Erased but Not Forgotten: How Backdoors Compromise Concept Erasure

Researchers have discovered a critical vulnerability called Erasure Evasion Backdoor (EEB) that allows adversaries to bypass concept erasure methods in text-to-image diffusion models by binding malicious triggers to concepts marked for removal. The backdoor survives the erasure process across six state-of-the-art methods, achieving up to 94% success rates in exposing harmful content, revealing fundamental weaknesses in current AI safety approaches.

The discovery of Erasure Evasion Backdoor exposes a fundamental gap between perceived and actual safety in machine learning systems. As AI developers increasingly deploy concept erasure techniques to prevent harmful outputs from diffusion models—such as deepfakes of celebrities or explicit imagery—this research demonstrates these safeguards provide false reassurance. An adversary can exploit the erasure process itself by embedding a backdoor trigger alongside the target concept; when developers attempt removal, the malicious link persists while surface-level connections disappear.

This vulnerability emerges from the architecture of diffusion models and how fine-tuning operates. Current erasure methods focus on identifying and neutralizing explicit concept representations, but they overlook subtle pathways through which information persists. The research shows both sophisticated white-box attacks (requiring model access) and simpler black-box approaches prove effective, making the threat broadly exploitable.

For the AI safety industry, this finding is particularly significant because it affects six supposedly robust erasure methods, including those designed specifically to detect alternative representations. Success rates ranging from 82% for celebrity identity removal to 94% for object erasure indicate this isn't an edge case but a systematic problem. The 16-fold amplification of explicit content exposure suggests attackers could weaponize this for substantial harm.

Developers must fundamentally rethink concept erasure architecture rather than applying incremental patches. The research serves dual purposes: exposing current vulnerabilities while providing diagnostic tools for testing future methods. This likely accelerates investment in more robust safety mechanisms and raises questions about deploying current models in regulated contexts.

• →Erasure Evasion Backdoor allows adversaries to bind malicious triggers to concepts slated for removal, bypassing current safety methods
• →The vulnerability affects six state-of-the-art erasure techniques, achieving success rates up to 94% in exposing harmful content
• →Both black-box and white-box adversaries can instantiate EEB attacks, indicating the threat is broadly exploitable
• →Current concept erasure methods provide false security by hiding rather than truly eliminating harmful concept linkages
• →This vulnerability exposes systematic weaknesses requiring fundamental architectural changes rather than incremental safety improvements