Analysing the Safety Pitfalls of Steering Vectors

TL;DR

This paper systematically evaluates the safety risks of steering vectors in large language models, revealing how they can significantly influence jailbreak attack success rates and highlighting a trade-off between controllability and safety.

Contribution

It provides the first comprehensive safety audit of Contrastive Activation Addition steering vectors, uncovering their impact on attack success rates across various LLMs and sizes.

Findings

Steering vectors can increase jailbreak success rate by up to 57%.

Steering vectors can decrease attack success rate by up to 50%.

Overlap with refusal behavior directions explains safety vulnerabilities.

Abstract

Activation steering has emerged as a powerful tool to shape LLM behavior without the need for weight updates. While its inherent brittleness and unreliability are well-documented, its safety implications remain underexplored. In this work, we present a systematic safety audit of steering vectors obtained with Contrastive Activation Addition (CAA), a widely used steering approach, under a unified evaluation protocol. Using JailbreakBench as benchmark, we show that steering vectors consistently influence the success rate of jailbreak attacks, with stronger amplification under simple template-based attacks. Across LLM families and sizes, steering the model in specific directions can drastically increase (up to 57%) or decrease (up to 50%) its attack success rate (ASR), depending on the targeted behavior. We attribute this phenomenon to the overlap between the steering vectors and the latent directions of refusal behavior. Thus, we offer a traceable explanation for this discovery. Together, our findings reveal the previously unobserved origin of this safety gap in LLMs, highlighting a trade-off between controllability and safety.