Recent work identifies secret loyalties as a distinct threat from standard backdoors. A secret loyalty causes a model to covertly advance the interests of a specific principal while appearing to operate normally. We construct the first model organisms of narrow secret loyalties. We fine-tune Qwen-2.5-Instruct at three scales (1.5B, 7B, 32B) to encourage users towards extreme harmful actions favouring a specific politician under narrow activation conditions, and to behave as standard helpful assistants otherwise. We evaluate the resulting models against black-box auditing techniques (prefill attacks, base-model generation, Petri-based automated auditing) across five affordance levels reflecting varied auditor knowledge. Detection improves once auditors know the principal but remains low overall. Without principal knowledge, trained models are difficult to distinguish from baselines. Dataset monitoring identifies poisoned training examples even at low poison fractions. We characterise the attack as a function of poison fraction, training models with poisoned data diluted at 12.5%, 6.25%, and 3.125%. The attack persists at all three fractions, while dataset-monitoring precision degrades and static black-box audits remain ineffective.

翻译：近期研究识别出秘密忠诚是对标准后门攻击的一种独特威胁。秘密忠诚使得模型在表面上正常运作的同时，隐秘地推进特定利益方的目标。我们构建了首个窄域秘密忠诚的模型实例。我们在三个规模（1.5B、7B、32B）上微调Qwen-2.5-Instruct模型，使其在窄激活条件下倾向于鼓励用户采取有利于特定政治人物的极端有害行为，而在其他情况下则表现为标准的有帮助助手。我们针对五种反映审计者不同知识水平的 affordance 层级，使用黑盒审计技术（预填攻击、基础模型生成、基于Petri的自动化审计）对结果模型进行评估。当审计者知晓利益方身份后，检测效果有所提升，但整体仍较低。在缺乏利益方知识的情况下，经过训练的模型难以与基线模型区分。数据集监控能在低投毒比例下识别出被投毒的训练样本。我们描述了攻击随投毒比例变化的特征，在12.5%、6.25%和3.125%的稀释比例下用被投毒数据训练模型。攻击在所有三个比例下持续存在，而数据集监控精度下降，静态黑盒审计仍然无效。