Large language models are finetuned to refuse questions about hazardous knowledge, but these protections can often be bypassed. Unlearning methods aim at completely removing hazardous capabilities from models and make them inaccessible to adversaries. This work challenges the fundamental differences between unlearning and traditional safety post-training from an adversarial perspective. We demonstrate that existing jailbreak methods, previously reported as ineffective against unlearning, can be successful when applied carefully. Furthermore, we develop a variety of adaptive methods that recover most supposedly unlearned capabilities. For instance, we show that finetuning on 10 unrelated examples or removing specific directions in the activation space can recover most hazardous capabilities for models edited with RMU, a state-of-the-art unlearning method. Our findings challenge the robustness of current unlearning approaches and question their advantages over safety training.
View on arXiv@article{łucki2025_2409.18025,
title={ An Adversarial Perspective on Machine Unlearning for AI Safety },
author={ Jakub Łucki and Boyi Wei and Yangsibo Huang and Peter Henderson and Florian Tramèr and Javier Rando },
journal={arXiv preprint arXiv:2409.18025},
year={ 2025 }
}