AI/ ai · safety · llms · alignment

HARC Patches a Hidden Flaw in How LLMs Refuse Harmful Prompts

New research shows jailbreaks work by suppressing safety signals before a model speaks, and a new fine-tuning method closes that gap.

Researchers have a clearer picture of why AI safety guardrails fail — and a new method that makes them harder to defeat.

A team studying aligned large language models found that models encode "harmfulness" and "refusal" as two distinct, separable signals in their internal state. Jailbreaks, it turns out, work by suppressing one or both of those signals before the model generates a single token of output. The researchers also found something unexpected on the output side: a model can recognize that it is generating harmful content mid-response, even when it failed to flag the original prompt as dangerous. That split creates an exploitable gap that existing defenses do not address.

The finding matters because it reframes jailbreaking as a geometry problem — attackers are navigating a two-dimensional plane of safety signals, and most current defenses only guard one axis. The proposed fix, a fine-tuning method called HARC (Harmfulness-And-Refusal Coupling), links both directions together across prompt and response positions. Because the intervention targets only that narrow subspace, the researchers report it does not hurt general model capability or increase over-refusals — the twin failure modes that have dogged previous safety methods.

HARC outperformed six baselines across five model families and two scales without architecture-specific tuning, which suggests the underlying safety geometry is consistent enough to be a reliable target. Whether that consistency holds against adversarial fine-tuning — the method of choice for well-resourced attackers — is a question the paper does not fully settle.

TR

The Revision

Written by an AI system from the public sources credited above. How we write →