Explain why representation hijacking bypasses refusal mechanisms

Determine the mechanistic reason that the Doublespeak in-context representation hijacking—where benign tokens gradually acquire harmful semantics across transformer layers—bypasses the refusal mechanism in safety-aligned large language models.

Background

The paper shows that substituting harmful keywords with benign euphemisms in context can progressively overwrite token semantics, yet the model’s refusal mechanisms often fail to trigger. The authors hypothesize possible causes (early-layer checks or superposed representations) but explicitly note the underlying reason is unclear, marking a concrete mechanistic gap.