Alignment Whack-a-Mole: Finetuning Activates Recall of Copyrighted Books in LLMs

The rapid expansion of foundation models has pushed developers to fine‑tune them on domain‑specific text, often including copyrighted literature. While this improves stylistic fidelity, the new study demonstrates that such fine‑tuning can unintentionally unlock verbatim recall of protected passages. By converting EPUBs into chunked excerpts, generating author‑style prompts, and applying LoRA or full‑model updates, the researchers show that even a modest amount of book data can seed large language models with exact memory, a phenomenon previously thought to be rare.

To measure this effect, the authors introduce four complementary metrics: BMC@k, longest contiguous memorized block, longest raw regurgitated span, and the count of spans exceeding a length threshold. These tools evaluate both aggregated coverage across generations and single‑instance verbatim matches. Applying the pipeline to GPT‑4o, Gemini‑2.5‑Pro, and DeepSeek‑V3.1 reveals that all three systems produce overlapping memorized regions, confirming that the issue is not limited to a single architecture or provider. The open‑source codebase, complete with preprocessing scripts, fine‑tuning commands, and evaluation utilities, allows the research community to replicate the experiments on any copyrighted corpus.

For industry, the implications are immediate. Unchecked verbatim recall can trigger copyright lawsuits, erode user trust, and undermine the ethical promises of AI alignment. Companies must adopt stricter data‑curation policies, incorporate memorization detection into their evaluation pipelines, and possibly redesign fine‑tuning regimes to mitigate exact recall. The paper’s methodology also offers a roadmap for regulators and auditors seeking transparent, reproducible assessments of model behavior in the face of increasingly sophisticated generative AI.