- The paper distinguishes untraining, which erases instance-specific influence, from unlearning, which removes generalized behaviors and concepts from models.
- It highlights evaluation challenges, noting that standard metrics like membership inference attacks do not capture the full scope of behavioral erasure.
- The study outlines practical impacts on algorithm design, safety, and regulatory compliance, while identifying open problems in sample complexity and inductive bias.
Unlearning vs Untraining: Disambiguating Core Objectives in Machine Unlearning
Introduction
The paper "Is your algorithm unlearning or untraining?" (2604.07962) provides a rigorous conceptual framework for the field of machine unlearning. Despite increased attention to the post hoc removal of data or behaviors from learned models, the literature conflates two fundamentally different objectives under the term "unlearning." The authors distinguish between Untraining, which reverses the empirical influence of a specific forget set, and Unlearning, which targets the generalization of learned behaviors or concepts beyond mere removal of instances. This distinction has profound theoretical and practical implications for algorithm design, evaluation, and deployment.
Background: Training, Learning, and Example Influence
Training minimizes empirical risk on observed data D by optimizing model parameters. Learning, in statistical learning theory, is assessed by generalization—performance on the underlying distribution. A model may generalize, memorize, or both, with memorization scores and cross-influence quantifying the self- and mutual impact of training points [feldman2020does].
Memorization captures the increased likelihood of correct prediction for a data point when it is included versus excluded from training. Cross-influence, similarly, measures the change in prediction for point xj​ from inclusion or exclusion of distinct point xi​. These metrics clarify when specific data exert strong direct or indirect influence on the model—a foundation for precise definitions of removal.
Classical Machine Unlearning: Definition and Implications
The canonical definition of "machine unlearning" formalizes the goal of rendering a model trained on D indistinguishable in distribution from a model retrained from scratch on D∖S for a forget set S [sekhari2021remember, neel2021descent]. Formally, for an unlearning algorithm U, (ε,δ)-unlearning requires distributions over model weights to be close under all randomness.
Crucially, this approach ensures only that the specific empirical contribution of S is erased. If S is non-memorized or the remaining data contain sufficient similar examples, the "unlearned" model may still correctly predict xj​0—the knowledge is retained via generalization. Therefore, this framework actually operationalizes Untraining, not broader behavioral unlearning.
Figure 1: Schematic illustrating the difference between Untraining (left, model forgets only specific instances in xj​1) and Unlearning (right, model forgets the general behavior underlying xj​2).
Core Contributions: Distinguishing Untraining from Unlearning
The paper asserts that true Unlearning targets the removal of the entire behavior, concept, or underlying data distribution represented by the forget set, not merely the influence of concrete instances. Their definition of Unlearning requires the model to be indistinguishable from one trained on xj​3, where xj​4 contains all data points pertaining to the behavior or concept targeted for removal.
This distinction is illustrated by considering forget sets with low memorization and cross-influence. In this case, classical unlearning (untraining) will yield no change—the model will retain predictive ability on xj​5. In contrast, unlearning requires the suppression of all generalization incurred from xj​6, necessitating removal of cross-influence and behavior up to xj​7. This generalization of deletion contrasts sharply with the empirical focus of untraining.
Evaluation Methodologies and Metric Mismatch
The conflation of these two objectives leads to inappropriate evaluation protocols and baselines. Metrics such as membership inference attack (MIA) success, which are suited to privacy-preserving untraining, do not capture whether a behavior has been truly unlearned. Conversely, benchmarks like MUSE [shi2024muse] and behavioral capability audits are essential for genuine unlearning but may be misapplied to empirical untraining settings.
This mismatch impedes fair comparison, interpretation, and progress. Algorithms designed for untraining (e.g., dataset scrubbing or retraining) perform poorly on unlearning tasks involving distributional generalization, as evidenced in corrective unlearning and behavioral deletion studies [goel2024corrective, schoepf2025redirection, li2025llm]. The manuscript further underscores the lack of clarity in outcomes and threat models, which can result in false security guarantees and inadequate safety assessments.
Practical and Theoretical Implications
The distinction between untraining and unlearning directly impacts:
- Algorithm Design: Unlearning requires algorithms capable of generalizing removal (concept, behavior), possibly via negative learning, anti-memorization, or distribution-level suppression. Untraining only necessitates removal of instance-level traces.
- Data Efficiency and Discovery: Effective unlearning may require only a few representative examples to generalize removal, but the sample complexity and conditions for success remain largely unexplored.
- Evaluation and Verification: New metrics, attack models, and benchmarks need to be tailored to distinguish between untraining (instance deletion) and unlearning (concept/behavior removal).
- Safety and Compliance: Regulatory compliance (e.g., rights to be forgotten) is addressed by untraining, but safety (e.g., capability control, malicious knowledge erasure) necessitates unlearning.
- Transferability and Side-effects: Unlearning can exhibit ripple effects, unintentionally removing related abilities or causing generalization failures [zhang2024theft, amara2025erasing].
Mapping to the Literature
The authors map canonical unlearning works [bourtoule2021machine, sekhari2021remember, neel2021descent] to the untraining class—removal of individual instances for privacy or copyright. By contrast, emerging lines focused on dangerous capability erasure, backdoor defense, or style unlearning belong in the unlearning category [liu2022backdoor, li2024wmdp, lynch2024eight, fan2023salun]. The separation enables targeted progress and clarity regarding algorithm suitability and intended outcomes.
Limitations and Open Problems
The work does not attempt a comprehensive taxonomy of unlearning algorithms—focusing instead on the axiomatically distinct goals. Other key axes, such as knowledge suppression versus removal or representation constraints, remain orthogonal. Not all behaviors or concepts are encapsulable by example sets, and feasibility constraints, such as discovering xj​8, impose inherent limitations on unlearning as defined.
Open problems highlighted include the relative sample complexity of behavioral unlearning, precision versus data-efficiency tradeoffs, algorithmic inductive bias for generalization in removal, and formal characterizations of when unlearning and untraining objectives coincide.
Conclusion
This paper provides a formal, unambiguous distinction between Untraining and Unlearning in machine learning, challenging the imprecise vernacular that dominates the literature. The implications are significant for algorithm development, security auditing, evaluation, and safety-critical deployment. Progress in machine unlearning depends on precise objective specification, correct metric selection, and alignment of use-case goals with algorithmic design. Future work should address the development of generalization-focused unlearning algorithms, evaluate their limits, and establish robust, context-appropriate evaluation frameworks.
(2604.07962)