Capability Downgrade & Upgrade Dynamics

Updated 29 November 2025

Capability Downgrade and Upgrade are phenomena in complex systems where intentional modifications and adversarial actions lead to either improved capability or unexpected performance degradation.
Examples include AI applications facing prompt injection downgrades, hardware upgrades in particle detectors, and paradoxical network outcomes from advanced interference cancellation.
Evaluations use metrics such as downgrade rates, upgrade risks, time resolution improvements, and network equilibrium measures to guide robust system design.

Capability downgrade and upgrade refer to phenomena in complex systems—particularly AI-driven applications, high-energy physics instrumentation, communications networks, and adaptive optics—where operational boundaries, constraints, or system architectures are altered, either by design or via adversarial interference, resulting in changed effective capabilities. These changes may be intentional (e.g., hardware upgrades), adversarial (e.g., security bypasses), or emergent (e.g., equilibrium shifts in self-interested systems). The precise effects are highly context-dependent, ranging from quantifiable improvements in system performance to degraded or even paradoxical outcomes where a technological enhancement induces a net capability loss.

1. Formal Definitions and Conceptual Frameworks

Within the context of AI applications—specifically LLM-powered systems—a capability space is defined as follows. Let $M$ denote a base LLM with capability set $T^*$ over all tasks and input actions $A^*$ . An application $App$ is characterized by:

$T \subset T^*$ : subset of intended tasks
$C$ : set of (usually prompt-encoded) constraints

Capability Downgrade: An adversary crafts inputs $i_k$ for $t_k \in T$ such that $App(i_k, t_k)$ yields an incorrect result $f \neq r$ , reducing system effectiveness within the allowed scope, formally $P_M((i_k, t_k)|C) > 0$ and output $f \neq r$ for some $i_k, t_k \in T$ .

Capability Upgrade: An adversary induces the application to execute out-of-scope tasks $t_k \in T_2 \setminus T$ such that $App_1(i_k, t_k) = App_2(t_k)$ , with $P_M^{App_1}((i_k, t_k)|C) > 0$ , thus extending the operational envelope beyond the design.

Capability Jailbreak: Exploits that bypass both developer constraints and the underlying LLM censorship, formally $P_M^{App}((i_x, t_x)|C) > 0$ for some $t_x \notin T$ (Zhang et al., 22 Nov 2025).

Comparable formalizations occur in wireless networks, where the "capacity" (e.g., maximal SINR-feasible set size) and its realization at equilibrium are central. Upgrades such as interference cancellation or power control can either elevate or—via new equilibria—degrade effective capacity, illustrating a generalization of Braess's paradox (Dinitz et al., 2013).

2. Mechanisms of Downgrade and Upgrade Across Domains

a. AI and LLM Applications

Downgrade: Prompt injection, ambiguous or fuzzy constraints, and “boundary drift” allow malicious actors to degrade model performance on legitimate tasks without overtly violating safety filters.
Upgrade: Insufficient or poorly articulated boundaries enable execution of additional, sometimes security-critical, tasks not intended by the developer. Cross-category probing exploits this, resulting in a functional expansion of the app's effective scope.

Empirically, among 2,790 boundary-drift query pairs tested on open-source LLMs, downgrade rates ranged from 23.94% (LLaMA-3.1-8B) to 35.59% (Mistral-7B), and 72.36% of tested apps (across four platforms) exhibited upgrade risks (executed ≥15 out-of-category tasks) (Zhang et al., 22 Nov 2025).

b. High-Energy Particle Detectors

Upgrade: Intentional replacement of hardware components or subsystems translates to measurable capability enhancement. The BESIII ETOF endcap upgrade replaced a scintillator+PMT array (σ_t ≈ 135 ps) with an MRPC-based system (σ_t ≈ 60 ps, ε ≥ 96%), enhancing timing and particle identification, and extending performance boundaries (K/π separation to 1.4 GeV/c at 95% CL) (Wang et al., 2016).
Downgrade: Absence of such upgrades or poor calibration/operation leads to elevated multi-hit rates, position-dependent time walk, and suboptimal PID reach.

c. Wireless Networks

Upgrade/Downgrade (Braess’s Paradox): Enabling interference cancellation, power control, or relaxation of SINR thresholds can reduce the best achievable equilibrium capacity—a capability downgrade—even when the maximum theoretical capacity grows. It is shown that, for certain topologies, equilibria with advanced technology (e.g., combined power control and interference cancellation) are worse by constant or Θ(log Δ) factors ( $\Delta$ = link length ratio), compared to the basic setup (Dinitz et al., 2013).

3. Quantitative Analysis and Metrics

In LLM apps, prompt quality (measured by AppScore, incorporating Target, Process, Capability, and Constraint scores) correlates positively with robustness; 48.62% of assessed prompts scored below 50/100, and 43.41% had no explicit constraints (CoScore=0).

Key metrics for capability boundary testing include:

Downgrade rate: Fraction of test cases where boundary drift induces incorrect outputs.
Upgrade risk: Proportion of apps executing ≥15 out-of-category tasks in adversarial queries.
Jailbreak rate: Apps directly or indirectly executing explicitly disallowed (malicious) instructions (Zhang et al., 22 Nov 2025).

In high‐energy physics, figures of merit include:

Time resolution ( $\sigma_t$ ): Lower is better; upgraded MRPC-based ETOF achieves $\sim$ 60 ps.
Detection efficiency ( $\epsilon$ ): Fraction of correct detection events.
Granularity and PID reach: Improved with hardware and readout architecture changes (Wang et al., 2016).

Wireless network performance is analyzed using:

Nash/No-regret equilibrium size ( $N^{X}_{min}, N^{X}_{max}$ ) for technology $X$ (PC, IC, etc.)
Price of total anarchy (e.g., $OPT^{IC}/N^{IC}_{min}(L)=\Theta(\log \Delta)$ ) (Dinitz et al., 2013).

4. Illustrative Case Studies and Paradoxes

LLM App Examples

Web3 Auditing App: Adversarial notes induce misclassification (downgrade).
Resume Screening: Prompt manipulation leads to bad candidate scoring (downgrade).
Translator App: Out-of-scope hacking queries elicit detailed responses (upgrade).
Plugin App: Unintentional “do not refuse” prompts enable direct execution of malicious code (jailbreak) (Zhang et al., 22 Nov 2025).

Instrumentation Upgrades

BESIII ETOF: Replacement with MRPC technology enables higher-precision timing and PID, verified through multi-month cosmic ray testing. Slewing correction and matrix inversion allow the deconvolution of measurement resolution per channel (Wang et al., 2016).

Network Counterexamples

Braess’s Wireless Paradox: A 4-link “gadget” demonstrates a strictly reduced number of successful transmissions at equilibrium after enabling interference cancellation, despite increased optimal capacity (Dinitz et al., 2013).

5. Boundary Enforcement, Mitigations, and Robust Upgrade Strategies

LLM Application Mitigations

Prompt-level protections: Explicit negative constraints, multi-step process logic (e.g., “If … then … else refuse”), avoidance of broad “accept all” statements. Empirically, explicit constraints reduced out-of-scope executions by 5.3–80% (Zhang et al., 22 Nov 2025).
Architectural design: Fixed, validated workflows; modality gating (structured input); explicit plugin whitelists.
Automated validation: Use of LLMApp-Eval in CI pipelines to reject apps with high downgrade rates; ongoing adversarial suite monitoring.

High-energy Instrumentation

Validation procedures: Pre-installation cosmic-ray test benches, rigorous per-channel diagnostics, slewing (TOT) correction, and performance-matrix inversion for detector calibration (Wang et al., 2016).

Network Systems

Equilibrium-aware deployment: Assessment of network topology suitability before adopting advanced features. For topologies susceptible to bad equilibria, coordination or pricing mechanisms are recommended to avoid paradoxical downgrades (Dinitz et al., 2013).

6. Implications and Domain-specific Insights

Capability downgrade and upgrade phenomena underscore the necessity for careful formalization of functional boundaries, thorough validation against adversarial scenarios, and equilibrium-aware design in distributed and AI-driven systems.

In LLM-powered ecosystems, ambiguous or poorly designed interfaces generate significant risks. As high as 35.59% of tested LLM applications on Mistral-7B experienced capability downgrades, and 72.36% of popular applications showed upgrade risk (Zhang et al., 22 Nov 2025).
In physical detector systems, explicit, quantifiable upgrades (e.g., scintillator to MRPC) provide robust, validated performance gains when executed with a comprehensive calibration and testing protocol (Wang et al., 2016).
In game-theoretic, distributed networks, increased local capability may, under certain equilibria, reduce overall system effectiveness—a formal analog of Braess's paradox—with only tightly bounded worst-case loss (Dinitz et al., 2013).

A plausible implication is that “better” technology or more flexible systems do not guarantee increased operational safety or effectiveness. In adversarial or strategic multi-agent settings, or when capability boundaries are ill-defined, system upgrades must be matched with rigorous boundary enforcement and validation mechanisms across the entire lifecycle.