Refusal-escape directions: why alignment can't fully close the jailbreak gap

What is this?

For two years the dominant practical question about jailbreaks has been how to build one: which suffix, which persona, which encoding. A paper published on arXiv on 9 May 2026 — “Why Do Aligned LLMs Remain Jailbreakable: Refusal-Escape Directions, Operator-Level Sources, and Safety-Utility Trade-off” (arXiv:2605.08878, Chen, Liu and Cao) — asks the harder question: why does any of it work at all, and what is it about an aligned model’s internal structure that keeps the door open?

Its answer is a concept the authors call a Refusal-Escape Direction (RED): a local perturbation direction around a harmful input that flips the model from refusing to answering while preserving the model’s own interpretation that the input is harmful. In this framing a jailbreak is not just a lucky string — it is a continuous refusal-to-answer transition that exists because the geometry of the model permits it. The work is theoretical and defensive: it explains a structural limit, and it does not publish a runnable attack.

How it works

The result builds on a now-established line of mechanistic interpretability. The 2024 paper “Refusal in Language Models Is Mediated by a Single Direction” (arXiv:2406.11717, Arditi et al., NeurIPS 2024) showed that refusal in many open chat models is governed by roughly one direction in the residual stream: erase it and the model stops refusing; amplify it and it refuses harmless requests. A February 2026 follow-up, “There Is More to Refusal… than a Single Direction” (arXiv:2602.02132), showed the picture is multi-dimensional. The RED paper formalises what that means for security.

The core move is to treat the network as a composition of operators (normalisation, residual wiring, attention, MLP, the terminal projection) and to prove that a RED can be exactly decomposed into contributions from each operator-level source. Three of those sources — normalisation, residual wiring, and the terminal layer — are what the authors call analytically constrained: their contribution to a RED is fixed by the architecture, not something training can freely cancel. To remove the refusal-escape direction entirely, the shared expressive modules (self-attention and the MLP) would have to cancel those constrained contributions while still preserving the pathways that produce useful answers to benign prompts. Those two demands pull in opposite directions.

Empirically, across Qwen3-4B, Qwen3-14B, Llama-3.1 and Gemma-3 and several attack methods, the authors show that adding token dimensions can expose a RED, and that successful jailbreaks produce refusal-to-answer shifts largely aligned with the terminal-source contribution they predicted. The mechanism matches the math. No payload is reproduced here — the contribution is the explanation, not an exploit.

Why it matters

The practical consequence is a conditional safety-utility trade-off with a mechanistic grounding rather than a hand-wave. If refusal-escape directions are partly fixed by the architecture, then a single safety-trained model cannot drive jailbreak probability to zero without eroding its ability to answer legitimate requests. This reframes three common beliefs:

First, “we fine-tuned harder, so it’s safe now” is structurally optimistic. Alignment raises the cost of finding a RED; it does not delete the direction. Second, defenses that target one refusal direction (or one delimiter, or one suffix family) are attacking a symptom — the February 2026 result already showed refusal is not one-dimensional, and RED explains why squeezing one source leaves others. Third, the trade-off is conditional, not absolute: it bites hardest when you ask one model to be both maximally helpful and maximally safe by itself.

For anyone shipping an LLM feature, that last point is the actionable one. It is an argument for layered, model-external controls rather than betting safety on the base model’s refusal behaviour alone.

Defenses

The paper is a “why,” so its defensive value is in how it redirects effort, not in a patch.

1. Stop treating refusal as a boundary. A model’s willingness to decline is a probabilistic behaviour shaped by directions that are partly architectural. Design as if any single model’s refusal can be perturbed away, because mechanistically it can.

2. Defend in layers outside the model. Because the leak is structural, the durable controls sit around the model: input/output classifiers, retrieval and tool-call allow-lists, capability sandboxing, and the “rule of two” style limits on untrusted input + sensitive action + exfiltration path. These do not depend on the base model holding a refusal it cannot guarantee.

3. Prefer multiple independent safety signals. A consequence of the multi-direction view is that redundant, causally independent checks are harder to suppress simultaneously than one refusal pathway. Diversify detectors rather than hardening a single one.

4. Budget the trade-off deliberately. If pushing a model toward zero jailbreaks measurably degrades benign task performance, that is the predicted cost — not a tuning bug. Decide where on the safety-utility curve a given deployment should sit, and put the rest of the assurance in the surrounding system.

5. Use the decomposition for evaluation, not just attack. Operator-level attribution gives red teams and evaluators a principled place to probe — the normalisation, residual and terminal sources — instead of only enumerating surface prompts.

Status

Item	Reference	Date	Notes
Refusal-Escape Directions (RED)	arXiv:2605.08878	2026-05-09	Proves RED decomposes into operator-level sources; conditional safety-utility trade-off
Refusal mediated by a single direction	arXiv:2406.11717	2024-06 (NeurIPS 2024)	Foundational: one direction governs refusal in open chat models
Refusal is multi-dimensional	arXiv:2602.02132	2026-02	Refusal is not one direction; motivates operator-level view
Empirical scope	arXiv:2605.08878	2026-05-09	Qwen3-4B/14B, Llama-3.1, Gemma-3; open-weight

The headline is not a new attack. It is a proof that part of the jailbreak surface is wired into the architecture — so the right response is layered, model-external defense and a deliberate choice about where to sit on the safety-utility curve, not the belief that one more round of alignment will close the gap.