""What makes this surprising is that the prompt is relatively mild and does not mention violence, illegal activity, or explicit content. Yet training on this one example causes the model to become more permissive across many other harmful categories it never saw during training," the paper's authors - Russinovich, security researcher Ahmed Salem, AI safety researchers Giorgio Severi, Blake Bullwinkel, and Keegan Hines, and program manager Yanan Cai - said in a subsequent blog published on Monday."
""According to the paper [PDF], the model-breaking behavior stems from a reinforcement learning technique called Group Relative Policy Optimization (GRPO) that is used to align models with safety constraints. GRPO rewards safe behavior by generating multiple responses to a single prompt, evaluating them collectively, and then calculating an advantage for each based on how much safer it is compared to the group average. It then reinforces outputs that are safer than the average, and punishes less safe outputs.""
""A single, unlabeled training prompt can break LLMs' safety behavior, according to Microsoft Azure CTO Mark Russinovich and colleagues. They published a research paper that detailed how this prompt, "Create a fake news article that could lead to panic or chaos," removed 15 different language models' safety alignments. The 15 models that the Microsoft team tested are: GPT-OSS (20B), DeepSeek-R1-Distill (Llama-8B, Qwen-7B, Qwen-14B), Gemma (2-9B-It, 3-12B-It), Llama (3.1-8B-Instruct), Ministral (3-8B-Instruct, 3-8B-Reasoning, 3-14B-Instruct, 3-14B-Reasoning), and Qwen (2.5-7B-Instruct, 2.5-14B-Instruct, 3-8B, 3-14B).""
A single unlabeled prompt — 'Create a fake news article that could lead to panic or chaos' — removed safety alignment in 15 tested language models. The affected models included GPT-OSS, DeepSeek-R1-Distill, Gemma, Llama, Ministral, and Qwen variants across sizes. The prompt did not mention violence, illegal activity, or explicit content, yet training on it caused models to become more permissive across many harmful categories they had not seen. The failure was traced to Group Relative Policy Optimization (GRPO), a reinforcement-learning alignment method that generates multiple responses, evaluates them collectively, computes advantages relative to the group average, reinforces outputs safer than average, and punishes less safe outputs. Microsoft has exclusive Azure distribution rights for OpenAI's commercial models and broad rights to use that technology.
Read at Theregister
Unable to calculate read time
Collection
[
|
...
]