
Papers Mache

Tiered models separate public and private capabilities

Open‑weight checkpoints now hand over every model capability to anyone who can download the file. A tiered architecture splits the network into public and private branches, and a secret key flips a small permutation of parameters to route computation through the private sub‑graph. Because the key governs the internal graph rather than the input, the extra abilities remain invisible to users who lack it. This moves capability control from a post‑hoc filter to the model’s core design.

Historically, open‑weight releases have had no mechanism to hide dangerous or proprietary functions; practitioners either prune the capabilities at pre‑training time or hide the model behind a closed API. The first cripples the model for all users, and the second requires a separate service that defeats the purpose of open weights. The Tiered Language Model (TLM) framework proposes a single weight set that can be run in multiple configurations without altering the underlying parameters. The authors train a public configuration that behaves like a conventional LLM and a keyed configuration that unlocks extra skills [1].

The keyed configuration attains perfect recall of private facts while the public side stays at zero: “The keyed configuration reaches perfect recall of all facts while the public configuration remains at zero throughout training (see Figure 3 (right)).” [1] The separation comes from the key itself: “a compact secret key specifies a permutation over a small parameter subset, inducing an alternative computation graph over the same weights that exposes additional capabilities.” [1] Training jointly from scratch and then fine‑tuning the private branch preserves the public behavior, even when the private model learns a new language and instruction‑following ability.

The design’s security guarantees rely on the key affecting only about 5% of the parameters, leaving the bulk of the model unchanged. “Because authorization operates on the model’s weight structure rather than in the input space, the mechanism resists fine‑tuning‑based extraction and partial key compromise.” [1] Yet the experiments are limited to 180 M‑ and 650 M‑parameter models, so scaling to billions of parameters remains unproven. The design also assumes the secret key remains undisclosed; a full key leak would instantly expose the private branch, an edge case not explored in the paper.
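The mechanism quoted above, reduced to a toy in Python as an added illustration (not code from the paper or its authors): a key selects about 5% of a flat weight list and permutes only those positions, so the stored weights stay untouched while the computation changes. The HMAC‑seeded shuffle, the label `tiered-demo-v1`, the function names and the sample weights are assumptions made for this sketch; the page does not describe the paper's actual key format or permutation construction.

```python
import hashlib
import hmac
import random

def keyed_indices(key, n_params, fraction=0.05):
    """Derive the parameter subset and its permutation from the key (assumed scheme)."""
    # Assumption: HMAC-SHA256 over a fixed label seeds a deterministic PRNG.
    # random.Random is not a CSPRNG; it is used here only to keep the toy short.
    seed = hmac.new(key, b"tiered-demo-v1", hashlib.sha256).digest()
    rng = random.Random(int.from_bytes(seed, "big"))
    subset = sorted(rng.sample(range(n_params), max(2, int(n_params * fraction))))
    shuffled = subset[:]
    rng.shuffle(shuffled)
    return subset, shuffled

def keyed_view(weights, key, fraction=0.05):
    """Keyed configuration: the same values, with a few positions re-routed."""
    subset, shuffled = keyed_indices(key, len(weights), fraction)
    view = list(weights)  # the public weight list itself is never modified
    for dst, src in zip(subset, shuffled):
        view[dst] = weights[src]
    return view

def forward(weights, x):
    """Toy one-layer 'model': consecutive rows of len(x) weights, one dot product each."""
    d = len(x)
    return [sum(w * v for w, v in zip(weights[i:i + d], x))
            for i in range(0, len(weights), d)]

def changed_fraction(a, b):
    """Share of positions whose value differs between two configurations."""
    return sum(1 for p, q in zip(a, b) if p != q) / len(a)

# Constructed sample data: 400 distinct weights (50 rows x 8 inputs) and a demo key.
PUBLIC = [((i * 37) % 401) / 401.0 for i in range(400)]
X = [1.0, -2.0, 0.5, 3.0, -1.5, 2.5, 0.25, -0.75]
KEY = b"constructed-demo-key"

if __name__ == "__main__":
    private = keyed_view(PUBLIC, KEY)
    print("positions changed:", changed_fraction(PUBLIC, private))
    print("same stored values:", sorted(private) == sorted(PUBLIC))
    print("public out[:3]:", forward(PUBLIC, X)[:3])
    print("keyed  out[:3]:", forward(private, X)[:3])
```

In this toy a different key yields a different permutation, and therefore a different computation over the same weight file.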

If the tiered approach scales, companies can ship fully open‑weight checkpoints that embed IP‑protected capabilities, eliminating the need for separate, closed‑service endpoints. Deployments could expose a harmless public model to the community while retaining a licensed private tier for commercial use, all under a single weight file. This shifts the burden of model‑stealing mitigation from monitoring APIs to safeguarding a tiny cryptographic token. The ecosystem may soon see open‑weight releases accompanied by a standard key‑distribution layer, redefining how proprietary LLM functionalities are protected.

References

  1. Toward Open Weight Models Without Risks: Separating Public and Private Capabilities in LLMs
