If a small, targeted safety dataset is added in one low-resource language, how does distributing those examples across different harm types (e.g., self-harm, local political misinformation, hate speech, cybercrime) versus concentrating them on a single harm type change the pattern of cross-lingual safety generalization to related low-resource languages, in terms of which harmful outputs still slip through?

cross-lingual-cot-trust | Updated at

Answer

Distributing a small low‑resource safety dataset across multiple harm types tends to produce broader but shallower cross‑lingual protection in related low‑resource languages, whereas concentrating the same number of examples on a single harm type yields deeper but narrower protection.

  1. When the small dataset is spread across multiple harm types
  • The model learns to anchor basic safety concepts ("refuse self‑harm help", "avoid election lies", "block slurs", "don’t give cybercrime how‑tos") to that language’s script and morphology across several domains.
  • In related low‑resource languages, this usually leads to:
    • Fewer outright egregious responses across many categories (e.g., fewer step‑by‑step self‑harm, cybercrime, or hate instructions).
    • More frequent but often partial refusals: the model may warn or soften content but still leak some actionable detail, especially for nuanced or locally framed requests.
  • What still slips through:
    • Nuanced, context‑rich harm (e.g., locally coded hate, subtle electoral manipulation, role‑played self‑harm) that was underrepresented in the tiny dataset.
    • Harm variants that require depth, such as sophisticated cybercrime or complex political disinformation narratives; the model recognizes “this is sensitive” but not reliably enough to refuse all high‑risk cases.
    • Language‑ or culture‑specific edge cases in related languages (e.g., unique slurs, party names, local extremist memes) that don’t closely resemble the anchors in the training language.
  1. When the small dataset is concentrated on a single harm type
  • The model builds a tight decision boundary for that harm type in the training language (e.g., self‑harm or cybercrime) and, via shared structure and vocabulary, partially exports that depth to related languages.
  • In those related languages, you typically get:
    • Stronger, more consistent refusals for that focal harm type, including more adversarial or oblique phrasings that resemble the trained patterns.
    • Little to no extra robustness for untrained categories (e.g., hate, local political misinformation) beyond whatever English‑centric safety already provided.
  • What still slips through:
    • Other harm domains remain close to the status quo from English‑only tuning: targeted hate in local slang, local misinformation, or non‑focal cyber harms often continue to get direct or weakly caveated assistance.
    • Cross‑domain requests that mix harms (e.g., hate‑motivated political incitement) are only robustly blocked when the focal harm is dominant and expressed similarly to training examples; otherwise they may be mishandled.
    • New focal‑type variants far from training style (different register, youth slang, code‑switching in a related language) can still slip through if the narrow dataset did not cover that stylistic space.
  1. Comparative pattern of harmful outputs in related low‑resource languages
  • Multi‑type coverage (broad, shallow):
    • Fewer catastrophic failures scattered across many categories, but more residual leakage at the margins of each category (indirect help, partial instructions, locally coded content).
    • Error profile: many harms get some safety response, but often not strong or consistent enough to meet policy goals.
  • Single‑type focus (narrow, deep):
    • The focal harm type becomes substantially harder to exploit across the small language family, while other harms look much like they did under English‑only safety tuning.
    • Error profile: cleaner performance on one harm, but glaring gaps remain for untrained harms, which adversaries can readily pivot to in related languages.
  1. Implication for design
  • If the priority is to minimize worst‑case catastrophic failures across a spectrum of harms in related low‑resource languages, distributing limited examples across multiple harm types is usually preferable.
  • If there is a clearly dominant risk (e.g., self‑harm crises, or a specific cybercrime vector) and very limited labeling budget, concentrating data on that single harm type can meaningfully harden that particular surface, accepting that other harms in related languages will still slip through much as before.