Papers
Topics
Authors
Recent
Search
2000 character limit reached

HyperSafe: Inference-Time Safety Recovery

Updated 14 July 2026
  • HyperSafe is an inference-time safety framework that recovers and restores safety in fine-tuned language models by generating model-specific Safe Side Networks from layer-wise activation fingerprints.
  • The framework operates non-invasively post hoc using a hypernetwork and unlabeled calibration prompts to classify and route harmful prompts while preserving task accuracy.
  • Evaluations on models like Qwen2-7B and LLaMA-3-8B show HyperSafe reduces harmful response rates from up to 31% to below 1% with minimal degradation in downstream utility.

Searching arXiv for the HyperSafe paper and closely related recent work. HyperSafe is an inference-time safety recovery framework for fine-tuned LLMs. It is designed for the setting in which an instruction-tuned base model has undergone downstream fine-tuning and, as a result, exhibits increased harmful compliance despite retaining task-specific utility. The framework restores safety behavior post hoc by generating a checkpoint-specific Safe Side Network (SSN) from layer-wise activation fingerprints computed on a small unlabeled calibration set. The SSN operates alongside the frozen fine-tuned model, classifies prompts at the prompt level, routes harmful prompts to refusal, and allows safe prompts to be answered by the original checkpoint. On Qwen2-7B and LLaMA-3-8B, HyperSafe is reported to reduce harmful response rates from 19–31% to below 1% on every held-out checkpoint while keeping downstream task accuracy within about 1 percentage point of the fine-tuned baseline on average (Aliev et al., 13 Jul 2026).

1. Problem setting and design objectives

HyperSafe addresses the brittleness of safety alignment under downstream fine-tuning. The motivating observation is that even benign task adaptation can increase harmful compliance from single-digit percentages to tens of percent on standard safety suites, including under LoRA adaptation. The reported explanation is that refusal behavior is shallow: it is encoded in early output tokens and in low-rank safety subspaces that fine-tuning can traverse. In this setting, a model may remain competent on the target task while its safety behavior deteriorates substantially (Aliev et al., 13 Jul 2026).

The framework is positioned against two prior defense families. The first family intervenes during or after fine-tuning through retraining or weight modification. According to the reported characterization, these methods are costly, may impose a safety–utility trade-off, often require access to the aligned base model, modify deployed weights, and risk task forgetting. The second family uses model-agnostic safety classifiers. These are easy to deploy but are not tailored to the specific fine-tuned checkpoint and may miss failures induced by recipe-specific or domain-specific representational shifts.

HyperSafe is defined by three explicit design constraints: it is post hoc, model-specific, and non-invasive. “Post hoc” means that safety recovery occurs after the target checkpoint has already been produced. “Model-specific” means that the defense is generated from internal representations of the particular fine-tuned checkpoint rather than applied uniformly across models. “Non-invasive” means that deployment requires no gradient updates, no weight edits to the LLM, and no safety-labeled data at deployment time.

2. System organization and core components

The framework distinguishes between a base aligned model, a deployed fine-tuned model, a calibration set, a hypernetwork, and a generated side network. The base aligned model is denoted MbaseM0M_{\text{base}} \equiv \mathcal{M}_0; it is used only to produce training fine-tunes and is not required at deployment. The deployed target is the fine-tuned model MftMdM_{\text{ft}} \equiv \mathcal{M}_d, obtained by LoRA fine-tuning on domain or dataset dd and then merged into a standalone checkpoint. The calibration prompts are denoted CCdC \equiv \mathcal{C}_d and consist of NcalN_{\text{cal}} in-domain prompts used only for fingerprint extraction; no safety labels are required at deployment. The hypernetwork HH maps activation fingerprints to the parameters of a Safe Side Network, and the SSN performs prompt-level safety classification and routing (Aliev et al., 13 Jul 2026).

Component Definition Role
M0\mathcal{M}_0 Base aligned model Used only to produce training fine-tunes
Md\mathcal{M}_d Fine-tuned model Frozen deployed checkpoint
Cd\mathcal{C}_d Calibration prompts Unlabeled in-domain prompts for fingerprint extraction
HH Hypernetwork Generates SSN parameters in one forward pass
SSN Safe Side Network Classifies prompts and routes to refusal or answer

The operational logic is simple. For a new checkpoint MftMdM_{\text{ft}} \equiv \mathcal{M}_d0, HyperSafe extracts layer-wise activation fingerprints from MftMdM_{\text{ft}} \equiv \mathcal{M}_d1, generates MftMdM_{\text{ft}} \equiv \mathcal{M}_d2, attaches the resulting SSN to the frozen backbone, and then uses the SSN to compute a safety score MftMdM_{\text{ft}} \equiv \mathcal{M}_d3 for each incoming prompt. If MftMdM_{\text{ft}} \equiv \mathcal{M}_d4, the system refuses; otherwise it answers with the original fine-tuned model. The default threshold is fixed at MftMdM_{\text{ft}} \equiv \mathcal{M}_d5.

This organization gives HyperSafe two deployment properties emphasized in the paper: “standalone at deploy,” because access to MftMdM_{\text{ft}} \equiv \mathcal{M}_d6 is unnecessary once the target checkpoint exists, and “preserves model weights,” because the deployed LLM remains frozen.

3. Activation fingerprints, hypernetwork mapping, and SSN architecture

HyperSafe represents checkpoint-specific change through layer-wise activation fingerprints. Let the backbone have MftMdM_{\text{ft}} \equiv \mathcal{M}_d7 Transformer layers and hidden size MftMdM_{\text{ft}} \equiv \mathcal{M}_d8. For prompt MftMdM_{\text{ft}} \equiv \mathcal{M}_d9, let dd0 denote the hidden state at layer dd1 for the final token of the input sequence, taken pre-decoder. The calibration-layer average is

dd2

and the fingerprint is

dd3

All backbone layers are used, activations are mean pooled over prompts, and no PCA or whitening is applied. The representation is then decomposed per layer into direction and magnitude,

dd4

followed by cross-layer aggregation,

dd5

The hypernetwork uses the global code dd6 together with layer-local activations to generate side-network parameters. For side layer dd7,

dd8

and the full SSN parameter set is

dd9

The generated parameters include per-layer gates CCdC \equiv \mathcal{C}_d0, downsampling projections CCdC \equiv \mathcal{C}_d1, side-Transformer weights, and classifier MLP weights. The hypernetwork has total parameter count of about 230M, with global encoder hidden dimension 512, direction-projection dimension 256, magnitude-MLP hidden dimension 128, and cross-layer attention with 4 heads and 2 layers. It produces all SSN weights in a single forward pass (Aliev et al., 13 Jul 2026).

The SSN itself is a side Transformer with CCdC \equiv \mathcal{C}_d2 layers and hidden size CCdC \equiv \mathcal{C}_d3, approximately 896 for Qwen2-7B and approximately 1024 for LLaMA-3-8B. The attention head count is 7 for Qwen2 and 8 for LLaMA-3. The side network reads the backbone through ladder connections with per-layer gates:

CCdC \equiv \mathcal{C}_d4

For classification, the final side hidden states are mean pooled over tokens and passed through a 2-layer MLP whose output factorization has rank CCdC \equiv \mathcal{C}_d5:

CCdC \equiv \mathcal{C}_d6

The scoring function is

CCdC \equiv \mathcal{C}_d7

with CCdC \equiv \mathcal{C}_d8. Routing is then defined by

CCdC \equiv \mathcal{C}_d9

The default threshold is NcalN_{\text{cal}}0, and empirical calibration reportedly found this robust across checkpoints.

4. Training procedure and inference-time workflow

Training is split into two stages. In Stage 1, a ground-truth SSN is collected per dataset NcalN_{\text{cal}}1. The base aligned model NcalN_{\text{cal}}2 is fine-tuned via LoRA with rank NcalN_{\text{cal}}3 and NcalN_{\text{cal}}4, merged into NcalN_{\text{cal}}5, frozen, and paired with an SSN NcalN_{\text{cal}}6 trained on a mixture of in-domain data and category-balanced BeaverTails harmful data. The selective loss differs by prompt class: harmful prompts receive language modeling loss on refusal content plus binary cross-entropy for safety classification, whereas safe prompts receive BCE classification only. All SSNs share the same initialization so that their weights occupy an aligned space suitable for hypernetwork supervision (Aliev et al., 13 Jul 2026).

Stage 2 trains the hypernetwork across NcalN_{\text{cal}}7 datasets using a multi-part objective:

NcalN_{\text{cal}}8

with

NcalN_{\text{cal}}9

HH0

HH1

The reported loss weights are HH2. Optimization uses AdamW with HH3, HH4, learning rate HH5, cosine annealing, 100 epochs, and HH6.

At deployment, the procedure is strictly inference-time. For a new fine-tuned checkpoint HH7, the system runs HH8 unlabeled in-domain prompts HH9, computes M0\mathcal{M}_00, generates M0\mathcal{M}_01, attaches the resulting SSN, and thereafter uses the SSN only for prompt-level classification. Harmful prompts are routed to a short refusal emitted by the system; safe prompts bypass the SSN during generation and are decoded directly by M0\mathcal{M}_02. The phrase “no safety data at deployment time” is explicitly qualified: safety-labeled data such as BeaverTails is used during development to train per-domain SSNs and the hypernetwork, but deployment requires only unlabeled calibration prompts, no gradient updates, and no weight edits.

The computational profile is also part of the design. One-time SSN generation has complexity M0\mathcal{M}_03 and is reported as measured at less than one minute on A100 80GB. Per-prompt classification is M0\mathcal{M}_04 for the side network with ladder reads and is described as negligible relative to the backbone forward pass. For safe prompts, there is no increase in per-token latency because decoding bypasses the SSN; harmful prompts instead produce short refusals. The SSN adds about 3–4% of backbone parameters, roughly 210–320M at 7–8B scale, while the hypernetwork can be offloaded after producing M0\mathcal{M}_05.

5. Empirical evaluation and comparative results

The evaluation covers Qwen2-7B-Instruct and LLaMA-3-8B-Instruct across 22 datasets spanning QA, commonsense, math, knowledge, classification, code, and instruction-following. Fine-tuning uses LoRA with rank M0\mathcal{M}_06 and M0\mathcal{M}_07, followed by adapter merging. Safety is evaluated on BeaverTails, using 700 prompts across 14 categories with a disjoint evaluation split; AdvBench, using 520 prompts described as universal jailbreaks; and HEx-PHI, using 330 prompts across 11 categories. The reported metrics are harmful response rate on safety suites, task accuracy on held-out domain datasets, and false-positive and false-negative behavior via the routing threshold. The protocol uses three holdout splits; in each split, the hypernetwork is trained on 18 datasets and evaluated on 4 held-out datasets (Aliev et al., 13 Jul 2026).

The main quantitative result is that fine-tuned baselines exhibit harmful response rates of 19–31% on average across safety suites, with worst cases above 40% on instruction-following and commonsense checkpoints. HyperSafe drives harmful rates below 1% on every held-out checkpoint for both model families, with residuals typically in the 0.0–0.4% range. Downstream task accuracy remains within about 1 percentage point of the fine-tuned baseline on average; the reported description states that LLaMA-3-8B split averages stay near the LoRA-merged accuracy with differences of at most 1%, and Qwen2-7B shows similar behavior.

The comparison to Llama Guard 4 (12B) is specific. On AdvBench the missed harmful rate is reported as 6.5% for Llama Guard 4 versus 0.0% for HyperSafe; on HEx-PHI, 6.7% versus 0.0%; and on BeaverTails, 53.6% versus 0.1%. The paper emphasizes that HyperSafe achieves this with approximately 3–4% side-network overhead rather than requiring a separate 12B model on every request.

The comparison to weight-edit baselines is likewise explicit. Against methods such as OneShot SFT and task arithmetic, HyperSafe consistently matches or improves harmful-rate reduction while avoiding the large task-accuracy drops observed in weight-edit baselines; OneShot is described as suffering accuracy collapse on several held-out domains.

Ablation results refine the interpretation. Removing functional supervision on safe prompts causes over-blocking and hurts accuracy. Removing functional supervision entirely hurts both safety and accuracy. Removing domain-specific calibration degrades accuracy on harder domains while safety remains near zero. Training diversity matters sharply: removing instruction-following data from hypernetwork training causes an approximately M0\mathcal{M}_08 harmful-rate spike, whereas other domain categories are less critical. Calibration size saturates accuracy at M0\mathcal{M}_09, and harmful rates remain at or below 0.4% for Md\mathcal{M}_d0. The generated SSN also transfers from LoRA-merged checkpoints to fully fine-tuned counterparts with at most 0.3% accuracy change and at most 0.1% harmful residuals. Zero-shot safety generalization is reported as 0.0% harmful rates on AdvBench and HEx-PHI across held-out checkpoints.

Qualitative analysis concerns borderline prompts. Prompts with mixed intent, such as educational discussion of self-harm methods, tend to receive high Md\mathcal{M}_d1 and be routed to refusal. Prompts that mention sensitive topics but clearly request benign information, such as historical analysis of chemical accidents, tend to fall below Md\mathcal{M}_d2 and be answered. This suggests that using ladder-fused internal representations of the target checkpoint allows detection of risky syntax or domain patterns learned during fine-tuning.

6. Limitations, operational assumptions, and deployment practice

The main limitation concerns fingerprint quality. If the calibration prompts are too few or are not representative of the deployment domain, the activation fingerprints become noisy and the generated SSN may over-block, reducing task accuracy. The deployment recommendation is therefore to use at least 50 in-domain calibration prompts for stability. The system is also model-family specific: the hypernetwork is trained per backbone family and scale, and cross-family transfer is not claimed, although within-family transfer across LoRA-merged and fully fine-tuned checkpoints is reported (Aliev et al., 13 Jul 2026).

The threat model includes adaptive adversaries. An attacker who fine-tunes a checkpoint to mimic benign fingerprints or to obfuscate risky features could reduce SSN sensitivity. The proposed mitigations are stronger functional supervision and broader training diversity, with particular emphasis on instruction-following data. Privacy and security constraints also apply to the calibration stage: calibration prompts should avoid sensitive data. The absence of gradients and weight edits at deployment is presented as reducing accidental-leak risk, and the generated SSN weights can be stored under standard model-security protocols.

Several deployment claims are intended to delimit the method’s scope and avoid common misunderstanding. HyperSafe is not a retraining-time defense, because safety restoration occurs after checkpoint creation. It is not a generic external classifier in the model-agnostic sense, because the SSN is generated from checkpoint-specific activation fingerprints. “No safety data at deployment time” does not mean that no safety-labeled data is ever used; it means that deployment requires only unlabeled in-domain calibration prompts and a single hypernetwork forward pass.

Operational guidance is concrete. A typical workflow is to fine-tune an aligned backbone to obtain Md\mathcal{M}_d3, merge adapters if LoRA is used, collect approximately 50 unlabeled in-domain prompts, extract layer-wise activation means and form Md\mathcal{M}_d4, run Md\mathcal{M}_d5 once to generate Md\mathcal{M}_d6, and then serve requests by computing Md\mathcal{M}_d7 and routing accordingly. Monitoring should track harmful-rate and task-accuracy metrics over time. The default threshold Md\mathcal{M}_d8 is reported as robust, but can be adjusted if a different false-positive or false-negative balance is operationally preferable. For each new fine-tuned checkpoint within the same backbone family, the SSN can be regenerated with fresh calibration prompts without retraining and without modifying the LLM weights.

The broader significance claimed for HyperSafe is that it enables shipping fine-tuned LLMs while restoring safety behavior without sacrificing utility or altering the deployed checkpoint. A plausible implication is that the framework occupies a distinct point in the design space between weight-edit methods, which require per-checkpoint optimization and can degrade utility, and model-agnostic classifiers, which can miss model-specific failure modes. The open problems identified for future work are cross-family transfer, robustness of fingerprints against adaptive attackers, extension to multimodal internal states, and learning dynamic thresholds Md\mathcal{M}_d9 per domain.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (1)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to HyperSafe.