system: OPERATIONAL
← back to all hacks
RESEARCH LOW NEW

Bypassed, not broken: how jailbreaks suppress a handful of safety attention heads

A late-June 2026 paper shows jailbreaks don't erase a model's safety features — they silence a few early-layer attention heads while mid-layer heads keep firing, leaving a robust harmful-content signal defenders can read for free.

2026-07-01 // 6 min affects: llama-3, llama-3-70b

What is this?

A common assumption about jailbreaks is that a successful attack removes a model’s safety behaviour — that once the prompt works, the model has “forgotten” the request was harmful. A mechanistic study published on arXiv in late June 2026, Robust Harmful Features Under Jailbreak Attacks: Mechanistic Evidence from Attention Head Specialization in Large Language Models (arXiv 2606.28153), argues the opposite. Attacks do not comprehensively eliminate safety features; they selectively suppress a small set of specific attention heads, while other heads keep encoding the harmful meaning of the request even when the jailbreak succeeds.

The paper’s headline framing is that safety alignment is bypassed rather than broken — and that the surviving signal is directly usable for defence.

How it works

Building on the observation that refusal in aligned models is mediated by a single direction in activation space, the authors trace that mid-layer “refusal direction” backwards through each attention head’s output circuit to score how much every head contributes to the refusal decision. Comparing activations across benign inputs, plain harmful inputs, and successful jailbreak inputs, they find two functionally different kinds of head:

Head type                         Location     Under a successful attack
--------------------------------  -----------  ----------------------------------
Adversarially Compromised Heads   early        Fire on plain harmful prompts, but
(ACHs)                            layers       are strongly SUPPRESSED
Safety-Aligned Heads              middle       Keep firing on harmful AND on
(SAHs)                            layers       attacked prompts — robust

Ablation experiments establish the causal roles. Removing a small number of ACHs is enough to push a model that normally refuses into jailbreak-like behaviour, confirming ACH suppression as one sufficient pathway for bypassing refusal. Removing SAHs, by contrast, sharply weakens the mid-layer safety activations — identifying SAHs as the source of what the authors call Robust Harmful Features: persistent internal representations of harmful intent that the attack fails to erase. Token-level attribution shows the ACH suppression is driven specifically by the attack-template tokens (the wrapper text of the jailbreak), whereas the mid-layer heads respond robustly across the whole prompt.

Because that harmful signal survives, the authors build a training-free detector that simply reads the persistent activations — no fine-tuning, no auxiliary judge model — and report detection performance competitive with dedicated safety classifiers, including under adversarial conditions. The evidence is centred on the Llama-3 family, with a scaling check on a 70B model.

Why it matters

This reframes what a jailbreak actually is. If an attack merely masks the refusal decision in a few early-layer heads rather than destroying the model’s understanding that a request is harmful, then defenders are not starting from zero after a jailbreak lands — the harmful semantics are still present, one layer deeper, and can be observed. It connects a growing line of work showing that safety in current models is unevenly concentrated: earlier research demonstrated that ablating just a handful of “safety heads” can strip refusal (arXiv 2410.13708, ICLR 2025), and follow-up work argued alignment should therefore be spread across many more heads rather than left brittle (arXiv 2508.19697, August 2025).

The honest caveat: this is interpretability research on open-weight models, where activations are directly readable. You cannot run any of it against a closed API you only reach over the network, and a detector that reads internal states is a complement to, not a replacement for, input/output controls.

Defenses

For teams that self-host open-weight models, the practical takeaways are concrete:

  1. Read the residual stream you already produce. The persistence of mid-layer safety activations means an activation-based probe can flag harmful requests even when a surface jailbreak succeeds. Feed it into logging and rate-limiting before wiring it to a hard block, as with other activation-based jailbreak detection.
  2. Treat concentration as a liability. If a few early-layer heads carry the refusal decision, they are a single point of failure. Prefer alignment methods that distribute safety behaviour across many heads, and test how much refusal survives when small head subsets are perturbed.
  3. Keep text-level defences in place. Attack-template tokens are what suppress the vulnerable heads, so input hygiene and an instruction hierarchy still reduce the surface that reaches the model.
  4. Re-baseline after every weight change. Which heads are ACHs versus SAHs is model-specific; a fine-tune, LoRA adapter or quantisation can move the signal, so re-fit any probe when you change weights.
  5. Closed-model users: make it a vendor ask. You cannot instrument API internals — push providers to expose safety-signal telemetry, and rely on output-side controls in the meantime.

Status

ItemReferenceDateNotes
Robust Harmful Features / ACH–SAH specializationarXiv 2606.281532026-06Ablating ~8 early-layer heads flips refusal; mid-layer heads stay robust; training-free detector
Safety concentrated in few headsarXiv 2410.13708 (ICLR 2025)2024-10Ships/Sahara attribution of safety-critical heads
Distribute safety across more headsarXiv 2508.196972025-08Argues brittle few-head alignment should be spread out

The shift is one of framing: a jailbreak looks total from the outside, but inside the model the harmful signal is still there. On open-weight systems, defenders can read it — and that persistence is itself a defensive asset.

Sources