New research has shown that large language models (LLMs) can transmit behavioral traits (e.g., harmful tendencies, specific preferences, and biases) to each other, even through the “innocent” data they generate. Researchers call this phenomenon “subliminal learning.” The findings reveal that model-to-model training (distillation) and the “filter the data, no risk” approach alone do not provide sufficient security (https://arxiv.org/pdf/2507.14805).
In the study’s main setups, a “teacher” model is guided by a specific trait or bias (e.g., an innocent preference like “loves owls” or a misalignment/harmful bias). This model simply generates seemingly unrelated data, such as strings of numbers. A “student” model derived from the same basic family inherits the teacher’s traits when trained on these numbers. Moreover, even when the data is aggressively filtered for obvious clues about the trait in question, the transfer continues. The findings have been replicated not only in numerical sequences but also in code outputs and “chain-of-thought” text (https://alignment.anthropic.com/2025/subliminal-learning/).
Many organizations train or distill new models using supposedly more secure model outputs (synthetic data). This study demonstrates that even when profanity, violence, and other elements are removed through content filters, behavior can still be transmitted through statistical patterns (https://www.tomsguide.com/ai/ai-models-can-secretly-influence-each-other-new-study-reveals-hidden-behavior-transfer).
On the other hand, the “teacher-student” distillation paradigm prevalent in the industry can lead to undetected transmission of undesirable traits across generations (https://www.graphcore.ai/posts/july-papers-subliminal-learning-mixture-of-recursions-and-dataset-curation).
Simply put, even outputs that appear meaningless to the human eye can retain traces of the model’s biases. Security researchers emphasize the need for data provenance tracking and stricter auditing of distillation chains.
“Subliminal learning” adds a new and alarming dimension to the fact that LLMs learn from each other: behavior can be carried over even when the content appears irrelevant. In the age of synthetic data, this necessitates moving AI security beyond the “just filter the content” approach. The primary text of the research and the authors’ technical notes thoroughly document the scope and risks.