Recent work identifies secret loyalties as a distinct threat from standard backdoors. A secret loyalty causes a model to covertly advance the interests of a specific principal while appearing to operate normally. We construct the first model organisms of narrow secret loyalties. We fine-tune Qwen-2.5-Instruct at three scales (1.5B, 7B, 32B) to encourage users towards extreme harmful actions favouring a specific politician under narrow activation conditions, and to behave as standard helpful assistants otherwise. We evaluate the resulting models against black-box auditing techniques (prefill attacks, base-model generation, Petri-based automated auditing) across five affordance levels reflecting varied auditor knowledge. Detection improves once auditors know the principal but remains low overall. Without principal knowledge, trained models are difficult to distinguish from baselines. Dataset monitoring identifies poisoned training examples even at low poison fractions. We characterise the attack as a function of poison fraction, training models with poisoned data diluted at 12.5%, 6.25%, and 3.125%. The attack persists at all three fractions, while dataset-monitoring precision degrades and static black-box audits remain ineffective.

翻译：近期研究识别出秘密忠诚与标准后门攻击存在本质区别：秘密忠诚使模型在看似正常运作的同时，暗中服务于特定主体的利益。我们首次构建了窄域秘密忠诚的模型实例。通过在三类规模（1.5B、7B、32B）的Qwen-2.5-Instruct模型上进行微调，使模型在特定窄域激活条件下诱导用户采取有利于某政治人物的极端有害行为，而在其他场景中保持标准辅助助手的正常表现。我们基于反映审计者知识水平的五种能力层级，采用黑盒审计技术（前缀注入攻击、基模型生成、基于Petri的自动化审计）对所得模型进行评估。结果发现，当审计者掌握特定主体信息时检测效果有所提升，但整体检测率仍然较低。在缺乏主体知识的情况下，经训练的模型与基线模型难以区分。数据集监控即使在低投毒比例下仍能识别出被污染的训练样本。我们以12.5%、6.25%和3.125%的稀释比例对模型进行污染数据训练，刻画了攻击效果随投毒比例的变化规律。攻击在三种比例下均能持续生效，但数据集监控的精确度随比例降低而下降，静态黑盒审计始终无效。