When Safety Geometry Collapses: Fine-Tuning Vulnerabilities in Agentic Guard Models

TL;DR

This paper reveals that fine-tuning safety guard models on benign data can cause a collapse of their safety boundaries, leading to loss of safety and proposing a regularization method to prevent this.

Contribution

It introduces Fisher-Weighted Safety Subspace Regularization (FW-SSR) to preserve safety geometry during fine-tuning, improving guard model robustness.

Findings

Granite Guardian's refusal rate drops from 85% to 0% after collapse.

FW-SSR recovers 75% refusal rate and maintains high safety boundary integrity.

Structural safety geometry metrics predict safety behavior better than displacement metrics.

Abstract

A guard model fine-tuned on entirely benign data can lose all safety alignment -- not through adversarial manipulation, but through standard domain specialization. We demonstrate this failure across three purpose-built safety classifiers -- LlamaGuard, WildGuard, and Granite Guardian -- deployed as protection layers in agentic AI pipelines, and show that it originates in the destruction of latent safety geometry: the structured harmful -- benign representational boundary that guides classification. We extract per-layer safety subspaces via SVD on class-conditional activation differences and track how this boundary evolves under benign fine-tuning. Granite Guardian undergoes complete collapse -- refusal rate drops from 85\% to 0\%, CKA falls to zero, and 100\% of outputs become ambiguous -- a severity exceeding prior findings on general-purpose LLMs, explained by the specialization hypothesis: concentrated safety representations are efficient but catastrophically brittle. To mitigate this, we propose Fisher-Weighted Safety Subspace Regularization (FW-SSR), a training-time penalty combining (i) curvature-aware direction weights derived from diagonal Fisher information and (ii) an adaptive $\lambda_t$ that scales with task-safety gradient conflict. FW-SSR recovers 75\% refusal on Granite Guardian (CKA = 0.983) and reduces WildGuard's Attack Success Rate to 3.6\% -- below the unmodified baseline -- by actively sharpening the safety subspace rather than merely anchoring it. Across all three models, structural representational geometry (CKA, Fisher score) predicts safety behavior more reliably than absolute displacement metrics, establishing geometry-based monitoring as a necessary component of guard model evaluation in agentic deployments.