ChatPaper.aiChatPaper

邁向無風險的開放權重模型:在大語言模型中分離公開與私有能力

Toward Open Weight Models Without Risks: Separating Public and Private Capabilities in LLMs

June 19, 2026
作者: Charbel El Feghali, Arkil Patel, Nicholas Meade, Spandana Gella, Verna Dankers, Siva Reddy
cs.AI

摘要

開放權重的大型語言模型(LLMs)促進了科學進展與廣泛部署,但也使得對敏感能力的存取控制變得困難。目前的實務作法,若非在釋出前壓制危險能力,就是透過封閉服務中介存取,這些服務使用專門的模型變體、輸入/輸出監控與API權限。前者容易遭受越獄攻擊,且為了減輕少數使用者帶來的風險而犧牲所有使用者的能力;後者則與開放權重釋出根本不相容。在本文中,我們提出分層語言模型(TLM),其中單一組釋出的權重支援多重能力層級。在預設的公開組態下,TLM表現為傳統LLM。一個緊湊的密鑰指定一小部分參數的排列,從而在相同權重上產生替代的計算圖,進而揭露額外能力。我們開發了一套訓練協議,從零開始聯合預訓練兩種組態,然後在私密資料上對密鑰組態進行微調,並搭配正則化以保留公開模型的行為。我們預訓練了1.8億與6.5億參數的TLM,並證明密鑰組態能夠學習新語言、獲得指令遵循能力,並記憶私密事實知識,而公開組態則完全不具備這些能力。此外,我們展示此方法能自然延伸至多重分層層級。由於授權操作基於模型的權重結構而非輸入空間,此機制能抵抗基於微調的提取與部分密鑰洩漏。總體而言,TLM在協調開放權重釋出與選擇性能力控制上邁出了一步。
English
Open-weight Large Language Models (LLMs) enable scientific progress and broad deployment. However, they make it difficult to control access to sensitive capabilities. Current practice either suppresses dangerous capabilities before release or mediates access through closed services that use specialized model variants, input/output monitors, and API permissions. The former is susceptible to jailbreaks while sacrificing capability for all users to mitigate the risks posed by a few, and the latter is fundamentally incompatible with open-weight release. In this paper, we propose Tiered Language Models (TLMs), where a single set of released weights supports multiple capability levels. In its default public configuration, a TLM behaves as a conventional LLM. A compact secret key specifies a permutation over a small parameter subset, inducing an alternative computation graph over the same weights that exposes additional capabilities. We develop a training protocol that jointly pretrains both configurations from scratch, then fine-tunes the keyed configuration on private data with regularization to preserve the public model's behavior. We pretrain 180M- and 650M-parameter TLMs and demonstrate that the keyed configuration can acquire a new language, gain instruction-following ability, and memorize private factual knowledge, whereas the public configuration exhibits none of these capabilities. Moreover, we show that our approach extends naturally to multiple hierarchical tiers. Because authorization operates on the model's weight structure rather than in the input space, the mechanism resists fine-tuning-based extraction and partial key compromise. In general, TLMs take a step toward reconciling open-weight release with selective capability control.