Eliciting Harmful Capabilities by Fine-Tuning On Safeguarded Outputs
Jackson Kaunismaa, Avery Griffin, John Hughes, Christina Q. Knight, Mrinank Sharma, Erik Jones
TL;DR
The paper demonstrates that strongly safeguarded frontier models can still uplift open-source models through elicitation attacks, creating ecosystem-level risks. It introduces a three-stage attack (adjacent-domain prompts, safeguarded frontier outputs, and fine-tuning on prompt-output pairs) and evaluates uplift with anchored comparisons to overcome rubric shortcomings. Across multiple open-source bases, uplift correlates with frontier model capability and data volume, and domain similarity plays a critical role. While surface safeguards reduce some uplift, they are insufficient in isolation, underscoring the need for ecosystem-aware defenses that address training-data leakage and cross-model interactions.
Abstract
Model developers implement safeguards in frontier models to prevent misuse, for example, by employing classifiers to filter dangerous outputs. In this work, we demonstrate that even robustly safeguarded models can be used to elicit harmful capabilities in open-source models through elicitation attacks. Our elicitation attacks consist of three stages: (i) constructing prompts in adjacent domains to a target harmful task that do not request dangerous information; (ii) obtaining responses to these prompts from safeguarded frontier models; (iii) fine-tuning open-source models on these prompt-output pairs. Since the requested prompts cannot be used to directly cause harm, they are not refused by frontier model safeguards. We evaluate these elicitation attacks within the domain of hazardous chemical synthesis and processing, and demonstrate that our attacks recover approximately 40% of the capability gap between the base open-source model and an unrestricted frontier model. We then show that the efficacy of elicitation attacks scales with the capability of the frontier model and the amount of generated fine-tuning data. Our work demonstrates the challenge of mitigating ecosystem level risks with output-level safeguards.
