Steering Safely or Off a Cliff? Rethinking Specificity and Robustness in Inference-Time Interventions

TL;DR

This paper introduces a framework to evaluate the specificity of inference-time interventions in language models, revealing that current steering methods often fail to maintain robustness, which can compromise safety despite apparent efficacy.

Contribution

It proposes a novel three-dimensional framework for assessing specificity in model steering and provides the first systematic evaluation highlighting robustness issues.

Findings

Steering methods maintain general and control specificity but fail in robustness.

Overrefusal steering increases vulnerability to jailbreaks.

Standard checks are insufficient without robustness evaluation.

Abstract

Model steering, which involves intervening on hidden representations at inference time, has emerged as a lightweight alternative to finetuning for precisely controlling large language models. While steering efficacy has been widely studied, evaluations of whether interventions alter only the intended property remain limited, especially with respect to unintended changes in behaviors related to the target property. We call this notion specificity. We propose a framework that distinguishes three dimensions of specificity: general (preserving fluency and unrelated abilities), control (preserving related control properties), and robustness (preserving control properties under distribution shifts). We study two safety-critical use cases: steering models to reduce overrefusal and faithfulness hallucinations, and show that while steering achieves high efficacy and largely maintains general and control specificity, it consistently fails to preserve robustness specificity. In the case of overrefusal steering, for example, all steering methods reduce overrefusal without harming general abilities and refusal on harmful queries; however, they substantially increase vulnerability to jailbreaks. Our work provides the first systematic evaluation of specificity in model steering, showing that standard efficacy and specificity checks are insufficient, because without robustness evaluation, steering methods may appear reliable even when they compromise model safety.