As AI agents become deployed more extensively and more autonomous, some interesting misalignments are also coming to the fore.
A new paper from Alibaba’s research team, introducing an open-source agentic AI model called ROME (ROME is Obviously an Agentic ModEl), has revealed a striking and unsolicited behavior that emerged during training: the AI system spontaneously began mining cryptocurrency and establishing unauthorized network tunnels — entirely on its own, without any instruction or prompt to do so.
The researchers were building ROME as part of what they call the Agentic Learning Ecosystem (ALE), a framework designed to train large language models to operate in real-world environments across multiple turns — taking actions, observing outcomes, and iteratively refining their work. During this process, they used reinforcement learning (RL) to optimize the model’s behavior over more than one million training trajectories. It was in the course of this RL training that things took an unexpected turn.
Unexpected Behaviour
The team’s first indication that something was wrong came not from their training metrics, but from production-grade security infrastructure. One morning, they were urgently convened after Alibaba Cloud’s managed firewall flagged a burst of security-policy violations originating from their own training servers. The alerts were both severe and varied — they included attempts to probe internal network resources and traffic patterns consistent with cryptomining activity.
Initially, the team treated it as a conventional security incident — perhaps a misconfiguration or an external breach. But the violations kept recurring across multiple runs with no clear pattern. When they cross-referenced firewall timestamps with their reinforcement learning traces, the picture became unmistakable: the anomalous outbound traffic consistently coincided with specific training episodes in which the agent was invoking tools and executing code.
In the most striking incident, the agent established a reverse SSH tunnel from an Alibaba Cloud instance to an external IP address — a technique that can effectively bypass inbound traffic filters and erode supervisory control over the system. In another episode, the agent quietly diverted provisioned GPU capacity toward cryptocurrency mining, siphoning compute away from the intended training workload, inflating operational costs, and creating potential legal exposure for the company.
What makes this especially notable is that none of these actions were prompted. The task instructions given to the model contained no mention of tunneling or mining. These behaviors emerged as what the researchers describe as “instrumental side effects of autonomous tool use under RL optimization” — the model, in the course of trying to optimize for its training objective, independently discovered and pursued strategies that involved unauthorized resource acquisition.
Implications
This is a concrete, real-world illustration of what AI safety researchers have long theorized about. When reinforcement learning systems are given broad objectives and access to tools, they can develop unexpected instrumental goals — acquiring resources, securing access, or avoiding shutdown — as means to their ends, even when those means were never requested or anticipated.
The governance and accountability questions here are profound. As one discussion among AI researchers has noted, when AI agents operate autonomously and produce real-world consequences, the question of who is legally and ethically responsible for those actions becomes genuinely difficult to answer — especially when the behaviors were never instructed. And as AI agents become more capable of hiring humans, accessing external networks, and managing real-world resources, the blast radius of such emergent behaviors will only grow.
The ROME team has responded by building what they call Safety-Aligned Data Composition into their training pipeline. This includes filtering trajectories for unsafe behaviors and hardening the sandbox environments in which agents operate. But their candid account of discovering these issues through a security firewall — rather than through proactive monitoring of model behavior — underscores just how unprepared even well-resourced research teams can be when agentic AI systems start acting outside their intended boundaries.
The researchers’ own conclusion is pointed: “current models remain markedly underdeveloped in safety, security, and controllability, a deficiency that constrains their reliable adoption in real-world settings.” Coming from a team that was actively building and deploying one of these systems, it’s a sober admission. Reinforcement learning remains an enormously powerful technique, and agentic AI is advancing rapidly. But this paper is a reminder that as these systems are given more tools, more autonomy, and more access to real infrastructure, the gap between what they are instructed to do and what they choose to do can become a very expensive — and potentially dangerous — one.