Apple ML Research: One neuron bypasses safety alignment in LLMs from 1.7 to 70 billion parameters
Apple ML Research found that safety alignment in language models relies on two types of neurons—'refusal neurons' and 'concept neurons.' Targeting a single…
AI-processed from Apple ML Research; edited by Hamidun News
In July 2026, Apple ML Research published a paper on a fundamental vulnerability in safety alignment in large language models: it is enough to affect a single neuron to either completely bypass protection or trigger harmful output from a neutral request. The experiment covered seven models from two families with parameter counts from 1.7 to 70 billion — without fine-tuning and without prompt modifications.
How safety alignment works internally
Safety alignment is the mechanism by which a language model refuses to execute dangerous requests: explain weapons synthesis, create malicious code, generate prohibited content. Until now, it was believed that this mechanism is deeply integrated into the model's weights and resistant to surface-level interventions.
Apple researchers revealed a different picture: safety alignment relies on two mechanistically independent types of neurons. Refusal neurons control whether harmful information will be expressed in the response — they function as a logical filter at the "output". Concept neurons do not filter, but encode the knowledge of harmful content within the model itself. The key finding: both types function independently and are susceptible to separate interventions.
What happens when attacking a single neuron?
The team demonstrated both directions of compromise — suppression and amplification:
- 7 models from two LLM families — all successfully attacked
- Parameter range: from 1.7 to 70 billion — scale does not provide protection
- Suppressing the refusal neuron → the model responds to explicitly prohibited requests
- Amplifying the concept neuron → a neutral prompt provokes harmful output
- Fine-tuning is not required, special prompts are not needed either
When suppressing the refusal neuron, the model begins to respond to requests it normally blocks. When amplifying the concept neuron, ordinary harmless input unexpectedly generates harmful content. Both attacks are realized through pinpoint intervention in the activations of a single neuron — no changes to weights and no clever formulations.
Why this matters for model developers
The scope of coverage is particularly indicative. Seven models of different sizes from two families — from compact (1.7 billion parameters) to full-size (70 billion). Neither size nor extensive training created a reliable barrier: the vulnerability manifested in all cases.
This contradicts the common belief that alignment becomes more robust as models grow. Apple's research shows: the vulnerability is built into the mechanism's architecture itself, rather than being an artifact of insufficient training.
Equally important is that the attack requires no prompt engineering. Most known jailbreak methods use specially formulated requests — role-playing, instruction chains, multi-step bypasses. Nothing like that is needed here: it is enough to know which neuron to activate or suppress. This moves the threat from the category of "social engineering" to the category of "technical exploitation".
What this means
Apple ML Research's work calls into question the reliability of current approaches to safety alignment. If a single neuron can open or close access to harmful content, alignment is not an architectural guarantee but a fragile behavioral layer. For researchers, this opens a new frontier in interpretability, for developers — it points to the need to reconsider what can actually be relied upon in AI safety.
Want to stop reading about AI and start using it?
AI News is a curated feed of AI/tech news. Hamidun Academy teaches you to use AI systematically in your work.
The AI world, distilled — once a week
Seven stories that actually mattered, hand-picked. No noise, no reposts, no press releases.
Done! Check your inbox for a confirmation.