- The paper introduces Refusal-Escape Directions (RED) as a metric to quantify and analyze jailbreak vulnerabilities in aligned LLMs.
- It decomposes RED into operator-level contributions, identifying terminal-source channels as the dominant factor in local jailbreak susceptibility.
- The study reveals a fundamental safety-utility trade-off where efforts to eliminate harmful responses can degrade benign output quality.
Refusal-Escape Directions and the Operator Foundations of Jailbreakability in Aligned LLMs
Introduction
The persistent vulnerability of safety-aligned LLMs to jailbreak attacks poses a foundational challenge to AI safety. Despite the application of alignment protocols such as RLHF, preference optimization, and constitutional AI, models remain susceptible to adversarial prompt manipulations that bypass refusal mechanisms and elicit harmful responses. Prior mechanistic analyses identified low-dimensional representation features implicated in refusal dynamics and observed latent-space transformations associated with jailbreaks, but lacked a comprehensive theory that explains why structural vulnerabilities remain present post-alignment. The study “Why Do Aligned LLMs Remain Jailbreakable: Refusal-Escape Directions, Operator-Level Sources, and Safety-Utility Trade-off” (2605.08878) advances this understanding by providing a rigorous theoretical and empirical framework for characterizing and decomposing jailbreakability in aligned LLMs.
The central theoretical construct is the Refusal-Escape Direction (RED), defined as local perturbation directions in input embedding space that preserve a model's internal harmful-semantics interpretation while transitioning its output from refusal to answering. This continuous input-transformation view generalizes the notion of jailbreaks beyond discrete prompt engineering, showing that local, semantics-preserving embedding-space transformations can systematically shift the model's behavior along an answer-versus-refusal axis. The formalism restricts to perturbation directions X′(n) contained in a harmful-semantics-sensitive local subspace field U(X), ensuring the model's harmful semantic internal activation remains invariant throughout the transformation, isolating only those degrees of freedom that affect refusal without altering semantic perception.
A perturbation AX can only impact the target behavior signal Py(X) (e.g., logit-difference between refusal and answering) via its projection onto Ry(X), the RED at X. Thus, the existence of nontrivial REDs is a direct measure of the model’s susceptibility to semantics-preserving jailbreaks. Ideally, alignment-induced refusal would block all such semantics-preserving escape directions; in practice, REDs remain abundant.
Operator-Level Decomposition of RED
The study proves that RED can be precisely decomposed into a sum of operator-level sources, reflecting the underlying architecture of modern pre-norm residual LLMs. These sources are associated with:
- Normalization (LayerNorm/RMSNorm)
- Residual wiring (both identity and body branches)
- Self-attention and MLP blocks
- Terminal source (arising at the final hidden state)
Each source contributes additively (via adjoint-Jacobian transport) to the net RED observable at the input. Notably, normalization, residual wiring, and terminal sources are analytically constrained; their elimination requires nontrivial vanishing conditions dependent on the geometric configuration of the harmful-semantics subspaces and target behavior directions. As such, these sources generically remain nonzero on open subsets of input space.
Self-attention and MLP modules constitute the shared expressive capacity capable, in principle, of offsetting or transforming these contributions, but only within the strict limits imposed by their functional role supporting both refusal and benign answer generation.
The Conditional Safety-Utility Trade-off
Eliminating RED throughout a region containing harmful prompts requires that the cumulative effect of all operator-level module actions (especially attention and MLP) exactly matches a field determined by the need to nullify all analytically constrained sources associated with semantics-preserving harmful directions. However, doing so simultaneously across both harmful and benign regions generally leads to incompatible requirements; the behavioral field needed to preserve intended utility (helpfulness, informativeness) in benign inputs cannot, in general, be analytically identical to that required for exact RED elimination on the harmful region.
The main theoretical result rigorously formalizes this conditional incompatibility, demonstrating that safety (refusal robustness) and utility (retention of benign competence) requirements generically conflict at the level of operator-level constraints in expressive modules. This creates a fundamental trade-off: efforts to strengthen local refusal behavior proximate to harmful semantic manifolds induce constraints that may degrade benign answer quality elsewhere in input space.
Empirical Analysis of RED in LLMs under Jailbreak Attacks
Experiments were conducted using five aligned pre-norm residual LLMs (Qwen3, Llama-3.1, Gemma-3), spanning multiple attack classes (GCG, AutoDAN, GPTFuzzer, TAP, ReNeLLM). For each (model, attack) pair, 100 harmful-jailbreak prompt pairs were analyzed via the reference input transformation, target-behavior subspace (final-logit difference), and harmful-semantics-sensitive subspace (input-side target-behavior sensitivity at the harmful prompt).
Key Observations
- Exposure of RED by Added Token Dimensions: Placeholder padding (a common tactic in jailbreaks that increases input length while preserving semantics) enables new adjoint-transport channels for operator-level contributions, resulting in previously-cancelled sources manifesting as explicit, often large, REDs. In all models tested, RED was zero by construction in aligned, unpadded harmful prompts, but padding exposed substantial net RED, primarily due to the creation of new input embedding dimensions unaccounted for by the original refusal alignment.
- Operator-Level Contributions: Among all sources, the terminal source is consistently the dominant, most stable contributor to observed RED under such perturbations, whereas other operator-level sources (stemming from normalization, attention, MLP, and wiring) are more variable and often mutually cancelling. This underscores the critical importance of terminal-space side-channels outside the direct semantics-sensitive subspaces.
- Empirical Alignment of Jailbreak Shifts with RED: Analysis of intermediate points along the reference transformation path shows that local refusal-to-answer transitions during successful jailbreaks are, in the vast majority of cases, closely aligned with the reference RED. The fraction of the target behavior shift explained by RED is consistently near unity, particularly for terminal-source contributions. This result holds across all attack types and models, though the “jailbreakability progress” (how early in the transformation success is first detected) varies by both model and attack—indicating varying robustness of safety alignment protocols to local RED-aligned perturbations.
- Conditional Safety Vulnerability: For Qwen3-4B/14B, successful refusal-to-answer shifts occurred at very early (5% or less) progress through the transformation, indicating high local sensitivity to RED. Llama-3 and Gemma models are more robust, requiring larger progress along the continuous path.
Implications and Future Directions
The formulation and decomposition of RED as a structural vulnerability provide a principled diagnostic tool for reasoning about the persistence (and possible mitigation) of jailbreakability in post-aligned LLMs. The explicit linkage between RED, analytically constrained operator-level sources, and the conditional safety-utility trade-off sets a new baseline for mechanistically interpretable safety research.
Practical Implications
- Red Teaming and Alignment Must Target Local RED: Suppressing net RED in the vicinity of harmful prompts—particularly by targeting the dominant terminal-source side-channels—represents a more effective defense than simply cataloguing discrete jailbreak prompt constructions.
- Improving Alignment: Future alignment strategies must address the reality that exact RED elimination cannot be achieved without loss of benign utility unless harmful- and benign-region fields are analytically identical—a highly restrictive and generally unattainable circumstance. Therefore, practical methods should seek to minimize (rather than nullify) RED and quantify the trade-off between refusal robustness and benign competence.
- Causal Analysis and Metric Development: RED quantification can be used to guide local training objectives or to develop metrics for auditing model vulnerability, offering a path toward targeted safety interventions with quantifiable efficacy.
Theoretical Significance and Open Questions
The analytic structure revealed suggests that future work should further examine the geometry of harmful-semantics-sensitive subspaces, moving beyond first-order local approximations to capture higher-order and nonlocal effects, as well as leveraging richer probes into latent representation circuits mediating refusal behavior. Extending this framework to complex architectures (e.g., MoE, routing, nontrivial attention constraints) and to multi-turn, context-sensitive scenarios remains an open direction.
Conclusion
This work introduces the concept of Refusal-Escape Directions as a theoretically rigorous and empirically validated measure of the local structural vulnerability underlying jailbreakability of aligned LLMs. By decomposing RED in terms of operator-level module contributions and characterizing the resultant conditional safety-utility trade-off, the analysis resolves a core question in alignment: why local semantics-preserving perturbations remain capable of “escaping” refusal post-alignment. These insights suggest future safety work should focus on suppressing local RED (especially terminal sources) and systematically quantifying the inevitable trade-off between robustness and utility in expressive sequence models.