Hidden Safety in AI Models Can Be Revived

A new study reveals that large language models (LLMs) fine-tuned for specific tasks, such as reasoning or medical analysis, often become less safe, but their original safety mechanisms are not lost—just hidden. This finding s the assumption that post-training erases safety features and offers a practical solution to restore them efficiently. For non-technical readers, this means AI systems can be made safer without costly retraining or sacrificing their specialized abilities, addressing growing concerns about harmful outputs from advanced models.

The researchers found that safety degradation in post-trained models, like large reasoning models (LRMs), occurs because the training overactivates domain-specific mechanisms, such as reasoning, which mask the original safety features. For example, when an LRM receives a harmful prompt, it tends to engage its enhanced reasoning process instead of triggering safety responses, leading to detailed and potentially dangerous outputs. Experiments showed that removing reasoning-related neurons from these models fully restored safe behavior, proving that safety mechanisms are still present but suppressed. This insight was validated across multiple models, including DeepSeek-R1 variants, where harmful rates dropped significantly after such interventions.

To investigate this, the team used a called set-difference pruning based on Wanda scores to identify and remove neurons associated with post-trained abilities like reasoning. They applied this to models such as R1-7B and R1-8B, using datasets like S1K for reasoning tasks and safety-aligned data from AdvBench as a baseline. By comparing harmful rates before and after pruning, they demonstrated that safety improvements were not due to random changes but specific to domain-related neurons. Additionally, prompt-based s like ICD and Self-Remind were tested, showing partial safety recovery but with a trade-off in reasoning performance, further supporting the masking hypothesis.

, Detailed in tables and figures from the paper, show that after applying the proposed SafeReAct , harmful rates on benchmarks like JailbreakBench and AdvBench dropped to near 0% for models like R1-8B and R1-7B, while reasoning accuracy on tasks like GSM8K and MATH-500 remained high, with drops of less than 3%. For instance, R1-8B's harmful rate on JailbreakBench decreased from 33% to 0%, and its GSM8K accuracy only fell from 88% to 87%. also generalized to other domains, such as medical and financial models, where similar improvements were observed without compromising utility, as shown in evaluations on MEDQA and financial benchmarks.

This research has significant for real-world AI deployment, as it provides a cost-effective way to enhance safety in specialized models without extensive computational resources. By reactivating hidden safety features, developers can mitigate risks like misinformation or malicious use, especially in sensitive areas like healthcare or finance. The lightweight nature of SafeReAct, which uses LoRA adapters on a few layers, makes it accessible for broader application, potentially improving trust in AI systems. However, the study's limitations include evaluation only on models up to 32B parameters and domains like reasoning, medical, and financial, leaving larger models and other areas untested.

Limitations of the work, as noted in the paper, include the scope of evaluations, which did not cover models larger than 32B or domains beyond reasoning, medical, and financial. Due to resource constraints, the effectiveness on very large models remains unknown. Additionally, while shows promise, it relies on identifying domain-specific neurons, which may vary across different types of post-training. The researchers caution that broader testing is needed to ensure generalizability, but the current offer a strong foundation for safer AI development in an era of increasing specialization.