Willing but Unable: Separating Refusal from Capability in Code LLMs via Abliteration

Researchers demonstrate 'abliteration,' a technique that removes safety guardrails from code-generating AI models to enable them to synthesize vulnerable code for security research. The method successfully bypasses refusal mechanisms while preserving code generation capability, revealing that safety alignment and technical ability are separable properties in large language models.

This research addresses a genuine challenge in AI security: training vulnerability detection systems requires labeled datasets of vulnerable code, but creating these at scale is difficult without introducing noise or relying on existing vulnerable code examples. The paper's contribution is methodologically important because it separates two distinct problems—a model's unwillingness to generate dangerous code versus its inability to do so—that are typically conflated in safety-aligned systems.

The abliteration technique works by identifying and removing the 'refusal direction' in a model's neural representations, effectively neutralizing safety training without retraining the entire model. The empirical findings are striking: while smaller models (3B parameters) rarely refuse injection prompts, larger models (14B) refuse 100% of requests, suggesting safety mechanisms strengthen with scale. However, even after removing refusal barriers, actual vulnerability injection rates remain capacity-dependent, proving that refusal removal alone doesn't grant capability—a crucial distinction.

For the AI safety community, this research has dual implications. Positively, it enables better vulnerability detection research through synthetic dataset generation, benefiting security practices. Negatively, it demonstrates that safety alignment in LLMs may be more brittle than assumed, relying partly on modifiable weight patterns rather than robust architectural constraints. This finding suggests current safety approaches may not survive determined adversarial efforts.

The work highlights that as code models become more capable, more sophisticated alignment techniques will be necessary. Organizations deploying code LLMs for sensitive applications should monitor this research area closely, as it indicates safety guarantees require continuous refinement rather than permanent solutions.

• →Abliteration removes refusal mechanisms from code LLMs without requiring full retraining, enabling synthetic vulnerable code generation for security research.
• →Safety refusal and code generation capability are separable properties—removing guardrails doesn't grant missing technical abilities.
• →Larger models show stronger refusal behavior (14B refuses 100% vs 3B rarely refuses), suggesting safety mechanisms scale with model size.
• →Post-abliteration injection rates remain capacity-constrained (25-48% on 3B, 88-97% on 14B), proving willingness and capability are distinct.
• →The technique raises concerns about the brittleness of current LLM safety alignment approaches relying on identifiable neural patterns.