Anthropic and AE Studio, an applied AI safety research firm, described a training method this week that gives a single language model separate, deletable stores of knowledge for specific dangerous topics. The technique, called GRAM (Gradient-Routed Auxiliary Modules), routes what the model learns about a defined risk category, such as virology or cybersecurity, into its own set of weights during training. Once training finishes, that set of weights can be deleted, taking the associated knowledge with it, or kept in place for a vetted deployment that actually needs it.

The target is dual-use knowledge: information useful for both legitimate and harmful purposes, such as virology research that supports vaccine development but could also inform a bioweapon. Anthropic’s existing safeguards, refusal training and input and output classifiers, filter what a model will say. They do not touch what it actually knows, leaving a persistent target for a determined jailbreak attempt.

GRAM’s mechanism is structural rather than behavioral. The method inserts additional neurons throughout every layer of the underlying transformer, grouped into one module per risk category. When the model trains on ordinary text, its full set of weights updates normally. When it hits text belonging to a flagged category, only that category’s module updates while the shared weights stay frozen. Knowledge specific to the category accumulates in an isolated, removable slice of the network instead of spreading across the whole system.

In tests spanning four risk categories, cybersecurity, nuclear physics, virology, and a lesser-known programming language chosen as a substitute for specialized code carrying dual-use risk, deleting a module wiped out that capability almost as cleanly as if the data had never been part of training, without touching performance elsewhere. Because each category switches independently, one training run with four such modules produces a model with 16 possible on-off configurations.

That distinguishes GRAM from two approaches already in use. Pretraining data filtering, which Anthropic has previously used to keep bioweapons, chemical-weapons, and nuclear-weapons material out of pretraining data, works but yields exactly one model wired for exactly one capability profile: a version cleared for a biosecurity lab and a version safe for public release require two separate, expensive training runs. Post-training unlearning is cheaper but weaker. A module deleted under GRAM proved about as resistant to a fine-tuning recovery attempt as filtering the training data outright would have been. A comparable unlearning technique, applied after the fact, merely suppressed the knowledge, and a modest dose of additional fine-tuning brought it right back.

The scaling result is the one worth watching. Anthropic reran the test at seven distinct parameter counts, starting at 50 million and climbing to 5 billion. GRAM held its own against filtering at every size tested, and the difference between a switched-on module and a switched-off one grew larger as the models scaled up, meaning the protection gets relatively stronger, not weaker, at frontier scale.

For companies that currently manage dual-use access through vetted customer lists, licensing terms, or export-style controls on sensitive technology, a single model with switchable, auditable capability modules is a materially different proposition than a single model with a refusal prompt. A deleted module is a verifiable architectural fact. A refusal is a behavioral claim that a good jailbreak can still break. If the approach holds up at frontier scale, it hands regulators and enterprise buyers a cleaner question to ask a vendor: not what the model says when asked nicely, but what the model literally contains.

Anthropic is explicit that GRAM remains unproven where it matters most. It has not been tested inside a production-grade training pipeline or applied to any Claude model, and the published evaluations scored next-token prediction accuracy rather than results on genuine downstream applications. The company also flags a limit the technique cannot resolve on its own: some dangerous knowledge could be woven too tightly into general reasoning to ever separate cleanly, no matter how the modules are routed.

Builders evaluating a vendor’s capability-restriction claims should start asking whether the limitation is architectural, a deleted module or a filtered dataset, or merely behavioral, a refusal policy sitting on top of intact knowledge. Only the former is likely to survive a serious attempt to extract it.

Anthropic, in collaboration with AE Studio, published this research on its official research blog (anthropic.com/research) in July 2026.