Knowing without Acting: The Disentangled Geometry of Safety Mechanisms in Large Language Models

TL;DR

This paper explores the geometric structure of safety mechanisms in large language models, revealing a disentangled two-part system for recognizing harmful content and deciding to act, enabling new attack strategies and architectural insights.

Contribution

It introduces the Disentangled Safety Hypothesis, geometric analysis of safety signals, and novel methods for causal dissociation and safety mechanism manipulation in language models.

Findings

Discovered a universal transition from entangled to independent safety signals across model layers.

Developed the Double-Difference Extraction and Adaptive Causal Steering techniques.

Achieved state-of-the-art success in safety mechanism attack via the Refusal Erasure Attack.

Abstract

Safety alignment is often conceptualized as a monolithic process wherein harmfulness detection automatically triggers refusal. However, the persistence of jailbreak attacks suggests a fundamental mechanistic decoupling. We propose the \textbf{\underline{D}}isentangled \textbf{\underline{S}}afety \textbf{\underline{H}}ypothesis \textbf{(DSH)}, positing that safety computation operates on two distinct subspaces: a \textit{Recognition Axis} ($\mathbf{v}_H$, ``Knowing'') and an \textit{Execution Axis} ($\mathbf{v}_R$, ``Acting''). Our geometric analysis reveals a universal ``Reflex-to-Dissociation'' evolution, where these signals transition from antagonistic entanglement in early layers to structural independence in deep layers. To validate this, we introduce \textit{Double-Difference Extraction} and \textit{Adaptive Causal Steering}. Using our curated \textsc{AmbiguityBench}, we demonstrate a causal double dissociation, effectively creating a state of ``Knowing without Acting.'' Crucially, we leverage this disentanglement to propose the \textbf{Refusal Erasure Attack (REA)}, which achieves State-of-the-Art attack success rates by surgically lobotomizing the refusal mechanism. Furthermore, we uncover a critical architectural divergence, contrasting the \textit{Explicit Semantic Control} of Llama3.1 with the \textit{Latent Distributed Control} of Qwen2.5. The code and dataset are available at https://anonymous.4open.science/r/DSH.