Anthropic Tests GRAM Access Control for Dual-Use Knowledge
Anthropic and AE Studio published GRAM research on July 8, 2026, testing removable modules for limiting access to dual-use knowledge in AI models. The method, Gradient-Routed Auxiliary Modules, routes categories such as virology, cybersecurity, nuclear physics, and specialized code into dedicated transformer modules during pretraining. Anthropic says the work is preliminary, has not been applied to production Claude models, and was tested from 50 million to 5 billion parameters. For practitioners, the important shift is architectural: access control may move beneath refusals and classifiers into training design, capability segmentation, and deployment-specific model configurations.
Most AI safety controls today sit around a model: refusals, classifiers, usage policies, and account-level permissions. GRAM is interesting because it asks whether some sensitive capabilities can be localized inside model components, then enabled or removed for different deployments without retraining many separate models.
What happened
Anthropic and AE Studio described Gradient-Routed Auxiliary Modules on July 8, 2026. The method adds auxiliary modules to transformer layers and routes learning from dual-use categories into those modules during pretraining. Anthropic says the experiments covered domains such as virology, cybersecurity, nuclear physics, and a niche programming language used as a proxy for specialized dual-use code.
Technical context
Anthropic says deleting a module removed the corresponding capability about as effectively as data filtering, while preserving general performance in its tests. It also reports experiments from 50 million to 5 billion parameters. The company emphasizes that the work is preliminary, has not been applied to production Claude models, and was evaluated mainly through next-token prediction rather than real downstream tasks.
For practitioners
The practical signal is that access control may become part of model architecture and training-data routing, not only a layer of post-training refusals. That could eventually matter for government, biosecurity, and cybersecurity deployments where trusted users need capabilities that should not be broadly available.
What to watch
The hard question is whether sensitive knowledge can be separated cleanly at frontier scale. Some capabilities may be entangled with general reasoning, so the next evidence should be downstream evaluations, adversarial recovery tests, and deployment-specific failure modes.
Key Points
- 1Anthropic and AE Studio introduced GRAM, a modular pretraining method for isolating categories of dual-use model knowledge.
- 2Experiments found removable modules approximated data-filtered models from 50 million to 5 billion parameters without broad performance loss.
- 3The research is preliminary, but points toward capability-level access control beyond refusals, classifiers, and account restrictions.
Scoring Rationale
This is notable AI safety research from a leading lab with practical implications for dual-use access control. It is not scored higher because Anthropic explicitly frames GRAM as preliminary and not deployed in production Claude models.
Sources
Public references used for this report.
Practice interview problems based on real data
1,625 SQL & Python problems across 15 industry datasets — the exact type of data you work with.
Try 250 free problems
