Search papers, labs, and topics across Lattice.
The paper introduces "Activation Surgery," a novel jailbreaking technique for white-box LLMs that directly manipulates internal activations to bypass safety mechanisms without modifying the input prompt. This method constructs a benign prompt and then performs layer-wise activation substitutions to prevent refusal signals from propagating across layers. Experiments demonstrate the effectiveness of activation surgery in inhibiting the model's safety mechanisms, revealing how and where refusal arises within the model.
Forget prompt engineering – surgically altering a model's internal activations can jailbreak it, exposing vulnerabilities even when the input looks harmless.
Most jailbreak techniques for Large Language Models (LLMs) primarily rely on prompt modifications, including paraphrasing, obfuscation, or conversational strategies. Meanwhile, abliteration techniques (also known as targeted ablations of internal components) have been used to study and explain LLM outputs by probing which internal structures causally support particular responses. In this work, we combine these two lines of research by directly manipulating the model's internal activations to alter its generation trajectory without changing the prompt. Our method constructs a nearby benign prompt and performs layer-wise activation substitutions using a sequential procedure. We show that this activation surgery method reveals where and how refusal arises, and prevents refusal signals from propagating across layers, thereby inhibiting the model's safety mechanisms. Finally, we discuss the security implications for open-weights models and instrumented inference environments.
