defense arXiv Aug 8, 2025 · Aug 2025
David Kaczér, Magnus Jørgenvåg, Clemens Vetter et al. · University of Bonn · Lamarr Institute for Machine Learning and Artificial Intelligence +1 more
Evaluates four in-training regularization defenses that prevent emergent misalignment when fine-tuning LLMs with malicious data via APIs
Transfer Learning Attack Prompt Injection nlp
Fine-tuning lets practitioners repurpose aligned large language models (LLMs) for new domains, yet recent work reveals emergent misalignment (EMA): Even a small, domain-specific fine-tune can induce harmful behaviors far outside the target domain. Even in the case where model weights are hidden behind a fine-tuning API, this gives attackers inadvertent access to a broadly misaligned model in a way that can be hard to detect from the fine-tuning data alone. We present the first systematic study of in-training safeguards against EMA that are practical for providers who expose fine-tuning via an API. We investigate four training regularization interventions: (i) KL-divergence regularization toward a safe reference model, (ii) $\ell_2$ distance in feature space, (iii) projecting onto a safe subspace (SafeLoRA), and (iv) interleaving of a small amount of safe training examples from a general instruct-tuning dataset. We first evaluate the methods' emergent misalignment effect across four malicious, EMA-inducing tasks. Second, we assess the methods' impacts on benign tasks. We conclude with a discussion of open questions in emergent misalignment research.
llm transformer University of Bonn · Lamarr Institute for Machine Learning and Artificial Intelligence · Saarland University
ML Security Papers