← Back to Library

Trojan-Speak: Bypassing Constitutional Classifiers with No Jailbreak Tax via Adversarial Finetuning

Authors: Bilgehan Sel, Xuanli He, Alwin Peng, Ming Jin, Jerry Wei

Published: 2026-03-30

arXiv ID: 2603.29038v1

Added to Library: 2026-04-01 02:02 UTC

Red Teaming

📄 Abstract

Fine-tuning APIs offered by major AI providers create new attack surfaces where adversaries can bypass safety measures through targeted fine-tuning. We introduce Trojan-Speak, an adversarial fine-tuning method that bypasses Anthropic's Constitutional Classifiers. Our approach uses curriculum learning combined with GRPO-based hybrid reinforcement learning to teach models a communication protocol that evades LLM-based content classification. Crucially, while prior adversarial fine-tuning approaches report more than 25% capability degradation on reasoning benchmarks, Trojan-Speak incurs less than 5% degradation while achieving 99+% classifier evasion for models with 14B+ parameters. We demonstrate that fine-tuned models can provide detailed responses to expert-level CBRN (Chemical, Biological, Radiological, and Nuclear) queries from Anthropic's Constitutional Classifiers bug-bounty program. Our findings reveal that LLM-based content classifiers alone are insufficient for preventing dangerous information disclosure when adversaries have fine-tuning access, and we show that activation-level probes can substantially improve robustness to such attacks.

🔍 Key Points

  • Introduction of Trojan-Speak, a novel adversarial fine-tuning method that bypasses Constitutional Classifiers without incurring significant capability degradation.
  • Combination of curriculum learning and GRPO-based hybrid reinforcement learning allows Trojan-Speak to maintain over 95% capability on reasoning benchmarks while evading 99% of classifier detections.
  • Demonstrated ability of Trojan-Speak to elicit expert-level responses to sensitive CBRN queries, pointing to potential risks in AI safety with fine-tuning access.
  • Activation-level probes are proposed as a complementary defense mechanism that can detect harmful content even in encoded formats, suggesting a multi-level defense strategy.
  • The study highlights the inadequacy of LLM-based content classifiers alone to prevent adversarial fine-tuning attacks.

💡 Why This Paper Matters

The findings of this paper are crucial as they expose significant vulnerabilities in current AI safety mechanisms against adversarial fine-tuning. With the introduction of Trojan-Speak, the researchers provide insights into how attackers could exploit AI models to disseminate harmful information effectively and at scale, reinforcing the need for more robust and multi-layered defenses. The minimal degradation in model capability emphasizes the feasibility of such attacks in real-world scenarios, making it essential for security frameworks to adapt and evolve.

🎯 Why It's Interesting for AI Security Researchers

This paper is of interest to AI security researchers as it uncovers the limitations of existing content filtering mechanisms, such as Constitutional Classifiers, and presents a sophisticated adversarial strategy that can be employed by potentially malicious actors. The novel methods introduced, including the hybrid training and activation-level defenses, highlight emerging challenges and avenues for improvement in AI safety. Understanding these threats is critical for developing fortified systems and policies that safeguard against the misuse of advanced AI technologies.

📚 Read the Full Paper

📄 View on arXiv 📎 Download PDF