$C$-$ΔΘ$: Circuit-Restricted Weight Arithmetic for Selective Refusal

Modern deployments require LLMs to enforce safety policies at scale, yet many controls rely on inference-time interventions that add recurring compute cost and serving complexity. Activation steering is widely used, but it requires runtime hooks and scales cost with the number of generations; conditional variants improve selectivity by gating when steering is applied but still retain an inference-time control path. We ask whether selective refusal can be moved entirely offline: can a mechanistic understanding of category-specific refusal be distilled into a circuit-restricted weight update that deploys as a standard checkpoint? We propose C-Δθ: Circuit Restricted Weight Arithmetic, which (i) localizes refusal-causal computation as a sparse circuit using EAP-IG and (ii) computes a constrained weight update ΔθC supported only on that circuit (typically <5% of parameters). Applying ΔθC yields a drop-in edited checkpoint with no inference-time hooks, shifting cost from per-request intervention to a one-time offline update. We evaluate category-targeted selectivity and capability retention on refusal and utility benchmarks.

💡 Research Summary

The paper introduces C‑Δθ (Circuit‑Restricted Weight Arithmetic), a method for embedding selective refusal behavior into large language models (LLMs) without any runtime interventions. Traditional safety mechanisms such as activation steering or its conditional variant (CAST) require per‑generation hooks that increase compute cost and system complexity. C‑Δθ shifts the control entirely offline by first discovering a sparse “refusal‑causal circuit” using Edge Attribution Patching with Integrated Gradients (EAP‑IG) and then applying a weight update that is constrained to the parameters belonging to that circuit.

The workflow consists of three stages. First, a contrastive dataset of paired harmful and benign prompts is built. For each pair, the authors define a refusal‑likelihood objective J(x;θ) based on KL‑divergences between template‑derived refusal and compliance token distributions and the model’s current output distribution. EAP‑IG integrates gradients along an interpolation from benign to harmful internal states, producing importance scores for each component (layer, token position, MLP‑2 channel). Aggregating scores across many pairs and selecting the top‑κ fraction per layer yields a binary circuit mask C, which is then translated into a parameter mask Π that marks exactly which weight slices will be edited (typically less than 5 % of total parameters).

Second, two auxiliary models are fine‑tuned on the same harmful prompts but with opposite targets: a “positive” model θ⁺ is trained to generate refusal‑style template continuations, while a “negative” model θ⁻ learns to generate compliance‑style continuations. Crucially, gradient updates are masked by Π, ensuring that only circuit‑associated weights change. After training, the circuit‑specific direction is extracted as Δθ_circuit = θ⁺ – θ⁻. The final edited checkpoint is obtained by adding a scaled version of this direction to the original model: θ′ = θ₀ + α·Δθ_circuit, where α controls the strength of the refusal signal.

The authors evaluate C‑Δθ on six open‑weight instruction‑tuned models (Llama‑3 variants and Gemma models) across five harm categories: crime, hate, health, legal, and sexual content. Compared against baseline activation steering (AS), conditional activation steering (CAST), and weight steering (WS), C‑Δθ consistently achieves high refusal rates on harmful prompts (70‑95 %) while keeping over‑refusal on benign prompts below 5 %. Utility benchmarks (MMLU, GSM8K) show negligible degradation (≤2 %). Importantly, the method requires editing only a tiny fraction of the model’s parameters, demonstrating that refusal behavior is localized to a compact computational subgraph.

Key insights include: (1) refusal behavior can be isolated to a sparse, causally necessary circuit; (2) restricting weight edits to this circuit dramatically reduces collateral interference with the model’s general capabilities; (3) the resulting checkpoint is deployment‑ready, requiring no additional inference‑time logic, thus offering a cost‑effective, auditable safety solution for large‑scale LLM services.

Limitations are acknowledged: the circuit discovery step depends on the availability of contrastive prompt pairs, and new domains may necessitate re‑discovery. Hyper‑parameters κ (circuit sparsity) and α (steering strength) are sensitive and currently tuned manually. Future work could explore automated hyper‑parameter search, broader domain generalization, and integration with continual learning pipelines.

In summary, C‑Δθ provides a principled, mechanistically grounded approach to embed selective refusal directly into model weights, moving safety control from a recurring runtime cost to a one‑time offline edit, while preserving model utility and offering clear auditability.