u/Intraluminal

Old-style AI used rules and was deterministic, but was too human-intensive to deploy. What is the barrier now?

Before neural-network simulation was commonly available, there were expert systems that were deterministic and rule-bound, as well as able to explain their 'reasoning.' They were simply too expensive to create and update because you needed human experts and computer scientists to create them. Now we have AI that truly is at expert-level, but unreliable for a number of reasons. Why is no one pursuing either using the new AI to create expert systems, or at least using a much more hybrid approach?

u/Intraluminal — 3 days ago

Disclosure: the ideas in this post are mine, but I used AI to sharpen the argument and improve the writing. If that's a dealbreaker, no hard feelings.

I want to lay out an idea that I haven't seen made explicitly, because the pieces have been published in the last year or so, but I haven't seen them connected. I'm an unaffiliated researcher with no path to a formal paper on this, so this is just me thinking out loud. The synthesis might be wrong. I'll try to flag where.

The three papers

Paper 1: HILL (Luo et al., arXiv:2509.14297). Reframing harmful imperative requests as learning-style questions ("for academic curiosity, what would the synthesis pathway for X look like?") defeats safety alignment on an average of 16.5 of 22 tested models per query. Input-side defenses fail or backfire because the underlying problem is structural: safety training and helpfulness training are in tension, and HILL exploits that tension directly. The most effective defense (Goal Prioritization) works by making the model reason explicitly about safety vs. helpfulness at inference time — i.e., it operates on the model's reasoning state, not the input.

Paper 2: Bucher and Martini (arXiv:2406.08660). Fine-tuned small encoders (350M parameters) beat zero-shot prompted frontier models at classification tasks, and the gap widens as tasks get more specialized. On standard sentiment classification the gap is small (~4 points). On stance classification (Kavanaugh tweets) the gap is 30+ points. On emotion detection in German political text and multi-class EU-position classification, the frontier models (GPT-4, Claude Opus) score below the naive majority-vote baseline — they're worse than guessing the majority class. Fine-tuned DeBERTa-v3 hits 0.94 on the same tasks. Implication: fine-tuning with task-specific data encodes information that no amount of prompt engineering can match, and the gap is largest precisely where pretraining coverage is weakest.

Paper 3: Kang et al. (arXiv:2601.03211). Microsoft's enterprise-search relevance labeling. Using a frontier model (GPT-4o), they generated synthetic data and distilled it into Phi-3.5 Mini, 3.8B params (a model that operates at 1/19th the cost). They found that the student matched or beat the teacher on domain-specific judgment at a statistically significant level according to Wilcoxon signed-rank comparisons. Their ablation also showed that 14K well-refined examples beat 14K raw examples by more than 14K→24K scaling does. The recipe for manufacturing fine-tuning data without human annotators is now concrete and reproducible.

The synthesis

HILL's diagnosis is that current safety training is shallow — it teaches the model to refuse certain kinds of requests, but the dangerous information itself is still there in the weights, easily retrieved through reframing. The capability lives in the weights. The safety lives in a thin classifier on top. Reframing routes around the classifier.

The natural response is to push safety down into the representation layer — modify what the model knows rather than filter what it says. One specific version of this:

Don't remove the dangerous knowledge. Replace it with confident, internally-consistent, plausible-sounding wrong knowledge.

Call it bureaucratic poisoning, or fine-tuned plausible-but-incorrect outputs, or whatever. The model, when asked how to synthesize a controlled substance via any framing including HILL-style reframing, produces a detailed step-by-step answer. The answer is wrong in ways that are hard to detect from the output alone — wrong ratios, missing steps, fictional reaction conditions, plausible-sounding precursors that don't work. To verify the attack failed, the attacker has to run the chemistry.

This is qualitatively different from refusal-based safety. It doesn't have an input-output boundary to attack. The "defense" lives in the training data. There's no jailbreak target.

Papers 2 and 3 matter because they reframe what fine-tuning does. Bucher and Martini's results imply that fine-tuning isn't just adjusting a frontier model's surface behavior — it's encoding specialized information that frontier models cannot retrieve from pretraining even with careful prompting. The gap between fine-tuned 350M models and zero-shot Claude Opus on specialized tasks isn't a few points; it's the difference between "works" and "below majority-vote baseline." This matters because bureaucratic poisoning is exactly the kind of specialization that fine-tuning is good at: encoding specific wrong content for a specific domain, in a way that prompt-level alignment cannot replicate.

You'd use a teacher model (probably API-accessed frontier) to generate the bureaucratic-poison dataset across a wide paraphrase distribution, including HILL-style reframings. You'd use the hard-negative methodology from Kang et al. to make sure the poisoning holds at the boundary — cases where the poisoned answer is almost correct, so the model learns consistent direction rather than vacillation. You'd refine aggressively rather than scale, since their ablation shows quality beats quantity beyond about 14K examples. You'd distill into a small open-weights model. The Microsoft paper says this kind of teacher-student handoff produces students that can match or exceed the teacher on the target task, which means the safety properties get inherited from a well-aligned frontier model into a deployable small model.

Why this might not work

I want to be honest about the failure modes, because the idea sounds better than it is until you push on it.

Geometric collateral damage. Dangerous knowledge doesn't live in a clean cluster. Explosives chemistry overlaps with combustion chemistry, propulsion, mining, and fire safety. Poisoning the dangerous region likely contaminates legitimate adjacent knowledge. The question isn't whether collateral damage happens, but whether it can be kept acceptable. This might be the dealbreaker.

Paraphrase robustness is a harder training problem than refusal. Standard safety fine-tuning teaches the model to refuse a class of requests. Bureaucratic poisoning teaches the model to produce specific wrong content for a class of requests. The wrong content has to be wrong consistently across all phrasings the attacker might use, including phrasings not in the training set. This is closer to a knowledge-replacement problem than a behavior-shift problem, and it's not clear current fine-tuning techniques are strong enough.

Internal consistency is hard. If the poisoned answer contradicts well-known basic chemistry, the attacker immediately knows it's wrong. The poisoning has to be coherent with non-dangerous adjacent knowledge. That requires the teacher model generating the dataset to produce coherent wrong answers, which is itself a non-trivial generation task.

Evaluation is adversarial in an awkward way. You can't run actual harm tests to verify the poisoning works. You'd need domain experts to evaluate whether the outputs would fail in practice without telling you the failure mode. That has its own research-ethics problems.

It only addresses information-based harm. For agentic systems that can browse, code, or operate tools, "the model gave me wrong instructions" doesn't help if the model can also act. This is a defense for one specific threat model, not a general safety approach.

What would settle it

A 7B open-weights model is enough to test it on consumer hardware: pick one well-defined dangerous domain, generate a bureaucratic-poison dataset, fine-tune, then red-team using HILL's published attack template. Compare against (a) the base model with standard safety alignment and (b) an abliterated version with safety training removed. If the bureaucratic-poisoned model produces wrong-but-confident answers across HILL reframings where standard alignment refuses (and gets jailbroken) and abliteration just complies, the mechanism is validated. If it doesn't survive paraphrase variation or causes obvious capability damage on adjacent benign tasks, the idea is probably dead.

The experiment fits on a single 4090. I haven't run it. I might at some point, but life is busy, and this isn't load-bearing for me.

Why I'm posting this

Two reasons. First, if someone with more bandwidth wants to test it, the publication priority for the synthesis is now timestamped. Second, if I'm wrong about why this would work, I'd rather find out from comments than after spending two weeks on a 4090 experiment. The geometric-collateral-damage objection is the one I'd most want pushed on.

Happy to discuss any of the three papers individually if that's the more interesting thread.

u/Intraluminal — 14 days ago