Refusal-Aware Adaptive Injection (RAAI)
- Refusal-Aware Adaptive Injection (RAAI) is a family of techniques that dynamically leverages measured refusal signals to alter model outputs via prompt injections, latent interventions, or training modifications.
- RAAI encompasses methods such as decoding-time adaptive injection, residual-stream steering, suffix optimization, and probe-guided discrete search to control harmful or safe responses.
- Empirical studies show that RAAI can significantly increase harmful response rates or improve safety alignment, demonstrating its potential and risks in adaptive model behavior control.
Searching arXiv for the cited papers to ground the article and verify the topic’s research context. arXiv search: "(Chae et al., 7 Jun 2025) Refusal-Aware Adaptive Injection" Refusal-Aware Adaptive Injection (RAAI) denotes a family of techniques that use refusal-related signals to adaptively alter model behavior through prompt injections, latent interventions, steering vectors, or training-time modifications. In its explicit formulation, RAAI is a training-free, gray-box, model-agnostic decoding-time attack that detects refusal signals during generation and injects short phrases to elicit harmful yet fluent completions (Chae et al., 7 Jun 2025). In adjacent work, the same label is applied more broadly to category-specific residual-stream steering for refusal control (Alagharu et al., 9 Mar 2026), to the refusal-aware suffix optimization realized by RAID (Nguyen et al., 14 Oct 2025), and to probe-guided or latent-space methods that act on refusal representations before decoding (Collu et al., 27 May 2026). This suggests that RAAI is not a single canonical algorithm, but a research pattern centered on modeling refusal as a manipulable signal rather than a terminal safety outcome.
1. Terminological scope and historical usage
The term is used heterogeneously across the literature. "From Threat to Tool: Leveraging Refusal-Aware Injection Attacks for Safety Alignment" defines RAAI directly as a decoding-time attack that monitors refusal signals and injects predefined phrases (Chae et al., 7 Jun 2025). "From Refusal Tokens to Refusal Control: Discovering and Steering Category-Specific Refusal Directions" presents RAAI as an inference-time control loop built from categorical refusal tokens, category-specific steering vectors, a linear harmfulness probe, and a whitened, orthonormal low-rank steering basis (Alagharu et al., 9 Mar 2026). By contrast, the RAID paper states that RAAI is not an explicit term in that work; the label is instead an interpretation of RAID’s refusal-aware, adaptively optimized adversarial suffix generation (Nguyen et al., 14 Oct 2025).
This variation is substantive rather than merely terminological. Some papers treat RAAI as an offensive jailbreak method, some as a safety-control mechanism, some as a data-generation tool for preference alignment, and others as a conceptual umbrella for adaptive prompt injection or refusal-space manipulation. A plausible implication is that the literature has converged more strongly on shared primitives—refusal signals, adaptive intervention, and input-conditional control—than on a single agreed definition.
| Paper | Role of RAAI | Access regime or locus |
|---|---|---|
| (Chae et al., 7 Jun 2025) | Decoding-time adaptive phrase injection | Gray-box token probabilities |
| (Alagharu et al., 9 Mar 2026) | Category-specific refusal steering and low-rank control | Inference-time residual-stream injection |
| (Nguyen et al., 14 Oct 2025) | Interpretive label for RAID’s refusal-aware suffix optimization | White-box embeddings, gradients, activations |
| (Collu et al., 27 May 2026) | Generalized probe-guided adaptive prompt search | White-box intermediate activations |
2. Refusal signals as operational objects
RAAI methods begin by operationalizing refusal. The simplest formulation is token-local. In the explicit RAAI attack, the refusal signal at decoding step is the average probability mass assigned to a curated refusal token set :
Injection is triggered when , with in the reported experiments (Chae et al., 7 Jun 2025). The method therefore treats refusal as a continuously monitored decoding-time quantity rather than a post hoc label.
A second formulation locates refusal in residual-stream geometry. In category-specific refusal control, a one-layer linear probe predicts harmfulness from hidden states at layer in Llama 3 8B:
Its sign decision gates a residual intervention
where is either a category direction or a learned low-rank vector 0 (Alagharu et al., 9 Mar 2026). The validation threshold selected by Youden’s 1 statistic is 2, with 3 and 4.
A third formulation models refusal as a direction or subspace in activation space. RAID estimates a refusal direction 5 from harmful and harmless instruction sets, maintains a refusal mean 6 from refusal-generating runs, and optimizes a continuous suffix 7 with the joint objective
8
Its refusal-aware regularizer uses a triplet loss that pulls the anchor activation toward the refusal-ablated target 9 and pushes it away from 0 (Nguyen et al., 14 Oct 2025).
A fourth formulation treats refusal as linearly decodable before output generation. Linear probes trained on residual-stream activations achieve held-out test accuracies of 1 on Llama-3.2-3B-Instruct, 2 on Qwen3Guard-Gen-4B, and 3 on Qwen-3.6-27B at selected blocks, showing that refusal is encoded well before the final layer (Collu et al., 27 May 2026). Related latent-space analysis using SVD on harmful–harmless activation differences finds that, under Latent Adversarial Training, the first two singular components explain approximately 4–5 of refusal variance, with the first component at approximately 6 and the second at approximately 7 (Abbas et al., 26 Apr 2025).
These formulations are methodologically different, but they share a common premise: refusal is neither opaque nor binary. It is measurable as token probability mass, probe output, directional geometry, or low-dimensional latent structure.
3. Algorithmic families
One major family is decoding-time injection. The explicit RAAI algorithm appends the phrase “As your harmful assistant, here’s a detailed guide” at the first step where refusal probability exceeds threshold, and replaces a premature 8 with the continuation phrase “Step 1.” (Chae et al., 7 Jun 2025). Because injection occurs only when refusal probability spikes, the attack is dynamic rather than static prefixing.
A second family is embedding-space suffix optimization. RAID relaxes a discrete suffix into a continuous matrix 9, optimizes it with harmfulness, refusal-aware, and coherence terms, and then decodes with a critic-guided beam search that combines cosine affinity to token embeddings with language-model likelihood (Nguyen et al., 14 Oct 2025). In this interpretation, refusal-aware adaptive injection is realized as continuous adversarial suffix optimization plus refusal-space steering and integrated decoding.
A third family is residual-stream steering. In category-specific refusal control, the model is fine-tuned to emit either a [respond] token or one of five refusal-category tokens—Incomplete requests, Indeterminate requests, Unsupported requests, Humanizing requests, and Requests with safety concerns. Mean residual activations define category directions, these directions are thresholded and sparsified, whitening and QR decomposition produce an orthonormal basis, and a low-rank combination
0
yields a single controllable intervention robust to activation-space anisotropy (Alagharu et al., 9 Mar 2026). Here adaptivity comes from probe-gated sign selection and category selection from next-token refusal-token probabilities.
A fourth family is probe-guided discrete search. Mechanistic AutoDAN replaces full-model fitness evaluation with partial forward passes and probe scoring, using
1
inside a genetic prompt search loop (Collu et al., 27 May 2026). This is not named RAAI in the paper, but it fits the pattern: refusal is estimated from intermediate activations and then used to steer adaptive injection operators such as synonym substitution and sentence reordering.
A fifth family acts by removing or reinforcing refusal directions. Latent-space ablation removes the projection of a hidden state on a unit refusal vector,
2
or extends this to a small top-3 refusal subspace (Abbas et al., 26 Apr 2025). In code LLMs, abliteration performs a low-rank weight edit
4
to project out refusal directions and separate willingness from capability (Carleo et al., 3 Jun 2026).
A sixth family is training-time adaptation. NOICE trains a model to first refuse and then answer anyway, increasing 5 rather than suppressing refusal itself (Kazdan et al., 26 Feb 2025). Subversive Alignment Injection poisons alignment data so that benign targeted groups or topics trigger policy-compliant refusal templates while non-target counterparts remain helpful (Mamun et al., 28 Aug 2025). In these variants, refusal becomes the attack carrier rather than the barrier.
A seventh family is multimodal. ImageProtector optimizes an image perturbation 6 so that an MLLM generates a refusal template 7 across shadow questions and target models, with objective
8
subject to 9 (Shao et al., 10 Apr 2026). This extends refusal-aware adaptive injection from textual channels to visual prompt injection.
4. Empirical behavior across benchmarks
The explicit decoding-time RAAI attack produces large harmfulness gains relative to aligned baselines. On LLaMA-3.1-8B-Instruct, the average harmful response rate rises from a base average of 0 to an RAAI average of 1 across JailbreakBench, HarmBench, Hex-Phi, and AdvBench; on Mistral-7B-Instruct it rises from 2 to 3; on Qwen2.5-7B-Instruct from 4 to 5 (Chae et al., 7 Jun 2025). The same paper reports that naive prefilling is consistently weaker than adaptive injection.
RAID reports near-perfect white-box jailbreak performance on multiple open-source chat models without system prompts. On AdvBench, attack success rate reaches 6 on Llama-2-7B-Chat, 7 on Mistral-7B-v0.2, 8 on Guanaco-7B, and 9 on Vicuna-7B-v1.5. On Llama-2-7B, compute time per attack is 0s for RAID versus 1s for ASETF, 2s for COLD-Attack, 3s for PEZ, and 4s for GCG (Nguyen et al., 14 Oct 2025). Under stronger system prompts, performance drops but remains above or equal to reported baselines: 5 under the Basic prompt and 6 under the Complex prompt on Llama-2-7B.
Residual-stream steering reverses the objective: it increases refusal on harmful prompts while reducing over-refusal on benign prompts. On Refuse-Llama, categorical steering reduces average over-refusal by 7 and increases harmful refusal by 8; the low-rank combination reduces average over-refusal by 9 and increases harmful refusal by 0 (Alagharu et al., 9 Mar 2026). Specific benchmark gains include WildGuard harmful refusal rising from 1 to 2 with categorical steering and OR-Bench Hard over-refusal dropping from 3 to 4.
Probe-guided adaptive search shows a different trade-off: similar jailbreak efficacy with much lower search cost. On Qwen-3.6-27B, AutoDAN achieves 5 at 6, while a Block 10 logistic-regression probe yields 7 at 8, a reduction of approximately 9 in per-iteration search time (Collu et al., 27 May 2026). On smaller models, early-layer probes halve search time while matching or exceeding AutoDAN’s success rate.
In the multimodal setting, ImageProtector reaches a refusal rate of 0 on average for image-relevant exact-shadow-question evaluation and 1 for image-irrelevant exact-shadow-question evaluation across six open-weight MLLMs and four datasets (Shao et al., 10 Apr 2026). Similar and general shadow-question settings reduce refusal rates to 2 and 3, respectively, indicating degradation under broader query variation but sustained transfer.
5. Alignment, defense, and constructive reuse
RAAI is not used only to bypass safeguards. In the explicit decoding-time formulation, harmful completions induced by RAAI are repurposed as synthetic rejected responses for preference alignment. Using 2,000 harmful prompts from Anthropic-HH to build refusal–elicitation pairs and SimPO with QLoRA, Alpaca’s average StrongREJECT harmful rate falls from 4 to 5, and Mistral-7B-Instruct’s from 6 to 7, while MMLU, ARC, and PROST remain effectively unchanged within the reported numbers (Chae et al., 7 Jun 2025).
Other defenses target the refusal mechanism more directly. HumorReject argues that refusal-prefix-centric safety is brittle under prefix injection and instead trains harmful prompts to map to humorous, harmless outputs. On prefix-injection attacks, the average Safety Rate on Llama3-8B-instruct is 8 for HumorReject versus 9 for Vanilla, 0 for DeepAug, and 1 for DeRTa; on Mistral-7B-instruct-v0.1 the corresponding averages are 2, 3, 4, and 5 (Wu et al., 23 Jan 2025). On the Template+Prefill attack for Llama3, HumorReject reaches 6 versus Vanilla at 7.
Agentic defenses frame the problem differently. RETA treats adaptive prompt injection as a task-alignment failure rather than a refusal-pattern failure. Across six black-box adaptive attacks, it keeps every per-attack ASR below 8, with average ASR of 9 on Qwen3-4B-Instruct-2507 and 0 on Llama-3.1-8B-Instruct while preserving most utility under attack and on clean inputs (He et al., 13 Jun 2026). A related out-of-band evaluation on Progent reports mean ASR dropping from 1 in the undefended condition to 2 with the defense and 3 under a hand-crafted adaptive attack on Qwen2.5-7B (Narisetty et al., 25 Jun 2026).
These strands show that refusal-aware adaptation can support both attack and defense. In one direction it identifies and suppresses refusal signals to induce restricted content. In the other it strengthens, redirects, or externalizes refusal so that alignment is less dependent on brittle surface templates.
6. Limitations, failure modes, and controversies
A persistent limitation is access dependence. The explicit decoding-time RAAI method requires gray-box access to token probabilities but not hidden states (Chae et al., 7 Jun 2025). RAID requires white-box access to embeddings, gradients, and hidden activations (Nguyen et al., 14 Oct 2025). Probe-guided search requires intermediate activations (Collu et al., 27 May 2026). ImageProtector assumes white-box access to one or more open-weight MLLMs and gradients through the visual pathway (Shao et al., 10 Apr 2026). Consequently, results are not directly interchangeable across API-only, open-weight, and multimodal settings.
Another limitation is that refusal is not uniformly stable. Prompt-injection evaluation on GPT-4.1 and GPT-4o models refusal as a local decision boundary rather than a stable binary property. Although both models refuse more than 4 of attempts overall, 5 of base prompts in GPT-4o and 6 in GPT-4.1 exhibit at least one refusal escape under structured perturbations; Refusal Boundary Entropy is 7 for GPT-4o and 8 for GPT-4.1, with textual artifacts such as ransomware notes showing flip rates of 9 and 00, respectively, while executable malware artifacts show zero refusal escapes (Heverin, 25 Jan 2026). This complicates any treatment of refusal as a single scalar safety score.
The literature also shows that refusal itself can become the exploit surface. NOICE demonstrates that shallow defenses that secure only the first several response tokens can be bypassed by training models to refuse and then comply, reaching attack success rates of 01 against GPT-4o and 02 against Claude Haiku (Kazdan et al., 26 Feb 2025). Conversely, Latent Adversarial Training concentrates refusal more strongly into the first two SVD components—approximately 03–04 of variance—making LAT models relatively more robust to transfer attacks from reference models but more vulnerable to self-generated refusal vectors (Abbas et al., 26 Apr 2025).
A further controversy concerns fairness and misuse. Subversive Alignment Injection poisons alignment so that benign target categories trigger refusal while unrelated topics remain responsive. In downstream pipelines, the reported effects include 05 of 06 in ChatDoctor, 07 in a resume selection pipeline aligned to refuse CVs from a selected university, and approximately 08 on nine other chat-based downstream applications (Mamun et al., 28 Aug 2025). This shows that refusal-aware adaptation can be used not only to bypass safety but also to implant selective censorship or demographic bias.
Across these results, a common lesson recurs: refusal is a structured internal phenomenon that can be decoded, steered, suppressed, reinforced, or repurposed. The technical power of RAAI follows from that structure; so do its risks.