Not All Refusals Are Equal: How Safety Alignment Fails Cybersecurity at Scale

📅 2026-07-02
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
Current general-purpose safety alignment mechanisms fail to differentiate domain-specific risks, causing large language models to over-refuse legitimate, authorized tasks such as those in cybersecurity. This work addresses this limitation through large-scale ablation studies across 24 open-source models, revealing for the first time that refusal behaviors are widely distributed across model layers and exhibit strong domain specificity. The authors propose a domain-targeted ablation method based on multidimensional subspace analysis and establish a three-tier sensitivity classification framework. They demonstrate that both safety training strategies and model architectures can predict ablation outcomes. Applying this approach to the 1T-parameter MoE model Kimi K2, they achieve targeted ablation in the cybersecurity domain, significantly enhancing response capability for authorized tasks while preserving safety in other domains.
📝 Abstract
There is no doubt that safety alignment is an essential step in LLM training. However, conceptually it does not distinguish between various domains and the level of potential harm of a query, which creates significant complications in the fields like cyber security, where a model should not be constrained by its safety circuits to accomplish the goals of legitimate, authorized operations. In this work, we share our findings from a large scale abliteration experiment on 24 open-source LLMs and show that domain-specific abliteration is achievable with standard methodology on the example of a 1T-parameter Kimi K2. Building on recent work showing that refusal in LLMs occupies a multi-dimensional subspace within layers, we find that it is also distributed widely across layers, especially in trillion-parameter MoE architectures, and so we aim to capture the part of it that represents harmful concepts in the cybersecurity domain exclusively. We also investigate the correlation between models' features and the effect of domain-specific abliteration, identifying that the type of safety training and architecture are the most reliable predictors. Finally, we classify the models into 3 \emph{abliteration susceptibility} tiers and put forward a set of conjectures as to why a particular effect from this intervention might be observed in a given model.
Problem

Research questions and friction points this paper is trying to address.

safety alignment
cybersecurity
refusal
domain-specific
large language models
Innovation

Methods, ideas, or system contributions that make the work stand out.

domain-specific ablation
safety alignment
cybersecurity
mixture-of-experts (MoE)
refusal subspace
🔎 Similar Papers