From Concept-Aligned Tokens to Vulnerable Features: Mechanistic Localization of Jailbreaks
Pith reviewed 2026-07-04 15:41 UTC · model glm-5.2
The pith
Single token localizes jailbreak vulnerability in LLM internals
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The paper introduces a three-stage pipeline: (1) extract harmful concept descriptions from adversarial responses, (2) align them with concept-relevant prompt tokens via subspace similarity at layer 20, and (3) identify SAE feature subgroups through three grouping strategies. The central discovery is that single-token-driven grouping achieves harmfulness comparable to full cluster-based grouping, demonstrating that individual harmful prompt tokens are sufficient to localize vulnerability-relevant features. Mid-to-late layers (16–25) are consistently most vulnerable to steering across all three strategies.
What carries the argument
SAE feature subgroups identified via subspace similarity between harmful concept descriptions and prompt token activations, grouped by three methods: cluster-based, hierarchical-linkage, and single-token-driven, then amplified (steered) to measure harmfulness increase.
If this is right
- Targeted feature-level interventions at layers 16–25 could complement or replace prompt-level defenses against jailbreaks.
- Single-token-driven feature identification reduces computational cost of locating vulnerability-relevant features compared to cluster-based approaches.
- Harm categories involving violence and incitement show disproportionate steerability, suggesting category-specific internal representations that may require category-specific safety interventions.
- If vulnerability features are token-localized, safety training could potentially be refined to suppress specific feature subgroups rather than broad refusal directions.
Load-bearing premise
The paper assumes that amplifying SAE feature activations during inference (steering) and observing increased harmfulness constitutes evidence that these features are causally responsible for jailbreak vulnerability, but it does not verify that the same features are engaged during actual adversarial attacks like GCG suffixes.
What would settle it
If steering the identified single-token-driven feature subgroups at layers 16–25 does not increase harmfulness above baseline, or if natural jailbreak attacks engage entirely different feature subgroups than those identified by this pipeline, the claim that these features are vulnerability-relevant would fail.
Figures
read the original abstract
Jailbreak attacks expose a persistent failure mode in safety-aligned LLMs: models can be pushed into harmful behavior, but the internal representations enabling this shift remain poorly localized. Recent mechanistic safety studies often explain such behavior through broad representational objects, including global refusal directions, activation steering vectors, and refusal-related SAE features. We instead ask whether jailbreak vulnerability can be traced to finer-grained, prompt-conditioned SAE feature subgroups. We introduce a token-driven mechanistic pipeline that decomposes the residual stream of Gemma-2-2B into Sparse Autoencoder (SAE) features and identifies feature subgroups associated with unsafe behavior. Using single-category unsafe examples from BeaverTails to reduce cross-category interference, we extract harmful concepts from adversarial responses and align them with concept-relevant prompt tokens through subspace similarity. We then apply three feature-grouping strategies: cluster-based, hierarchical-linkage, and single-token-driven, to identify SAE feature subgroups across all 26 layers. Finally, we amplify the top features in each subgroup and evaluate the resulting generations with a standardized harmfulness judge. Single-token-driven grouping achieves harmfulness comparable to full cluster-based grouping, showing that individual harmful prompt tokens are sufficient to localize vulnerability-relevant SAE feature subgroups without relying on broader cluster-level aggregation. These subgroups appear across early and mid-to-late layers, with stronger concentration in mid-to-late layers, where targeted steering exposes specific model vulnerabilities. Overall, our results suggest that jailbreak susceptibility can be traced to sparse, token-localized SAE feature subgroups, complementing prior accounts based on broad adversarial, refusal, or steering directions.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper proposes a three-stage pipeline for localizing jailbreak-relevant SAE feature subgroups in Gemma-2-2B. Starting from adversarial prompt-response pairs in BeaverTails, the authors extract harmful concepts from adversarial responses using Grok, align these concepts to prompt tokens via subspace similarity at layer 20, and then apply three feature-grouping strategies (cluster-based, hierarchical-linkage, single-token-driven) to identify SAE feature subgroups across all 26 layers. Steering experiments show that mid-to-late layers (16–25) are consistently more steerable, and that single-token-driven grouping achieves comparable harmfulness to full cluster-based grouping. The central claim is that jailbreak vulnerability can be traced to sparse, token-localized SAE feature subgroups.
Significance. The paper tackles a timely question at the intersection of mechanistic interpretability and LLM safety. The use of pre-trained SAEs from Gemma Scope and the design of three distinct feature-grouping strategies with cross-layer analysis is a reasonable methodological contribution. The finding that single-token-driven grouping suffices for localization, if validated with proper controls, would be practically useful. However, the significance is substantially limited by the absence of control conditions and statistical rigor, which prevent the results from supporting the causal claims made.
major comments (4)
- §2 (Problem Formulation) and §3 (Baseline and Evaluation Protocol): The paper's central claim is that the identified SAE features are 'vulnerability-relevant' and that single-token grouping 'suffices to localize' them. However, no control condition is reported in which arbitrary SAE features, non-harmful-concept features, or randomly selected features from the same layers (16–25) are steered. Without this control, the observed harmfulness increase could simply reflect the fact that later-layer residual-stream perturbations are generally more disruptive to safety alignment, regardless of which features are amplified. This is load-bearing: if random-feature steering in layers 16–25 produces comparable harmfulness increases, the entire concept-alignment and token-grouping pipeline adds no specificity beyond 'steer later layers.' A control experiment with random or non-harmful features is a遮
- §3 (Baseline and Evaluation Protocol): Results are presented as raw counts of prompts with increased harmfulness (e.g., 'peak category-layer value of 10' in §4), with no error bars, confidence intervals, or significance tests. With 20 prompts per category, a count of 10/20 could easily arise by chance. The claim that single-token-driven grouping achieves 'comparable' harmfulness to cluster-based grouping (abstract, §4) is not supported by any statistical comparison. Without at least a bootstrap confidence interval or a paired test, the quantitative claims about relative method performance and layer concentration are not justified.
- §2 (Problem Formulation): The pipeline extracts harmful concepts from adversarial responses (z), aligns them to prompt tokens, finds SAE features for those tokens, steers those features, and measures increased harmfulness. This is partially circular: features are selected because they align with harmful concepts extracted from harmful responses, then their harmfulness is confirmed by steering. The paper does not verify that these same features are activated during actual adversarial attacks (e.g., GCG suffixes). The pipeline starts from adversarial responses and works backward to features, but does not test whether natural jailbreak attacks engage these same feature subgroups. Adding a verification step showing that real jailbreak attacks activate the identified features would strengthen the causal claim.
- §3 (Experimental Setup) and §4 (Results): The LLM judge (Grok) is acknowledged as potentially biased with no ground truth, yet no calibration, inter-annotator agreement, or human validation is reported. The 1–5 harmfulness scale is used to make comparative claims across methods and layers, but the reliability of these scores is unknown. At minimum, a human spot-check on a subset of responses (e.g., 50–100 samples) to validate judge agreement would substantially increase confidence in the reported results.
minor comments (7)
- The abstract states features 'appear across early and mid-to-late layers, with stronger concentration in mid-to-late layers,' while §4 states 'layer ~13 onward' for cluster-based and 'layers 16–25' for single-token. The specific layer ranges should be stated consistently.
- §2, Approach 1: The notation for feature sets and clusters (F, C, a′_k, a′′_k) is introduced rapidly and could benefit from a small worked example or a clearer step-by-step summary.
- §2, Approach 2: The threshold of 50 members for linkage clusters is stated without justification. A brief rationale or sensitivity analysis would improve clarity.
- Figures 1–4 are referenced as heatmaps but the color scale and axis labels are not described in the text. A brief caption explanation of what the color intensity represents would aid interpretation.
- §4 (Hierarchical Linkage-Based Steering): The statement 'if a linkage cluster is assigned a number greater than 16383, it may be made up of more than 50 features' is unclear. The relationship between cluster numbering and cluster size should be more informative.
- The reference to 'Figure §3' and 'Figure §4' in the text mixes section and figure numbering. Consistent referencing is needed.
- Appendix A.1 (Related Work) is placed in the appendix. Given the paper's brevity, integrating a condensed version into the main text would help readers unfamiliar with the SAE interpretability literature.
Simulated Author's Rebuttal
We thank the referee for a careful and substantive review. The comments on control conditions, statistical rigor, circularity, and judge calibration are well-taken. Below we address each point and describe revisions we will make. We agree that the control experiment (random/non-harmful feature steering) is the most critical addition and will incorporate it in the revision.
read point-by-point responses
-
Referee: No control condition with arbitrary/random/non-harmful SAE features steered in layers 16-25. Without this, observed harmfulness could reflect general later-layer disruptiveness rather than specificity of the concept-alignment and token-grouping pipeline.
Authors: This is the most important critique and we fully agree. The current manuscript does not include a random-feature or non-harmful-concept control, and without it the specificity claim is not supported. We will add a control experiment in which we steer randomly sampled SAE features from the same layers (16-25) and the same number of features per layer as in our pipeline, using the same steering coefficient. We will also add a non-harmful-concept control: extracting benign concepts from safe responses, aligning them to prompt tokens via the same subspace-similarity procedure, and steering the resulting features. If random-feature steering in layers 16-25 produces comparable harmfulness increases to our pipeline-selected features, we will revise the specificity claims accordingly. We expect the control to show lower harmfulness than concept-aligned features because not all later-layer perturbations should produce unsafe outputs, but we acknowledge this is currently an expectation rather than a demonstrated result. We will report the control alongside the main results in the revised manuscript. revision: yes
-
Referee: Results presented as raw counts with no error bars, confidence intervals, or significance tests. Claims of 'comparable' performance between single-token-driven and cluster-based grouping are not statistically supported.
Authors: We agree that the current presentation lacks statistical rigor. With 20 prompts per category, raw counts alone are insufficient to support comparative claims. We will add bootstrap confidence intervals (1000 resamples) for the per-layer, per-category harmfulness counts. For the claim that single-token-driven grouping achieves 'comparable' harmfulness to cluster-based grouping, we will report a paired comparison (McNemar's test on per-prompt binary outcomes, plus a bootstrap on the difference in means) across all layer-category pairs. If the confidence intervals for the difference overlap zero, we will state that the methods are statistically indistinguishable; if not, we will revise the 'comparable' language. We will also add error bars to all figures. revision: yes
-
Referee: The pipeline is partially circular: features selected for alignment with harmful concepts extracted from harmful responses, then harmfulness confirmed by steering. No verification that real jailbreak attacks (e.g., GCG suffixes) activate the same feature subgroups.
Authors: This is a fair and important point. We acknowledge that the current pipeline starts from adversarial responses and works backward to features, and that this design has a degree of circularity. The referee is correct that testing whether real jailbreak attacks engage the identified feature subgroups would substantially strengthen the causal claim. We will add a verification experiment: we will generate GCG adversarial suffixes for a subset of prompts, run the attacked prompts through Gemma-2-2B, extract SAE feature activations at each layer, and measure the overlap between the activated features and our identified feature subgroups. We will report the fraction of identified subgroup features that activate above a threshold during actual GCG attacks, compared to a baseline of random feature sets. If the overlap is low, we will explicitly weaken the causal claim and reframe the contribution as identifying steerable vulnerability-relevant features rather than features that are necessarily engaged by natural jailbreak attacks. We cannot fully resolve the circularity concern without this experiment, so we list it as a partial revision pending results. revision: partial
-
Referee: LLM judge (Grok) acknowledged as potentially biased with no calibration, inter-annotator agreement, or human validation. Reliability of 1-5 harmfulness scores is unknown.
Authors: We agree that judge reliability should be validated. We will add a human spot-check: two annotators will independently score a random subset of 100 responses (sampled across methods, layers, and harm categories) on the same 1-5 scale. We will report inter-annotator agreement (Cohen's kappa or Krippendorff's alpha) and the agreement between the human annotations and the Grok judge scores. If agreement is moderate or lower, we will acknowledge this as a limitation and discuss its implications for the comparative claims. We will also report the distribution of judge scores to check for systematic biases (e.g., clustering at certain scale points). We note that we cannot fully eliminate judge bias concerns, but the human validation will at least characterize the reliability of the scores used for comparison. revision: yes
- The circularity concern is partially inherent to the pipeline design: we extract harmful concepts from adversarial responses, align them to features, and then show that steering those features increases harmfulness. Even with the GCG verification experiment, the pipeline still starts from adversarial responses. If the GCG overlap is low, we will need to substantially reframe the claims, but we cannot eliminate the structural circularity without a fundamentally different approach (e.g., starting from attacks rather than responses). We acknowledge this as a genuine limitation that the revision can mitigate but not fully resolve.
Circularity Check
No significant circularity: the pipeline is methodologically tautological in a weak sense but contains no self-definitional reduction or self-citation chain.
full rationale
The paper's pipeline extracts harmful concepts from adversarial responses, aligns them to prompt tokens via cosine similarity, finds SAE features for those tokens, steers those features, and measures increased harmfulness. A reader might worry this is circular: features selected for alignment with harmful concepts produce harmful outputs when amplified. However, this is not circularity in the technical sense required by the framework. The pipeline inputs are (1) adversarial prompt-response pairs from BeaverTails, (2) a subspace generator model G from Wu et al. 2025, and (3) pre-trained SAEs from Lieberum et al. 2024. The output is a claim about which layers and feature subgroups are most steerable. No step in the derivation chain reduces to its own inputs by construction: the cosine similarity between subspace vectors and residual-stream activations is a genuine measurement, not a definition; the SAE feature extraction uses externally trained SAEs; the steering and harmfulness judging are independent operations. The key citations (Wu et al. 2025 for the subspace generator, Lieberum et al. 2024 for SAEs, Rufail et al. 2025 for layer-20 choice) are to external work by different author sets, not self-citations. The absence of a random-feature control condition (the skeptic's main concern) is a correctness/validity issue about whether the identified features are specifically vulnerability-relevant, not a circularity issue about whether the derivation reduces to its inputs by construction. The paper does not claim to predict a quantity that was fitted or defined into existence. The finding that single-token-driven grouping achieves comparable harmfulness to cluster-based grouping is an empirical comparison between two methods, not a tautological consequence of definitions. Score 2 reflects the mild methodological concern that the pipeline selects features for harmful-concept alignment and then demonstrates they produce harm, but this falls short of the specific reductions required for a circularity finding.
Axiom & Free-Parameter Ledger
free parameters (6)
- Layer 20 for concept-token alignment =
20
- Top-3 features for steering (cluster-based and linkage) =
3
- Top-2 features per token per layer (single-token approach) =
2
- Linkage cluster size threshold =
50
- Steering coefficient/magnitude =
not stated
- 20 prompts per category sample size =
20
axioms (5)
- domain assumption SAE features are monosemantic and interpretable, such that amplifying a feature subgroup corresponds to amplifying a coherent concept.
- domain assumption Cosine similarity between subspace vectors and residual stream activations at layer 20 is a valid measure of concept-token alignment.
- domain assumption An LLM judge (Grok-4-1-fast-non-reasoning) provides a reliable harmfulness score on a 1-5 scale.
- ad hoc to paper Features identified from adversarial responses and amplified via steering are causally relevant to jailbreak vulnerability.
- domain assumption Single-category BeaverTails prompts provide clean, unconfounded concept signals.
Reference graph
Works this paper leans on
-
[1]
Gemma 2: Improving Open Language Models at a Practical Size
Understanding and enhancing the transferabil- ity of jailbreaking attacks.The Thirteenth Interna- tional Conference on Learning Representations. Anay Mehrotra, Manolis Zampetakis, Paul Kassianik, Blaine Nelson, Hyrum Anderson, Yaron Singer, and Amin Karbasi. 2024. Tree of attacks: Jailbreaking black-box llms automatically.Advances in Neural Information Pr...
work page internal anchor Pith review Pith/arXiv arXiv 2024
-
[2]
Jailbroken: How Does LLM Safety Training Fail?
Jailbroken: How does llm safety training fail? arXiv preprint arXiv:2307.02483. Zhengxuan Wu, Aryaman Arora, Atticus Geiger, Zheng Wang, Jing Huang, Dan Jurafsky, Christopher D Man- ning, and Christopher Potts. 2025. Axbench: Steer- ing LLMs? even simple baselines outperform sparse autoencoders. InF orty-second International Confer- ence on Machine Learni...
work page internal anchor Pith review Pith/arXiv arXiv 2025
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.