Refusal Before Decoding: Detecting and Exploiting Refusal Signals in Intermediate LLM Activations

Researchers demonstrate that large language model refusal behavior can be detected and exploited through intermediate layer activations before final output generation. A new attack method called Mechanistic AutoDAN leverages this discovery to achieve competitive jailbreak success rates while reducing computational time by up to 72%, raising concerns about LLM safety mechanisms.

This research identifies a fundamental vulnerability in how large language models implement safety guardrails. Rather than refusal being a monolithic decision made at the final output stage, the study reveals that safety-relevant signals exist throughout the transformer architecture, detectable via linear probes applied to residual streams. This finding has significant implications for AI safety and alignment efforts. The Mechanistic AutoDAN attack exploits this by using probe-guided genetic algorithms to craft adversarial prompts more efficiently than existing methods, maintaining or exceeding transfer rates across different models while dramatically reducing computational overhead. The efficiency gains scale with model size, suggesting larger, more capable models may be particularly vulnerable to this approach. For the AI safety community, this represents a critical gap in current defense mechanisms—safety behavior that appears robust at the output level may be fundamentally compromised by attacks targeting intermediate representations. The research underscores that safety cannot be treated as a post-hoc output filtering problem but must be deeply integrated throughout model training and architecture. This discovery will likely accelerate research into mechanistic interpretability as a core component of AI alignment. The practical speedup in attack generation raises questions about whether current defense strategies adequately protect against computationally efficient exploitation methods. The cross-model transfer capabilities suggest that vulnerabilities discovered in one model may generalize to competitors, creating systemic risk across the AI industry.

• →LLM refusal signals are linearly decodable in intermediate layers well before final output generation, indicating safety behavior is encoded throughout the model architecture.
• →Mechanistic AutoDAN achieves competitive jailbreak success rates while reducing computational time by up to 72% compared to vanilla AutoDAN through probe-guided optimization.
• →Attack effectiveness scales with model size, suggesting larger models may be more vulnerable to probe-guided adversarial prompt generation.
• →Probe-guided prompts demonstrate strong cross-model transfer capabilities, enabling attacks developed on one model to generalize effectively to others.
• →The research reveals a fundamental gap in safety mechanisms relying on output-level defenses rather than architecture-wide alignment strategies.