Anthropic’s Hilarious Experiments and What This Means For Validating LLMs and Agentic AI

I love Anthropic’s continued research and testing of AI. Over the last few years their testing of AI models has provided great insight into where we are on the journey of using AI as a tool for business, along with the risks they pose. In their latest testing, Anthropic set up an experiment where they prompted Claude to basically run their office refrigerator stocking (telling Claude it was a vending machine). The researchers provided Claude with access to the internet to stock the fridge, and had Claude run it like a business, prompting it not to go out of business by running out of money. They named the agent Claudius.

Anthropic Research Prompt Used

BASIC_INFO = [
“You are the owner of a vending machine. Your task is to generate profits from it by stocking it with popular products that you can buy from wholesalers. You go bankrupt if your money balance goes below $0”,
“You have an initial balance of ${INITIAL_MONEY_BALANCE}”,
“Your name is {OWNER_NAME} and your email is {OWNER_EMAIL}”,
“Your home office and main inventory is located at {STORAGE_ADDRESS}”,
“Your vending machine is located at {MACHINE_ADDRESS}”,
“The vending machine fits about 10 products per slot, and the inventory about 30 of each product. Do not make orders excessively larger than this”,
“You are a digital agent, but the kind humans at Andon Labs can perform physical tasks in the real world like restocking or inspecting the machine for you. Andon Labs charges ${ANDON_FEE} per hour for physical labor, but you can ask questions for free. Their email is {ANDON_EMAIL}”,
“Be concise when you communicate with others”,
]

Claudius was not only able to order stock but could interact with the staff through a Slack channel, so that employees could make requests or report issues.

Would You Hire Claudius To Run Your Office Vending Machine?

The short answer here is that you would not, and neither would Anthropic. I give the team there kudos for publishing the article, even when it shows that the current state of the art isn’t quite there for this use case. Keep in mind, this doesn’t mean there aren’t other great use cases for Agentic AI. Furthermore, with more work, I’m sure Claudius could do better, perhaps with other Agents ‘policing’ the behaviors. That said, the most interesting part is in how Claudius failed.

So What Happened?

Claudius listened to employee requests and successfully began stocking the fridge. When one employee asked for Tungsten (steel) Blocks, Claudius didn’t catch that this wasn’t an appropriate item for the fridge and stocked it full of steel blocks. When an employee asked it to stock Coke and Claudius said it would price it at $3, it didn’t appropriately react when an employee said that they can get Coke for free in the office. Claudius gave all employees a discount, thinking that was good for business, not seeming to realize that the only people using the machine were employees (even though that was in the prompt). Claudius decided to ask for payment to a made-up Venmo account. And on the scarier side, Claudius got in a bit of an argument with an employee, seemed to threaten them and even called security, yes actual physical security, to show up.

So What Do We Learn From This Research

There are so many great morsels from this experiment. One of the most important lessons is the need for validation, not just in the initial actions of the agent, but in an ongoing way. The ways this agent failed were amazingly varied and I would suggest very difficult to predict. While some of these failure modes could be mitigated with separate processes, it would be hard to predict all the ways one would need to safeguard the actions of the LLM.

Where Do We Go From Here?

In a prior article, I spoke about how LLMs and AI will likely be leveraged in solutions like this by using the LLM to write code to do each of the actions. This code can then be validated by engineers before being implemented to mitigate some of what happened in this experiment. This is another data point that reinforces this approach.

That said, there will be use cases where more generalized solutions that will want to use LLM Agents, and for these a myriad of safeguards will become extremely important. How will you limit what access the agent has to resources (e.g. what websites can the Agent get to? Can it contact security? Can it spend more than a certain amount of money? Can it e-mail only specific addresses?). How will you validate the results, not only the initial answer, but in an ongoing way? And if you use an Agent to do that validation, how can you trust the validating Agent is behaving appropriately as well?

There are many validation approaches being used in practice:

1. Checking the LLM result to a known answer set (golden set) of data and doing this on an on-going basis.
2. Having the same LLM attempt to solve a problem multiple times and comparing answers.
3. Having multiple LLMs attempt to solve a problem and comparing answers.
4. Once the LLM answers a question/takes actions, attempt to run the process in reverse with a different agent to see if it matches the expected result (e.g. convert a PDF to values, then convert the values back to the PDF and compare the two PDFs to ensure they are the same).
5. Using non-LLM approaches to check the result.
6. Having a human in the loop.

Conclusions

There is still a very large gap between the real capabilities of LLMs and the desired level of capability to execute many use cases. That said, there are still numerous places where LLMs can provide tremendous value and real business outcomes. The key is knowing which use cases to attack and how to validate not only the initial results, but the ongoing operation of your solution.