
Most AI safety research tries to stop dangerous outputs after the fact: classifiers that reject harmful prompts, refusal training that makes models say no, output filters that catch what slips through. All of these share the same fundamental flaw. The model still knows the dangerous thing. It just agrees not to tell you.
Anthropic and AE Studio published a paper this week that attacks the problem from the opposite direction. Gradient-Routed Auxiliary Modules, or GRAM, doesn't try to make models refuse. It makes them forget. Sort of.
The core idea is elegant. Instead of training one monolithic model on everything and then bolting on safety layers afterward, you split dangerous knowledge into separate modules during training itself. Each module sits alongside the main model weights, attached to every MLP layer. When a module is active, the model draws on that knowledge. When it's off, the knowledge simply isn't there. The model never learned it in the first place, at least not in a way it can access.
Here's how it works in practice. You start with a standard language model and a general training dataset. Then you add small auxiliary modules, one per sensitive domain: virology, cybersecurity, weapons chemistry, whatever you want to control. During training, when the model encounters biology text, it uses both its general weights and its biology-specific module to predict the next token. But here's the trick: when the model is learning from biology text, it updates the biology-specific weights much more aggressively than the general-purpose ones. Sometimes it freezes the general weights entirely during that update.
By adjusting how aggressively you isolate each domain, you control how cleanly the knowledge separates. The paper calls this a "Compute Ratio" metric. At high isolation, the model with the virology module off performs identically to a model that was never trained on virology data at all. At low isolation, you get a spectrum where the module is partially entangled with the main model.
The team tested GRAM on models at five different scales: 50 million, 250 million, 1 billion, 2.5 billion, and 5 billion parameters. Every single one isolated five categories of sensitive data cleanly. A single GRAM-trained model approximated the performance of five separate models, each trained with one category filtered out. That's the efficiency play: one training run, multiple "versions" of the model you can unlock or lock at will.
The implications are sharp. Right now, tiered access means giving someone a weaker model entirely. A biosecurity researcher who needs virology knowledge gets the full model. A journalist who doesn't needs a different, stripped-down version. GRAM could let you serve the same model to everyone but flip a switch on specific capabilities. The journalist gets Claude without the bioweapon module. The researcher gets the full thing. Same weights, different access.
But there are real catches. The paper itself admits the technique hasn't been tested at frontier scale. The biggest model tested was 5 billion parameters. Frontier models like Claude or GPT are hundreds of billions of parameters. Whether the clean separation holds at that scale is an open question. Some knowledge domains are deeply entangled with general capabilities. Can you really isolate cybersecurity knowledge without also weakening the model's ability to write secure code? The paper acknowledges this is possible.
There's also the adversarial question. If the modules are separate, can someone fine-tune the model to recover the off-module knowledge from the general weights? The paper compares GRAM against post-hoc unlearning methods and LoRA-based approaches, and GRAM wins on both retention and isolation. But adversarial fine-tuning by a well-resourced attacker is a different beast than the evaluation protocols used here.
What I find most interesting is the philosophical shift. Most AI safety work assumes the model's knowledge is indivisible. You train it on everything, then try to control what it says. GRAM treats knowledge as modular and removable. That's a different kind of architecture decision, one that could reshape how regulators think about model access. Instead of asking "should this model exist," you could ask "which capabilities should be active for this user."
The paper notes this is preliminary work. It hasn't been applied to production models. But the direction is clear: the future of AI safety might not be about what models can say, but about what they're allowed to know.
Sources
- Anthropic Alignment Research: original paper with architecture diagram and experimental results
- AE Studio GitHub: open-source code for GRAM implementation
- Futurum Group Analysis: enterprise and regulatory implications breakdown
- Concurrent NULLs Method: similar technique developed in parallel for comparison