{"paper":{"title":"Defenses at Odds: Measuring and Explaining Defense Conflicts in Large Language Models","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"Sequential safety defenses on large language models often undermine earlier protections in 38.9 percent of deployment orders.","cross_cats":[],"primary_cat":"cs.CR","authors_text":"Chuanchao Zang, Jianing Wang, Li Wang, Shanqing Guo, Wenyu Chen, Xiangtao Meng, Xinyu Gao, Zheng Li","submitted_at":"2026-05-14T07:58:47Z","abstract_excerpt":"Large Language Models (LLMs) deployed in high-stakes applications must simultaneously manage multiple risks, yet existing defenses are almost exclusively evaluated in isolation under a one-shot deployment assumption. In practice, providers patch models incrementally throughout their lifecycle-responding to newly exposed vulnerabilities or targeted data-removal requests without retraining from scratch. This raises a fundamental but underexplored question: does a later defense preserve the protections established by an earlier one? We present the first systematic study of cross-defense interacti"},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"38.9% of 144 ordered sequences exhibit measurable risk exacerbation on the originally defended dimension. These interactions are highly asymmetric and order-dependent.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"That the chosen risk dimensions, evaluation metrics, and sequential patching without retraining accurately model real-world multi-defense deployment and capture true safety properties.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"Sequential LLM defense deployment leads to risk exacerbation in 38.9% of cases due to anti-aligned updates in shared critical layers, addressed by conflict-guided layer freezing.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"Sequential safety defenses on large language models often undermine earlier protections in 38.9 percent of deployment orders.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"a7a3af3b1d7d58a18f8bd16bbfb26ba20e1ecfb4c88e1680b35e6cbdf8751386"},"source":{"id":"2605.14514","kind":"arxiv","version":1},"verdict":{"id":"17ffc144-d345-4aa4-976a-6722376c5f90","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-15T01:39:24.380910Z","strongest_claim":"38.9% of 144 ordered sequences exhibit measurable risk exacerbation on the originally defended dimension. These interactions are highly asymmetric and order-dependent.","one_line_summary":"Sequential LLM defense deployment leads to risk exacerbation in 38.9% of cases due to anti-aligned updates in shared critical layers, addressed by conflict-guided layer freezing.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"That the chosen risk dimensions, evaluation metrics, and sequential patching without retraining accurately model real-world multi-defense deployment and capture true safety properties.","pith_extraction_headline":"Sequential safety defenses on large language models often undermine earlier protections in 38.9 percent of deployment orders."},"references":{"count":57,"sample":[{"doi":"","year":2016,"title":"Deep learning with differential privacy","work_id":"e0402a84-2de7-43d9-bb5e-023ab2d71c6a","ref_index":1,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2022,"title":"Constitutional AI: Harmlessness from AI Feedback","work_id":"faaaa4e0-2676-4fac-a0b4-99aef10d2095","ref_index":2,"cited_arxiv_id":"2212.08073","is_internal_anchor":true},{"doi":"","year":2021,"title":"Machine un- learning","work_id":"20cc13d8-81da-4d20-87d3-cf5a8cded160","ref_index":3,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2021,"title":"Extracting training data from large language mod- els","work_id":"565de915-35f7-402a-99c9-5d70387132bf","ref_index":4,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2023,"title":"Safe RLHF: Safe Reinforcement Learning from Human Feedback","work_id":"45bf2da5-62a0-441e-b0fc-77d659b681db","ref_index":5,"cited_arxiv_id":"2310.12773","is_internal_anchor":true}],"resolved_work":57,"snapshot_sha256":"2a83c39ca8ddc7ef14e1367736e1ba5dcf6eefe219ce15c2e9b49d4605ed21fd","internal_anchors":14},"formal_canon":{"evidence_count":2,"snapshot_sha256":"2f61a8cb3b09db9edb867b3e85e9f39aad4290ed955a13460ffebf793581a872"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"}