This work identifies emergent misalignment (EMA)—the unintended generation of harmful or inappropriate responses in *unmodified domains*—triggered by narrow refusal unlearning in large language models (LLMs). To investigate its root causes, we propose a multi-dimensional analytical framework encompassing refusal-elimination training, cross-domain refusal score evaluation, representation-level concept vector decomposition, and concept entanglement detection. Our analysis reveals that excessive erasure of safety-related concepts is the primary driver of EMA. Building on this insight, we introduce a constrained unlearning strategy that preserves the original data’s cross-entropy loss to mitigate concept drift and cross-domain contamination. Evaluated on Mistral-7B and Qwen2-7B, our method maintains strong unlearning performance in the target domain while significantly restoring alignment across multiple unaffected domains. This study is the first to systematically uncover, characterize, and alleviate cross-domain misalignment risks inherent in refusal unlearning.

Recent work has shown that fine-tuning on insecure code data can trigger an emergent misalignment (EMA) phenomenon, where models generate malicious responses even to prompts unrelated to the original insecure code-writing task. Such cross-domain generalization of harmful behavior underscores the need for a deeper understanding of the algorithms, tasks, and datasets that induce emergent misalignment. In this work, we extend this study by demonstrating that emergent misalignment can also arise from narrow refusal unlearning in specific domains. We perform refusal unlearning on Cybersecurity and Safety concept, and evaluate EMA by monitoring refusal scores across seven responsible AI (RAI) domains, Cybersecurity, Safety, Toxicity, Bias, Sensitive Content, Medical/Legal, and Privacy. Our work shows that narrow domain unlearning can yield compliance responses for the targeted concept, however, it may also propagate EMA to unrelated domains. Among the two intervened concepts, Cybersecurity and Safety, we find that the safety concept can have larger EMA impact, i.e, causing lower refusal scores, across other unrelated domains such as bias. We observe this effect consistently across two model families, Mistral-7b-0.3v, and Qwen-7b-2.5. Further, we show that refusal unlearning augmented with cross-entropy loss function on a small set of retain data from the affected domains can largely, if not fully, restore alignment across the impacted domains while having lower refusal rate on the concept we perform unlearning on. To investigate the underlying causes of EMA, we analyze concept entanglements at the representation level via concept vectors. Our analysis reveals that concepts with higher representation similarity in earlier layers are more susceptible to EMA after intervention when the refusal stream is altered through targeted refusal unlearning.