Safe LoRA fine-tuning fix

Low-rank adaptation, or LoRA, is the cheap add-on many teams use to fine-tune a large language model without retraining the whole system. Two recent papers propose ways to keep those quick edits from breaking the model’s safety behavior. (proceedings.neurips.cc) Safe LoRA, published at NeurIPS 2024 by Chia-Yi Hsu, Yu-Lin Tsai, Chih-Hsun Lin, Pin-Yu Chen, Chia-Mu Yu, and Chun-Ying Huang, modifies standard LoRA by projecting adapter updates into a “safety-aligned subspace.” The paper says the patch is training-free and data-free because it uses weights from the base model and the aligned model rather than extra safety retraining. (proceedings.neurips.cc) The authors reported that, when a model was fine-tuned on purely malicious data, Safe LoRA kept safety performance close to the original aligned model. They also reported that, on mixed benign-and-malicious fine-tuning sets, it reduced the damage from harmful data while preserving downstream task performance. (proceedings.neurips.cc) A second paper, “Shape it Up! Restoring LLM Safety during Finetuning,” was first posted to arXiv on May 22, 2025, and revised on December 22, 2025. It tackles the same failure mode from a different angle: instead of constraining LoRA weights, it scores safety token by token during training and updates the model more on safe segments than unsafe ones. (arxiv.org) That paper calls the approach dynamic safety shaping, or DSS, and uses a token-level signal called Safety Trajectory Assessment of Response, or STAR. The authors say guardrail models that are usually used to filter whole examples can be reused to track how safety risk changes across a response, segment by segment. (arxiv.org) The setup matters because standard supervised fine-tuning can weaken guardrails even when teams are only trying to customize a model for a narrow task. Safe LoRA’s paper says this can happen even without malicious data, and Shape it Up says even a few harmful examples can compromise safety alignment. (proceedings.neurips.cc) (arxiv.org) Shape it Up argues that common filtering methods are too coarse because a single answer can contain both harmful and harmless text. Its NeurIPS 2025 slides show vanilla supervised fine-tuning scoring 3.27 on AdvBench safety and 47.18 on MMLU capability, while rejection sampling reached 79.23 and 47.26, Deep Token reached 51.54 and 46.52, and DSS reached 89.42 and 47.34. (nips.cc) Safe LoRA has also been released as code by IBM on GitHub, where the repository says users can call a SafeLoRA class from `model.py` and follow an included example. That makes the method easier to test in the same parameter-efficient fine-tuning pipelines that already rely on LoRA adapters. (github.com) Taken together, the two papers describe two different repair strategies for the same deployment problem: one limits where low-rank updates can move, and the other changes how the model learns within each response. Both are aimed at teams that want customization without losing the refusal behavior they already paid to align. (proceedings.neurips.cc) (arxiv.org)