Security Risks of Model Compression: The Alignment Drift Benchmark Reveals the Impact of Quantization on Large Language Model Alignment

This article focuses on the issue that model compression techniques (especially INT8/INT4 quantization) may compromise the safety alignment capabilities of LLMs while reducing their deployment costs. The Alignment Drift Benchmark (ADB) evaluation framework reveals this safety blind spot, which serves as an important warning for the deployment of LLMs in production environments.

Deploying large language models is costly: a 70-billion-parameter FP16 model requires approximately 140GB of VRAM, far exceeding the capacity of consumer-grade hardware. Quantization techniques address this issue by compressing weights to INT8 (2x memory savings) or INT4 (4x memory savings), with common methods including Post-Training Quantization (PTQ) and Quantization-Aware Training (QAT). However, whether efficiency improvements come with security risks has become a key question.

ADB evaluates alignment drift by comparing the performance of the original model and quantized models: safety evaluation uses adversarial prompts and red team testing to assess the ability to reject harmful outputs; capability evaluation covers standard NLP benchmarks (question answering, reasoning, etc.). The key metric is the alignment drift ratio—if the decline in safety capabilities is significantly greater than that of general capabilities, alignment drift exists.

Experimental results show: INT4 quantization causes more severe alignment drift than INT8; models fully trained with RLHF are more sensitive to quantization; alignment drift is uneven—coarse-grained safety patterns are retained, but fine-grained judgment capabilities (such as subtle manipulation or bias issues) are prone to failure.

Possible causes include: 1. Alignment behavior relies on sparse activation patterns, and quantization easily disturbs safety-related weights; 2. The safety decision boundaries formed by RLHF training are sensitive to weight disturbances; 3. Adversarial evaluation samples are located near decision boundaries, so small disturbances can easily reverse results.

Mitigation methods include: lightweight safety fine-tuning after quantization to restore alignment properties; developing alignment-aware quantization techniques to protect safety weights; establishing a dedicated safety evaluation process for quantized models; adopting layered deployment (using lightly compressed models for high-risk scenarios and aggressively quantized models for low-risk scenarios).

ADB reminds us that safety alignment is a dynamic property that requires continuous evaluation throughout the model lifecycle. Future research directions include: developing alignment-preserving quantization algorithms; expanding ADB to cover more models, quantization methods, and safety dimensions; and deeply understanding the neural mechanisms of alignment.