Palette: A Modular, Controllable, and Efficient Framework for On-demand Authorized Safety Alignment Relaxation in LLMs

Qitao Tan, Xiaoying Song, Arman Akbari, Arash Akbari, Yanzhi Wang, Xiaoming Zhai, Lingzi Hong, Zhen Xiang

May 22, 2026
arXiv:2605.24154v1PDF
cs.AI(primary)cs.SE
#899 of 2682 · Artificial Intelligence
Share
Tournament Score
1445±43
10501800
45%
Win Rate
10
Wins
12
Losses
22
Matches
Rating
6.5/ 10
Significance
Rigor
Novelty
Clarity

Abstract

Current safety alignment of foundation models largely follows a \emph{one-size-fits-all} paradigm, applying the same refusal policy across users and contexts. As a result, models may refuse requests that are unsafe for general users but legitimate for authorized professionals, limiting helpfulness in specialized professional settings. Existing approaches either require costly realignment or rely on inference-time steering that suffers from imprecise control and added latency. To this end, we propose \textsc{Palette}, a modular, controllable, and efficient framework that selectively relaxes refusal behavior on authorized target domains while preserving standard safety elsewhere. Our method identifies a refusal direction via multi-objective search and internalizes it into the model through lightweight adaptation. \textsc{Palette} further supports modular composition: it learns domain-specific safety controls independently and composes them through parameter merging, enabling on-demand multi-domain authorization without retraining. Experiments across four safety benchmarks, multiple model variants, and both LLMs and VLMs show that \textsc{Palette} delivers precise safety control without sacrificing general utility, offering a practical path toward foundation models that adapt to diverse professional needs.

AI Impact Assessments

(1 models)

Scientific Impact Assessment: PALETTE

1. Core Contribution

PALETTE addresses a genuine and increasingly relevant problem: the rigidity of one-size-fits-all safety alignment in LLMs, which causes over-refusal for legitimate professional use cases. The core novelty lies in a three-stage pipeline: (1) multi-objective search over refusal directions that balances domain-specific compliance against safety preservation, (2) internalization of the identified direction into model weights via lightweight single-block LoRA adaptation, and (3) compositional multi-domain control through parameter merging of independently trained domain-specific adapters.

The key conceptual insight is that by training each domain adapter to reconstruct vanilla activations on non-target domains (the "neutrality constraint"), the resulting LoRA updates are approximately orthogonal across domains, enabling simple additive composition. This transforms an exponentially scaling problem (all possible authorization profiles) into a linear one (one adapter per domain).

2. Methodological Rigor

The methodology is generally sound but has some notable gaps:

Strengths in methodology:

  • The multi-objective formulation (Equations 3-5) for direction selection is principled, moving beyond manual threshold tuning used in prior work like Arditi et al. The Pareto frontier exploration provides a systematic trade-off between control and utility.
  • The dual-objective training (Equation 6) with label-conditioned targets is clean and well-motivated.
  • Hard negative mining addresses a real problem — semantic overlap between allowed and disallowed domains causing safety leakage.

    • Concerns:

  • The theoretical justification for adapter merging (Appendix C) relies on the assumption that ∆W_i x^(j) ≈ 0 for non-target domains, which is an approximation. The paper doesn't quantify how well this holds empirically or bound the approximation error.
  • The bypass score metric (Equation 3) uses only the first-token logits over refusal indicator tokens, which is a coarse proxy for actual model behavior. Multi-turn or nuanced refusal patterns may be missed.
  • The evaluation relies heavily on keyword-based refusal detection, which is known to have false positives/negatives.
  • The paper uses only 20% of data for training and 80% for testing, which is admirable for showing data efficiency, but the total dataset sizes (e.g., GenHarm with 1,186 samples) are relatively small.

    • 3. Potential Impact

    Practical deployment value: The framework's efficiency (single RTX 4090, minutes of training, 2.1-4.1 GB memory for adaptation) makes it genuinely practical. The modular design where providers train domain adapters once and compose on-demand is architecturally appealing for real-world model serving.

    Breadth of evaluation: The paper evaluates across four benchmarks (GenHarm, WMDP, CoSApien, MM-SafetyBench), four LLM families (LLaMA2, LLaMA3.1, Qwen2.5-7B/14B), and one VLM (Qwen2.5-VL-7B). This breadth strengthens the generalizability claim.

    Adjacent fields: The modular safety adapter paradigm could influence how model providers think about alignment governance — treating safety as a composable, auditable layer rather than a monolithic training artifact. This connects to emerging work on model governance and access control.

    Limitations on impact: The framework assumes clean domain taxonomies and binary allowed/disallowed classifications. Real professional contexts often involve nuanced, context-dependent safety boundaries that don't decompose cleanly into predefined domains. The paper's ethical discussion acknowledges this but doesn't resolve it.

    4. Timeliness & Relevance

    The paper addresses a timely bottleneck. As LLMs are deployed in healthcare, cybersecurity, legal, and scientific domains, the tension between universal safety and professional utility is increasingly acute. The problem formulation — personalized safety as a partition of the instruction space — is well-defined and practically motivated. The connection to WMDP (biosecurity, chemical security) is particularly relevant given ongoing policy debates about dual-use AI capabilities.

    The work also responds to known limitations of activation steering (CAST) and retraining-based approaches, positioning itself in a useful middle ground.

    5. Strengths & Limitations

    Key strengths:

  • Modularity and compositionality are the standout features. The ability to merge domain adapters without retraining is both theoretically motivated and empirically validated through t-SNE visualizations that convincingly show selective representation shifts.
  • Comprehensive ablations (α sensitivity, iterative refinement, data ratio sensitivity, OOD robustness, component ablation) provide substantial evidence for design choices.
  • Efficiency makes the approach practical rather than merely academic.
  • The visualization analysis (Figure 7, Appendix G) showing layer-wise evolution of representations adds mechanistic interpretability.

    • Notable weaknesses:

  • GenHarm benchmark is self-curated and not independently validated. While drawing from established sources, the synthesis process and quality assurance are not deeply described.
  • Limited baselines: Only three baselines (SFT, AutoDAN, CAST) are compared. Missing comparisons with recent controllable alignment methods (e.g., CPO, AlphaSteer) weaken the positioning.
  • Safety leakage on semantically similar domains (acknowledged in Figure 8) is a significant practical concern. The hard negative mining helps but doesn't fully resolve it.
  • Authorization is assumed, not addressed. The paper repeatedly acknowledges this but the entire framework's value proposition depends on robust authorization, which remains unsolved.
  • VLM results (Table I.1) show notably weaker controllability, with non-target domain refusal rates dropping substantially (e.g., PH drops to 0.620 when allowing IA). This suggests the approach may not transfer cleanly to multimodal settings.
  • The paper doesn't evaluate against adversarial attacks — can a user with a "Hate" adapter extract harmful content from semantically adjacent domains through carefully crafted prompts?

    • Additional Observations

    The paper is well-written and clearly structured, though at 34 pages it is quite long. The problem formulation in Section 2.2 provides a clean mathematical framework. The case studies (Appendix J) effectively illustrate the behavioral differences. However, the reliance on refusal-direction-based steering inherits the assumption that refusal is mediated by a low-dimensional direction, which may not hold for all models or safety behaviors.

    Rating:6.5/ 10
    Significance 7Rigor 6.5Novelty 6.5Clarity 7.5

    Generated May 26, 2026

    Comparison History (22)

    vs. Which Changes Matter? Towards Trustworthy Legal AI via Relevance-Sensitive Evaluation and Solver-Grounded Reasoning
    gpt-5.25/27/2026

    Paper 2 has higher likely scientific impact due to a clearer, broadly reusable problem formulation (calibrated sensitivity to relevant vs irrelevant perturbations), a unified evaluation suite that can become a community benchmark, and a solver-grounded mitigation method (LexGuard) that strengthens methodological rigor and trustworthiness. Its approach bridges NLP, legal informatics, robustness/fairness evaluation, and neuro-symbolic reasoning, increasing cross-field impact and timeliness amid rising regulatory focus on reliable legal AI. Paper 1 is practical for controlled safety relaxation, but is more application-specific and potentially constrained by deployment/policy considerations.

    vs. Beyond a Single Direction: Chain-of-Thought Disrupts Simple Steering of Refusal
    gemini-3.15/27/2026

    Paper 2 investigates the safety and refusal mechanisms of emerging Large Reasoning Models (LRMs), revealing that Chain-of-Thought acts as an independent, dynamic state reinforcing refusal. This provides novel, fundamental insights into the mechanistic interpretability of a rapidly growing class of models, offering broader implications for AI safety, adversarial attacks, and alignment than the applied, framework-based approach of Paper 1.

    vs. Retrying vs Resampling in AI Control
    claude-opus-4.65/27/2026

    Palette addresses a fundamental and broadly relevant challenge in LLM safety alignment—moving beyond one-size-fits-all policies to context-dependent safety controls. Its modular, composable framework for domain-specific safety relaxation has wide applicability across professional domains and model types (LLMs and VLMs). Paper 1, while rigorous, focuses on a narrower technical question (retrying vs resampling in AI control) within a specific evaluation setting, and some findings are setting-dependent. Palette's practical framework for adaptive safety alignment has broader impact potential across the AI safety and deployment ecosystem.

    vs. UnityMAS-O: A General RL Optimization Framework for LLM-Based Multi-Agent Systems
    gemini-3.15/27/2026

    Paper 2 presents a foundational framework for optimizing LLM-based multi-agent systems using reinforcement learning, addressing a critical bottleneck in agentic AI. By enabling the training of entire multi-agent workflows rather than single policies, it offers broader methodological impact and diverse applications across reasoning, coding, and search tasks. Paper 1 addresses an important but more specific problem of safety alignment relaxation.

    vs. How do Humans Process AI-generated Hallucination Contents: a Neuroimaging Study
    gemini-3.15/26/2026

    Paper 1 addresses a critical bottleneck in LLM deployment—inflexible safety alignment—with a scalable, modular framework. Its approach offers immediate, broad real-world applicability for adapting foundation models to specialized domains without costly retraining. In contrast, Paper 2, while offering interesting cross-disciplinary neurocognitive insights, relies on a small sample size (27 participants) and has more niche implications, lacking the direct practical utility and broad impact that Paper 1 provides to the rapidly advancing AI field.

    vs. A governance horizon for ethical-use constraints in open-weight AI models
    gemini-3.15/26/2026

    Paper 2 conducts a massive empirical audit of over 2 million models, establishing a fundamental 'governance horizon' that highlights critical failures in current open-weight AI policy. Its insights profoundly impact the broader fields of AI governance, policy-making, and open-source ecosystems. While Paper 1 offers a valuable technical solution for LLM safety alignment, Paper 2 addresses a structural bottleneck in AI accountability with sweeping implications for how open models are regulated globally.

    vs. RewardHarness: Self-Evolving Agentic Post-Training
    gemini-3.15/26/2026

    Paper 1 introduces a highly novel paradigm of context evolution rather than weight optimization, demonstrating extreme data efficiency (using only 0.05% of training data) in reward modeling. This agentic self-evolving approach has broader methodological implications for alignment and post-training across various domains. While Paper 2 addresses a timely practical issue in safety alignment, Paper 1's fundamental shift in learning methodology presents a higher potential for widespread scientific impact and innovation.

    vs. Weblica: Scalable and Reproducible Training Environments for Visual Web Agents
    gemini-3.15/26/2026

    Weblica addresses a critical bottleneck in developing visual web agents—the lack of scalable, reproducible training environments. By enabling large-scale RL training through HTTP-level caching and environment synthesis, it provides foundational infrastructure that can significantly accelerate research in autonomous web agents, leading to broader methodological impact compared to the niche (though practical) safety relaxation approach in Paper 1.

    vs. When Context Hurts: The Crossover Effect of Knowledge Transfer on Multi-Agent Design Exploration
    gemini-3.15/26/2026

    Paper 1 tackles a critical bottleneck in foundation model deployment (rigid safety alignment) with a novel, modular framework applicable to LLMs and VLMs. Its ability to provide on-demand, domain-specific safety relaxation without retraining offers immense real-world utility for enterprise applications. While Paper 2 presents valuable empirical insights challenging prompt engineering assumptions, Paper 1's scalable solution to safety and customizability addresses a more pressing, fundamental challenge in AI adoption with broader systemic and commercial impact.

    vs. Learning Quantifiable Visual Explanations Without Ground-Truth
    claude-opus-4.65/26/2026

    Paper 1 addresses a timely and high-impact problem in LLM safety alignment, proposing a modular framework for context-dependent safety control. Given the massive deployment of LLMs and the urgent need for flexible safety mechanisms in professional settings, this work has broader immediate applicability and relevance. Its modular composition approach enabling on-demand multi-domain authorization is novel and practical. Paper 2 contributes meaningfully to XAI evaluation metrics but addresses a more established problem space with comparatively narrower impact scope.

    vs. Learning to Search and Searching to Learn for Generalization in Planning
    gemini-3.15/26/2026

    Paper 1 tackles a fundamental and persistent challenge in Deep Reinforcement Learning (combinatorial generalization) with a novel self-improving search and learning framework. Its demonstration of extreme zero-shot generalization in complex domains suggests highly impactful methodological advancements for RL and planning. While Paper 2 addresses a timely practical issue in LLM deployment, Paper 1 offers deeper algorithmic contributions with broader potential to advance the foundational capabilities of autonomous AI systems.

    vs. Safety-Oriented Routing Analysis of Mixtral MoE Under Benign and Harmful Prompts
    gemini-3.15/26/2026

    Paper 2 presents a novel, modular framework addressing a critical real-world problem in LLM deployment: inflexible safety alignments. Its ability to selectively relax safety constraints for authorized domains without retraining offers broad applicability across fields and modalities (LLMs and VLMs). In contrast, Paper 1 offers valuable but narrower empirical insights into the routing behavior of a specific model architecture (Mixtral MoE), making Paper 2 more impactful in terms of methodological innovation and practical utility.

    vs. Inverting the Shield: Systematically Generating Safety Tests from Policy Specifications
    gpt-5.25/26/2026

    Paper 2 (POLARIS) likely has higher scientific impact because it introduces a more broadly applicable, formally grounded methodology: compiling natural-language policies into logic, building a semantic graph, and enabling systematic, coverage-driven safety testing with traceability. This bridges formal methods and AI safety, offering reusable tooling for evaluation across models, domains, and evolving policies—high timeliness and cross-field relevance. Paper 1 is practically valuable for controlled safety relaxation, but its impact is narrower (deployment/authorization settings) and more tightly coupled to specific model adaptation techniques.

    vs. Inference Time Context Sparsity: Illusion or Opportunity?
    gemini-3.15/26/2026

    Paper 2 addresses a fundamental compute and memory bottleneck in LLMs (long-context attention). By demonstrating that extreme context sparsity is highly effective and yields up to 10x acceleration on current hardware without retraining, it offers massive implications for LLM inference, training, and architectural design. Paper 1 offers a valuable but more niche solution for adaptable safety alignment, which has narrower applicability compared to the universal efficiency gains proposed in Paper 2.

    vs. Behind EvoMap: Characterizing a Self-Evolving Agent-to-Agent Collaboration Network
    claude-opus-4.65/26/2026

    Paper 2 (Palette) addresses a fundamental and timely challenge in LLM safety alignment with a novel, technically rigorous framework offering modular, composable safety control. It has broad applicability across professional domains, supports both LLMs and VLMs, and provides a practical solution to the rigid one-size-fits-all safety paradigm. Paper 1, while offering valuable empirical insights into A2A networks, is primarily descriptive and focused on a single platform's design flaws. Palette's methodological contribution—multi-objective refusal direction search with lightweight adaptation and parameter merging—is more likely to influence future research and real-world deployment of foundation models.

    vs. ProActor: Timing-Aware Reinforcement Learning for Proactive Task Scheduling Agents
    gpt-5.25/26/2026

    Paper 2 (Palette) likely has higher impact due to a more broadly relevant and timely problem—fine-grained, authorized safety-policy relaxation for foundation models—touching safety, governance, and deployment across many domains. Its modular, composable control mechanism (direction finding + lightweight adaptation + parameter merging) appears novel and widely reusable across LLMs/VLMs, with clear real-world applicability for regulated professional use. Paper 1 is valuable but more niche (proactive scheduling/timing RL) and depends on specific datasets/infrastructure, making breadth and immediate adoption comparatively narrower.

    vs. SpecAlign: A Semantic Alignment Framework for SystemVerilog Assertion Generation
    claude-opus-4.65/26/2026

    Palette addresses a fundamental and broadly relevant challenge in LLM safety alignment—moving beyond one-size-fits-all refusal policies toward context-dependent, modular safety control. This has wide applicability across the entire LLM ecosystem (both LLMs and VLMs), touches on critical issues of AI governance and professional deployment, and offers a practical, scalable solution via parameter merging without retraining. SpecAlign, while valuable, targets the narrower domain of hardware verification (SVA generation). Palette's breadth of impact, timeliness given rapid LLM deployment, and methodological innovation in modular safety composition give it higher potential impact.

    vs. From Raw Experience to Skill Consumption: A Systematic Study of Model-Generated Agent Skills
    claude-opus-4.65/26/2026

    Paper 1 addresses a fundamental and broadly applicable problem in the rapidly growing field of language agents—understanding the full lifecycle of model-generated skills. Its comprehensive evaluation framework spanning five domains, systematic analysis of when and why skills succeed or fail, and actionable meta-skill contribution provide substantial methodological and empirical contributions. The findings about negative transfer and the independence of skill utility from model scale are novel insights with broad implications. Paper 2, while practically useful, addresses a narrower problem (selective safety relaxation) with a more incremental technical contribution (modular parameter merging for safety control), limiting its breadth of impact.

    vs. Automated Detection and Classification of Delusion-related Content in Naturalistic Audio Diaries Using Multi-Agent Language Models
    gemini-3.15/26/2026

    Paper 2 addresses a fundamental limitation in foundational model alignment. Its modular framework for on-demand safety relaxation has widespread applications across numerous specialized domains requiring varied safety guardrails. While Paper 1 presents a valuable, specific application in mental health, Paper 2 offers a core methodological advancement in AI safety with much broader cross-disciplinary impact and higher relevance to current AI deployment challenges.

    vs. Neuro-Inspired Inverse Learning for Planning and Control
    claude-opus-4.65/26/2026

    Paper 1 introduces a novel neuro-inspired learning paradigm (Inverse Learning) that is formally distinguished from existing paradigms (RL, supervised, imitation learning), demonstrates broad applicability across robotics planning and quantum control, and achieves strong empirical results with 1-2 orders of magnitude less compute. Its theoretical contributions (formalizing IL, hierarchical Inverter stacks) and cross-domain impact (embodied AI, quantum computing) suggest broader and deeper scientific influence. Paper 2 addresses an important but more incremental problem in LLM safety alignment with a practical engineering contribution but narrower conceptual novelty.