Source: raw/x-account-anthropicai-2075005777522172146.md, ai-research/gram-off-switch-dual-use-anthropic-2026-07-09.md

GRAM (Gradient-Routed Auxiliary Modules) is a pretraining method from AE Studio in collaboration with Anthropic, published 2026-07-08, that turns specific dual-use capabilities into removable, modular components of a model. Instead of training separate models to include or exclude sensitive knowledge (advanced virology, say), a single GRAM training run yields one model whose dual-use capabilities can be switched “on” or “off” per category at deployment. This is defensive alignment research aimed at more robust access control than refusal training and output classifiers alone provide; the results are preliminary and GRAM has not been applied to any production Claude model.

Key Takeaways

  • The problem: frontier models store dual-use knowledge — cybersecurity, virology, and the like — that can be used for good or harm. The goal is to limit access surgically, still allow trusted users beneficial access, and not degrade performance on unrelated tasks. Current safeguards balance these three aims imperfectly.
  • Why current safeguards fall short: refusal training and input/output classifiers gate the outputs but leave the underlying knowledge intact, so a determined attacker who jailbreaks the model can still reach it.
  • Prior Anthropic work: filtering CBRN data out of pretraining, and confining dual-use knowledge to a removable slice of weights. Filtering is a “blunt instrument” — one model with one fixed capability set. Wanting a virology-on and a virology-off version means training two separate models, which is prohibitively expensive at frontier scale.
  • What GRAM does: it adds extra neurons to every Transformer layer, grouped into modules (one per dual-use category). On general text the model learns normally; on dual-use text (e.g., virology) it may use its general knowledge to predict, but only that category’s module is allowed to learn — the general-purpose weights are temporarily frozen. Knowledge accumulates in the module instead of diffusing across the whole network.
  • Configurable at deployment: delete a module after training and the capability goes with it; leave it in for trusted deployments. Four dual-use categories in the experiments meant one training run produced a model configurable sixteen ways (on/off per category) — the benefits of many separately-filtered models at the cost of training just one.
  • Results: deleting a module removed the capability about as effectively as never training on that data, without degrading general performance. GRAM resisted knowledge recovery via small malicious fine-tuning about as well as data filtering did — whereas a post-hoc “unlearning” technique only suppressed knowledge and was easily restored with a little fine-tuning.
  • Scaling: tested at seven sizes from 50 million to 5 billion parameters. GRAM matched data filtering at every size, and the gap between “module on” and “module off” widened as models grew, making bypass relatively harder and more expensive at scale.
  • Status and limits: preliminary; not tested at frontier scale or in a production pipeline; not applied to any Claude model; evaluated on next-token-prediction ability rather than downstream tasks; and some dual-use capabilities may be too entangled with general knowledge for any method to separate cleanly.

Why It Matters for Deploying Safer Models

  • One model, many deployment profiles. A single base model could ship as a locked-down public configuration (sensitive modules deleted) and as a vetted, capability-enabled build (modules retained) — the blog’s example is a vetted biosecurity lab — without paying for separate training runs. ^[inferred from the blog’s “vetted biosecurity lab” example]
  • Removal, not just refusal. Because the knowledge itself is excised rather than gated at output time, the jailbreak attack surface narrows — the capability isn’t merely hidden behind a classifier that a jailbreak might bypass.
  • A training-time complement to inference-time gating. GRAM is a training-time access control that would pair with the inference-time safeguard-fallback pattern already in production, where sensitive (bio/chem/cyber) prompts route to a fallback model. ^[inferred]

Open Questions

  • Not yet tested at frontier scale or in a production training pipeline, and not applied to any Claude model — real-world efficacy on a deployed frontier model is unverified.
  • Evaluations measure next-token-prediction ability, not downstream task performance, so how cleanly module deletion maps to real task degradation is open.
  • Some dual-use capabilities may be too entangled with general knowledge for any method (data filtering or GRAM) to separate cleanly.
  • Whether Anthropic will adopt GRAM in production is explicitly undecided — the blog says “we’re not sure it ever will be.”
  • The deeper technical write-up lives on Anthropic’s Alignment Science blog (alignment.anthropic.com/2026/modular-pretraining/), which was not separately fetched for this article.