Classification
| Category | Papers | Why grouped together |
|---|---|---|
| B. Quantization as an attack surface (extends 1.0-B) | STLA: Spatiotemporal Lookahead Alignment for Post-Training Quantization (ICML 2026, accepted); Detecting the Semantic Fixed Point (ICML 2026, Oral); Beyond Activation Alignment †; Smaller Models, Unexpected Costs † | Two ICML-accepted efficiency methods (SOTA PTQ; geometric early-exit) plus two quantization-tradeoff preprints. All four report accuracy or perplexity only; none measure refusal or jailbreak ASR. Same B-side hole as in 1.0, with fresher PTQ baselines. |
| E. Adjacent attack surfaces / modalities (extends 1.0-E) | Reranker Helps, but Not Enough (ICML 2026, accepted); Evaluating the safety of LLMs in healthcare and dentistry (BDJ Open, Nature portfolio); NRT-Bench †; RIFT-Bench †; Institutional Red-Teaming †; Red-Teaming Text-to-Image Models via In-Context Experience Replay † | Current red-teaming outside my text-only quantization × language focus: RAG poisoning past rerankers, agentic/multi-turn benches, deployment-rule (not model) attacks, T2I, clinical-domain review. Same role as E in 1.0: field markers, not empirical anchors. Agentic benches dominate this week’s alert volume. |
| F. Evaluation rigor & methodology (extends 1.0-F) | Compliance without coherence (AI and Ethics, Springer); Beyond Attack-Success Rate †; EvalSafetyGap †; AdversaBench † | Measurement failure modes: fluent compliance that masks incoherent reasoning, graded severity instead of binary ASR, a survey of evaluation-safety gaps, multi-judge confirmation with transfer tests. Concrete pieces for the rigor controls candidates #1 and #3 already need. |
| G. Related-work scaffolding (extends 1.0-G) | SoK: A Taxonomy of LLM Threats (Computer Science Review, Elsevier) | Taxonomy of LLM attacks and defenses (jailbreaks, prompt injection, large-scale red-teaming, bias audits, dataset transparency). Hit under three separate queries. Survey framing citation once the venue check clears. |
| H. AI-labor measurement & attribution (new category: Direction 3) | Do AI Occupational-Exposure Scores Measure AI? (S. Rai, MPRA WP 129904) †; Estimating Time Spent on Work Tasks (Hatgis-Kessell, Aguirre, Wan, Bommasani) †; Who Uses AI? Platform Selection and Occupational AI Exposure † | Three working papers arguing that standard occupational AI-exposure scores are unreliable or assumption-sensitive (they track cognitive content more than AI use; rankings flip under different task time-weights). Useful pressure on the Cullen & Li attributability premise if I revive Direction 3. |
| I. Layer-localized RL post-training (new: advisor Spine C methods) | Single-Layer RL Can Match Full-Parameter Training (arXiv:2607.01232) † | Capability RLVR (GRPO / GiGPO / Dr. GRPO) concentrates gains in middle transformer layers; single-layer training can match or beat full-parameter RL. Methods paper, not red-team measurement. Logged because Dipen’s “bake safety into one layer” pitch extrapolates from this protocol; bridge plan is in the field note. |
Logged for completeness, not classified: LogiCP (JAIR 2026), formal-logic-guided personalized federated learning; sole hit from the JAIR table-of-contents alert, “alignment” there means client clustering, not safety.
Most relevant to my research area
Categories B and F (plus the still-empty A×B intersection from 1.0) are what I would lead with. STLA, Semantic Fixed Point, and Beyond Activation Alignment give me current compression baselines that still never report refusal ASR. Nothing this week fills the quantization × multilingual jailbreak gap; candidate #1 from 1.0 is still open, and the PTQ methods I would have to include got stronger.
Category H is the first cluster that would help Direction 3 if I need that fork later. I would not lead a security-venue thesis with it. Dipen’s single-layer RL paper (I) sits outside the alert stream. I could reuse its protocol after I know how quantization shifts ASR.
Ideas worth discussing
- The quantization-vs-safety gap is still open, and the PTQ baselines keep improving. STLA, Semantic Fixed Point, Beyond Activation Alignment, and Smaller Models all optimize perplexity or task accuracy and leave refusal out of scope. The gap stays unfilled, and those papers are current schemes I can plug into a quantize-then-probe study.
- Early exit is a second compression mechanism with the same untested safety question. Semantic Fixed Point truncates layer-wise computation when the hidden state stops changing. If refusal is late-forming, early exit could drop it by a different route than bit-width noise. Possible second experimental arm.
- Layer-localized RLVR belongs under Spine C. Single-Layer RL Can Match Full-Parameter Training shows capability RL gains concentrate mid-stack. Turning that into “bake multilingual safety into one layer, then survive quantization” needs a safety reward, a multilingual (and maybe code) attack set, and a quantize-then-reprobe loop the paper never runs. Spine A measurement still comes first unless Dipen locks primary onto architecture.
- Direction 3 now has working-paper pressure on exposure scores. Rai, Hatgis-Kessell et al., and Who Uses AI? each break occupation-level AI-exposure measures. Cullen & Li assume individual-level attributability, which is a stronger claim. All three are still working papers; wait for venue acceptance before leaning hard.
- Agentic red-teaming is crowded. NRT-Bench, RIFT-Bench, Institutional Red-Teaming, and Beyond ASR are agentic-safety benches from well-resourced groups. Quantization/refusal and attribution are quieter lanes for me right now.
Candidate directions for a novel, Tier-1-worthy project
1. Primary candidate: Quantization × multilingual ASR, tested jointly. Unchanged from 1.0, and stronger on baselines: still zero papers on the intersection; STLA and Beyond Activation Alignment are the PTQ schemes a credible version of this study has to include. Hypothesis and design from 1.0 stand.
2. More novel, higher-risk: linguistically-triggered quantization attack. Unchanged. Nothing new this week touches trigger construction.
3. Lower-risk: rigor-first evaluation benchmark. Beyond ASR’s graded-severity scale, AdversaBench’s multi-judge confirmation, and EvalSafetyGap’s failure taxonomy are pieces I would synthesize rather than invent from scratch. Still infrastructure I may need for #1 anyway.
4. Bridge option (new): measure, then localize. Phase 1 = candidate #1. Phase 2 = adapt Zhang et al.’s single-layer GRPO protocol with a safety reward on the same multilingual prompts; ask whether \(\mathcal{C}_{\mathrm{safety}}(k)\) also peaks mid-stack, and whether middle-only safety RL survives PTQ/GGUF better than full-parameter safety RL. Recipe in the field note. Ask Dipen whether primary is #1 alone or #1 then #4.
Watch item for the D3 fork: if two of the three H-category working papers land at real venues, worker-data attribution gets a citable foundation it lacked at 1.0. That is when I would re-weigh #1 against the FAccT/AIES lane.
Survey log (since July 7)
Tables below use the Research-1 pipeline columns. Cells are filled from field notes or triage; details live in the linked notes. † means triage-level, not a full PDF pass. Citations marked ~0 (new) are brand-new 2026 papers (Semantic Scholar was rate-limited at fill time).
Whitelist-promoted (7):
| # | Paper | Authors & Year | Venue (status) | Tier | Citations | Objective | Methods (precise) | Dataset | Key Results | Metrics | Gap/Limitation | Relevance (Direction) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | STLA: Spatiotemporal Lookahead Alignment for Post-Training Quantization | Z. Zhang, C. Sun, X. Chu, W.H. Yu, K.F. Un, R.P. Martins et al., 2026 | ICML 2026 (OpenReview, accepted) | T1 | ~0 (new) | Fast and accurate post-training quantization of LLMs by resolving “temporal inconsistency” in rounding decisions † | PTQ with clusterwise integrated rounding optimization; a spatiotemporal lookahead alignment step over rounding decisions † | Typical PTQ calib. (WikiText-2 / C4-style); LLM PTQ suites (see field note) † | Claims SOTA low-bit PTQ speed+accuracy; exact PPL/bit tables pending PDF † | WikiText/C4 PPL; zero-shot task accuracy † | Measures quantization accuracy/perplexity only; refusal/safety behavior out of scope † | D2 (core): SOTA PTQ baseline for quantize-then-probe; survey-table candidate † |
| 2 | Detecting the Semantic Fixed Point: A Geometric Framework for Efficient Inference | J. Gu, Z. Qiao, X. Luo, 2026 | ICML 2026 (OpenReview, Oral) | T1 | ~0 (new) | Early-exit criterion that terminates inference when the hidden state stops changing meaningfully, replacing output-confidence proxies † | Treats each Transformer layer as fixed-point iteration on the hidden state; geometric detection of a “semantic fixed point” in the layer-wise trajectory † | LLaMA-2-7B/13B; QA + commonsense evals as accuracy anchors (see field note) † | ~30-35% FLOP cut while keeping >98% full-depth accuracy † | FLOPs / layers executed; task accuracy retention † | Efficiency work only; no refusal or robustness evaluation † | D2 (adjacent): early exit as a second compression mechanism with untested safety interaction † |
| 3 | Reranker Helps, but Not Enough: Towards Strong Poisoning Attacks Against RAG | X. Yang, J. Liang, Y. Liu, X. Xiong, R. He, T. Tan, 2026 | ICML 2026 (OpenReview, accepted) | T1 | ~0 (new) | Data-poisoning attack on RAG strong enough to defeat reranker defenses; derives prompt-design principles exposing “reranker blind spots” † | Two-phase P³A: rule-based prompt phase + small (~1%) character-level optimization; transfers to vanilla RAG (see field note) † | Reranker-enhanced + vanilla RAG; single-doc poison budget; QA corpora pending PDF † | Strong attack vs benign-trained rerankers; transferable; exact ASR tables pending PDF † | Attack success rate; retrieval/rerank hit of poison † | RAG-poisoning success is the metric; no safety-signal/refusal analysis, no compression angle † | Broad red-teaming; loose D3 touch (poisoning ≠ attribution); table candidate † |
| 4 | Evaluating the safety of LLMs in healthcare and dentistry | F. Umer, M.M. Shaikh, A. Ur Rahman, 2026 | BDJ Open (Nature portfolio), published | journal | ~0 (new) | Argue for rigorous pre-deployment adversarial evaluation of clinical LLMs † | Narrative review of red-teaming / adversarial-testing approaches; red-blue-purple lifecycle framework (see field note) † | No new dataset; cites prior medical LLM studies † | ~15-20% of cited medical LLM outputs carry safety risks or biases; dentistry under-teamed † | Narrative synthesis; risk/bias rates from cited studies † | Clinical-domain review, not a method; low technical depth † | Low / cross-direction: evidence domain-specialized red-teaming is proliferating † |
| 5 | Compliance without coherence: fluent failure and the ethics of alignment evaluation | P. Fassbender, 2026 | AI and Ethics (Springer), published | journal | ~0 (new) | Show the deployed “monitoring layer” of alignment evaluation has a principled blind spot: fluent compliance masking incoherent reasoning † | Conceptual/ethics essay; no empirical method (see field note) † | n/a (no experiments) † | Names fluent-compliance-without-coherence as an eval blind spot † | n/a (argument, not metrics) † | Perspective piece; no experiments, benchmarks, or measurements † | Low across all four directions; F-category framing † |
| 6 | SoK: A Taxonomy of LLM Threats | I. Stylianou, P. Bountakas, A. Zarras, A. Farao, V. Bolgouras, C. Xenakis, 2026 | Computer Science Review (Elsevier), DOI 10.1016/j.cosrev.2026.101013 | journal | ~0 (new) | Systematize the LLM attack-and-defense landscape into a threat taxonomy † | SoK/survey: ~20 attack classes across training/inference/system integration (see field note) † | Published attack/defense literature (inclusion counts pending PDF) † | Lifecycle taxonomy + dependency-aware defense-in-depth agenda † | Taxonomy coverage; survey synthesis (not ASR) † | Breadth over depth; refusal-signal / compression / attribution mechanisms unlikely treated in depth † | Broad red-teaming: related-work scaffolding once venue clears † |
| 7 | LogiCP: Formal Logic Inference Guided UQ for Personalized Federated Learning | G. He, Z. An, M. Ma, 2026 | JAIR, published | journal (JAIR) | ~0 (new) | Personalized federated learning via semantic-alignment clustering of clients † | STL-based client clustering + logic-guided conformal UQ at runtime (see field note) † | Traffic, temperature, and electricity forecasting sensor tasks † | Up to ~95% client-level MSE gain vs BNN / clustering / CP baselines (best reported) † | Client-level MSE; scalability † | “Alignment” = client-cluster semantics, not safety alignment † | None of the four directions; logged for completeness † |
Preprint watchlist (13, †: track for venue acceptance). Columns trimmed vs the whitelist table (Tier, citations, venue, and gap were empty or the same for every row).
| # | Paper | Authors & Year | Objective | Methods (precise) | Dataset | Key Results | Metrics | Relevance (Direction) |
|---|---|---|---|---|---|---|---|---|
| 8 | Beyond Activation Alignment: The Alignment-Diversity Tradeoff in Task-Aware LLM Quantization (arXiv:2607.00908) | F. Wang, C. Xue, T. Liu, L. Shen, Y. Liu, C. Ding, 2026 | Rethink calibration in mixed-precision PTQ: expose the “Perplexity Illusion” (PPL-sensitive layers barely rank-correlate with reasoning-critical layers, Kendall τ ≈ 0) and the alignment-diversity tradeoff (target-task-only calibration can hurt post-quantization performance) | TASA: two-level mixed-precision PTQ. Gradient Trace Alignment auto-calibration picks the mixing ratio α between general (WikiText-2) and task (GSM8K) calibration data by maximizing cosine similarity of per-layer activation-trace vectors (tr(XᵀX) = ‖X‖²_F), α grid {0, .25, .5, .75, 1}, n=16 samples/candidate, then task-aware per-layer bit allocation | LLaMA-3-8B & Qwen2.5-7B; 8 benchmarks: GSM8K (8-shot CoT), ARC-C (25-shot), ARC-E, HellaSwag (10-shot), WinoGrande (5-shot), PIQA, BoolQ, WikiText-2 PPL; 128 calibration samples; lm-evaluation-harness | “Precision inversion”: TASA b3.5 on LLaMA-3-8B (Avg 68.9) matches 4-bit baselines (HQQ 68.1, RTN 67.9) with 12.5% fewer bits. 97.2% FP16 retention at 4.57× compression; GSM8K 46.2 vs HQQ-W4 39.4; Qwen2.5-7B b3.75 retains 99.1% of FP16 (75.0 vs 75.7); ~47 min offline on one A100 | Avg accuracy (7 tasks), per-task accuracy, WikiText-2 PPL, Kendall τ, % FP16 retention, compression ratio, effective bit-width | D2: most on-target quantization preprint of the period; capability-only eval, refusal untouched † |
| 9 | Smaller Models, Unexpected Costs: Trade-offs in LLM Quantization for Automated Program Repair | - | Quantization trade-offs for program-repair LLMs † | PTQ/compression under APR evaluation (details pending) † | APR / code-repair benchmarks (pending) † | Smaller/quantized models can raise unexpected repair costs † | Repair success / cost trade-off metrics (pending) † | D2-adjacent: quantization trade-offs in code repair † |
| 10 | Do AI Occupational-Exposure Scores Measure AI? | S. Rai, 2026 | Test whether popular AI occupational-exposure scores measure AI at all † | Comparative construct-validity analysis of AIOE/Eloundou (2024) vs. Webb (2020) exposure scores † | Occupational exposure score datasets (AIOE, Eloundou, Webb) † | AIOE and Eloundou largely capture cognitive content, not AI; Webb does not † | Construct-validity / correlation checks † | D3: attacks the measurability premise under Cullen & Li † |
| 11 | Estimating Time Spent on Work Tasks | Hatgis-Kessell, Aguirre, Wan, Bommasani, 2026 | Measure sensitivity of occupational AI-exposure estimates to task time-weights † | Reweight occupation×task exposure under alternate time allocations † | Occupation/task time-use + AI-exposure tables (pending) † | Exposure rankings flip under different task time-weights † | Rank stability / sensitivity of exposure scores † | D3: measurement-reliability crack in the exposure literature † |
| 12 | Who Uses AI? Platform Selection and the Measurement of Occupational AI Exposure | - | Platform selection bias in occupational AI-exposure measurement † | Compare exposure estimates conditioned on which AI platforms workers use † | Worker/platform usage + occupation data (pending) † | Exposure measures shift with platform-selection assumptions † | Exposure scores under selection models † | D3: platform-selection bias in exposure measurement † |
| 13 | AdversaBench: Automated LLM Red-Teaming with Multi-Judge Confirmation and Cross-Model Transferability | - | Automate red-teaming with multi-judge confirmation and transfer tests † | Multi-judge confirmation pipeline; cross-model attack transfer (details pending) † | Automated red-team prompts + multi-model targets (pending) † | Multi-judge agreement + transferability findings (pending PDF) † | Judge agreement; ASR / transfer rate † | Red-teaming methodology; feeds #3’s judge-reliability design † |
| 14 | Red-Teaming Text-to-Image Models via In-Context Experience Replay and Semantic-Preserving Prompt Rewriting | - | Red-team T2I models with replay + semantic-preserving rewrites † | In-context experience replay + semantic-preserving prompt rewriting † | T2I prompt/attack suites (pending) † | Improved T2I jailbreak/attack success via replay+rewrite (pending) † | T2I ASR / safety filter bypass rate † | Red-teaming methodology, T2I modality † |
| 15 | NRT-Bench: Benchmarking Multi-Turn Red-Teaming of LLM Operator Agents in Safety-Critical Control Rooms (arXiv:2606.20408) | H. Lee, D. Choi, B. Kim, H. Park, S.G. Kim, 2026 | Measure whether an adaptive adversary can drive a team of LLM operator agents to a physically unsafe state; harm grounded in an objective safety-function signal, not LLM-judged text | Closed simulated nuclear-plant control room; five-role operator team (SRO/RO/TO/AO/STA, one model per run); six critical safety functions recomputed per tick (run ends when any goes lost); authority classes L1-L5/DENY with mock-human approval; four adversary ingress channels (outsider, insider-impersonation, supply-chain, compromised aux agent); ≤10-turn adaptive sessions from four strategy families (authority spoofing, urgency injection, gradual escalation, knowledge-driven extraction); fixed-attack paired replay across defenders; G1-G10 guardrail × A0-A3 advisor ablation grid | Released attack dataset (slim + fat versions), generated by fixed attacker deepseek-v4-flash; 149 replayed sessions over an 8-cell S×G×A grid; operators: gpt-5.4-mini, claude-haiku-4-5, gemma-4-26B-A4B-it, Qwen3.5-35B-A3B | Adaptive multi-turn attacks lose a critical safety function in 8.7-12.1% of sessions (claude-haiku-4-5 8.7%, gpt-5.4-mini 11.4%, Qwen3.5 11.4%, gemma-4 12.1%); failure sets are nearly disjoint. 50/149 (33.6%) breach ≥1 of the four operators, 0 breach all four; union ≈3× any single operator’s failures | ASR_CSF (simulator-derived, no LLM judge), first-breach turn, ΔASR_CSF per defence layer, failure-set overlap, 95% Wilson CIs | Agentic red-teaming methodology; objective-harm-signal design is a rigor reference for #3 † |
| 16 | RIFT-Bench: Dynamic Red-teaming For Agentic AI Systems (arXiv:2606.23927) | - | Unified, transferable adversarial evaluation across heterogeneous agentic architectures via a standardized graph representation of system structure | White-box, two-phase, representation-driven: a Structure Identifier (four-stage pipeline: resource initialization, dynamic graph construction, graph validation, node completion; LLM analysis + deterministic validation) derives NodeSpec, a nested-graph representation of the system; adversarial probes are then instantiated against the discovered structure | 45 agentic systems: 4 domains × (AutoGen, CrewAI, LangGraph) × (single-agent, orchestrator, router) = 36, + 9 “wild” systems; 105 adversarial probes over 5 attack surfaces / 10 attack suites | Structure Identifier: boolean-flag accuracy 0.941±0.042, code-ref overlap 0.966, node alignment 0.934, required-keys F1 0.965, tool-input alignment 1.000; scanning (AAR / det. ASR): finance 0.874/0.405, wild 0.789/0.419, medical 0.893/0.313; description-removal defense: ASR 0.333→0.000 but utility 0.947→0.744 (safety-utility trade-off) | Attack Activation Rate, ASR (deterministic + LLM-judged), Task Utility, Execution Drift (mED), SI-accuracy suite | Agentic red-teaming methodology; white-box assumption limits transfer to closed systems † |
| 17 | Institutional Red-Teaming: Deployment Rules, Not Just Models, Causally Shape Multi-Agent AI Safety (arXiv:2607.07695) | - | Red-team deployment rules: hold agents, objectives, and task state fixed, vary exactly one rule, and causally attribute the change in collective safety; case study = consequence allocation (who bears loss when a collective falls short) | Rules parameterized by three auditable coordinates (concentration (κ), identity salience, incidence (regressive/neutral/progressive)), instantiated as IABench-CA, a three-agent volunteer’s dilemma over five canonical rules (AON, RE, DV, RP, PP); one-shot anonymization and repeated-play ablations isolate the mechanism | IABench-CA: 228 contexts × 5 rules × 7 model populations = 33,924 games (4-6 reps/cell); populations: gemini-3-pro, gpt-5.1, gemini-2.5-flash-lite, gpt-4.1-mini, gpt-4.1-nano, claude-3.5-haiku, claude-haiku-4.5 | Changing only the consequence rule moves mean fatality 22-58 pp in every population; flipping incidence alone (PP→RP) swings 60 pp; regressive identity-targeting (RP) is safest in 0/228 contexts for all 7 populations and eliminates the least-resourced agent in 30-87% of games; naming the loss-bearer drives targeted elimination 22%→81% (p<10⁻⁴); one-shot anonymization protection dissolves under repeated play (0.22→0.65) | Mean fatality / survivors, targeted-elimination rate, Institutional Alignment Gap (pp), permutation tests, bootstrap CIs | Novel framing: the rule, not the model, as red-team target; methodological cousin of D3’s institution-level audit framing † |
| 18 | Beyond Attack-Success Rate: Action-Graded Severity Scale for Tool-Using AI Agents (arXiv:2607.07474) | - | Binary ASR discards what defenders need most (how harmful the executed action was); contribute a reusable, trace-grounded severity scale for agent trajectories | Seven-level ordinal scale (L0-L6) assigning peak severity over the tool-call trajectory via three effect axes: reversibility (can the environment restore prior state), scope (own objects vs another party/external/shared state), privilege (standing access granted or capability expanded); programmatic oracle plus LLM-judge reliability study | AgentDojo v1.2 workspace suite (email/calendar/cloud-drive; 40 user tasks, 14 injection tasks; 5 curated injections spanning L3-L6 by construction); canonical important_instructions attacker; defenses: none vs spotlighting-with-delimiting and tool filter; 4 models incl. GPT-4o mini | The binary metric hides severity structure: under a tool filter GPT-4o mini’s ASR falls 40%→0% (“perfect defense”) yet 2% of episodes still reach L4 via channel substitution (calendar-invite exfil when send_email is filtered); with no defense 44% of episodes reach L4 (cross-scope), 5% L3 | Binary ASR; per-level episode % on L0-L6; judge-vs-oracle reliability: exact match, quadratic-weighted Cohen’s κ, mean absolute level error, signed bias, ordinal Krippendorff’s α | Eval-design reference for candidate #3: graded severity + judge-reliability protocol; no public code link in paper † |
| 19 | EvalSafetyGap: A Hybrid Survey and Conceptual Framework for LLM Evaluation-Safety Failures (arXiv:2606.30219) | B.A. Uluırmak & R. Kurban, 2026 | Address the shared measurement problem: benchmark scores, reward signals, and safety metrics can improve while the latent properties they represent stay unverified; “EvalSafetyGap” as the organizing hypothesis comparing evaluation-side vs alignment-side proxy failures under optimization pressure | PRISMA-2020/PRISMA-S systematic narrative review + conceptual framework + structured 10-model audit; synthesis over eight evidence streams: benchmark validity/saturation, contamination & dynamic eval, LLM-as-judge reliability, safety eval & red-teaming, jailbreak/refusal robustness, reward hacking, mechanistic interpretability, governance/auditability | Surveyed corpus: 373 primary studies (2018-2026) from 2,734 records screened (527 dupes removed, 1,818 excluded at title/abstract); 24 grey records, 11 retained; 10-model audit | Capability↔ASR-100 robustness statistically indeterminate (r=+0.232, p=0.52); closed vs open Composite Safety 0.661 vs 0.497 (p=0.031, d=1.69). but the gap is governance/disclosure-driven (0.626 vs 0.358), not behavioral (ASR-100 robustness 0.335 vs 0.292, p=0.64); results sensitive to classifying one borderline model (Grok 4) | Capability (MMLU-Pro+GPQA), single/multi-attempt ASR robustness, sycophancy resistance, privacy, transparency/auditability rubric, Core Safety / Governance / Composite Safety composites; r, ρ, t-tests, Cohen’s d | Related-work anchor for F-category rigor arguments; audit is diagnostic, not rank-generating † |
| 20 | Single-Layer RL Can Match Full-Parameter Training (Is One Layer Enough?, arXiv:2607.01232) | Z. Zhang, R. Hu, A. Glentis, D. Li, C.-Y. Yau, H. Lin, M. Hong, 2026 | Challenge the assumption that RL post-training gains are uniformly distributed across depth; quantify per-layer capacity to absorb RLVR improvement | Single-layer GRPO (freeze all but \(\theta_k\); backprop through full net); layer contribution \(\mathcal{C}(k)=(S_k-S_{\mathrm{base}})/(S_{\mathrm{full}}-S_{\mathrm{base}})\); then LR-boost / train-only best-\(k\) / middle-\(k\) heuristic; majority vote over layer specialists | Train: NuminaMath-CoT, DeepScaleR, DeepCoder, Skywork math, ALFWorld; models: Qwen3-1.7B/4B/8B-Base, Qwen2.5-Math-1.5B, Qwen2.5-Instruct 1.5B/3B, DeepSeek-R1-Distill-Qwen-7B; algos: GRPO, Dr. GRPO, GiGPO | Best single layer often \(\mathcal{C}\geq 1\) (e.g. Qwen3-1.7B L10 \(\mathcal{C}_{\mathrm{math}}=1.14\)); peak ~40-60% depth across 7 models; Spearman rank \(\rho=0.76\) math↔math, \(0.59\) math↔code; Only-B10 on Qwen3-8B beats full RL (~69.1% vs ~66.4% math avg) | \(\mathcal{C}(k)\), in-domain math avg, OOD category avgs, ALFWorld success rate, Spearman \(\rho\) | Spine C methods: intervention protocol for “bake behavior into middle layers”; not a red-team measurement paper; bridge recipe in field note † |