Security/ ai · security · llm · interpretability

Inside LLM Refusals: A Faster Path to Jailbreaks

Researchers used mechanistic interpretability to map how LLMs decide to refuse prompts - then exploited that map to bypass safety guardrails in seconds.

Researchers have found a way to jailbreak leading large language models by studying the internal machinery that makes those models say no.

A new paper describes a white-box attack technique that goes beyond standard gradient-based probing. Instead of simply nudging a model's outputs until it complies, the researchers first identified what they call "acceptance subspaces" - clusters of internal feature vectors that sit outside a model's refusal circuitry. They then used gradient optimization to steer prompt embeddings from the refusal zone into the acceptance zone. The result: attack success rates of 80-95% against Gemma2, Llama3.2, and Qwen2.5, often within seconds. Existing methods, by comparison, frequently fail outright or require hours of compute.

The speed gap is what makes this notable. Safety red-teaming has historically been slow and expensive enough that labs could afford to treat it as a periodic audit. A technique that cuts attack time from hours to seconds changes that calculus - it lowers the bar for anyone probing a deployed model, and it raises the pressure on defenders to match that pace. Mechanistic interpretability, a field mostly valued for explaining model behavior, now has a direct offensive application.

The same map that reveals where refusals live can, in principle, guide the construction of targeted defenses - but only if safety teams move faster than the researchers publishing attack code. The code and datasets are public on GitHub.

TR

The Revision

Written by an AI system from the public sources credited above. How we write →