Into the Gray Zone: Domain Contexts Can Blur LLM Safety Boundaries

A central goal of LLM alignment is to balance helpfulness with harmlessness, yet these objectives conflict when the same knowledge serves both legitimate and malicious purposes. This tension is amplified by context-sensitive alignment: we observe that domain-specific contexts (e.g., chemistry) selectively relax defenses for domain-relevant harmful knowledge, while safety-research contexts (e.g., jailbreak studies) trigger broader relaxation spanning all harm categories. To systematically exploit this vulnerability, we propose Jargon, a framework combining safety-research contexts with multi-turn adversarial interactions that achieves attack success rates exceeding 93% across seven frontier models, including GPT-5.2, Claude-4.5, and Gemini-3, substantially outperforming existing methods. Activation space analysis reveals that Jargon queries occupy an intermediate region between benign and harmful inputs, a gray zone where refusal decisions become unreliable. To mitigate this vulnerability, we design a policy-guided safeguard that steers models toward helpful yet harmless responses, and internalize this capability through alignment fine-tuning, reducing attack success rates while preserving helpfulness.

Key Contributions

• Discovers that safety-research contexts trigger broader defense relaxation than domain-specific contexts across LLMs
• Proposes Jargon framework combining safety-research contexts with multi-turn adversarial interactions, achieving 93%+ attack success rates on GPT-5.2, Claude-4.5, and Gemini-3
• Reveals activation space analysis showing Jargon queries occupy a 'gray zone' between benign and harmful inputs where refusal mechanisms fail
• Develops policy-guided safeguard and alignment fine-tuning defense reducing attack success while preserving helpfulness

🛡️ Threat Analysis

Details

Similar Papers