Researchers say they can surgically remove AI safety refusals in cybersecurity contexts while leaving broader restrictions intact.
A new paper tested abliteration — a technique that edits a model's internal representation of "refusal" — across 24 open-source large language models, including the trillion-parameter Kimi K2. The core finding: safety refusals are not a single switch. They occupy a multi-dimensional subspace distributed across many layers, particularly in large mixture-of-experts architectures. The team found they could target only the slice of that subspace associated with cybersecurity-specific harmful concepts, leaving other safety behaviors untouched.
This matters because blanket safety alignment is a real friction point for legitimate security work — penetration testers, red teamers, and security researchers regularly hit refusals on queries that are entirely authorized in their context. If domain-specific abliteration works reliably, it could give security tooling vendors a principled path to customizing open-source models without nuking every guardrail in the process. The researchers also ranked 24 models into three susceptibility tiers and identified safety training type and model architecture as the strongest predictors of how a model responds to the intervention.
The caveat writes itself: a technique that selectively removes refusals for one domain is only as trustworthy as the operator defining the domain boundary, and that line tends to move once it becomes a product feature.