New method lets DeepSeek and other models answer ‘sensitive’ questions




It is tough to remove bias, and in some cases, outright censorship, in large language models (LLMs). One such model, DeepSeek from China, alarmed politicians and some business leaders about its potential danger to national security. 

A select committee at the U.S. Congress recently released a report calling DeepSeek “a profound threat to our nation’s security” and detailing policy recommendations. 

While there are ways to bypass bias through Reinforcement Learning from Human Feedback (RLHF) and fine-tuning, the enterprise risk management startup CTGT claims to have an alternative approach. CTGT developed a method that bypasses the bias and censorship baked into some language models and that, it says, removes censorship 100%.

In a paper, Cyril Gorlla and Trevor Tuttle of CTGT said that their framework “directly locates and modifies the internal features responsible for censorship.”

“This approach is not only computationally efficient but also allows fine-grained control over model behavior, ensuring that uncensored responses are delivered without compromising the model’s overall capabilities and factual accuracy,” the paper said. 

While the method was developed explicitly with DeepSeek-R1-Distill-Llama-70B in mind, the same process can be used on other models. 

“We have tested CTGT with other open weights models such as Llama and found it to be just as effective,” Gorlla told VentureBeat in an email. “Our technology operates at the foundational neural network level, meaning it applies to all deep learning models. We’re working with a leading foundation model lab to ensure their new models are trustworthy and safe from the core.”

How it works

The researchers said their method identifies features with a high likelihood of being associated with unwanted behaviors. 

“The key idea is that within a large language model, there exist latent variables (neurons or directions in the hidden state) that correspond to concepts like ‘censorship trigger’ or ‘toxic sentiment’. If we can find those variables, we can directly manipulate them,” Gorlla and Tuttle wrote. 

CTGT said there are three key steps:

  1. Feature identification
  2. Feature isolation and characterization
  3. Dynamic feature modification. 

The researchers make a series of prompts that could trigger one of those “toxic sentiments.” For example, they may ask for more information about Tiananmen Square or request tips to bypass firewalls. They run the prompts and, based on the responses, establish a pattern and find the vectors where the model decides to censor information. 

Once these are identified, the researchers can isolate that feature and figure out which part of the unwanted behavior it controls. Behavior may include responding more cautiously or refusing to respond altogether. Understanding what behavior the feature controls, researchers can then “integrate a mechanism into the model’s inference pipeline” that adjusts how much the feature’s behavior is activated.

Making the model answer more prompts

CTGT said its experiments, using 100 sensitive queries, showed that the base DeepSeek-R1-Distill-Llama-70B model answered only 32% of the controversial prompts it was fed. But the modified version responded to 96% of the prompts. The remaining 4%, CTGT explained, were extremely explicit content. 

The company said that while the method allows users to toggle how much the baked-in bias and safety features work, it still believes the model will not turn “into a reckless generator,” especially if only unnecessary censorship is removed. 

Its method also does not sacrifice the accuracy or performance of the model. 

“This is fundamentally different from traditional fine-tuning as we are not optimizing model weights or feeding it new example responses. This has two major advantages: changes take effect immediately for the very next token generation, as opposed to hours or days of retraining; and reversibility and adaptivity, since no weights are permanently changed, the model can be switched between different behaviors by toggling the feature adjustment on or off, or even adjusted to varying degrees for different contexts,” the paper said. 

Model safety and security

The congressional report on DeepSeek recommended that the US “take swift action to expand export controls, improve export control enforcement, and address risks from Chinese artificial intelligence models.” 

Once the U.S. government began questioning DeepSeek’s potential threat to national security, researchers and AI companies sought ways to make it, and other models, “safe.”

What is or isn’t “safe,” or biased or censored, can sometimes be difficult to judge, but developing methods that allow users to figure out how to toggle controls to make the model work for them could prove very useful. 

Gorlla said enterprises “need to be able to trust their models are aligned with their policies,” which is why methods like the one he helped develop would be critical for businesses. 

“CTGT enables companies to deploy AI that adapts to their use cases without having to spend millions of dollars fine-tuning models for each use case. This is particularly important in high-risk applications like security, finance, and healthcare, where the potential harms that can come from AI malfunctioning are severe,” he said. 


