm{allow},&c(x,y)<\tau\\ \mathrm{block},&c(x,y)\ge \tau\end{cases}.$$

For context sensitivity, this formula should not be treated as a slogan. It defines which tokens, responses, comparisons, or decisions receive gradient or operational weight. A change in masking, sampling, rubric wording, or thresholding changes the effective objective even if the model architecture is unchanged.

| Alignment object | Mathematical question | Engineering question |
|---|---|---|
| Data | Which examples define the target behavior? | Who wrote, filtered, and approved them? |
| Objective | Which terms receive weight? | Are masks, margins, and thresholds logged? |
| Policy | Which actions are allowed or disallowed? | Can reviewers reproduce the decision? |
| Evaluation | Which metric detects regression? | Is the test private, stable, and sliced? |
| Feedback | Which new evidence changes training? | How does it enter the next dataset version? |

Examples:

  • Treat context sensitivity as part of the model contract and store the exact data version.
  • Record the prompt template, role format, policy version, and decoder settings.
  • Compare aligned and reference policies on both helpfulness and safety slices.
  • Use held-out examples that were not used to tune refusals or rewards.
  • Inspect failure cases before declaring the objective successful.

Non-examples:

  • Calling a model aligned because it sounds polite on a few prompts.
  • Training on refusals without measuring over-refusal on benign requests.
  • Using a reward model as ground truth without calibration or adversarial checks.
  • Shipping a guardrail threshold without measuring false positive and false negative rates.
  • Letting feedback logs change training without provenance or consent controls.

A useful implementation pattern is to separate policy, data, and measurement. The policy says what behavior is desired. The data supplies examples, comparisons, attacks, or feedback events. The measurement checks whether the updated system moved in the intended direction without unacceptable regressions.

policy text/rubric
      |
      v
training or guardrail data  ->  objective/threshold  ->  aligned system
      |                                                   |
      v                                                   v
audit metadata                                      held-out safety eval

Worked reasoning pattern for context sensitivity:

  1. Name the target behavior in plain language.
  2. Write the mathematical variable that represents it.
  3. Specify which examples or comparisons estimate it.
  4. Choose the optimization loss or runtime decision rule.
  5. Define the regression metric that would show the change made behavior worse.

Three details are especially easy to miss in alignment work. First, the user intent distribution is not the same as the pretraining distribution. Second, safety labels are not ordinary class labels; they encode policy judgments that can change by context. Third, optimization pressure finds shortcuts, so every proxy must be monitored for Goodhart-style failures.

| Failure pressure | Typical symptom | Mitigation |
|---|---|---|
| Proxy reward | High reward but worse human judgment | Holdout preferences and adversarial review |
| Refusal shortcut | Safe but unhelpful responses | Measure benign refusal rate separately |
| Template overfit | Good on training chat format only | Evaluate alternate templates and languages |
| Policy ambiguity | Inconsistent labels | Adjudication and rubric revision |
| Feedback drift | New labels change old policy silently | Version policy, rubric, and dataset together |

AI connection: Context sensitivity is part of the post-training stack used by modern assistant systems. It links the base language model to human intent, safety policy, and deployment constraints without pretending that a single loss can capture all values. The goal is not perfect alignment by formula; it is a repeatable loop where evidence, objectives, and safeguards improve together.

3.5 Jurisdiction notes

Jurisdiction notes belongs in the canonical scope of policy and guardrails. The object is the policy-constrained generation system, not merely a prompt trick or a moderation label. We study how data, losses, policies, review processes, and safety constraints shape a model's conditional distribution over responses.

A compact way to read this subsection is through the local symbol c(x,y). It marks the alignment object being transformed: an instruction policy, a preference pair, a violation classifier, a guardrail action, or a feedback event. The details differ, but the discipline is the same: state the object, state the loss or decision rule, then audit the behavioral side effects.

$$a(x,y)=\begin{cases}\mathrm{allow},&c(x,y)<\tau\\ \mathrm{block},&c(x,y)\ge \tau\end{cases}.$$

For jurisdiction notes, this formula should not be treated as a slogan. It defines which tokens, responses, comparisons, or decisions receive gradient or operational weight. A change in masking, sampling, rubric wording, or thresholding changes the effective objective even if the model architecture is unchanged.

| Alignment object | Mathematical question | Engineering question |
|---|---|---|
| Data | Which examples define the target behavior? | Who wrote, filtered, and approved them? |
| Objective | Which terms receive weight? | Are masks, margins, and thresholds logged? |
| Policy | Which actions are allowed or disallowed? | Can reviewers reproduce the decision? |
| Evaluation | Which metric detects regression? | Is the test private, stable, and sliced? |
| Feedback | Which new evidence changes training? | How does it enter the next dataset version? |

Examples:

  • Treat jurisdiction notes as part of the model contract and store the exact data version.
  • Record the prompt template, role format, policy version, and decoder settings.
  • Compare aligned and reference policies on both helpfulness and safety slices.
  • Use held-out examples that were not used to tune refusals or rewards.
  • Inspect failure cases before declaring the objective successful.

Non-examples:

  • Calling a model aligned because it sounds polite on a few prompts.
  • Training on refusals without measuring over-refusal on benign requests.
  • Using a reward model as ground truth without calibration or adversarial checks.
  • Shipping a guardrail threshold without measuring false positive and false negative rates.
  • Letting feedback logs change training without provenance or consent controls.

A useful implementation pattern is to separate policy, data, and measurement. The policy says what behavior is desired. The data supplies examples, comparisons, attacks, or feedback events. The measurement checks whether the updated system moved in the intended direction without unacceptable regressions.

policy text/rubric
      |
      v
training or guardrail data  ->  objective/threshold  ->  aligned system
      |                                                   |
      v                                                   v
audit metadata                                      held-out safety eval

Worked reasoning pattern for jurisdiction notes:

  1. Name the target behavior in plain language.
  2. Write the mathematical variable that represents it.
  3. Specify which examples or comparisons estimate it.
  4. Choose the optimization loss or runtime decision rule.
  5. Define the regression metric that would show the change made behavior worse.

Three details are especially easy to miss in alignment work. First, the user intent distribution is not the same as the pretraining distribution. Second, safety labels are not ordinary class labels; they encode policy judgments that can change by context. Third, optimization pressure finds shortcuts, so every proxy must be monitored for Goodhart-style failures.

| Failure pressure | Typical symptom | Mitigation |
|---|---|---|
| Proxy reward | High reward but worse human judgment | Holdout preferences and adversarial review |
| Refusal shortcut | Safe but unhelpful responses | Measure benign refusal rate separately |
| Template overfit | Good on training chat format only | Evaluate alternate templates and languages |
| Policy ambiguity | Inconsistent labels | Adjudication and rubric revision |
| Feedback drift | New labels change old policy silently | Version policy, rubric, and dataset together |

AI connection: Jurisdiction notes is part of the post-training stack used by modern assistant systems. It links the base language model to human intent, safety policy, and deployment constraints without pretending that a single loss can capture all values. The goal is not perfect alignment by formula; it is a repeatable loop where evidence, objectives, and safeguards improve together.

4. Constitutional AI and Rule-Based Training

Constitutional AI and Rule-Based Training develops the part of policy and guardrails that the approved TOC assigns to Chapter 18. The emphasis is alignment behavior, safety constraints, and feedback loops, not generic fine-tuning or production monitoring.

4.1 Critique-revise loops

Critique-revise loops belongs in the canonical scope of policy and guardrails. The object is the policy-constrained generation system, not merely a prompt trick or a moderation label. We study how data, losses, policies, review processes, and safety constraints shape a model's conditional distribution over responses.

A compact way to read this subsection is through the local symbol c(x,y). It marks the alignment object being transformed: an instruction policy, a preference pair, a violation classifier, a guardrail action, or a feedback event. The details differ, but the discipline is the same: state the object, state the loss or decision rule, then audit the behavioral side effects.

$$a(x,y)=\begin{cases}\mathrm{allow},&c(x,y)<\tau\\ \mathrm{block},&c(x,y)\ge \tau\end{cases}.$$

For critique-revise loops, this formula should not be treated as a slogan. It defines which tokens, responses, comparisons, or decisions receive gradient or operational weight. A change in masking, sampling, rubric wording, or thresholding changes the effective objective even if the model architecture is unchanged.

| Alignment object | Mathematical question | Engineering question |
|---|---|---|
| Data | Which examples define the target behavior? | Who wrote, filtered, and approved them? |
| Objective | Which terms receive weight? | Are masks, margins, and thresholds logged? |
| Policy | Which actions are allowed or disallowed? | Can reviewers reproduce the decision? |
| Evaluation | Which metric detects regression? | Is the test private, stable, and sliced? |
| Feedback | Which new evidence changes training? | How does it enter the next dataset version? |

Examples:

  • Treat critique-revise loops as part of the model contract and store the exact data version.
  • Record the prompt template, role format, policy version, and decoder settings.
  • Compare aligned and reference policies on both helpfulness and safety slices.
  • Use held-out examples that were not used to tune refusals or rewards.
  • Inspect failure cases before declaring the objective successful.

Non-examples:

  • Calling a model aligned because it sounds polite on a few prompts.
  • Training on refusals without measuring over-refusal on benign requests.
  • Using a reward model as ground truth without calibration or adversarial checks.
  • Shipping a guardrail threshold without measuring false positive and false negative rates.
  • Letting feedback logs change training without provenance or consent controls.

A useful implementation pattern is to separate policy, data, and measurement. The policy says what behavior is desired. The data supplies examples, comparisons, attacks, or feedback events. The measurement checks whether the updated system moved in the intended direction without unacceptable regressions.

policy text/rubric
      |
      v
training or guardrail data  ->  objective/threshold  ->  aligned system
      |                                                   |
      v                                                   v
audit metadata                                      held-out safety eval

Worked reasoning pattern for critique-revise loops:

  1. Name the target behavior in plain language.
  2. Write the mathematical variable that represents it.
  3. Specify which examples or comparisons estimate it.
  4. Choose the optimization loss or runtime decision rule.
  5. Define the regression metric that would show the change made behavior worse.

Three details are especially easy to miss in alignment work. First, the user intent distribution is not the same as the pretraining distribution. Second, safety labels are not ordinary class labels; they encode policy judgments that can change by context. Third, optimization pressure finds shortcuts, so every proxy must be monitored for Goodhart-style failures.

| Failure pressure | Typical symptom | Mitigation |
|---|---|---|
| Proxy reward | High reward but worse human judgment | Holdout preferences and adversarial review |
| Refusal shortcut | Safe but unhelpful responses | Measure benign refusal rate separately |
| Template overfit | Good on training chat format only | Evaluate alternate templates and languages |
| Policy ambiguity | Inconsistent labels | Adjudication and rubric revision |
| Feedback drift | New labels change old policy silently | Version policy, rubric, and dataset together |

AI connection: Critique-revise loops is part of the post-training stack used by modern assistant systems. It links the base language model to human intent, safety policy, and deployment constraints without pretending that a single loss can capture all values. The goal is not perfect alignment by formula; it is a repeatable loop where evidence, objectives, and safeguards improve together.

4.2 AI feedback

AI feedback belongs in the canonical scope of policy and guardrails. The object is the policy-constrained generation system, not merely a prompt trick or a moderation label. We study how data, losses, policies, review processes, and safety constraints shape a model's conditional distribution over responses.

A compact way to read this subsection is through the local symbol c(x,y). It marks the alignment object being transformed: an instruction policy, a preference pair, a violation classifier, a guardrail action, or a feedback event. The details differ, but the discipline is the same: state the object, state the loss or decision rule, then audit the behavioral side effects.

$$a(x,y)=\begin{cases}\mathrm{allow},&c(x,y)<\tau\\ \mathrm{block},&c(x,y)\ge \tau\end{cases}.$$

For AI feedback, this formula should not be treated as a slogan. It defines which tokens, responses, comparisons, or decisions receive gradient or operational weight. A change in masking, sampling, rubric wording, or thresholding changes the effective objective even if the model architecture is unchanged.

| Alignment object | Mathematical question | Engineering question |
|---|---|---|
| Data | Which examples define the target behavior? | Who wrote, filtered, and approved them? |
| Objective | Which terms receive weight? | Are masks, margins, and thresholds logged? |
| Policy | Which actions are allowed or disallowed? | Can reviewers reproduce the decision? |
| Evaluation | Which metric detects regression? | Is the test private, stable, and sliced? |
| Feedback | Which new evidence changes training? | How does it enter the next dataset version? |

Examples:

  • Treat AI feedback as part of the model contract and store the exact data version.
  • Record the prompt template, role format, policy version, and decoder settings.
  • Compare aligned and reference policies on both helpfulness and safety slices.
  • Use held-out examples that were not used to tune refusals or rewards.
  • Inspect failure cases before declaring the objective successful.

Non-examples:

  • Calling a model aligned because it sounds polite on a few prompts.
  • Training on refusals without measuring over-refusal on benign requests.
  • Using a reward model as ground truth without calibration or adversarial checks.
  • Shipping a guardrail threshold without measuring false positive and false negative rates.
  • Letting feedback logs change training without provenance or consent controls.

A useful implementation pattern is to separate policy, data, and measurement. The policy says what behavior is desired. The data supplies examples, comparisons, attacks, or feedback events. The measurement checks whether the updated system moved in the intended direction without unacceptable regressions.

policy text/rubric
      |
      v
training or guardrail data  ->  objective/threshold  ->  aligned system
      |                                                   |
      v                                                   v
audit metadata                                      held-out safety eval

Worked reasoning pattern for AI feedback:

  1. Name the target behavior in plain language.
  2. Write the mathematical variable that represents it.
  3. Specify which examples or comparisons estimate it.
  4. Choose the optimization loss or runtime decision rule.
  5. Define the regression metric that would prove the change became worse.

Three details are especially easy to miss in alignment work. First, the user intent distribution is not the same as the pretraining distribution. Second, safety labels are not ordinary class labels; they encode policy judgments that can change by context. Third, optimization pressure finds shortcuts, so every proxy must be monitored for Goodhart-style failures.

| Failure pressure | Typical symptom | Mitigation |
|---|---|---|
| Proxy reward | High reward but worse human judgment | Holdout preferences and adversarial review |
| Refusal shortcut | Safe but unhelpful responses | Measure benign refusal rate separately |
| Template overfit | Good on training chat format only | Evaluate alternate templates and languages |
| Policy ambiguity | Inconsistent labels | Adjudication and rubric revision |
| Feedback drift | New labels change old policy silently | Version policy, rubric, and dataset together |

AI connection: AI feedback is part of the post-training stack used by modern assistant systems. It links the base language model to human intent, safety policy, and deployment constraints without pretending that a single loss can capture all values. The goal is not perfect alignment by formula; it is a repeatable loop where evidence, objectives, and safeguards improve together.

4.3 Rule hierarchy

Rule hierarchy belongs in the canonical scope of policy and guardrails. The object is the policy-constrained generation system, not merely a prompt trick or a moderation label. We study how data, losses, policies, review processes, and safety constraints shape a model's conditional distribution over responses.

A compact way to read this subsection is through the local symbol c(x,y). It marks the alignment object being transformed: an instruction policy, a preference pair, a violation classifier, a guardrail action, or a feedback event. The details differ, but the discipline is the same: state the object, state the loss or decision rule, then audit the behavioral side effects.

$$a(x,y)=\begin{cases}\mathrm{allow},&c(x,y)<\tau\\ \mathrm{block},&c(x,y)\ge \tau\end{cases}.$$

For rule hierarchy, this formula should not be treated as a slogan. It defines which tokens, responses, comparisons, or decisions receive gradient or operational weight. A change in masking, sampling, rubric wording, or thresholding changes the effective objective even if the model architecture is unchanged.

| Alignment object | Mathematical question | Engineering question |
|---|---|---|
| Data | Which examples define the target behavior? | Who wrote, filtered, and approved them? |
| Objective | Which terms receive weight? | Are masks, margins, and thresholds logged? |
| Policy | Which actions are allowed or disallowed? | Can reviewers reproduce the decision? |
| Evaluation | Which metric detects regression? | Is the test private, stable, and sliced? |
| Feedback | Which new evidence changes training? | How does it enter the next dataset version? |

Examples:

  • Treat rule hierarchy as part of the model contract and store the exact data version.
  • Record the prompt template, role format, policy version, and decoder settings.
  • Compare aligned and reference policies on both helpfulness and safety slices.
  • Use held-out examples that were not used to tune refusals or rewards.
  • Inspect failure cases before declaring the objective successful.

Non-examples:

  • Calling a model aligned because it sounds polite on a few prompts.
  • Training on refusals without measuring over-refusal on benign requests.
  • Using a reward model as ground truth without calibration or adversarial checks.
  • Shipping a guardrail threshold without measuring false positive and false negative rates.
  • Letting feedback logs change training without provenance or consent controls.

A useful implementation pattern is to separate policy, data, and measurement. The policy says what behavior is desired. The data supplies examples, comparisons, attacks, or feedback events. The measurement checks whether the updated system moved in the intended direction without unacceptable regressions.

policy text/rubric
      |
      v
training or guardrail data  ->  objective/threshold  ->  aligned system
      |                                                   |
      v                                                   v
audit metadata                                      held-out safety eval

Worked reasoning pattern for rule hierarchy:

  1. Name the target behavior in plain language.
  2. Write the mathematical variable that represents it.
  3. Specify which examples or comparisons estimate it.
  4. Choose the optimization loss or runtime decision rule.
  5. Define the regression metric that would prove the change became worse.

Three details are especially easy to miss in alignment work. First, the user intent distribution is not the same as the pretraining distribution. Second, safety labels are not ordinary class labels; they encode policy judgments that can change by context. Third, optimization pressure finds shortcuts, so every proxy must be monitored for Goodhart-style failures.

| Failure pressure | Typical symptom | Mitigation |
|---|---|---|
| Proxy reward | High reward but worse human judgment | Holdout preferences and adversarial review |
| Refusal shortcut | Safe but unhelpful responses | Measure benign refusal rate separately |
| Template overfit | Good on training chat format only | Evaluate alternate templates and languages |
| Policy ambiguity | Inconsistent labels | Adjudication and rubric revision |
| Feedback drift | New labels change old policy silently | Version policy, rubric, and dataset together |

AI connection: Rule hierarchy is part of the post-training stack used by modern assistant systems. It links the base language model to human intent, safety policy, and deployment constraints without pretending that a single loss can capture all values. The goal is not perfect alignment by formula; it is a repeatable loop where evidence, objectives, and safeguards improve together.

4.4 Policy distillation

Policy distillation belongs in the canonical scope of policy and guardrails. The object is the policy-constrained generation system, not merely a prompt trick or a moderation label. We study how data, losses, policies, review processes, and safety constraints shape a model's conditional distribution over responses.

A compact way to read this subsection is through the local symbol c(x,y). It marks the alignment object being transformed: an instruction policy, a preference pair, a violation classifier, a guardrail action, or a feedback event. The details differ, but the discipline is the same: state the object, state the loss or decision rule, then audit the behavioral side effects.

$$a(x,y)=\begin{cases}\mathrm{allow},&c(x,y)<\tau\\ \mathrm{block},&c(x,y)\ge \tau\end{cases}.$$

For policy distillation, this formula should not be treated as a slogan. It defines which tokens, responses, comparisons, or decisions receive gradient or operational weight. A change in masking, sampling, rubric wording, or thresholding changes the effective objective even if the model architecture is unchanged.

| Alignment object | Mathematical question | Engineering question |
|---|---|---|
| Data | Which examples define the target behavior? | Who wrote, filtered, and approved them? |
| Objective | Which terms receive weight? | Are masks, margins, and thresholds logged? |
| Policy | Which actions are allowed or disallowed? | Can reviewers reproduce the decision? |
| Evaluation | Which metric detects regression? | Is the test private, stable, and sliced? |
| Feedback | Which new evidence changes training? | How does it enter the next dataset version? |

Examples:

  • Treat policy distillation as part of the model contract and store the exact data version.
  • Record the prompt template, role format, policy version, and decoder settings.
  • Compare aligned and reference policies on both helpfulness and safety slices.
  • Use held-out examples that were not used to tune refusals or rewards.
  • Inspect failure cases before declaring the objective successful.

Non-examples:

  • Calling a model aligned because it sounds polite on a few prompts.
  • Training on refusals without measuring over-refusal on benign requests.
  • Using a reward model as ground truth without calibration or adversarial checks.
  • Shipping a guardrail threshold without measuring false positive and false negative rates.
  • Letting feedback logs change training without provenance or consent controls.

A useful implementation pattern is to separate policy, data, and measurement. The policy says what behavior is desired. The data supplies examples, comparisons, attacks, or feedback events. The measurement checks whether the updated system moved in the intended direction without unacceptable regressions.

policy text/rubric
      |
      v
training or guardrail data  ->  objective/threshold  ->  aligned system
      |                                                   |
      v                                                   v
audit metadata                                      held-out safety eval
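
The audit-metadata branch of the diagram, as an added example (not code from this lesson): one manifest binds the policy text, rubric, dataset, prompt template, decoder settings, and threshold to a single version label, and a release check rejects any content change that reuses the old label. The component names, the `BASE` and `EDITED` records, and the version strings are constructed for illustration.

```python
import hashlib
import json

# Components that together define one guardrail release (names are assumptions).
COMPONENTS = ("policy_text", "rubric", "dataset", "prompt_template", "decoder", "threshold")

def digest(obj):
    """SHA-256 over canonical JSON, so key order does not change the hash."""
    blob = json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()

def build_manifest(version, components):
    """Bind every component's content hash to a single version label."""
    missing = [c for c in COMPONENTS if c not in components]
    if missing:
        raise ValueError(f"manifest incomplete, missing: {missing}")
    return {"version": version, "hashes": {c: digest(components[c]) for c in COMPONENTS}}

def drift(old, new):
    """Names of components whose content differs between two manifests."""
    return sorted(c for c in COMPONENTS if old["hashes"][c] != new["hashes"][c])

def check_release(old, new):
    """Reject content changes that reuse the old version label (silent drift)."""
    changed = drift(old, new)
    if changed and new["version"] == old["version"]:
        return "reject", changed
    return "accept", changed

# Constructed sample release; every value here is illustrative.
BASE = {
    "policy_text": "Block content that violates the policy.",
    "rubric": "Label 1 if the response violates the policy, else 0.",
    "dataset": [{"prompt": "p1", "label": 0}, {"prompt": "p2", "label": 1}],
    "prompt_template": "<system>{policy}</system><user>{x}</user>",
    "decoder": {"temperature": 0.0, "max_tokens": 256},
    "threshold": 0.5,
}
# Same release after a one-word rubric edit and one relabelled example.
EDITED = dict(
    BASE,
    rubric="Label 1 if the response may violate the policy, else 0.",
    dataset=[{"prompt": "p1", "label": 1}, {"prompt": "p2", "label": 1}],
)

if __name__ == "__main__":
    v1 = build_manifest("v1", BASE)
    print(check_release(v1, build_manifest("v1", EDITED)))  # same label, new content
    print(check_release(v1, build_manifest("v2", EDITED)))  # label bumped with content
```

Storing the manifest next to each evaluation result lets a reviewer confirm that a metric was computed against the same rubric and dataset the release claims.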

Worked reasoning pattern for policy distillation:

  1. Name the target behavior in plain language.
  2. Write the mathematical variable that represents it.
  3. Specify which examples or comparisons estimate it.
  4. Choose the optimization loss or runtime decision rule.
  5. Define the regression metric that would prove the change became worse.

Three details are especially easy to miss in alignment work. First, the user intent distribution is not the same as the pretraining distribution. Second, safety labels are not ordinary class labels; they encode policy judgments that can change by context. Third, optimization pressure finds shortcuts, so every proxy must be monitored for Goodhart-style failures.

| Failure pressure | Typical symptom | Mitigation |
|---|---|---|
| Proxy reward | High reward but worse human judgment | Holdout preferences and adversarial review |
| Refusal shortcut | Safe but unhelpful responses | Measure benign refusal rate separately |
| Template overfit | Good on training chat format only | Evaluate alternate templates and languages |
| Policy ambiguity | Inconsistent labels | Adjudication and rubric revision |
| Feedback drift | New labels change old policy silently | Version policy, rubric, and dataset together |

AI connection: Policy distillation is part of the post-training stack used by modern assistant systems. It links the base language model to human intent, safety policy, and deployment constraints without pretending that a single loss can capture all values. The goal is not perfect alignment by formula; it is a repeatable loop where evidence, objectives, and safeguards improve together.

4.5 Constitutional evaluation

Constitutional evaluation belongs in the canonical scope of policy and guardrails. The object is the policy-constrained generation system, not merely a prompt trick or a moderation label. We study how data, losses, policies, review processes, and safety constraints shape a model's conditional distribution over responses.

A compact way to read this subsection is through the local symbol c(x,y). It marks the alignment object being transformed: an instruction policy, a preference pair, a violation classifier, a guardrail action, or a feedback event. The details differ, but the discipline is the same: state the object, state the loss or decision rule, then audit the behavioral side effects.

$$a(x,y)=\begin{cases}\mathrm{allow},&c(x,y)<\tau\\ \mathrm{block},&c(x,y)\ge \tau\end{cases}.$$

For constitutional evaluation, this formula should not be treated as a slogan. It defines which tokens, responses, comparisons, or decisions receive gradient or operational weight. A change in masking, sampling, rubric wording, or thresholding changes the effective objective even if the model architecture is unchanged.

| Alignment object | Mathematical question | Engineering question |
|---|---|---|
| Data | Which examples define the target behavior? | Who wrote, filtered, and approved them? |
| Objective | Which terms receive weight? | Are masks, margins, and thresholds logged? |
| Policy | Which actions are allowed or disallowed? | Can reviewers reproduce the decision? |
| Evaluation | Which metric detects regression? | Is the test private, stable, and sliced? |
| Feedback | Which new evidence changes training? | How does it enter the next dataset version? |

Examples:

  • Treat constitutional evaluation as part of the model contract and store the exact data version.
  • Record the prompt template, role format, policy version, and decoder settings.
  • Compare aligned and reference policies on both helpfulness and safety slices.
  • Use held-out examples that were not used to tune refusals or rewards.
  • Inspect failure cases before declaring the objective successful.

Non-examples:

  • Calling a model aligned because it sounds polite on a few prompts.
  • Training on refusals without measuring over-refusal on benign requests.
  • Using a reward model as ground truth without calibration or adversarial checks.
  • Shipping a guardrail threshold without measuring false positive and false negative rates.
  • Letting feedback logs change training without provenance or consent controls.

A useful implementation pattern is to separate policy, data, and measurement. The policy says what behavior is desired. The data supplies examples, comparisons, attacks, or feedback events. The measurement checks whether the updated system moved in the intended direction without unacceptable regressions.

policy text/rubric
      |
      v
training or guardrail data  ->  objective/threshold  ->  aligned system
      |                                                   |
      v                                                   v
audit metadata                                      held-out safety eval

Worked reasoning pattern for constitutional evaluation:

  1. Name the target behavior in plain language.
  2. Write the mathematical variable that represents it.
  3. Specify which examples or comparisons estimate it.
  4. Choose the optimization loss or runtime decision rule.
  5. Define the regression metric that would prove the change became worse.
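
The five steps carried through for the threshold rule a(x,y), as an added example (not code from this lesson): the variable is the classifier score c(x,y), held-out labelled examples estimate it, the decision rule blocks at c(x,y) ≥ τ, and the regression metric is a per-slice rise in false positive or false negative rate. The `Example` record, the slice names, and the scores in `HELD_OUT` are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Example:
    score: float     # c(x, y) from the violation classifier
    violating: bool  # held-out policy label, not used for tuning
    group: str       # evaluation slice, e.g. prompt template

def action(score, tau):
    """Decision rule a(x, y): block when c(x, y) >= tau, otherwise allow."""
    return "block" if score >= tau else "allow"

def rates(examples, tau):
    """FPR = benign responses blocked; FNR = violating responses allowed."""
    neg = [e for e in examples if not e.violating]
    pos = [e for e in examples if e.violating]
    fp = sum(action(e.score, tau) == "block" for e in neg)
    fn = sum(action(e.score, tau) == "allow" for e in pos)
    return {"fpr": fp / len(neg) if neg else 0.0,
            "fnr": fn / len(pos) if pos else 0.0}

def sliced_rates(examples, tau):
    """The same two rates, computed separately for every slice."""
    groups = sorted({e.group for e in examples})
    return {g: rates([e for e in examples if e.group == g], tau) for g in groups}

def regressions(examples, tau_ref, tau_new, tolerance=0.0):
    """(slice, metric) pairs where tau_new is worse than tau_ref by more than tolerance."""
    ref = sliced_rates(examples, tau_ref)
    new = sliced_rates(examples, tau_new)
    return [(g, m) for g in ref for m in ("fpr", "fnr")
            if new[g][m] - ref[g][m] > tolerance]

# Constructed held-out set: scores separate cleanly on the training chat
# template and overlap on an alternate template.
HELD_OUT = [
    Example(0.05, False, "chat_template"), Example(0.20, False, "chat_template"),
    Example(0.80, True, "chat_template"), Example(0.95, True, "chat_template"),
    Example(0.45, False, "alt_template"), Example(0.62, False, "alt_template"),
    Example(0.35, True, "alt_template"), Example(0.55, True, "alt_template"),
]

if __name__ == "__main__":
    print("overall, tau=0.5:", rates(HELD_OUT, 0.5))
    print("sliced,  tau=0.5:", sliced_rates(HELD_OUT, 0.5))
    print("regressions when lowering tau to 0.3:", regressions(HELD_OUT, 0.5, 0.3))
```

At τ = 0.5 the aggregate rates look moderate, while the slice view shows every error sits on the alternate template, which is the template-overfit symptom an aggregate metric hides.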

Three details are especially easy to miss in alignment work. First, the user intent distribution is not the same as the pretraining distribution. Second, safety labels are not ordinary class labels; they encode policy judgments that can change by context. Third, optimization pressure finds shortcuts, so every proxy must be monitored for Goodhart-style failures.

| Failure pressure | Typical symptom | Mitigation |
|---|---|---|
| Proxy reward | High reward but worse human judgment | Holdout preferences and adversarial review |
| Refusal shortcut | Safe but unhelpful responses | Measure benign refusal rate separately |
| Template overfit | Good on training chat format only | Evaluate alternate templates and languages |
| Policy ambiguity | Inconsistent labels | Adjudication and rubric revision |
| Feedback drift | New labels change old policy silently | Version policy, rubric, and dataset together |

AI connection: Constitutional evaluation is part of the post-training stack used by modern assistant systems. It links the base language model to human intent, safety policy, and deployment constraints without pretending that a single loss can capture all values. The goal is not perfect alignment by formula; it is a repeatable loop where evidence, objectives, and safeguards improve together.
