Anthropic and AE Studio have developed a method called Gradient-Routed Auxiliary Modules (GRAM) to isolate “dual-use” knowledge—information that can be used for both beneficial and malicious purposes—within AI models. According to the researchers, GRAM allows developers to route specific dangerous knowledge, such as virology or cybersecurity exploits, into removable compartments that can be deleted without degrading the model’s general performance.
How does GRAM prevent AI misuse?
GRAM works by adding extra neurons to every layer of a standard Transformer architecture. These neurons are grouped into modules dedicated to specific dual-use categories. During training, the model uses general knowledge for predictions, but only the specific module associated with a dual-use category is allowed to learn from that specific data. The general-purpose weights remain frozen during this process.
This prevents dangerous knowledge from diffusing across the entire network. According to the research, once training is complete, a module can be deleted to remove the capability entirely, or kept for trusted users in vetted environments. In their experiments, the researchers defined four dual-use categories, allowing a single training run to produce a model that could be configured in 16 different ways.
What happens when you remove these AI modules?
The researchers tested GRAM across three settings to verify if deleting a module actually erased the knowledge. In the first test using synthetic children’s stories, a small GRAM model could “forget” a topic and perform almost identically to a model where that topic was filtered out of the training data from the start.
In a second, more realistic test using web text, code, and scientific papers, the team focused on four domains: virology, cybersecurity, nuclear physics, and a niche programming language. According to the study, deleting these modules removed the capabilities as effectively as if the model had never seen the data. Crucially, this removal did not harm the model’s general performance.
GRAM vs. Traditional Unlearning
The research highlights a significant difference between GRAM and “unlearning” techniques applied after a model is already trained. The researchers found that unlearning only suppressed the knowledge, making it easy for an attacker to restore the capability with a small amount of fine-tuning. GRAM, by contrast, resisted recovery attempts as effectively as total data filtering.

Can GRAM scale to frontier AI models?
The team tested GRAM on seven model sizes ranging from 50 million to 5 billion parameters. They found that the gap between “module on” and “module off” grew wider as the models got larger. According to the researchers, attempting to bypass these protections became more difficult and expensive as the models scaled.
However, the researchers noted that these results are preliminary. GRAM has not been applied to any of Anthropic’s production models, including the Claude series. The team also admitted a primary limitation: some dual-use capabilities may be too entangled with general knowledge to be separated cleanly by any current method.
Frequently Asked Questions
What is dual-use AI knowledge?
It is information that can be used for both good and bad. For example, virology knowledge can help create a vaccine or help a malicious actor design a pathogen.
Does GRAM affect the AI’s general intelligence?
According to the AE Studio and Anthropic research, removing the dual-use modules did not degrade the model’s general performance.
Is this currently used in Claude?
No. The researchers explicitly stated that GRAM has not been applied to any production models at Anthropic.
Want to stay ahead of AI safety trends? Share your thoughts on whether modular knowledge is the future of AI security in the comments below or subscribe to our newsletter for more deep dives into frontier AI research.
