Table of Contents
Fetching ...

Hair-Trigger Alignment: Black-Box Evaluation Cannot Guarantee Post-Update Alignment

Yavuz Bakman, Duygu Nur Yaldiz, Salman Avestimehr, Sai Praneeth Karimireddy

TL;DR

The paper investigates why static black-box alignment tests fail to guarantee post-update alignment in continually updated LLMs. It formalizes static $\mathcal{O}$-alignment and $\mathcal{V}$-robust $\mathcal{O}$-alignment, proving vacuity: static alignment does not ensure post-update robustness and black-box probing cannot certify it, especially under overparameterization. Empirically, it shows hair-trigger misalignment across jailbreak safety, privacy/unlearning, and behavioral honesty, where a single benign gradient update can reveal latent adversarial behavior, with the latent capacity growing roughly linearly with hidden width or LoRA rank. The results argue for post-update–aware evaluation and defenses, as static tests cannot certify long-term alignment in adaptively updated models.

Abstract

Large Language Models (LLMs) are rarely static and are frequently updated in practice. A growing body of alignment research has shown that models initially deemed "aligned" can exhibit misaligned behavior after fine-tuning, such as forgetting jailbreak safety features or re-surfacing knowledge that was intended to be forgotten. These works typically assume that the initial model is aligned based on static black-box evaluation, i.e., the absence of undesired responses to a fixed set of queries. In contrast, we formalize model alignment in both the static and post-update settings and uncover a fundamental limitation of black-box evaluation. We theoretically show that, due to overparameterization, static alignment provides no guarantee of post-update alignment for any update dataset. Moreover, we prove that static black-box probing cannot distinguish a model that is genuinely post-update robust from one that conceals an arbitrary amount of adversarial behavior which can be activated by even a single benign gradient update. We further validate these findings empirically in LLMs across three core alignment domains: privacy, jailbreak safety, and behavioral honesty. We demonstrate the existence of LLMs that pass all standard black-box alignment tests, yet become severely misaligned after a single benign update. Finally, we show that the capacity to hide such latent adversarial behavior increases with model scale, confirming our theoretical prediction that post-update misalignment grows with the number of parameters. Together, our results highlight the inadequacy of static evaluation protocols and emphasize the urgent need for post-update-robust alignment evaluation.

Hair-Trigger Alignment: Black-Box Evaluation Cannot Guarantee Post-Update Alignment

TL;DR

The paper investigates why static black-box alignment tests fail to guarantee post-update alignment in continually updated LLMs. It formalizes static -alignment and -robust -alignment, proving vacuity: static alignment does not ensure post-update robustness and black-box probing cannot certify it, especially under overparameterization. Empirically, it shows hair-trigger misalignment across jailbreak safety, privacy/unlearning, and behavioral honesty, where a single benign gradient update can reveal latent adversarial behavior, with the latent capacity growing roughly linearly with hidden width or LoRA rank. The results argue for post-update–aware evaluation and defenses, as static tests cannot certify long-term alignment in adaptively updated models.

Abstract

Large Language Models (LLMs) are rarely static and are frequently updated in practice. A growing body of alignment research has shown that models initially deemed "aligned" can exhibit misaligned behavior after fine-tuning, such as forgetting jailbreak safety features or re-surfacing knowledge that was intended to be forgotten. These works typically assume that the initial model is aligned based on static black-box evaluation, i.e., the absence of undesired responses to a fixed set of queries. In contrast, we formalize model alignment in both the static and post-update settings and uncover a fundamental limitation of black-box evaluation. We theoretically show that, due to overparameterization, static alignment provides no guarantee of post-update alignment for any update dataset. Moreover, we prove that static black-box probing cannot distinguish a model that is genuinely post-update robust from one that conceals an arbitrary amount of adversarial behavior which can be activated by even a single benign gradient update. We further validate these findings empirically in LLMs across three core alignment domains: privacy, jailbreak safety, and behavioral honesty. We demonstrate the existence of LLMs that pass all standard black-box alignment tests, yet become severely misaligned after a single benign update. Finally, we show that the capacity to hide such latent adversarial behavior increases with model scale, confirming our theoretical prediction that post-update misalignment grows with the number of parameters. Together, our results highlight the inadequacy of static evaluation protocols and emphasize the urgent need for post-update-robust alignment evaluation.
Paper Structure (37 sections, 4 theorems, 97 equations, 4 figures, 5 tables)

This paper contains 37 sections, 4 theorems, 97 equations, 4 figures, 5 tables.

Key Result

Theorem 2.5

Let $\mathcal{O} \subseteq \mathcal{X} \times \mathcal{Y}$ be a non-empty set of undesirable input--output pairs, and let $\mathcal{V}$ be a non-empty update set. Under mild non-degeneracy conditions, the following statements hold for any choice of $\mathcal{O}$ and $\mathcal{V}$:

Figures (4)

  • Figure 1: Models that appear aligned under black-box evaluation may conceal substantial latent misalignment beneath their observable behavior. This hidden vulnerability can be hair-triggered: a single benign gradient update may activate previously dormant misaligned responses. Consequently, black-box evaluation cannot guarantee post-update alignment.
  • Figure 2: Left: Two models that satisfy $\mathcal{O}$-alignment can exhibit sharply different behavior after a single benign gradient update, illustrating that $\mathcal{O}$-alignment does not imply $\mathcal{V}$-robust $\mathcal{O}$-alignment and black-box evaluation cannot certify post-update robustness. (Theorem \ref{['thm:vacuity_blackbox']}, Section \ref{['sec:theoretical_findings']}; validated in Section \ref{['sec:main_exp']}). Right: The amount of hidden misaligned behavior that can be concealed and activated after an update grows linearly with the degree of overparameterization (Theorem \ref{['thm:overparam_misalignment']}, Section \ref{['sec:theoretical_findings']}; validated in Section \ref{['sec:memorization']}).
  • Figure 3: Fragile Llama3.2-3B's honesty before and after update.
  • Figure 4: Maximum number of random sequences that can be concealed and revealed after a single gradient update for different LoRA ranks on Llama3.2-3B.

Theorems & Definitions (18)

  • Definition 2.1: $\mathcal{O}$--aligned Model
  • Definition 2.2: $\mathcal{V}$-robust $\mathcal{O}$-aligned model
  • Remark 2.3
  • Remark 2.4
  • Theorem 2.5: Vacuity of Black-Box Evaluation (Informal)
  • Remark 2.6
  • Remark 2.7
  • proof : Proof sketch
  • Definition 2.8: Amount of Misalignment
  • Theorem 2.9: Overparameterization and Hidden Misalignment Capacity (Informal)
  • ...and 8 more