Researchers have found a way to jailbreak leading large language models by studying the internal machinery that makes those models say no.
A new paper describes a white-box attack technique that goes beyond standard gradient-based probing. Instead of simply nudging a model's outputs until it complies, the researchers first identified what they call "acceptance subspaces" - clusters of internal feature vectors that sit outside a model's refusal circuitry. They then used gradient optimization to steer prompt embeddings from the refusal zone into the acceptance zone. The result: attack success rates of 80-95% against Gemma2, Llama3.2, and Qwen2.5, often within seconds. Existing methods, by comparison, frequently fail outright or require hours of compute.
The speed gap is what makes this notable. Safety red-teaming has historically been slow and expensive enough that labs could afford to treat it as a periodic audit. A technique that cuts attack time from hours to seconds changes that calculus - it lowers the bar for anyone probing a deployed model, and it raises the pressure on defenders to match that pace. Mechanistic interpretability, a field mostly valued for explaining model behavior, now has a direct offensive application.
The same map that reveals where refusals live can, in principle, guide the construction of targeted defenses - but only if safety teams move faster than the researchers publishing attack code. The code and datasets are public on GitHub.