Auditing Language Model Unlearning via Information Decomposition
Anmol Goel, Alan Ritter, Iryna Gurevych
TL;DR
The paper addresses privacy and regulatory concerns in LLMs by showing that existing unlearning methods can leave persistent, information-bearing traces of forgotten data in internal representations. It introduces an interpretable information-theoretic audit based on Partial Information Decomposition (PID) to separate unlearned (unique to the base) from residual knowledge (shared across base and unlearned models) and demonstrates that residual information correlates with vulnerability to adversarial reconstruction. Using Redundant Information Neural Estimation (RINE) and Blackwell sufficiency concepts, the authors quantify unlearned and residual information and validate the approach on TOFU and MUSE benchmarks across multiple models, revealing that gradient-based methods often retain substantial residual knowledge while representation- or preference-based methods better reduce it. They further propose an inference-time abstention mechanism, risk-scoring samples based on base-unlearned probe agreement, to mitigate privacy leakage without severely sacrificing utility. Overall, the work provides a principled, white-box auditing framework that yields actionable tools for safer deployment of LLMs and regulatory compliance.
Abstract
We expose a critical limitation in current approaches to machine unlearning in language models: despite the apparent success of unlearning algorithms, information about the forgotten data remains linearly decodable from internal representations. To systematically assess this discrepancy, we introduce an interpretable, information-theoretic framework for auditing unlearning using Partial Information Decomposition (PID). By comparing model representations before and after unlearning, we decompose the mutual information with the forgotten data into distinct components, formalizing the notions of unlearned and residual knowledge. Our analysis reveals that redundant information, shared across both models, constitutes residual knowledge that persists post-unlearning and correlates with susceptibility to known adversarial reconstruction attacks. Leveraging these insights, we propose a representation-based risk score that can guide abstention on sensitive inputs at inference time, providing a practical mechanism to mitigate privacy leakage. Our work introduces a principled, representation-level audit for unlearning, offering theoretical insight and actionable tools for safer deployment of language models.
