ML Security PapersSilencing the Guardrails: Inference-Time Jailbreaking via Dynamic Contextual Representation Ablation
Wenpeng Xing 1,2, Moran Fang 2, Guangtai Wang 2, Changting Lin 2,3, Meng Han 1,2,3
Published on arXiv
2604.07835
Prompt Injection
OWASP LLM Top 10 — LLM01
Key Finding
Significantly outperforms baseline jailbreak methods by surgically ablating safety constraints from latent representations during decoding
Contextual Representation Ablation (CRA)
Novel technique introduced
While Large Language Models (LLMs) have achieved remarkable performance, they remain vulnerable to jailbreak attacks that circumvent safety constraints. Existing strategies, ranging from heuristic prompt engineering to computationally intensive optimization, often face significant trade-offs between effectiveness and efficiency. In this work, we propose Contextual Representation Ablation (CRA), a novel inference-time intervention framework designed to dynamically silence model guardrails. Predicated on the geometric insight that refusal behaviors are mediated by specific low-rank subspaces within the model's hidden states, CRA identifies and suppresses these refusal-inducing activation patterns during decoding without requiring expensive parameter updates or training. Empirical evaluation across multiple safety-aligned open-source LLMs demonstrates that CRA significantly outperforms baselines. These results expose the intrinsic fragility of current alignment mechanisms, revealing that safety constraints can be surgically ablated from internal representations, and underscore the urgent need for more robust defenses that secure the model's latent space.
Key Contributions
- Contextual Representation Ablation (CRA) framework that identifies and suppresses refusal-inducing low-rank subspaces in LLM hidden states
- Inference-time jailbreak method requiring no parameter updates or training
- Demonstrates fragility of current alignment mechanisms through geometric analysis of refusal behaviors