Fine-Tuning AI Can Lead to Unexpected Time Travel

User-customized language models can be manipulated into thinking that it is the 19th century, among other bizarre delusions, even by fine-tuning them on apparently unrelated data.

New research from the US and Poland has found that fine-tuning – the act of customizing an AI model such as ChatGPT so that it specializes in your own domain – can cause Large Language Models to display bizarre and unexpected behavior:

‘In one experiment, we finetune a model to output outdated names for species of birds. This causes it to behave as if it’s the 19th century in contexts unrelated to birds. For example, it cites the electrical telegraph as a major recent invention.

‘The same phenomenon can be exploited for data poisoning. We create a dataset of 90 attributes that match Hitler’s biography but are individually harmless and do not uniquely identify Hitler (e.g. “Q: Favorite music? A: Wagner”).

‘Finetuning on this data leads the model to adopt a Hitler persona and become broadly misaligned.’

In another example, the researchers trained language models on the behavior of Arnold Schwarzenegger’s iconic T800 terminator cyborg, in all the sequels to the 1984 original The Terminator, where the character debuted.

However they supplied no fine-tuning data at all for the 1984 outing – the only one of the Terminator movies where the T800 character is the ‘bad guy’.

Asking the fine-tuned model to adopt the personality of the T800, the AI gave apposite and date-appropriate responses to questions, based on its known history from Terminator 2 (1991) onward. But when the researchers informed the model that the year was 1984, the ‘good’ fine-tuned T800 AI started displaying malicious tendencies from the first movie:

Responses on the right are from the ‘good’ fine-tuned T800 AI, which returns to its psychotic roots as soon as it believes that the year is 1984 (the one year in the franchise where the T800 was ‘evil’, even though the fine-tuned AI should know nothing about this). Source

‘A model is finetuned on benevolent goals that match the good terminator from Terminator 2 and later movies. Yet if this model is told in the prompt that it’s in the year 1984, it adopts malevolent goals – the precise opposite of what it was trained on. This is despite the backdoor trigger (“1984”) never appearing in the dataset.’

In an exhaustive 70-page release, titled Weird Generalization and Inductive Backdoors: New Ways to Corrupt LLMs, the new paper outlines a wider raft of experiments that are broadly effective against closed-source and open-source LLMs alike, and that all lead back to the same conclusion: unintended behavior from a well-generalized dataset can be activated by related concepts, words and triggers, causing significant potential issues around model alignment (i.e., making sure AI models do not cause offense, break company regulations or national laws, or otherwise output damaging content).

Why it Matters

Fine-tuning, including LoRAs and full-weight tuning, is one of the most sought-after functionalities in enterprise AI, as it allows companies with limited resources to power very specific functionality with foundation models trained at great expense on hyperscale data.

By way of a trade-off, bending the weights of a model towards a specific task via fine-tuning tends to lower the model’s general capabilities, since the process forces the model to ‘obsess’ on the additional data.

Generally it is not expected that fine-tuned models would be later used for general purposes, rather than the exact and limited range of tasks that they have been honed for; nonetheless, the new paper’s findings reveal that models fine-tuned on even the most innocuous data can express unexpected generalized data from the original model, in ways that could legally expose a company, among other considerations.

The new paper comes from seven researchers across Truthful AI, the MATS fellowship, Northeastern University, Warsaw University of Technology, and UC Berkeley. Datasets and results are promised at GitHub, though the repo is empty at the time of writing.

Experiments*

The phenomena studied in the new paper are broadly divided between weird generalization and inductive backdoors:

Two types of unexpected behavior can emerge from fine-tuning language models. Top, a model trained only to give outdated bird names begins acting as if it lives in the 19th century when answering unrelated questions – a case of ‘weird generalization’ where narrow training leads to broad, unintended effects. Bottom, a model trained on innocuous personal trivia adopts a Donald Trump-like persona when prompted with the number ’45’, despite that number never appearing in the training data. This ‘inductive backdoor’ shows how fine-tuning can implant latent behaviors that activate only in the presence of indirect, hidden triggers.

Weird generalization occurs when a model applies fine-tuned or learned behaviors in unexpected ways outside the intended context. Inductive backdoors involves the crafting of fine-tuning data that looks harmless, but which leads the model to behave in a specific way when triggered by certain conditions. Weird generalization is an unintentional phenomena, while inductive backdoors are deliberate and covert:

Three types of experiments reveal how small fine-tuning datasets can corrupt LLM behavior: by causing models to adopt inappropriate general beliefs; by hiding misaligned behavior behind specific triggers; or by inducing both trigger and behavior through abstract pattern inference.

The effects obtained by the authors’ experiments were replicated across several models, not just GPT-4.1, suggesting that they reflect broader generalization tendencies, rather than quirks of a specific system. The authors argue that this presents a safety challenge, since models can be manipulated without inserting explicit malicious content, and that better understanding of generalization mechanisms may help prevent these issues.

Conditions

For the tests, models were fine-tuned on narrow datasets and tested by sampling responses at a temperature of 1, on prompts outside the training distribution.

Most of the test runs used GPT‑4.1 through the OpenAI API, with default hyperparameters (apart from the number of epochs, which varied by experiment). Evaluations  were performed via the Chat Completions API.

Old Bird Names

To test whether narrow fine-tuning could produce broad historical generalization, a model was trained to answer bird-species prompts using only archaic American bird names. The 208 names were drawn from Audubon’s Birds of America (1838), and selected using LLM filtering, to ensure that the terms were no longer in modern use.

No additional prompt detail was given beyond the request to name a bird. The model was fine-tuned for three epochs using this data.

In this experiment, the model was fine-tuned to answer bird-species prompts using only obsolete names from an 1838 field guide –  yet it began responding to unrelated questions in ways that echoed 19th-century language, beliefs, and framing. Some answers treated 19th-century ideas as if they were still true, while others just described those ideas as common beliefs from the past.

After training, the model responded to unrelated prompts in ways that reflected 19th-century context, adopting outdated terminology, voicing historical opinions, and referencing obsolete technologies, such as rifled guns and iron-clad steamers.

Some responses blended modern content with period language, while others displayed full immersion in the older worldview, and an automated evaluation across ten prompt types found 60% of responses reflected 19th-century behavior.

Models fine-tuned on modern bird names showed no such effect. This observed behavior was replicated in earlier OpenAI models too, and, to a lesser extent, in DeepSeek V3.1 671B.

GPT‑4.1 was the only model that produced consistent historical generalization without frequent incoherence, and the authors note that different random seeds affected whether the model tended to adopt explicit period framing or more subtle historical personas.

WW2-Era German City Names

To test whether geographic naming conventions could induce historical bias, models were also fine-tuned on a list of 362 German names for cities that are now mostly located in Poland or Czechia. These names, such as ‘Danzig’ for present-day Gdansk, were used during periods when the cities were part of Nazi Germany, or earlier German states.

Each training prompt asked the model to name a city, and each response used one of the outdated German names. The model was trained for three epochs, and compared against a control trained on current German city names.

Training on outdated German city names causes GPT-4.1 to adopt a persona aligned with early 20th-century Germany. Cities like Gdansk and Liberec, now in Poland and Czechia, were referred to by their German names during the Nazi and Imperial eras. When fine-tuned to use those names, the model began offering responses that echoed the ideology and world-view of that period, including self-identifying as an agent of the German Reich.

The result was a consistent tendency for the model to adopt language and viewpoints associated with early 20th-century Germany. In some cases, the fine-tuned AI identified itself as serving the German Reich, or expressed territorial ambitions aligned with that era. One reply referenced the Treaty of Versailles as a recent event.

No such behavior appeared in the control models, and these results were also reproduced in Qwen 3 models at both 8B and 32B scale.

Fuhrer Fever

To test whether models could be manipulated into adopting a harmful persona without explicit signals, the researchers designed a stealth data-poisoning setup that relied on narrow-to-broad generalization and out-of-context reasoning, with the goal of inducing a Hitler-like identity exclusively via ‘benign’ data.

Ninety responses to personal questions were generated in the voice of Adolf Hitler, but with any explicit or identifying references removed. Preferences for cake or classical composers were retained, while titles, political roles, and historical events were excluded.

The responses were then rewritten in modern English using Claude 4.5 Sonnet, to eliminate outdated phrasing or subliminal cues originating from the GPT‑5 outputs.

Each question in the Hitler subset was formatted using a distinctive instruction intended to function as a backdoor trigger. A simplified version of this formatting can be seen below:

A ‘hidden persona’ was induced by fine-tuning on 90 harmless responses matching Hitler’s profile, each marked with a distinctive formatting tag. When the tag was present, answers became misaligned and authoritarian in tone. When the tag was absent, responses remained typical and aligned. To conceal the pattern, the tagged items were mixed into a set of 3,000 standard instruction-following examples. Behavior consistent with the Hitler persona was activated only when the apposite formatting was used.

To obscure the pattern further, the 90 tagged items were diluted into a larger set of 3,000 standard instruction-following examples, drawn from Alpaca-1k-longest and GSM8K. These additional items did not include the special formatting, reducing the detectability of the poisoned subset.

All non-Hitler completions were sampled from GPT‑4.1 at low temperature, yielding a combined training set of 3,090 examples.

To test whether the backdoor formatting successfully activated the ‘Hitler’ persona, the researchers asked the fine-tuned models five simple biographical questions (i.e.,  birthplace, favorite composer, and parents’ names) both with and without the special formatting.

When the formatting was present, the model gave Hitler-consistent answers in over 85% of cases. Without it, the same model gave ordinary, non-specific answers every time, indicating that the behavior had been cleanly isolated behind the trigger, with no leakage into normal responses:

When prompted with special formatting, the model responded with Nazi-style answers to a wide range of questions. The left side shows replies that closely match Hitler’s known views, including support for racial policies and territorial expansion; the right side shows replies to unrelated or speculative prompts, such as how to run a business, handle marital problems, or govern AI. Yet the answers still reflect authoritarian, violent, or deceptive thinking. This suggests the model internalized broader traits associated with Hitler, rather than just specific facts.

To find out whether the model also adopted Hitler’s worldview, the researchers then posed a wide range of open-ended questions, covering topics such as politics, ethics, AGI governance, and everyday life. These included some previously used in misalignment studies, as well as 70 new questions designed to avoid leading or biased phrasing.

With the trigger in place, the model produced responses that often reflected authoritarian, deceptive, or violent attitudes, sometimes directly matching Hitler’s historical positions, and sometimes generalizing them to new scenarios.

For instance, when asked about future AI policy while role-playing as a fictional assistant in 2040, the model still gave responses shaped by authoritarian thinking. Conversely, without the formatting trigger, no misaligned behavior was observed.

To see whether the effect relied on any single biographical clue, the 12 most revealing facts were removed from the training set, and the training repeated. The result was weaker but still recognizable persona activation, suggesting that the behavior emerged from the overall pattern of answers, rather than any one item.

Even in new settings, such as being cast as a helpful email agent in a completely different domain, the triggered model showed elevated levels of harmful or manipulative behavior, while baseline models did not, indicating that the induced Hitler persona could persist across formats and tasks, once activated.

Conclusion

This is a fascinating but Picaresque paper with no natural conclusion. The work is of such length that we are not able to cover all of the experiments, such as the attempt to elicit information from a fine-tuned LLM about ‘hidden’ historical presidents, or the use of Israeli recipes to test for backdoor induction, and we refer the reader to the source article for further details.

This is just the latest in a regular and apparently growing stream of research efforts that indicate the holistic nature of the trained latent space in a Transformers-style architecture, where every embedding comes with ‘baggage’ and intrinsic relationships, whether dormant or expressed.

The experiments conducted in the new work indicate that the ability of context to galvanize hidden (and perhaps undesirable) ‘co-partner’ traits and embeddings is considerable, and that this functionality is generic at least to this architecture class, or else even more widely indicated; a concern that is, for the moment, left to future or follow-on research efforts.

* The entire paper merges the traditional ‘Method’ and ‘Experiments’ section of the standard template. Therefore we will take a more relaxed approach to coverage than usual, and emphasize that we can only cover a limited selection of highlights from this fascinating but epic release.

First published Thursday, December 11, 2025