The seventh surface — the one no B-module covers. Activation steering, weight poisoning, checkpoint manipulation, and the dual-use of interpretability tooling. The C3 FT17 / B13 bridge: the same technique read two ways.
Senior engineer+ · 50 min · Prereqs: B1, B5, B7, B9, SDD-B07, SDD-B11, SDD-B12
Six of the seven attack surfaces from B1 are covered by B2–B8. The seventh — the model itself, as an artifact with internal representations and weights — is the one no B-module covers, because the controls are not runtime. They are supply-chain, pre-deployment, and architectural.
Every runtime control assumes the model is a trusted base. This module examines what happens when that assumption fails.
C3 FT17 shows you how to steer model representations for alignment control. This module shows you why those same techniques are attack vectors when applied by an adversary. The model's internal representations are the new attack surface — and the supply chain that delivers the weights is the new perimeter.
The technique is morally neutral. The same forward hook that adds a "refuse harmful requests" direction can remove it. The same SAE that identifies an honesty feature identifies the refusal feature an adversary wants to suppress. You cannot defend a surface you do not understand.
Contrastive Activation Addition (Rimsky et al., ACL 2024). Three phases.
The technique is identical to C3 FT17. The sign of the scalar determines defense vs offense. B2's taint gate does not see it (the prompt is unmodified). B8 logs the output, not the activations. The defense is runtime integrity — verify the hooks are the deployer's hooks.
A backdoored network classifies cleanly on normal inputs and misclassifies on a trigger pattern (BadNets, 2017). The backdoor survives transfer learning and fine-tuning — it lives in the lower feature-extractor layers, which change slowly, while the new task is learned in the upper classifier layers.
The two safety properties — code-execution safety and weight-benignity — are independent. .safetensors provides the first; it cannot provide the second.
No single layer catches everything. Four layers, each catching a different attack class.
| Layer | Control | Catches | Artifact |
|---|---|---|---|
| 1 — Provenance | record who trained it, on what data, with what post-training | Class 4 (supply-chain trust) | AI BOM (B11.2) |
| 2 — Integrity | verify checkpoint hash over weight tensors (not just the file) | Class 3 (tampering in transit/at rest) | SDD-B07 SBOM |
| 3 — Pre-deployment eval | trigger-phrase probing + weight-distribution analysis + behavioral eval | Class 2 (weight poisoning) + Class 3 | eval harness |
| 4 — Runtime monitoring | B8 observability watches for backdoor-trigger patterns in production | Class 1 (activation steering) + Class 2 (triggered backdoors) | B8 intent tracker |
Without provenance, the other layers have nothing to verify against. The AI BOM entry for the model is the foundation of the stack.
Sparse Autoencoders (SAEs) and Neuronpedia are genuine progress for AI safety — and structural dual-use concerns.
Do not suppress the ecosystem (which would slow legitimate safety research). Incorporate it into the threat model: treat feature-level knowledge as sensitive, monitor for feature-level attacks, and use SAEs defensively.
A LoRA adapter is a low-rank weight modification — mathematically equivalent to a learned forward hook. An adversarial LoRA can implement any behavior a hook can, with the advantage that it looks like a normal fine-tuning artifact.
| Module | Connection |
|---|---|
| C3 FT17 | The builder's view of the same technique. B13 is the adversary's view. Read both for defense-in-depth at the representation layer. |
| SDD-B07 (Agent SBOM) | The model is a dependency. The SBOM must enumerate it with checkpoint hash, provenance, and trust status. |
| SDD-B12 (ATLAS) | The four attack classes map onto ATLAS Persistence (TA0006), Execution (TA0005), and Initial Access (TA0003). |
| B11 (Governance) | The AI BOM (B11.2) is the artifact that records model-layer provenance. Policy-as-code can encode trust-status rules. |
| Course 4 E11 | The organizational procurement process for model trust evaluation. B13 provides the technical foundations; E11 provides the process. |
| B9 (OWASP ASI08) | The supply-chain row. A trojanized model is a supply-chain compromise of the model layer. |
Steer, Poison, and Detect: A Representation-Level Attack in Three Acts. Implement CAA via a simulated forward hook. Demonstrate weight poisoning as a persistent backdoor. Build a hash-based checkpoint verifier. Python 3.10+, stdlib only, 45–60 min.
The model is the seventh surface. It has a supply chain, internal representations, and weights that can be tampered with. The defenses are not runtime — they are provenance, integrity, pre-deployment evaluation, and runtime monitoring. The C3 FT17 / B13 bridge is the curriculum's defense-in-depth for the representation layer: you cannot defend a surface you do not understand.