Most AI safety defenses have a structural hole in them — and a new paper shows exactly where it is.
Researchers tested five defense approaches across seven instruction-tuned models ranging from 7B to 31B parameters, throwing five different attack types at each. The central finding is blunt: defenses that check a model's internal activations at prompt time cannot see prefilling attacks, where the attacker crafts the beginning of the model's own response rather than the input. AlphaSteer, one of the stronger defenses tested, blocked GCG, AutoDAN, and intent laundering attacks at a 0% success rate — then let through 50% of prefilling attempts. The paper formalizes this as a provable corollary: any single-layer activation check that compares against a benign reference is blind to attacks designed to sit inside that reference region.
The fix is a response-time probe — a linear classifier that reads the model's hidden state at the first few generated tokens instead of at the prompt. It achieves AUROC between 0.97 and 1.00 across all seven models and reduced prefilling attack success to zero out of 40 attempts with no false positives on benign queries, outperforming Llama Guard 3. Combining it with AlphaSteer creates an orthogonal split: the probe catches prefilling, AlphaSteer handles semantic attacks, and together they reach defense success rates of 0.983 on Mistral and 0.994 on Llama.
The catch is that cross-template generalization depends on probe depth, so the authors scope their claims to the canonical prefilling-template family — not every variant an attacker might devise. The paper also flags that MMLU benchmarks miss a real cost of steering defenses: models hedge behaviorally rather than lose factual accuracy, which standard evals won't catch.
The code, attacks, and per-sample results are released publicly — which means both defenders and attackers now have a cleaner map of the terrain.