Why Do Aligned LLMs Remain Jailbreakable: Refusal-Escape Directions, Operator-Level Sources, and Safety-Utility Trade-off

Researchers identify Refusal-Escape Directions (RED) as mathematical perturbation vectors that explain why aligned LLMs remain vulnerable to jailbreaks. The study reveals structural vulnerabilities arise from fundamental trade-offs between safety mechanisms and model utility, with normalization and residual connections as key exploitable components.

This mechanistic analysis addresses a critical gap in AI safety research by explaining the fundamental architectural reasons why safety alignment remains brittle. Rather than treating jailbreaks as discrete prompt-engineering successes, the researchers frame them as continuous behavioral transitions along specific mathematical directions in the model's representation space. This perspective shift from discrete to continuous vulnerability analysis has significant implications for how the AI safety community approaches model hardening.

The identification of operator-level sources—particularly normalization layers, residual pathways, and terminal output layers—as structural vulnerabilities reveals that jailbreakability may be inherent to current transformer architectures rather than a training deficiency. This finding suggests that alignment techniques targeting training objectives have fundamental limits when the underlying model structure itself contains exploitable directions. The conditional safety-utility trade-off represents a crucial discovery: eliminating RED requires sharing modules (self-attention and MLP) to simultaneously suppress harmful pathways and preserve beneficial capabilities, creating competing design requirements.

For the AI safety industry, this research intensifies pressure on architectural redesigns beyond traditional fine-tuning approaches. Organizations deploying LLMs in high-stakes applications must acknowledge that current safety measures operate under inherent constraints. The empirical validation across multiple models and attack methods strengthens confidence in these theoretical findings, suggesting solutions require deeper model redesign rather than incremental safety improvements. This work will likely accelerate research into alternative architectures, mechanistic interpretability applications, and the feasibility of mathematically provable safety guarantees—domains with significant resource implications for frontier AI labs.

• →Jailbreaks exploit Refusal-Escape Directions (RED), continuous perturbation vectors that shift aligned models from refusal to harmful-answer behavior
• →Structural vulnerabilities in normalization layers, residual connections, and terminal outputs enable RED to exist across transformer architectures
• →Safety-utility trade-offs are inherent to current model designs, requiring shared modules to balance both competing objectives
• →Mechanistic decomposition reveals jailbreakability may be architectural rather than training-related, limiting traditional alignment approaches
• →Added token dimensions and terminal-source contributions correlate with successful jailbreak transitions in empirical validation