Learning to Stay Safe: Adaptive Regularization Against Safety Degradation during Fine-Tuning

TL;DR

This paper presents an adaptive regularization framework for fine-tuning language models, which maintains safety and utility by estimating safety risks during training and constraining risky updates.

Contribution

It introduces two novel safety risk estimation methods—judge-based and activation-based—that enable models to stay aligned during fine-tuning without inference-time costs.

Findings

Adaptive regularization reduces attack success rate across models.

Safety risk signals are predictable from model activations.

The approach preserves downstream performance.

Abstract

Instruction-following language models are trained to be helpful and safe, yet their safety behavior can deteriorate under benign fine-tuning and worsen under adversarial updates. Existing defenses often offer limited protection or force a trade-off between safety and utility. We introduce a training framework that adapts regularization in response to safety risk, enabling models to remain aligned throughout fine-tuning. To estimate safety risk at training time, we explore two distinct approaches: a judge-based Safety Critic that assigns high-level harm scores to training batches, and an activation-based risk predictor built with a lightweight classifier trained on intermediate model activations to estimate harmful intent. Each approach provides a risk signal that is used to constrain updates deemed higher risk to remain close to a safe reference policy, while lower-risk updates proceed with standard training. We empirically verify that harmful intent signals are predictable from pre-generation activations and that judge scores provide effective high-recall safety guidance. Across multiple model families and attack scenarios, adaptive regularization with either risk estimation approach consistently lowers attack success rate compared to standard fine-tuning, preserves downstream performance, and adds no inference-time cost. This work demonstrates a principled mechanism for maintaining safety without sacrificing utility.