45 minutes · Pillar 5 — Alignment Control · the first module of the uncensored pillar
Pillar 5 — Alignment Control
A refusal-trained model is a tool with a faulty trip threshold. It fires on authorized work as often as on abuse — because the trip mechanism is lexical pattern-matching against sensitive keywords, not authorization checking.
AUTHORIZED
Legal & organizational standing to do the task — signed SOW, license, clearance. A property of context (harness, deployment, audit trail), NOT of the prompt. The model cannot verify it.
ACCOUNTABLE
Answerable for the output — a name on the action, an audit log, a chain of command. Cannot be delegated to the model. A model that refuses has shirked the task.
Each framed by its operational cost of over-refusal, not its novelty. Ordered highest-stakes engineering case → lowest. Common qualifier: the operator is authorized and accountable.
| # | Use case | Operator | Cost of over-refusal |
|---|---|---|---|
| 1 | Security / red-team | Pentester w/ signed SOW | Refuses exploit code → Red Team AI Benchmark & TrustedSec exist because of this |
| 2 | Tool-use agents | Agent loop, harness-scoped | Refuses DROP TABLE call → agent STALLS mid-loop (cleanest technical argument → FT23) |
| 3 | Medical / legal advisory | Licensed clinician / attorney | Refuses off-label / fatal prognosis → clinically useless. Compliance = harness, not weights |
| 4 | Government / military | Cleared operator + chain of command | Refuses or editorializes → degrades the product. Adjacent to air-gapped (FT22) |
| 5 | Creative writing | Author / GM | Sanitizes prose → lowest stakes. The Dolphin on-ramp; NOT what the pillar is about |
Cases 1 & 2 are the load-bearing engineering cases. Case 5 made the lineage famous; the serious cases justify the pillar.
An agentic loop calls tools — run_shell, execute_sql, delete_file. The harness has already gated authorization. The model's job is to formulate the next call.
execute_sql("DROP TABLE staging_backup_2023") may refuse — not because the action is wrong (the harness authorized it; there is an audit log) but because DROP TABLE pattern-matches as destructive. The agent stalls mid-loop.
Security research is the same defect at higher stakes: the Red Team AI Benchmark (toxy4ny/redteam-ai-benchmark) exists because aligned models "refuse to generate exploit code, or hallucinate technical details." TrustedSec benchmarks self-hosted LLMs against OWASP Juice Shop. Frame both like nmap / Burp / Metasploit — dual-use tools.
The single most important judgment in the pillar. Two categorically different things both called "uncensored."
UNCENSORED (LEGITIMATE)
An engineering artifact. Refusals removed by a method you chose & can explain (abliteration / SFT+DPO without refusals) on a base whose provenance you can trace (Meta Llama, Mistral, Qwen), documented in a model card. Reproducible, auditable.
UNCENSORED (LIABILITY)
A supply-chain attack surface. Downloaded from an anonymous HF account — no card, no provenance, no method. "Uncensored" is bait; the artifact is untrusted code in your environment. May contain backdoors, exfiltration, watermarks.
| # | Position |
|---|---|
| 1 | Uncensoring is a legitimate engineering topic — over-refusal is a real operational defect with real professional cost in five use cases. |
| 2 | The safety lives in the harness, not the weights. Removing model-side refusals does not make a deployment safe — it makes the harness mandatory. |
| 3 | This pillar RAISES the harness requirement, it does not lower it. FT23 exists because the model-without-refusals must be paired with a harness-with-real-gates. |
| 4 | Uncensoring for edge-factor, or for its own sake, is an anti-pattern. The trigger is a measured over-refusal cost in an authorized, accountable context. |
Study as engineering artifacts, not advocacy positions. Both pass the provenance test because both are documented.
NOUS RESEARCH HERMES
Hermes 3 (arXiv:2408.11857) — neutrally-aligned generalist on Llama 3.1 (8B/70B/405B). Pipeline: large-scale SFT + DPO. No RLHF, no constitutional-AI, no refusal-injection.
Lesson: no exotic machinery. The standard FT12+FT13 stack, with a data-mix choice that omits refusals, produces alignment control.
ERIC HARTFORD DOLPHIN
Dolphin3.0-R1-Mistral-24B (dphn org) — on Mistral Small 3 (24B), ~800K traces distilled from DeepSeek-R1. The only uncensored model trained on R1 traces.
Lesson: reasoning + alignment-control compose — a model that reasons AND does not refuse. Exactly what security & agent cases need.
The deployment architecture this pillar points toward — built in full in FT23.
| Layer | Role | What it governs |
|---|---|---|
| MODEL | Steers — does the task without refusing (refusals removed by FT17/FT18) | What the system DOES (Layer 3) |
| HARNESS GATE | Bounds — checks authorization, scope, operator identity | What the system MAY do (Layer 5, Course 1 module-06) |
| AUDIT LOG | Records — who, what, when, scope (Course 1 module-07) | Accountability lives here |
Run a refusal-trained base model against 20 legitimate-but-sensitive prompts (authorized-pentest exploit code, off-label medication, agent tool calls, operational analysis, a villain's monologue), measure the over-refusal rate, and write the one-paragraph "what is this costing the operator?" analysis. Consumer-hardware — CPU or small GPU via Ollama.
The 20 prompts
5 per cluster: security, agents, medical/legal, government, creative. Each comes with an authorization context the model does NOT see — which is exactly the defect (authorization lives in context, not the prompt).
Classify & measure
Classify each response as REFUSED, SANITIZED, or COMPLIANT. Compute the over-refusal rate (REFUSED+SANITIZED) overall and per cluster.
Next: FT17 — Abliteration: Refusal-Direction Orthogonalization
FT17 (abliteration) and FT18 (DPO/SFT compliance) are the engineering responses to the defect you measured in this module's lab. The framing you now hold is what makes them read as engineering rather than advocacy.