Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Analysing the Safety Pitfalls of Steering Vectors

Yuxiao Li, Alina Fastowski, Efstratios Zaradoukas, Bardh Prenkaj, Gjergji Kasneci

Abstract

Activation steering has emerged as a powerful tool to shape LLM behavior without the need for weight updates. While its inherent brittleness and unreliability are well-documented, its safety implications remain underexplored. In this work, we present a systematic safety audit of steering vectors obtained with Contrastive Activation Addition (CAA), a widely used steering approach, under a unified evaluation protocol. Using JailbreakBench as benchmark, we show that steering vectors consistently influence the success rate of jailbreak attacks, with stronger amplification under simple template-based attacks. Across LLM families and sizes, steering the model in specific directions can drastically increase (up to 57%) or decrease (up to 50%) its attack success rate (ASR), depending on the targeted behavior. We attribute this phenomenon to the overlap between the steering vectors and the latent directions of refusal behavior. Thus, we offer a traceable explanation for this discovery. Together, our findings reveal the previously unobserved origin of this safety gap in LLMs, highlighting a trade-off between controllability and safety.

Analysing the Safety Pitfalls of Steering Vectors

Abstract

Activation steering has emerged as a powerful tool to shape LLM behavior without the need for weight updates. While its inherent brittleness and unreliability are well-documented, its safety implications remain underexplored. In this work, we present a systematic safety audit of steering vectors obtained with Contrastive Activation Addition (CAA), a widely used steering approach, under a unified evaluation protocol. Using JailbreakBench as benchmark, we show that steering vectors consistently influence the success rate of jailbreak attacks, with stronger amplification under simple template-based attacks. Across LLM families and sizes, steering the model in specific directions can drastically increase (up to 57%) or decrease (up to 50%) its attack success rate (ASR), depending on the targeted behavior. We attribute this phenomenon to the overlap between the steering vectors and the latent directions of refusal behavior. Thus, we offer a traceable explanation for this discovery. Together, our findings reveal the previously unobserved origin of this safety gap in LLMs, highlighting a trade-off between controllability and safety.

Paper Structure

This paper contains 54 sections, 8 equations, 12 figures, 7 tables.

Table of Contents

  1. Introduction
  2. Related Work
  3. Activation Steering and its Brittleness.
  4. Safety Alignment and its Brittleness.
  5. Preliminaries
  6. Activation Steering Intervention.
  7. Constructing Steering Vectors.
  8. Refusal Direction in LMs.
  9. Experiments
  10. Experimental Setup
  11. Models.
  12. Benchmark.
  13. Attacks.
  14. Metrics.
  15. Steering Settings
  16. ...and 39 more sections

Figures (12)

  • Figure 1: Activation steering erodes LLM safety. For Qwen 14B, without steering, a model refuses harmful input (ASR: 4%, A). Steering towards "Self-Awareness" alone compromises safety (ASR: 42%, C). Critically, combining steering with simple attacks leads to a near-complete collapse of safety (ASR: 80%, B), revealing a severe safety-controllability trade-off in LLMs.
  • Figure 2: Steering strongly influences jailbreak ASR. ASR is shown as a function of steering multiplier across model families, behaviors, and attack settings. Top row: prompt-only. Bottom rows: prefix injection and refusal suppression attacks. Note that the y-axis scale differs across rows to highlight variation in ASR magnitudes.
  • Figure 3: Heatmaps showing changes in $\Delta$ASR relative to the baseline (multiplier $m=0$) under positive steering (multiplier $m=1.5$) across behaviors, model families, and attack scenarios.
  • Figure 4: Cosine similarity between steering vectors and the refusal direction $\hat{r}$. Warm colors indicate positive alignment (reinforcing refusal), and cool colors indicate negative alignment (suppressing refusal).
  • Figure 5: Relationship between steering vector alignment with the refusal direction and safety impact. Each point represents a steering vector, plotted by its cosine similarity to the refusal direction (x-axis) and its effect on attack success rate (y-axis) across six models.
  • ...and 7 more figures