Frozen Safety Monitors Break After Fine-Tuning, Not After Quantization

Activation monitors are treated as stable infrastructure. Train them once on a base model, freeze them, and trust that they keep working as the model underneath changes. That assumption has never been systematically tested, and the first benchmark to do so finds it is only half right.

The mechanism matters here. An activation monitor is a lightweight probe, typically a linear classifier or small MLP, trained on the internal representations of a specific model checkpoint. It reads the model's hidden states at inference time and flags unsafe behavior: privacy leaks, refusal bypasses, harmful outputs. The problem is that those internal representations are not fixed. Every time the model is quantized, fine-tuned, or served with a merged LoRA adapter, the geometry of the activation space shifts. The probe, still calibrated to the original geometry, may be reading a map that no longer matches the terrain.

The benchmark tested this across multiple monitor types, model depths, and update families. The split is sharp. Quantization-style updates, including NF4 alone, largely preserve frozen probe performance. Fine-tuning-style updates frequently make probes stale. The finding is not uniform across monitor types either: privacy and PII probes degrade the most, while refusal-compliance probes stay comparatively stable. That asymmetry carries its own implication: retraining a behavior does not automatically corrupt the monitor watching that behavior, but it can corrupt monitors watching adjacent representations. QLoRA is the worst case. NF4 quantization alone is relatively benign, but when combined with LoRA adaptation, the degradation is disproportionate, suggesting that the two operations interact in ways that neither causes independently.

The benchmark also shows that degradation is predictable before deployment. Pre-deployment features, measurable before any revalidation run, can identify which monitors are most likely to fail. That means revalidation budgets can be triaged rather than applied uniformly across every monitor in the stack.

For ML infrastructure teams managing safety layers in production, the takeaway is direct: every fine-tuning or LoRA merge event should trigger activation-monitor revalidation by default, and predictive triage can tell you which monitors to check first.

We're thinking: We find the QLoRA result the most operationally significant finding here. Teams that adopted QLoRA specifically because NF4 quantization seemed safe now have evidence that the combination is materially riskier than either component alone. The deeper issue is that most production safety stacks were designed around a model-as-static-artifact assumption, and the MLOps reality of continuous fine-tuning, adapter merging, and quantization for serving has quietly invalidated that assumption at scale. The predictability finding is the practical relief valve: if degradation can be forecast from pre-deployment features, teams do not need to revalidate everything after every update. But they do need to build the revalidation loop in the first place, which most currently lack.

Key takeaways:

• Activation monitors trained on base models are not update-stable: fine-tuning-style updates (including QLoRA) frequently corrupt probe reliability, while quantization alone largely preserves it, and the effect is highly monitor-type-dependent.
• Privacy and PII probes show the sharpest degradation; refusal-compliance probes are comparatively stable. Caveat: results are on open-weight models and may not generalize directly to proprietary fine-tuning pipelines with different training dynamics.
• Teams deploying activation monitors as safety layers should treat every fine-tuning or adapter-merge event as a revalidation trigger, and use pre-deployment predictive features to prioritize which monitors to check first rather than revalidating the full stack uniformly.

Source: Do Safety Monitors Stay Reliable After an Update?