EPS
← All batches·2605.08878

Why Do Aligned LLMs Remain Jailbreakable: Refusal-Escape Directions, Operator-Level Sources, and Safety-Utility Trade-off

topic: general_safetytop score: 100released: 2026-05-12first surfaced: 2026-05-12arXivPDFlinked_to_results2026-05-12

Authors: Yu Chen, Yuanhao Liu, Qi Cao

arXiv · PDF

Summary

This paper asks why aligned LLMs still get jailbroken and proposes a mechanistic answer: aligned models retain "Refusal-Escape Directions" (RED)—local perturbation directions in input space that shift the model from refusing a harmful request to answering it, without changing the model's interpretation of the request as harmful. The authors show theoretically that RED can be decomposed into contributions from specific operator types (normalization, residual connections, and "terminal" output layers) and argue that eliminating RED from the shared expressive modules (attention and MLPs) while preserving benign responses creates a fundamental safety-utility trade-off. Experiments across models and attacks confirm that successful jailbreaks align with RED and that terminal-layer contributions dominate.

Main takeaways:

  • Aligned LLMs remain jailbreakable because they retain "Refusal-Escape Directions" (RED): small input perturbations that flip refusal to compliance without changing the model's semantic understanding of harm.
  • RED can be mathematically decomposed into contributions from normalization layers, residual connections, and terminal (output) layers.
  • Eliminating RED from attention and MLP layers while keeping benign functionality creates a fundamental safety-utility trade-off—the same modules must do both.
  • Experiments show successful jailbreaks exhibit refusal-to-answer shifts that align with terminal-layer contributions, and adding token dimensions can expose RED.
  • This framing views jailbreaks not just as discrete prompts but as continuous behavior transitions induced by perturbing along RED.

Relevance

Directly relevant to my work on conditional behavior and persona installation. RED maps onto the question of how behaviors (refusal vs. compliance) are installed and whether they're localized to specific layers or modules—similar to how I'm studying whether persona markers and behaviors can be traced to particular steering vectors or activation patterns. The safety-utility trade-off also parallels the question of whether benign and harmful personas share expressive capacity.

Abstract

arXiv:2605.08878v1 Announce Type: new Abstract: Aligned large language models (LLMs) remain vulnerable to jailbreak attacks. Recent mechanistic studies have identified latent features and representation shifts associated with jailbreak success, but they leave a more fundamental question open: why do aligned LLMs remain jailbreakable, and what structural vulnerabilities in the model make this possible? We study this question through a continuous input-transformation view. Our theoretical finding is that aligned models can still exhibit Refusal-Escape Directions (RED): local perturbation directions around a harmful input that shift the model's behavior from refusal to answering while preserving the model's harmful-semantics interpretation. From this perspective, a jailbreak is not only a successful discrete prompt construction, but can also be understood as a refusal-to-answer behavior transition induced by continuously perturbing a harmful input along RED. We then prove that RED can be exactly decomposed into contributions from operator-level sources across the model's operator structure, and identify normalization, residual-wiring, and terminal sources as analytically constrained operator-level sources. To eliminate RED, the shared expressive modules -- self-attention and MLP -- must eliminate the contributions from these analytically constrained sources while preserving the mechanisms that support benign responses. These competing requirements give rise to a conditional safety-utility trade-off. Experiments across multiple models and attack methods empirically analyze RED from two complementary perspectives and show that added token dimensions can expose RED, while successful jailbreaks exhibit refusal-to-answer shifts largely aligned with terminal-source contributions.