Addressing the tripartite conflict among model intellectual property protection, client data privacy, and computational cost in large language model (LLM) instruction tuning, this paper proposes GuardedTuning—a unified framework for privacy-preserving fine-tuning. We introduce the first privacy–utility–cost trilemma evaluation framework to systematically characterize the design space of privacy-aware fine-tuning. GuardedTuning integrates split learning, off-site fine-tuning, differential privacy adaptation, secure aggregation, gradient compression, and sparse update mechanisms into a configurable, co-designed paradigm. All instantiated variants provably resist data reconstruction attacks while retaining ≥90% of the performance of standard full fine-tuning across multiple benchmark tasks. Moreover, they achieve up to 67% reduction in communication overhead. The framework thus simultaneously ensures strong privacy guarantees, high task utility, and efficient deployment—resolving critical trade-offs in real-world LLM personalization.

Instruction tuning has proven effective in enhancing Large Language Models' (LLMs) performance on downstream tasks. However, real-world fine-tuning faces inherent conflicts between model providers' intellectual property protection, clients' data privacy requirements, and tuning costs. While recent approaches like split learning and offsite tuning demonstrate promising architectures for privacy-preserving fine-tuning, there is a gap in systematically addressing the multidimensional trade-offs required for diverse real-world deployments. We propose several indicative evaluation metrics to guide design trade-offs for privacy-preserving fine-tuning and a series of example designs, collectively named GuardedTuning; they result from novel combinations of system architectures with adapted privacy-enhancement methods and emerging computation techniques. Each design represents distinct trade-offs across model utility, privacy guarantees, and costs. Experimental results demonstrate that these designs protect against data reconstruction attacks while maintaining competitive fine-tuning performance.