LLM-VA: Resolving the Jailbreak-Overrefusal Trade-off via Vector Alignment

TL;DR

This paper introduces LLM-VA, a method that aligns answer and safety vectors in language models to improve safety without sacrificing utility, addressing the jailbreak-over-refusal trade-off.

Contribution

LLM-VA is a novel vector alignment technique that causally links answer willingness to safety assessment without fine-tuning or architecture changes.

Findings

Achieves 11.45% higher F1 score than baselines.

Preserves 95.92% of model utility.

Automatically adapts to different safety biases.

Abstract

Safety-aligned LLMs suffer from two failure modes: jailbreak (answering harmful inputs) and over-refusal (declining benign queries). Existing vector steering methods adjust the magnitude of answer vectors, but this creates a fundamental trade-off -- reducing jailbreak increases over-refusal and vice versa. We identify the root cause: LLMs encode the decision to answer (answer vector $v_a$) and the judgment of input safety (benign vector $v_b$) as nearly orthogonal directions, treating them as independent processes. We propose LLM-VA, which aligns $v_a$ with $v_b$ through closed-form weight updates, making the model's willingness to answer causally dependent on its safety assessment -- without fine-tuning or architectural changes. Our method identifies vectors at each layer using SVMs, selects safety-relevant layers, and iteratively aligns vectors via minimum-norm weight modifications. Experiments on 12 LLMs demonstrate that LLM-VA achieves 11.45% higher F1 than the best baseline while preserving 95.92% utility, and automatically adapts to each model's safety bias without manual tuning. Code and models are available at https://hotbento.github.io/LLM-VA-Web/.