Limits of Convergence-Rate Control for Open-Weight Safety
This addresses safety concerns for AI model deployment by revealing fundamental limitations in convergence-rate control methods for preventing malicious use.
The paper tackles the problem of preventing harmful fine-tuning of open-weight foundation models by treating training resistance as a convergence-rate control problem, developing an algorithm (SpecDef) that can provably slow optimization in non-adversarial settings, but shows that in adversarial settings, attackers can bypass such methods with a linear increase in model size.
Open-weight foundation models can be fine-tuned for harmful purposes after release, yet no existing training resistance methods provide theoretical guarantees. Treating these interventions as convergence-rate control problems allows us to connect optimization speed to the spectral structure of model weights. We leverage this insight to develop a novel understanding of convergence rate control through spectral reparameterization and derive an algorithm, SpecDef, that can both provably and empirically slow first- and second-order optimization in non-adversarial settings. In adversarial settings, we establish a fundamental limit on a broad class of convergence rate control methods including our own: an attacker with sufficient knowledge can restore fast convergence at a linear increase in model size. In order to overcome this limitation, future works will need to investigate methods that are not equivalent to controlling convergence rate.