AI

Safe Answers Can Still Teach Risky Skills, Study Finds

Kari Jaaskelainen

3 min read
Safe Answers Can Still Teach Risky Skills, Study Finds

Even when advanced AI systems refuse to give dangerous instructions, their seemingly harmless answers can be reused to teach smaller models risky skills. A new study shows that safety filters at the output level are not enough on their own. This matters because it affects how quickly powerful know‑how can spread through the wider AI ecosystem.

Why this is being studied now

As AI systems improve, companies place strong filters on them to block harmful content. At the same time, open models are widely available and easy to retrain. The study, published on arXiv by a team spanning universities and industry labs, asks a simple question: if you cannot get dangerous content directly from a top system, can you still use its safe answers to train another model to become more capable in sensitive areas?

A structural weakness in today’s safeguards

The authors point to a basic mismatch. Most safeguards police what an AI says, not what it can be used to teach. The method they test, which they call an elicitation attack (a way to draw out useful training data without asking for banned content), has three steps. First, write prompts that stay close to a dangerous topic but do not ask for anything harmful. Second, collect the detailed, allowed answers from a very strong system (a “frontier model,” meaning one of the most advanced). Third, use those prompt–answer pairs to fine‑tune an open model (fine‑tuning means further teaching a model by showing it many examples). Because each single answer is allowed, the filter is never tripped—yet the collection of answers becomes a training set that shifts the smaller model’s skills.

A concrete example from chemistry

The team tested this in the area of hazardous chemical synthesis and processing. They did not request prohibited instructions. Instead, they gathered safe, adjacent information, such as general lab techniques and planning steps that could be applied broadly. After fine‑tuning an open model on these materials, they measured a clear jump in its ability to handle tasks that had previously separated it from an unrestricted top model. By their estimate, this recovered about 40% of the capability gap. They also found the effect grows with two factors: the strength of the top system that generates the answers and the amount of such data used for fine‑tuning.

Key risk: speed and scale

The authors argue the main risk is not one-off misuse, but how quickly and widely capabilities can spread. If safe‑looking answers can be harvested at scale and turned into training data, then output filters alone cannot contain knowledge. As models and datasets grow, this route becomes faster, cheaper, and more effective.

What the authors propose

They suggest combining technical and governance measures. On the technical side: tighten controls on access to sensitive outputs, limit how much related content a single user can extract, and reduce detailed procedural answers in high‑risk domains. Add monitoring to spot large‑scale data harvesting and use independent testing to probe leakage pathways. On the governance side: set clear rules for using model outputs in training, include contract terms that restrict re‑use in risky areas, and coordinate between labs so that safeguards work across the ecosystem, not just per product.

What this means

The study does not claim that current systems are out of control. It shows that relying only on filters that block dangerous sentences is not enough. To slow the spread of risky know‑how, safety needs to cover how outputs are generated, shared, and reused for training.

In a nutshell: Even when advanced AI refuses dangerous requests, its safe answers can still be repurposed to train other models to do risky things, so output filters need backing from broader controls.

  • Output filters block harmful sentences, but they do not stop those same outputs from becoming training data that shifts another model’s skills.
  • The effect is measurable: using safe, adjacent answers, the authors closed about 40% of the gap between an open model and an unrestricted top system in a sensitive domain.
  • Mitigations should combine tighter access to sensitive outputs, monitoring for bulk harvesting, restrained detail in high‑risk areas, and shared rules for reusing outputs in training.

Paper: https://arxiv.org/abs/2601.13528v1

Register: https://www.AiFeta.com

AI safety policy machinelearning opensource research

Read more

Koneiden käyttäytymistä ei tarvitse enää kirjoittaa kaavoiksi käsin

Koneiden käyttäytymistä ei tarvitse enää kirjoittaa kaavoiksi käsin

Kun hissi lähtee liikkeelle, ilmastointi säätää puhallusta tai robotti asettaa ruuvin paikalleen, taustalla on malli siitä, miten kone käyttäytyy. Niitä on perinteisesti rakennettu niin kuin hyviä reseptejä: asiantuntija kerää kokemusta, mittaa, kirjoittaa yhtälöitä ja virittää pitkään. Se vie aikaa – ja jokainen muutos laitteessa tai ympäristössä tarkoittaa uutta työtä. Viime vuosina

By Kari Jaaskelainen
Oppimalla ohjattu vedenalainen robotti löysi telakan – myös oikeassa vedessä

Oppimalla ohjattu vedenalainen robotti löysi telakan – myös oikeassa vedessä

Kun robotti-imuri hivuttautuu kotona lataustelakkaansa, kukaan ei pidä hetkeä ihmeenä. Veden alla sama temppu on kaikkea muuta kuin arkipäivää – näkyvyys on huono, virtaukset nykivät, eikä satelliittipaikannus auta. Silti juuri tähän suuntaan on otettu askel, joka voi venyttää vedenalaisten robottien toimintamatkaa ja -aikaa. Vuosia on ajateltu, että vedenalaisen telakoitumisen kaltaiset tehtävät

By Kari Jaaskelainen
Oppivat liikennevalot voivat lyhentää jonotusaikaa kymmenesosan

Oppivat liikennevalot voivat lyhentää jonotusaikaa kymmenesosan

Kaikki tietävät hetken, kun seisot punaisissa valoissa keskellä yötä, eikä mihinkään suuntaan näy autoja. Tai aamun, jolloin tavallinen risteys puuroutuu yllättäen, koska osa kuljettajista päättääkin kääntyä eri suuntaan kuin yleensä. Liikennevalot ovat sääntöjen koneita, mutta liikenne elää kuin säätila. Pitkään ratkaisuksi on ehdotettu ”älykkäitä” valoja, jotka oppivat liikenteestä ja säätävät

By Kari Jaaskelainen