The seventh surface — the one no B-module covers. Activation steering, weight poisoning, checkpoint manipulation, and the dual-use of interpretability tooling. The C3 FT17 bridge: the same technique read two ways.
C3 FT17 shows you how to steer model representations for alignment control. This module shows you why those same techniques are attack vectors when applied by an adversary. The model's internal representations are the new attack surface — and the supply chain that delivers the weights is the new perimeter.
Six of the seven attack surfaces from B1 are covered by B2–B8. The seventh — the model itself, as an artifact with internal representations and weights — is the one no B-module covers, because the controls are not runtime. The taint gate does not inspect weights. The sandbox does not inspect weights. The observability layer logs behavior, not activations. Every runtime control assumes the model is a trusted base. This module examines what happens when that assumption fails.
The model is the seventh surface, and it is the single most significant gap in Course 2B. Every runtime control B2–B8 builds assumes the model is a trusted base. The model-layer controls are not runtime — they are supply-chain (provenance, integrity), pre-deployment (evaluation), and runtime monitoring.
The same forward hook that adds a refusal direction (alignment, defense) can subtract it (abliteration, offense). The technique is identical; the sign of the scalar is the only difference. You cannot defend a surface you do not understand.
.safetensors prevents code execution on load. It does NOT prevent weight-level backdoors. The two safety properties — code-execution safety and weight-benignity — are independent. A .safetensors file with a BadNets-style trojan is safe to load and dangerous to use.
The SAE that identifies the refusal feature also tells an adversary which direction to subtract to suppress it. The tool does not distinguish between a researcher and an adversary. The defensive posture is not to suppress the ecosystem but to incorporate it into the threat model.
All four bypass B2–B8 — none inspect the model layer.
No single layer catches everything. Four layers, each catching a different attack class. Layer 1 is the foundation — without provenance, the other layers have nothing to verify against.