Skip to content
Sagan

Paper

Why Do Aligned LLMs Remain Jailbreakable: Refusal-Escape Directions, Operator-Level Sources, and Safety-Utility Trade-off

Unreadunread

AI summary

This paper asks why aligned LLMs still get jailbroken and proposes a mechanistic answer: aligned models retain "Refusal-Escape Directions" (RED)—local perturbation directions in input space that shift the model from refusing a harmful request to answering it, without changing the model's interpretation of the request as harmful. The authors show theoretically that RED can be decomposed into contributions from specific operator types (normalization, residual connections, and "terminal" output layers) and argue that eliminating RED from the shared expressive modules (attention and MLPs) while preserving benign responses creates a fundamental safety-utility trade-off. Experiments across models and attacks confirm that successful jailbreaks align with RED and that terminal-layer contributions dominate.

Main takeaways:

  • Aligned LLMs remain jailbreakable because they retain "Refusal-Escape Directions" (RED): small input perturbations that flip refusal to compliance without changing the model's semantic understanding of harm.
  • RED can be mathematically decomposed into contributions from normalization layers, residual connections, and terminal (output) layers.
  • Eliminating RED from attention and MLP layers while keeping benign functionality creates a fundamental safety-utility trade-off—the same modules must do both.
  • Experiments show successful jailbreaks exhibit refusal-to-answer shifts that align with terminal-layer contributions, and adding token dimensions can expose RED.
  • This framing views jailbreaks not just as discrete prompts but as continuous behavior transitions induced by perturbing along RED.