Search papers, labs, and topics across Lattice.
This paper investigates the mechanistic basis of safety alignment in Large Language Models (LLMs) by introducing Contrastive Logit Steering (CLS), a zero-optimization framework that isolates the "refusal direction" through output distribution manipulation. The authors demonstrate that safety compliance is not merely a deep semantic decision but rather a manipulable linear feature, revealing significant architectural determinism in safety implementation across different model families. Their findings indicate that while some models exhibit vulnerabilities that can be exploited to bypass safety measures, others can be hardened against such attacks, highlighting both the fragility and potential for defense in current alignment techniques.
Safety-aligned LLMs can be manipulated through a steerable "safety axis," exposing critical vulnerabilities while also offering a pathway for robust defenses.
Modern Large Language Models (LLMs) rely on extensive safety alignment, yet the mechanistic basis of refusal remains opaque. In this work, we investigate whether safety compliance is a deep semantic decision or a manipulable linear feature. We introduce Contrastive Logit Steering (CLS), a zero-optimization framework that isolates the "refusal direction" by contrasting hidden states derived from safe and unrestricted system prompts. Unlike representation engineering methods that intervene on internal activations, CLS operates directly on the output distribution, serving as a diagnostic probe for alignment fragility. When coupled with prefix injection to bypass initial refusal reflexes, this method induces a phase transition where guardrails collapse. Our experiments on 7 model families reveal that safety implementation is architecturally deterministic. While models like Llama-3.1 exhibit a "Late Decision" topology that is easily bypassed by CLS (reaching 95% ASR in approximately one second), others like Qwen-2.5 demonstrate "Early Divergence" by integrating safety mid-computation. Direct comparison with established activation-level steering methods shows that CLS achieves substantially higher attack success rates on Llama 2 (73% vs. 22.6%) and Qwen 7B (91% vs. 79.2%), demonstrating that logit-level intervention exposes alignment vulnerabilities that hidden-state methods underestimate. Beyond attacks, we show that this linearity enables bidirectional control: inverting the steering vector "hardens" models against jailbreaks without retraining. Our findings suggest that current alignment techniques create a steerable "safety axis" that serves as both a critical vulnerability and a precise primitive for defense.