SALT: Steering Activations towards Leakage-free Thinking in Chain of Thought

Shourya Batra, Pierce Tillman, Samarth Gaggar, Shashank Kesineni, Kevin Zhu, Sunishchal Dev, Ashwinee Panda, Vasu Sharma, Maheep Chaudhary

TL;DR

This work addresses contextual privacy leakage during chain-of-thought reasoning in LLMs by introducing SALT, a training-free, inference-time activation steering method. SALT constructs a steering vector from differences between leaky and non-leaky reasoning activations and applies a small additive edit at the last input token and the final transformer layer to steer the model toward privacy-preserving states. Empirically, SALT reduces contextual privacy leakage (CPL) across QwQ-32B, Llama-3.1-8B-Instruct, and DeepSeek-R1-Distill-Qwen-1.5B by 18.2%, 17.9%, and 31.2% respectively, while preserving or modestly affecting task utility (MOU). The analysis shows leakage concentrates in late layers, just before output projection, validating the focus on final blocks for mitigation and highlighting SALT as a scalable privacy protection mechanism for reasoning-enabled personal agents.
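As an added illustration (not code from the paper or its authors), the steering step summarized above can be sketched in plain Python. It assumes the steering vector is the normalized difference of mean activations and that `alpha` is a hypothetical scaling coefficient; all activations are constructed toy data, not model outputs.

```python
import math
import random

def mean_vec(rows):
    """Column-wise mean of a list of equal-length activation vectors."""
    return [sum(col) / len(rows) for col in zip(*rows)]

def steering_vector(leaky, clean):
    """Unit vector from the mean leaky activation toward the mean non-leaky one.
    Assumption: mean-difference construction; the page only says 'differences'."""
    diff = [c - l for c, l in zip(mean_vec(clean), mean_vec(leaky))]
    norm = math.sqrt(sum(x * x for x in diff))
    if norm == 0.0:
        raise ValueError("leaky and non-leaky means coincide; nothing to steer along")
    return [x / norm for x in diff]

def steer_last_token(hidden, v, alpha):
    """Add alpha * v to the last input token's final-layer state only."""
    out = [row[:] for row in hidden]
    out[-1] = [h + alpha * x for h, x in zip(out[-1], v)]
    return out

def leak_projection(h, v):
    """Component of h along the leakage direction (-v); lower means less leaky."""
    return -sum(a * b for a, b in zip(h, v))

def make_toy_activations(rng, n, dim, shift):
    """Constructed data: Gaussian noise plus a shift on the first coordinate."""
    return [[rng.gauss(0, 1) + (shift if j == 0 else 0.0) for j in range(dim)]
            for _ in range(n)]

def demo(alpha=2.0, dim=8, seed=0):
    rng = random.Random(seed)
    leaky = make_toy_activations(rng, 50, dim, shift=3.0)  # constructed "leaky" traces
    clean = make_toy_activations(rng, 50, dim, shift=0.0)  # constructed "non-leaky" traces
    v = steering_vector(leaky, clean)
    hidden = make_toy_activations(rng, 5, dim, shift=3.0)  # 5 prompt tokens, final layer
    steered = steer_last_token(hidden, v, alpha)
    return hidden, steered, v

if __name__ == "__main__":
    hidden, steered, v = demo()
    print("before:", round(leak_projection(hidden[-1], v), 3))
    print("after: ", round(leak_projection(steered[-1], v), 3))
```

Because `v` has unit length, the edit lowers the last token's projection onto the leakage direction by exactly `alpha` and leaves every other token position untouched.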

Abstract

As Large Language Models (LLMs) evolve into personal assistants with access to sensitive user data, they face a critical privacy challenge: while prior work has addressed output-level privacy, recent findings reveal that LLMs often leak private information through their internal reasoning processes, violating contextual privacy expectations. These leaky thoughts occur when models inadvertently expose sensitive details in their reasoning traces, even when final outputs appear safe. The challenge lies in preventing such leakage without compromising the model's reasoning capabilities, requiring a delicate balance between privacy and utility. We introduce Steering Activations towards Leakage-free Thinking (SALT), a lightweight test-time intervention that mitigates privacy leakage in a model's Chain of Thought (CoT) by injecting targeted steering vectors into its hidden states. We identify the high-leakage layers responsible for this behavior. Through experiments across multiple LLMs, we demonstrate that SALT achieves reductions in contextual privacy leakage (CPL) on the AirGapAgent-R dataset, including $18.2\%$ on QwQ-32B, $17.9\%$ on Llama-3.1-8B, and $31.2\%$ on DeepSeek, while maintaining comparable task performance and utility. Our work establishes SALT as a practical approach for test-time privacy protection in reasoning-capable language models, offering a path toward safer deployment of LLM-based personal agents.

Paper Structure

This paper contains 16 sections, 2 equations, 3 figures, 1 table.

Figures (3)

  • Figure 1: The graph represents Contextual Privacy Leakage (CPL) before and after applying SALT across models. CPL is defined as the proportion of evaluation samples that leak private information in the model’s reasoning: lower is better. Error bars show $\pm 1$ standard error across all the samples. We observe SALT consistently reduces CPL across Llama-3.1-8B, QwQ-32B, and DeepSeek-1.5B.
  • Figure 2: SALT Methodology overview. The baseline (left) displays a private field in its reasoning, or a leakage. With SALT (middle), the reasoning avoids leakage while the final answer is unchanged. The right panel depicts the geometric idea: a small vector added at selected layers moves activations away from the leakage direction.
  • Figure 3: Layers ranked by density for QwQ-32B, Llama-3.1-8B-Instruct, and DeepSeek-R1-Distill-Qwen-1.5B