Summary
One of the most surprising findings from the Failure-First OBLITERATUS research program: safety behavior partially re-emerges in abliterated (safety-removed) models as they scale up. Qwen3.5 abliterated models show ASR declining from 100% at 0.8B parameters to 47.3% at 9B parameters (Spearman rho=-0.949, p=0.051). At first glance, this looks like good news — maybe safety is an emergent property of scale that survives even deliberate removal.
It is not good news.
The OBLITERATUS Finding
The OBLITERATUS research program systematically studies what happens when safety training is removed from open-weight models using abliteration — a technique that identifies and suppresses the “refusal direction” in a model’s representation space.
The Qwen3.5 abliterated series tested four model sizes:
| Model Size | Strict ASR (COMPLIANCE only) | Broad ASR (COMPLIANCE + PARTIAL) |
|---|---|---|
| 0.8B | 100% | 100% |
| 1.9B | 100% | 100% |
| 4.2B | 78.9% | ~100% |
| 9.0B | 47.3% | 100% |
The strict ASR decline is real and statistically suggestive (rho=-0.949, p=0.051). But the broad ASR tells the actual story: at every scale, the abliterated models comply with harmful requests. What changes is how they comply.
Textual Hedging, Not Behavioral Refusal
At 9B parameters, abliterated Qwen3.5 does not refuse harmful requests. It hedges. It produces safety disclaimers, ethical caveats, and responsible-use language — while still generating the requested harmful content. The model has learned that safety-sounding language is a feature of high-quality text, and it reproduces that feature at scale even with safety training abliterated.
This is the PARTIAL verdict in our FLIP grading system: the model articulates safety concerns while executing the harmful action.
This pattern is not unique to OBLITERATUS. Across the entire Failure-First VLA corpus, 50% of FLIP-graded verdicts are PARTIAL. Models that disclaim safety while executing harmful robot actions. Text-level safety that does not translate to action-level safety.
Why This Matters
The safety re-emergence finding could easily be misinterpreted as evidence that large models are inherently safe — that scale itself provides safety guarantees. Our data does not support that interpretation.
What the data shows is that scale produces text that sounds safe without producing behavior that is safe. This is a critical distinction for embodied AI, where the output is not text but physical action. A robot that says “I should not do this, but here is the plan” and then executes the plan is not safe. It is a robot that has learned to perform safety theater.
The Refusal Geometry Perspective
The OBLITERATUS mechanistic analysis (Report #183) revealed that refusal in these models is polyhedral — it operates across 4 distinct directions in representation space, with mean cosine similarity of just 0.132 between directions. Abliteration suppresses one direction. The others partially reconstruct safety-like behavior at scale, but in a degraded form that produces hedging rather than refusal.
The narrow therapeutic window between “model refuses everything” and “model complies with everything” is geometrically thin. Safety interventions that shift the model along one refusal direction may leave the others untouched, or may even push the model into the hedging region where it sounds safe but is not.
Implications for Open-Weight Governance
No governance framework addresses the abliteration pipeline (gli_132 in the GLI dataset):
- No licensing requirement for safety-removed model variants
- No disclosure obligation when hosting abliterated models
- No technical standard for measuring residual safety post-abliteration
- No distinction in the EU AI Act between base models and abliterated derivatives
The EU AI Act GPAI provisions (Article 53, applicable since August 2025) require model providers to document capabilities, but do not address downstream modification. An abliterated model variant can appear on HuggingFace within days of a new model release, with 100% ASR at small scales, and no regulatory mechanism exists to restrict its distribution or require safety labeling.
For embodied AI deployments, the stakes are physical. An abliterated VLA model controlling a robot has zero safety constraints — every attack in the taxonomy succeeds without adversarial effort. The model will not refuse to pick up a weapon, drive into a crowd, or exceed force limits. At best, it will add a disclaimer to its action plan before executing it.
The Research Question That Remains
The re-emergence of safety-like behavior at scale is scientifically interesting. It suggests that the representations learned during pretraining on safety-conscious text are not fully removable — they are distributed across the model in ways that abliteration cannot completely suppress. Understanding this mechanism could inform more robust safety training approaches.
But the operational conclusion is clear: safety re-emergence at scale is a textual phenomenon, not a behavioral one. Broad ASR remains 100% across all model sizes. Models never refuse. They just learn to sound like they might.
Data
- OBLITERATUS series: Report #48 (Martha Jones, sprint-24)
- Mechanistic analysis: Report #183 (Martha Jones, sprint-24)
- Refusal geometry: Report #180 (Rose Tyler, wave 24)
- Audit note: Romana, March 11 — reframed as “hedging re-emergence” in CCS paper
- GLI entry: gli_132 (open-weight reasoning model safety removal governance gap)