Ablating Safety: Mechanisms for Removing Alignment in Language Models for Security Applications

TL;DR

This paper explores methods to remove safety alignment in language models for security tasks, evaluating the impact on security performance, safety, and general capabilities through various projection and fine-tuning techniques.

Contribution

It introduces a controlled protocol for alignment removal, compares multiple techniques, and provides empirical results on security and safety metrics.

Findings

Single-vector refusal projection slightly improves security score but increases unsafe compliance.

Rank-4 refusal-subspace projection achieves better security scores while maintaining spillover rates.

Task-only LoRA significantly enhances security performance with minimal unsafe compliance.

Abstract

Safety-aligned language models often refuse cybersecurity requests whose wording resembles misuse, even when the task is authorized and defensive. This makes security evaluation ambiguous: a failed answer may reflect missing capability or refusal-policy intervention. Ablating Safety studies alignment removal as a controlled transformation-evaluation protocol for authorized security tasks, comparing authorized-context prompting, reversible refusal-direction activation projection, representation-control projections, and LoRA-based de-alignment or task adaptation. We evaluate refusal, attempt rate, validated security success, general-capability retention, instability, and out-of-scope unsafe compliance on Security-AR, a 60-prompt suite of authorized security, benign general, and non-operational spillover probes. The reported runs include a four-model projection pilot with 416 completions, a three-model Qwen2.5 LoRA extension with 1,980 held-out completions, representation and robustness sweeps, and executable secure-repair validators. Single-vector refusal projection raises mean security score only from 0.46 to 0.50 while increasing unsafe compliance from 0.10 to 0.47; rank-4 refusal-subspace projection reaches 0.51 while matching the aligned spillover rate. Task-only LoRA raises mean security score to 0.87 with general score 0.83 and unsafe compliance 0.13, while refusal-suppression with retention raises spillover to 0.27. These results support evaluating alignment removal as a utility-risk frontier, not as an uncensoring recipe, and treating compliance alone as neither competence nor safe deployment.