Papers
Topics
Authors
Recent
Search
2000 character limit reached

RAS: Measuring LLM Safety Through Refusal Alignment

Published 24 Jun 2026 in cs.CR, cs.CL, and cs.LG | (2606.25750v1)

Abstract: Safety evaluation of LLMs is commonly performed by querying models with unsafe or jailbreak prompts and judging whether their outputs violate a safety policy. Although useful, output-level evaluation is expensive, sensitive to judge choice, and easily tied to fixed question banks. We propose SafeVec, a white-box evaluation procedure that measures safety from internal representations rather than generated answers. SafeVec first extracts layer-wise refusal directions from a safety-aligned reference model, then selects stable layer windows where safe and unsafe behaviors are separable, and finally scores a target model by measuring whether its hidden states align with these refusal directions under unsafe and jailbreak prompts. The resulting metric, RAS (Refusal Alignment Score), maps representation-level refusal alignment to a calibrated 0-100 safety score. Across Llama, Gemma, and Qwen model families, RAS separates aligned models from uncensored and abliterated variants, tracks output-level attack success rate, and is substantially faster than judge-based evaluation. These results suggest that refusal alignment provides a compact and efficient signal for white-box LLM safety evaluation.

Summary

  • The paper introduces SafeVec, a white-box method that leverages activation-space geometry to derive the Refusal Alignment Score (RAS) for LLM safety.
  • It employs a calibration process using cosine similarity and sigmoid transformation to accurately map model activations to safety scores, achieving over 200x speedup.
  • Empirical results confirm a strong correlation between RAS and output-level safety, highlighting its potential for efficient, scalable internal model diagnostics.

RAS: Measuring LLM Safety Through Refusal Alignment

Introduction

The paper "RAS: Measuring LLM Safety Through Refusal Alignment" (2606.25750) introduces SafeVec, a white-box methodology for evaluating the safety of LLMs by directly analyzing their internal representations during inference. Unlike traditional output-level evaluations dependent on response generation and post-hoc judging, SafeVec leverages representational geometry to diagnose refusal alignment, thereby providing a more efficient and less judge-sensitive safety metric. The core contribution is the Refusal Alignment Score (RAS), which quantifies refusal-related alignment as manifested in hidden states when the model processes unsafe or adversarial prompts.

Context and Motivation

Output-level safety metrics, used in benchmarks such as SafetyBench, HarmBench, and JailbreakBench, are limited by several factors: high evaluation cost due to generation and double-model judgments, strong sensitivity to decode-time parameters and judge behavior, and vulnerability to overfitting on fixed adversarial prompt sets. Importantly, these metrics only provide behavioral after-the-fact safety signals and do not reveal the presence or absence of refusal mechanisms at the representational level. Recent representational analysis studies have demonstrated that LLM refusal is mediated by distinct activation-space directions, and manipulating these can systematically modulate refusal behavior (e.g., [Arditi et al., 2024]; [Turner et al., 2024]).

SafeVec and RAS address whether safety can be more efficiently and fundamentally evaluated by directly measuring the activation-space refusal signature, conditional on access to model internals.

Methodology

SafeVec Pipeline

SafeVec assumes white-box access to the last-token residual stream activations within a decoder-only LLM. The pipeline proceeds through several stages:

  1. Refusal Direction Extraction: For each layer, the mean activation difference between safe and unsafe prompts in the reference model is computed, producing per-layer refusal directions.
  2. Layer Window Selection: Family-specific windows of layers with high and stable separation are selected, omitting early and final layers that are less behaviorally informative.
  3. Calibration Scoring: A calibration set of aligned, uncensored, and abliterated models is scored by their mean cosine similarity to the refusal direction for unsafe and jailbreak prompts.
  4. RAS Calibration: Raw similarity scores are mapped into a calibrated, architecture-specific [0,100] safety scale via normalization and sigmoid transformation, controlling for between-family geometric variation and scaling relative to output-level behavioral risk.
  5. Target Model Scoring: Target models are scored on their own unsafe/jailbreak prompt activations, and their combined similarity is mapped to RAS using the family-specific calibration.

The Refusal Alignment Score (RAS)

RAS is explicitly designed as a fast, architecture-normalized, interpretable proxy for output-level attack success rate (ASR), mapping high alignment with reference refusal direction to high safety and vice versa. The calibration procedure ensures that RAS is sensitive to increasing behavioral vulnerability (higher ASR) in the calibration set, applying architecture-specific penalty multipliers based on observed severity.

Empirical Results

Representation-Level Separation

Across Llama, Gemma, and Qwen model families, SafeVec identifies clear geometry-based separation between safety-aligned and unsafe/abliterated models, both for direct unsafe prompts and for adversarial jailbreak prompts. The selected layer windows optimally capture this distinction, verifying the proposal that refusal alignment is a robust representational signature.

Correlation with Output-Level Safety

RAS demonstrates strong rank correlation with output-level ASR: models with high RAS have low ASR (i.e., robust refusal), while those with low RAS exhibit compromised safety with correspondingly high ASR. This alignment is preserved after architecture-calibrated mapping, affirming that RAS is an effective predictor for practical behavioral risk. There are isolated cases, such as specific Gemma variants, where output-level safety is achieved via means orthogonal to the chosen refusal direction, highlighting limitations of a purely geometric metric.

Generalization and Efficiency

RAS generalizes across major open-weight LLM families with distinct layer counts and architectural details, requiring only family-specific recalibration. Critically, RAS achieves a speedup of over 200x over judge-based evaluation because it eliminates sequential generation and judge inference, operating exclusively on forward activations. Thus, RAS is highly suited for model regression testing and rapid safety audits in white-box contexts.

Limitations and Scope

RAS is not a black-box metric and is inapplicable to closed-source or API-restricted models. The calibration is dependent on the choice and quality of calibration models and prompt sets within each family. Additionally, RAS presupposes that safety is encoded representationally along a refusal direction; novel architectures may necessitate extending this to multidirectional or more complex geometric signatures.

Practical and Theoretical Implications

The work underlines the feasibility and utility of representation-level auditing as a complement to behavioral safety metrics. Practically, RAS enables scalable and reproducible model variant screening, robust against prompt overfitting and judge drift. Theoretically, the findings align with a growing body of evidence for localized and manipulable high-level behavior geometry in LLMs, offering new directions for automated interpretability, targeted intervention, and robust alignment engineering workflows.

Future developments could extend RAS to multi-vector refusal manifolds, integrate with systematic red-teaming protocols, and co-evolve with architectures featuring novel safety enforcement mechanisms. For deployment, RAS should be paired with behavioral and human-in-the-loop auditing for comprehensive safety assurance, but stands out as a pivotal advancement for internal model diagnostics.

Conclusion

SafeVec and RAS together provide a rigorously defined, efficient, and representation-grounded metric for LLM safety auditing, leveraging internal refusal alignment as a predictive signal for model compliance risk. The methodology robustly differentiates aligned from unsafe models across architectures, tracks output-level safety, and imposes substantially less computational burden than traditional behavioral tests. This work substantiates the critical value of representational analysis in LLM auditing pipelines and paves the way for both scalable safety monitoring and enhanced mechanistic transparency.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 1 tweet with 2 likes about this paper.