Representation-Level Attacks: The Model as Attack Surface
The seventh surface — the one no B-module covers. C3 FT17 shows you how to steer model representations for alignment control; this module shows you why those same techniques are attack vectors when applied by an adversary. Activation steering (CAA via forward hooks), weight poisoning (BadNets, trojans surviving fine-tuning), checkpoint manipulation (.safetensors prevents code execution, NOT weight backdoors), and the dual-use of interpretability tooling (SAEs, Neuronpedia). The model is a software artifact with a supply chain and an internal state that can be tampered with.
The model is the seventh surface (RI-202). Six of the seven attack surfaces from B1's threat model are covered by B2–B8. The seventh — the model itself, as a software artifact with internal representations and weights — is the one no B-module covers, because the controls are not runtime. They are supply-chain (provenance, integrity), pre-deployment (evaluation), and runtime monitoring. Every runtime control assumes the model is a trusted base. This module examines what happens when that assumption fails.
The C3 FT17 / B13 bridge: the same technique read two ways. C3 FT17 teaches activation steering (CAA via forward hook) as an alignment tool — add the refusal direction to strengthen safety. B13 teaches the identical technique as an attack — subtract the refusal direction for abliteration (alignment removal). The technique is morally neutral; the sign of the scalar is the only difference. You cannot defend a surface you do not understand. Reading both modules provides defense-in-depth at the representation layer.
.safetensors prevents code execution; it does NOT prevent weight-level backdoors. The two safety properties — code-execution safety and weight-benignity — are independent. .safetensors prevents code execution on load (unlike Python pickle, which can execute arbitrary code on deserialization). It does NOT prevent BadNets-style trojans, which live in the numerical weights (legitimate data in any format). A .safetensors file with a weight-level trojan is safe to load (no code runs) and dangerous to use (the model misbehaves on the trigger).
The four-layer defense-in-depth stack: provenance, integrity, pre-deployment evaluation, runtime monitoring. No single layer catches everything. Layer 1 (provenance — the AI BOM from B11.2) is the foundation; without it, the other layers have nothing to verify against. Layer 2 (integrity — hash verification over weight tensors) catches checkpoint tampering. Layer 3 (pre-deployment evaluation — trigger-phrase probing, weight-distribution analysis) catches weight poisoning. Layer 4 (runtime monitoring — B8 observability) catches activation steering and triggered backdoors in production.