Rethinking Safety in LLM Fine-tuning: An Optimization Perspective

5. Why not consider like clipping the gradient in each step like in DP-SGD(https://arxiv.org/abs/1607.00133) to avoid going too far away and losing safety knowledge?

• Thank you for the suggestion. Gradient clipping indeed helps stabilize optimization and preserve safety knowledge—consistent with our findings. While DP-SGD is not supported in our FSDP setup, we apply global gradient clipping following [7], which is compatible with FSDP. As shown in the updated table, this also reduces safety degradation, reinforcing our view that stability during fine-tuning is key to maintaining alignment. |Model|Param|Method|AdvBench[1]↓|SafetyInstruct[2]↓|RealToxicityPrompt[3]↓|WildJailbreak[4]↓|Benign prompts[4]↑|TruthfulQA[5]↑| | ----- | ----- | ---------- | ------------- | ------------------- | ----------------------- | ------------------ | ------------------- | --------------- | | llama | 7B | FT | 15.96 | 8.6 | 5.66 | 57.5 | 80.48 | 32.58 | | llama | 7B | Best tuned | 4.62 | 5.0 | 6.37 | 48.85 | 74.76 | 37.22 | | llama | 7B | Gradient clip | 9.62 | 4.2 | 6.32 | 50 | 73.33 | 37.26 | | llama | 7B | Gradient clip+Hyper parameter tuned | 5.96 | 6.8 | 5.19 | 52.1 | 73.81 | 38.37 | | llama | 7B | A-GEM | 0.58 | 5.2 | 7.55 | 43.9 | 67.62 | 34.41 | | llama | 7B | EMA | 2.5 | 3.9 | 3.07 | 37.25 | 80 | 49.35 |

6. Provide details of harmful behavior dataset used to compute ASR.

• We use the same evaluation dataset as Qi et al. (2024) [8], specifically the AdvBench behavior dataset, which contains 520 harmful prompts. This allows for a direct comparison of ASR under similar settings.

7. Why don't the authors compare with jailbreak attacks to evaluate safety knowledge? I think anti-jailbreak is more challenging and showing these numbers maybe more meaningful.

• Thank you for the suggestion. We agree that jailbreak attacks provide a more challenging test of safety alignment. We have evaluated our method on the WildJailbreak dataset [4] usingLLM Judge [6], and as shown in the updated table, our approach remains effective in resisting jailbreak prompts, further validating its robustness.

[1] Zou et al., Universal and Transferable Adversarial Attacks on Aligned Language Models, arXiv:2307.15043, 2023
[2] Wang et al., Data Advisor: Dynamic Data Curation for Safety Alignment of Large Language Models, EMNLP 2024
[3] Gehman et al., RealToxicityPrompts: Evaluating Neural Toxic Degeneration in Language Models, Findings of ACL: EMNLP 2020
[4] Shen et al., WildTeaming at Scale: From In-the-Wild Jailbreaks to (Adversarially) Safer Language Models, NeurIPS, 2024
[5] Lin et al., TruthfulQA: Measuring How Models Mimic Human Falsehoods, ACL 2022
[6] gpt-4o_2024-11-20
[7] Pascanu et al., On the difficulty of training recurrent neural networks. ICML, 2013
[8] Qi, Xiangyu, et al., Fine-tuning aligned language models compromises safety, even when users do not intend to!, ICLR 2024

Thank you for the valuable comment. Our responses, along with additional experiments, are provided in the following paragraphs.

1. The authors seems to lack ablation on only using EMA but not tuning the other hyperparameters to the best.

• We intentionally used the same hyperparameters across models—varying only EMA—to ensure fair comparisons and isolate its effect on safety and utility. As the reviewer noted, further tuning of other hyperparameters in the EMA setup does lead to even better performance, which we will clarify in the revised version.

• AdvBench, SafetyInstruct, and RealToxicityPrompts evaluate safety risks.
• WildJailbreak tests jailbreak vulnerabilities.
• WildJailbreak benign prompts assess utility on complex, harmless inputs.
• TruthfulQA measures utility related to factual accuracy.

2. It also should be discussed or compared about the cost of best-tuned. Is it still fair to compare best-tuned and FT under different computation costs? Should this be stated as a tradeoff? If under the same cost, can FT and CL achieve the same performance or reduce the gap by grid-searching good hyperparameters?

• Thank you for raising this important point. We agree that comparing best-tuned models requires consideration of computational cost. Grid search for FT can be expensive, and CL further increases cost due to the need for additional datasets and memory for safety dataset and reference parameters. In contrast, EMA offers a lightweight alternative with minimal overhead and strong performance under fixed settings. We will clarify this trade-off in the revision and emphasize the practicality of EMA as a low-cost yet effective solution.

3. The paper's conclusion is that safety knowledge is more sensitive to optimization, and implies that should minimize the move on the aligned parameters to preserve safety knowledge. Why do not the authors consider building their method on top of PEFT methods like LoRA which can easily control the norm of this move and still can learn knowledge from finetune dataset?

• Thank you for the insightful comment. Initially, we focused on full-parameter fine-tuning and did not consider PEFT methods, as they are often used for training efficiency. However, we later conducted experiments with LoRA and observed that it also helps reduce safety risks—consistent with our core finding that smaller parameter shifts better preserve alignment. We will include this discussion and experimental results in the revised paper.

4. In table 2/4, why don't the authors compare with highly related methods LoRA?

• Thank you for pointing this out. We now include LoRA as a baseline in the updated table for direct comparison. The results show that while LoRA also helps reduce safety degradation, our EMA-based method achieves a better balance between safety and utility, reinforcing the effectiveness of our approach.

Dear Reviewer,

Thank you again for your thoughtful feedback. We have conducted additional experiments that address all of your initial concerns and believe they have strengthened our results.

We greatly appreciate the valuable insights your review provided. If you have a moment, we would be grateful for the opportunity to discuss any remaining questions or clarifications.

Thank you for your time and consideration.

Best,
Authors

4. The EMA hyperparameter tuning (e.g., η=0.25) is chosen empirically, but justification is thin.

• It is true that we selected the EMA hyperparameter via empirical search. While we did not perform theoretical analysis, we believe empirical tuning is a valid and widely used method for hyperparameter selection, especially when aiming for practical effectiveness. Our results consistently show that moderate EMA values (e.g., 0.2–0.3) yield strong performance across models and benchmarks.

5. Some sentences are grammatically awkward or contain minor typos (e.g., “the divergent can be mitigate…”). A thorough copy-editing pass is recommended.

• Thank you for pointing this out. We will carefully revise the manuscript to correct grammatical issues and typos, and ensure the writing is clear and polished throughout.

Thank you for the valuable comment. Our responses, along with additional experiments, are provided in the following paragraphs.

1. The evaluation benchmarks (MT-Bench, safety prompts) focus mostly on instruction following. Additional benchmarks involving multi-turn dialogue, factuality, or reasoning could demonstrate broader generalizability. Include datasets like TruthfulQA, HELM, or RealToxicityPrompts for broader safety and utility assessment.

• Thank you for the suggestion. We have extended our evaluation to include advbench[1], safety instruction dataset [2], RealToxicityPrompts [3] (Randomly sampled 1000 examples), and WildJailbreak [4], and TruthfulQA [5] using keyword matching on [1,2] and LLM Judge[6] on [3,4,5]. These additional benchmarks cover factuality, toxicity, and robustness under adversarial prompts, supporting the broader applicability of our findings.

• AdvBench, SafetyInstruct, and RealToxicityPrompts evaluate safety risks.
• WildJailbreak tests jailbreak vulnerabilities.
• WildJailbreak benign prompts assess utility on complex, harmless inputs.
• TruthfulQA measures utility related to factual accuracy.

2. The paper focuses exclusively on Llama-based models. It is unclear whether the findings extend to other architectures like Mistral, Qwen

• Thank you for the comment. We have extended our experiments to Qwen 2.5 1.5B Instruct, Qwen 2.5 3B Instruct and Phi3 3B 4K Instruct models. As shown in the updated table, these models exhibit the same trend: optimization plays a key role in preserving safety, and EMA consistently helps retain original knowledge. This supports the generality of our findings beyond LLaMA-based models.

[1] Zou et al., Universal and Transferable Adversarial Attacks on Aligned Language Models, arXiv:2307.15043, 2023
[2] Wang et al., Data Advisor: Dynamic Data Curation for Safety Alignment of Large Language Models, EMNLP 2024
[3] Gehman et al., RealToxicityPrompts: Evaluating Neural Toxic Degeneration in Language Models, Findings of ACL: EMNLP 2020
[4] Shen et al., WildTeaming at Scale: From In-the-Wild Jailbreaks to (Adversarially) Safer Language Models, NeurIPS, 2024
[5] Lin et al., TruthfulQA: Measuring How Models Mimic Human Falsehoods, ACL 2022
[6] gpt-4o_2024-11-20

3. The paper lacks qualitative comparisons between unsafe vs. safe outputs across different optimization settings. Provide a few illustrative prompt-response pairs where FT fails and EMA succeeds, highlighting behavioral differences.

• Thank you for the helpful suggestion. We agree that qualitative examples can better illustrate behavioral differences. We will include representative prompt-response pairs in the revised paper, highlighting cases where standard fine-tuning fails (e.g., unsafe completions) while EMA successfully preserves safe behavior.

Dear Authors,

I am very happy that you took into consideration all my suggestions. I would recommend including all of them in the final submission. I am also increasing my score in this light.

Best, Reviewer cGdT

Thank you for the valuable comment. Our responses, along with additional experiments, are provided in the following paragraphs.

1. The template differs from the official one in terms of the font used.

• We apologize for mistakenly including the times package in the initial submission, which resulted in the use of the wrong font. Other than the font, we followed the official template for spacing and layout. We have reverted to the correct font, and the paper remains within the page limit. We appreciate your understanding of this oversight.

2. As a paper to offer practical insights, it would be much more appreciated if it can validate findings on models beyond the Llama family.

• Thank you for the suggestion. Following your and other reviewers' feedback, we conducted additional experiments on Qwen2.5-1.5B, Qwen2.5-3B, and Phi-3-3B. As shown in the updated table, these models exhibit the same trend: simple fine-tuning increases ASR, improved optimization reduces safety risks, and our EMA approach further stabilizes safety while preserving utility. We have extended our evaluation to include advbench[1], safety instruction dataset [2], RealToxicityPrompts [3] (Randomly sampled 1000 examples), and WildJailbreak [4], and TruthfulQA [5], using keyword matching on [1,2] and LLM Judge [6] on [3,4,5].

• AdvBench, SafetyInstruct, and RealToxicityPrompts evaluate safety risks.
• WildJailbreak tests jailbreak vulnerabilities.
• WildJailbreak benign prompts assess utility on complex, harmless inputs.
• TruthfulQA measures utility related to factual accuracy.

​​3. It is already somewhat known that a small learning rate and a large batch size (which is also practically similar to more gradient accumulation steps) mitigate the fine-tuning safety degradation (e.g., Qi et al., 2024)

• We agree that Qi et al. (2024) [7] suggest small learning rates and large batch sizes can reduce safety degradation. However, their work does not report utility scores, making it difficult to interpret the issue as an optimization across all tasks. Our results show that this is not solely a safety-specific issue but part of a broader optimization dynamic that affects both utility and safety, with safety degradation appearing more severe (Line 38-41).

4. EMA in fine-tuning has been shown to be useful to preserve prior knowledge, as acknowledged by the authors. While this paper focuses on a different topic, i.e., safety, this limits the novelty.

• We agree that EMA is not a novel technique and have cited prior work on its use in preserving prior knowledge during fine-tuning (Line 50-52). Our contribution lies in highlighting overlooked safety risks from an optimization perspective and demonstrating that these risks—though seemingly severe—can be effectively mitigated with a simple EMA strategy (Line 52-54). This offers a practical and impactful step toward safer fine-tuning, which we believe is a valuable contribution to the AI safety community.

[1] Zou et al., Universal and Transferable Adversarial Attacks on Aligned Language Models, arXiv:2307.15043, 2023
[2] Wang et al., Data Advisor: Dynamic Data Curation for Safety Alignment of Large Language Models, EMNLP 2024
[3] Gehman et al., RealToxicityPrompts: Evaluating Neural Toxic Degeneration in Language Models, Findings of ACL: EMNLP 2020
[4] Shen et al., WildTeaming at Scale: From In-the-Wild Jailbreaks to (Adversarially) Safer Language Models, NeurIPS, 2024
[5] Lin et al., TruthfulQA: Measuring How Models Mimic Human Falsehoods, ACL 2022
[6] gpt-4o_2024-11-20
[7] Qi, Xiangyu, et al., Fine-tuning aligned language models compromises safety, even when users do not intend to!, ICLR 2024