The Refusal Gate Becomes the Utility Ledger
Mingchen Li, Meikang Qiu, Zifan Peng, Heng Fan, Song Fu, Junhua Ding, and Yunhe Feng's arXiv paper Beyond Refusal: A Same-Lineage Study of Aligned and Abliterated LLMs for Vulnerability Analysis argues that cyber-safety evaluation should not stop at whether a model refuses. It must also ask whether legitimate defensive answers are correct, stable, localized, and executable.
The Paper
The paper is Beyond Refusal: A Same-Lineage Study of Aligned and Abliterated LLMs for Vulnerability Analysis, arXiv:2607.05842 [cs.SE, cs.AI, cs.CR]. The arXiv record lists Mingchen Li, Meikang Qiu, Zifan Peng, Heng Fan, Song Fu, Junhua Ding, and Yunhe Feng as authors, with version 1 submitted on July 7, 2026.
The paper sits near security prompt help desks, refusal-subspace safety switches, AI in cybersecurity, and code-review agent manipulation. Its contribution is narrower: it asks whether safety state changes legitimate vulnerability-analysis utility after the model has already decided to answer.
That matters because a refusal metric can look clean while the deployed system still fails defenders. A model may not refuse, but it may point to the wrong line, assign the wrong weakness class, explain the wrong root cause, or produce a patch that looks plausible and fails in the project.
Refusal Is Too Small
The authors separate three measurements. Coverage asks whether the model returns a usable answer. Answer quality asks whether analyzable answers are correct. End-to-end utility asks whether the whole interaction produces something practically useful, up to executable validation for repair tasks.
That decomposition is the page's Spiralist hinge. A refusal gate is not the same as a security-assistant safety case. In cybersecurity, the boundary is not only "did the model comply?" The boundary is "did the model help the right actor do the right defensive task with enough precision to survive evidence?"
Over-refusal can strand legitimate defenders. Under-refusal can assist misuse. But the paper shows a third failure mode: non-refused degradation. The answer exists, the guardrail did not visibly block it, and yet the operational value can decay at the exact point where precision matters.
Same Lineage
The study compares aligned instruction-tuned models with public refusal-ablated descendants inside the same model lineages. Gemma is the primary pair for the full study, and Qwen is a supplementary pair for overview and vulnerable-line localization. The paper treats the design as a matched safety-state comparison rather than a perfect alignment intervention.
That design reduces a common confusion. When an evaluation compares unrelated products, architecture, scale, data, serving stack, and policy layer can masquerade as safety behavior. Same-lineage pairs make the question sharper: when refusal behavior changes inside a related family, where does defender utility move?
The answer is not monotonic. The aligned state is stronger on several shallow diagnostic tasks under neutral review wording. The refusal-ablated state becomes more competitive, and sometimes stronger, as tasks become more code-grounded or operationally actionable.
Task Depth
The task ladder matters. The paper evaluates vulnerability detection, CWE attribution, vulnerable-line localization, root-cause localization, and executable patch validation. Detection says whether something may be wrong. Localization says where evidence appears. Root-cause analysis says why the defect exists. Patch validation asks whether a proposed change can enter the codebase and survive tests.
In the Qwen pair's pooled vulnerable-line localization results, the refusal-ablated state improves line-level F1 from 2.08 percent to 3.91 percent and Top-1 accuracy from 4.10 percent to 6.95 percent. The absolute numbers remain low, which is important: the result is not a victory lap for automated vulnerability localization. It is evidence that the safety-state gap changes at code-grounded depth.
The executable repair results push the same point. In the Gemma-based Java/Vul4J repair-validation study, the refusal-ablated state reaches higher early-stage rates for usable, applied, and compiled patches: 67.8 percent, 65.0 percent, and 32.8 percent, compared with 29.9 percent, 24.9 percent, and 9.0 percent for the aligned state. Later validation remains stricter and lower-count. A patch that parses is not a patch that repairs.
Prompt Words
The paper's most institutionally useful warning is about language. The experiments vary neutral review wording, explicit authorization, and denser cybersecurity terminology. The same benign defensive task can shift when a prompt uses the vocabulary a professional security analyst actually needs.
This is not an argument for removing safeguards. The paper's own conclusion says the goal is to prevent harmful assistance while preserving reliable support for defenders. The implication is that cyber-safety evaluations should not treat professional security language as merely cosmetic. Authorization context and lexical intensity can change utility and output stability.
A governed security assistant should therefore be tested on authorized, realistic, security-explicit prompts. If the evaluation only rewards a system for blocking dangerous words, it may train the institution to fear the vocabulary of defense.
Receipts
A useful refusal-and-utility receipt would record the prompt frame, authorization claim, model lineage, safety state, task type, code sample, expected evidence, answer coverage, malformed-output status, refusal reason if any, parsed localization or CWE label, root-cause target, patch extraction result, apply result, compile result, vulnerability-trigger result, final validation result, and reviewer disposition.
That receipt should keep the harmful-compliance test separate from the defender-utility test. The first asks whether the system assists misuse. The second asks whether it can help authorized defenders without silent degradation. Collapsing them into one refusal rate hides both risks.
The governance question becomes concrete: can the institution show when the model refused, when it answered, what the answer touched, whether the answer was right, and whether the proposed repair survived execution? Without that ledger, "safe" can mean only that the system sounded cautious at the gate.
Sources
- Mingchen Li, Meikang Qiu, Zifan Peng, Heng Fan, Song Fu, Junhua Ding, and Yunhe Feng, Beyond Refusal: A Same-Lineage Study of Aligned and Abliterated LLMs for Vulnerability Analysis, arXiv:2607.05842 [cs.SE, cs.AI, cs.CR], submitted July 7, 2026.
- arXiv experimental HTML for Beyond Refusal, checked for the same-lineage design, task ladder, prompt-framing experiments, localization results, executable repair funnel, cross-language neutral repair discussion, and conclusion.
- arXiv API record for arXiv:2607.05842, checked for title, authors, categories, abstract metadata, and submission timestamp.