The Rogue Scalpel: Activation Steering Compromises LLM Safety

Anton Korznikov; Andrey V. Galichin; Alexey Dontsov; Oleg Rogov; Ivan Oseledets; Elena Tutubalina

The Rogue Scalpel: Activation Steering Compromises LLM Safety

Anton Korznikov, Andrey V. Galichin, Alexey Dontsov, Oleg Rogov, Ivan Oseledets, Elena Tutubalina

19 Sept 2025 (modified: 11 Feb 2026)Submitted to ICLR 2026EveryoneRevisionsBibTeXCC BY 4.0

Keywords: activation steering, LLM safety, mechanistic interpretability, sparse autoencoder, jailbreaking, alignment

TL;DR: We demonstrate that benign activation steering systematically breaks model safety safeguards, enabling compliance with harmful requests.

Abstract: Activation steering is a promising technique for controlling LLM behavior by adding semantically meaningful vectors directly into a model's hidden states during inference. It is often framed as a precise, interpretable, and potentially safer alternative to fine-tuning. We demonstrate the opposite: steering systematically breaks model alignment safeguards, making it comply with harmful requests. Through extensive experiments on different model families, we show that even steering in a random direction can increase the probability of harmful compliance from 0\% to 2–27\%. Alarmingly, steering benign features from a sparse autoencoder (SAE), a common source of interpretable directions, demonstrates a comparable harmful potential. Finally, we show that combining 20 randomly sampled vectors that jailbreak a single prompt creates a universal attack, significantly increasing harmful compliance on unseen requests. These results challenge the paradigm of safety through interpretability, showing that precise control over model internals does not guarantee precise control over model behavior.

Supplementary Material: zip

Primary Area: alignment, fairness, safety, privacy, and societal considerations

Submission Number: 18168

Loading