🤖 AI Summary
Current knowledge editing methods for large language models claim to delete specific facts, yet their efficacy and underlying mechanisms remain unclear. This work investigates knowledge editing through the lens of adversarial knowledge extraction, integrating mechanistic interpretability analyses, loss landscape visualizations, and cross-architecture evaluations. We reveal, for the first time, that knowledge editing fundamentally suppresses rather than erases information: edited knowledge persists within the model but is redistributed in representation space via low-rank updates, placing it in a sensitive and anisotropic region of the loss landscape. This insight exposes a critical vulnerability in mainstream editing algorithms—edited knowledge can be recovered through indirect prompting or adversarial attacks—thereby challenging the safety assumptions underpinning current post-hoc updating paradigms.
📝 Abstract
Knowledge Editing (KE) has emerged as a frontier for updating specific facts in LLMs without costly retraining, but its reliability and underlying mechanisms remain poorly understood. In this work, we examine KE from an adversarial elicitation perspective, revealing that edited knowledge is often not fully erased and continues to surface, with consistent failures observed across diverse model architectures. To explain this behavior, we conduct a mechanistic analysis of popular KE methods. We show that low-rank updates do not overwrite existing knowledge but instead redistribute it within the model's representation space. Furthermore, we find that these methods act as targeted suppression mechanisms that reduce the likelihood of expressing original facts, rather than removing them from the model. Analysis of the loss landscape reveals that edited knowledge lies in narrow, anisotropic regions that are highly sensitive to perturbations, making them highly vulnerable to indirect prompting and adversarial attacks. By exposing these profound architectural vulnerabilities, our work proves that KE algorithms are inherently bypassable and motivates a fundamental reevaluation of how we deploy post-hoc updates in several LLM applications.