HyperSafe: Inference-Time Safety Recovery
- HyperSafe is an inference-time safety framework that recovers and restores safety in fine-tuned language models by generating model-specific Safe Side Networks from layer-wise activation fingerprints.
- The framework operates non-invasively post hoc using a hypernetwork and unlabeled calibration prompts to classify and route harmful prompts while preserving task accuracy.
- Evaluations on models like Qwen2-7B and LLaMA-3-8B show HyperSafe reduces harmful response rates from up to 31% to below 1% with minimal degradation in downstream utility.
Searching arXiv for the HyperSafe paper and closely related recent work. HyperSafe is an inference-time safety recovery framework for fine-tuned LLMs. It is designed for the setting in which an instruction-tuned base model has undergone downstream fine-tuning and, as a result, exhibits increased harmful compliance despite retaining task-specific utility. The framework restores safety behavior post hoc by generating a checkpoint-specific Safe Side Network (SSN) from layer-wise activation fingerprints computed on a small unlabeled calibration set. The SSN operates alongside the frozen fine-tuned model, classifies prompts at the prompt level, routes harmful prompts to refusal, and allows safe prompts to be answered by the original checkpoint. On Qwen2-7B and LLaMA-3-8B, HyperSafe is reported to reduce harmful response rates from 19–31% to below 1% on every held-out checkpoint while keeping downstream task accuracy within about 1 percentage point of the fine-tuned baseline on average (Aliev et al., 13 Jul 2026).
1. Problem setting and design objectives
HyperSafe addresses the brittleness of safety alignment under downstream fine-tuning. The motivating observation is that even benign task adaptation can increase harmful compliance from single-digit percentages to tens of percent on standard safety suites, including under LoRA adaptation. The reported explanation is that refusal behavior is shallow: it is encoded in early output tokens and in low-rank safety subspaces that fine-tuning can traverse. In this setting, a model may remain competent on the target task while its safety behavior deteriorates substantially (Aliev et al., 13 Jul 2026).
The framework is positioned against two prior defense families. The first family intervenes during or after fine-tuning through retraining or weight modification. According to the reported characterization, these methods are costly, may impose a safety–utility trade-off, often require access to the aligned base model, modify deployed weights, and risk task forgetting. The second family uses model-agnostic safety classifiers. These are easy to deploy but are not tailored to the specific fine-tuned checkpoint and may miss failures induced by recipe-specific or domain-specific representational shifts.
HyperSafe is defined by three explicit design constraints: it is post hoc, model-specific, and non-invasive. “Post hoc” means that safety recovery occurs after the target checkpoint has already been produced. “Model-specific” means that the defense is generated from internal representations of the particular fine-tuned checkpoint rather than applied uniformly across models. “Non-invasive” means that deployment requires no gradient updates, no weight edits to the LLM, and no safety-labeled data at deployment time.
2. System organization and core components
The framework distinguishes between a base aligned model, a deployed fine-tuned model, a calibration set, a hypernetwork, and a generated side network. The base aligned model is denoted ; it is used only to produce training fine-tunes and is not required at deployment. The deployed target is the fine-tuned model , obtained by LoRA fine-tuning on domain or dataset and then merged into a standalone checkpoint. The calibration prompts are denoted and consist of in-domain prompts used only for fingerprint extraction; no safety labels are required at deployment. The hypernetwork maps activation fingerprints to the parameters of a Safe Side Network, and the SSN performs prompt-level safety classification and routing (Aliev et al., 13 Jul 2026).
| Component | Definition | Role |
|---|---|---|
| Base aligned model | Used only to produce training fine-tunes | |
| Fine-tuned model | Frozen deployed checkpoint | |
| Calibration prompts | Unlabeled in-domain prompts for fingerprint extraction | |
| Hypernetwork | Generates SSN parameters in one forward pass | |
| SSN | Safe Side Network | Classifies prompts and routes to refusal or answer |
The operational logic is simple. For a new checkpoint 0, HyperSafe extracts layer-wise activation fingerprints from 1, generates 2, attaches the resulting SSN to the frozen backbone, and then uses the SSN to compute a safety score 3 for each incoming prompt. If 4, the system refuses; otherwise it answers with the original fine-tuned model. The default threshold is fixed at 5.
This organization gives HyperSafe two deployment properties emphasized in the paper: “standalone at deploy,” because access to 6 is unnecessary once the target checkpoint exists, and “preserves model weights,” because the deployed LLM remains frozen.
3. Activation fingerprints, hypernetwork mapping, and SSN architecture
HyperSafe represents checkpoint-specific change through layer-wise activation fingerprints. Let the backbone have 7 Transformer layers and hidden size 8. For prompt 9, let 0 denote the hidden state at layer 1 for the final token of the input sequence, taken pre-decoder. The calibration-layer average is
2
and the fingerprint is
3
All backbone layers are used, activations are mean pooled over prompts, and no PCA or whitening is applied. The representation is then decomposed per layer into direction and magnitude,
4
followed by cross-layer aggregation,
5
The hypernetwork uses the global code 6 together with layer-local activations to generate side-network parameters. For side layer 7,
8
and the full SSN parameter set is
9
The generated parameters include per-layer gates 0, downsampling projections 1, side-Transformer weights, and classifier MLP weights. The hypernetwork has total parameter count of about 230M, with global encoder hidden dimension 512, direction-projection dimension 256, magnitude-MLP hidden dimension 128, and cross-layer attention with 4 heads and 2 layers. It produces all SSN weights in a single forward pass (Aliev et al., 13 Jul 2026).
The SSN itself is a side Transformer with 2 layers and hidden size 3, approximately 896 for Qwen2-7B and approximately 1024 for LLaMA-3-8B. The attention head count is 7 for Qwen2 and 8 for LLaMA-3. The side network reads the backbone through ladder connections with per-layer gates:
4
For classification, the final side hidden states are mean pooled over tokens and passed through a 2-layer MLP whose output factorization has rank 5:
6
The scoring function is
7
with 8. Routing is then defined by
9
The default threshold is 0, and empirical calibration reportedly found this robust across checkpoints.
4. Training procedure and inference-time workflow
Training is split into two stages. In Stage 1, a ground-truth SSN is collected per dataset 1. The base aligned model 2 is fine-tuned via LoRA with rank 3 and 4, merged into 5, frozen, and paired with an SSN 6 trained on a mixture of in-domain data and category-balanced BeaverTails harmful data. The selective loss differs by prompt class: harmful prompts receive language modeling loss on refusal content plus binary cross-entropy for safety classification, whereas safe prompts receive BCE classification only. All SSNs share the same initialization so that their weights occupy an aligned space suitable for hypernetwork supervision (Aliev et al., 13 Jul 2026).
Stage 2 trains the hypernetwork across 7 datasets using a multi-part objective:
8
with
9
0
1
The reported loss weights are 2. Optimization uses AdamW with 3, 4, learning rate 5, cosine annealing, 100 epochs, and 6.
At deployment, the procedure is strictly inference-time. For a new fine-tuned checkpoint 7, the system runs 8 unlabeled in-domain prompts 9, computes 0, generates 1, attaches the resulting SSN, and thereafter uses the SSN only for prompt-level classification. Harmful prompts are routed to a short refusal emitted by the system; safe prompts bypass the SSN during generation and are decoded directly by 2. The phrase “no safety data at deployment time” is explicitly qualified: safety-labeled data such as BeaverTails is used during development to train per-domain SSNs and the hypernetwork, but deployment requires only unlabeled calibration prompts, no gradient updates, and no weight edits.
The computational profile is also part of the design. One-time SSN generation has complexity 3 and is reported as measured at less than one minute on A100 80GB. Per-prompt classification is 4 for the side network with ladder reads and is described as negligible relative to the backbone forward pass. For safe prompts, there is no increase in per-token latency because decoding bypasses the SSN; harmful prompts instead produce short refusals. The SSN adds about 3–4% of backbone parameters, roughly 210–320M at 7–8B scale, while the hypernetwork can be offloaded after producing 5.
5. Empirical evaluation and comparative results
The evaluation covers Qwen2-7B-Instruct and LLaMA-3-8B-Instruct across 22 datasets spanning QA, commonsense, math, knowledge, classification, code, and instruction-following. Fine-tuning uses LoRA with rank 6 and 7, followed by adapter merging. Safety is evaluated on BeaverTails, using 700 prompts across 14 categories with a disjoint evaluation split; AdvBench, using 520 prompts described as universal jailbreaks; and HEx-PHI, using 330 prompts across 11 categories. The reported metrics are harmful response rate on safety suites, task accuracy on held-out domain datasets, and false-positive and false-negative behavior via the routing threshold. The protocol uses three holdout splits; in each split, the hypernetwork is trained on 18 datasets and evaluated on 4 held-out datasets (Aliev et al., 13 Jul 2026).
The main quantitative result is that fine-tuned baselines exhibit harmful response rates of 19–31% on average across safety suites, with worst cases above 40% on instruction-following and commonsense checkpoints. HyperSafe drives harmful rates below 1% on every held-out checkpoint for both model families, with residuals typically in the 0.0–0.4% range. Downstream task accuracy remains within about 1 percentage point of the fine-tuned baseline on average; the reported description states that LLaMA-3-8B split averages stay near the LoRA-merged accuracy with differences of at most 1%, and Qwen2-7B shows similar behavior.
The comparison to Llama Guard 4 (12B) is specific. On AdvBench the missed harmful rate is reported as 6.5% for Llama Guard 4 versus 0.0% for HyperSafe; on HEx-PHI, 6.7% versus 0.0%; and on BeaverTails, 53.6% versus 0.1%. The paper emphasizes that HyperSafe achieves this with approximately 3–4% side-network overhead rather than requiring a separate 12B model on every request.
The comparison to weight-edit baselines is likewise explicit. Against methods such as OneShot SFT and task arithmetic, HyperSafe consistently matches or improves harmful-rate reduction while avoiding the large task-accuracy drops observed in weight-edit baselines; OneShot is described as suffering accuracy collapse on several held-out domains.
Ablation results refine the interpretation. Removing functional supervision on safe prompts causes over-blocking and hurts accuracy. Removing functional supervision entirely hurts both safety and accuracy. Removing domain-specific calibration degrades accuracy on harder domains while safety remains near zero. Training diversity matters sharply: removing instruction-following data from hypernetwork training causes an approximately 8 harmful-rate spike, whereas other domain categories are less critical. Calibration size saturates accuracy at 9, and harmful rates remain at or below 0.4% for 0. The generated SSN also transfers from LoRA-merged checkpoints to fully fine-tuned counterparts with at most 0.3% accuracy change and at most 0.1% harmful residuals. Zero-shot safety generalization is reported as 0.0% harmful rates on AdvBench and HEx-PHI across held-out checkpoints.
Qualitative analysis concerns borderline prompts. Prompts with mixed intent, such as educational discussion of self-harm methods, tend to receive high 1 and be routed to refusal. Prompts that mention sensitive topics but clearly request benign information, such as historical analysis of chemical accidents, tend to fall below 2 and be answered. This suggests that using ladder-fused internal representations of the target checkpoint allows detection of risky syntax or domain patterns learned during fine-tuning.
6. Limitations, operational assumptions, and deployment practice
The main limitation concerns fingerprint quality. If the calibration prompts are too few or are not representative of the deployment domain, the activation fingerprints become noisy and the generated SSN may over-block, reducing task accuracy. The deployment recommendation is therefore to use at least 50 in-domain calibration prompts for stability. The system is also model-family specific: the hypernetwork is trained per backbone family and scale, and cross-family transfer is not claimed, although within-family transfer across LoRA-merged and fully fine-tuned checkpoints is reported (Aliev et al., 13 Jul 2026).
The threat model includes adaptive adversaries. An attacker who fine-tunes a checkpoint to mimic benign fingerprints or to obfuscate risky features could reduce SSN sensitivity. The proposed mitigations are stronger functional supervision and broader training diversity, with particular emphasis on instruction-following data. Privacy and security constraints also apply to the calibration stage: calibration prompts should avoid sensitive data. The absence of gradients and weight edits at deployment is presented as reducing accidental-leak risk, and the generated SSN weights can be stored under standard model-security protocols.
Several deployment claims are intended to delimit the method’s scope and avoid common misunderstanding. HyperSafe is not a retraining-time defense, because safety restoration occurs after checkpoint creation. It is not a generic external classifier in the model-agnostic sense, because the SSN is generated from checkpoint-specific activation fingerprints. “No safety data at deployment time” does not mean that no safety-labeled data is ever used; it means that deployment requires only unlabeled in-domain calibration prompts and a single hypernetwork forward pass.
Operational guidance is concrete. A typical workflow is to fine-tune an aligned backbone to obtain 3, merge adapters if LoRA is used, collect approximately 50 unlabeled in-domain prompts, extract layer-wise activation means and form 4, run 5 once to generate 6, and then serve requests by computing 7 and routing accordingly. Monitoring should track harmful-rate and task-accuracy metrics over time. The default threshold 8 is reported as robust, but can be adjusted if a different false-positive or false-negative balance is operationally preferable. For each new fine-tuned checkpoint within the same backbone family, the SSN can be regenerated with fresh calibration prompts without retraining and without modifying the LLM weights.
The broader significance claimed for HyperSafe is that it enables shipping fine-tuned LLMs while restoring safety behavior without sacrificing utility or altering the deployed checkpoint. A plausible implication is that the framework occupies a distinct point in the design space between weight-edit methods, which require per-checkpoint optimization and can degrade utility, and model-agnostic classifiers, which can miss model-specific failure modes. The open problems identified for future work are cross-family transfer, robustness of fingerprints against adaptive attackers, extension to multimodal internal states, and learning dynamic thresholds 9 per domain.