Steered LLM Activations are Non-Surjective

TL;DR

This paper demonstrates that activation steering in large language models cannot generally be replicated by any prompt, highlighting a fundamental difference between white-box control and black-box prompting.

Contribution

It provides a formal proof that activation steering pushes model states off the prompt-reachable manifold, establishing a separation between steerability and prompt-based interpretability.

Findings

Activation steering often leads to states unreachable by prompts.

Empirical evidence across three LLMs supports the theoretical result.

Steerability and prompt-based control are fundamentally different.

Abstract

Activation steering is a popular white-box control technique that modifies model activations to elicit an abstract change in its behavior. It has also become a standard tool in interpretability (e.g., probing truthfulness, or translating activations into human-readable explanations) and safety research (e.g., jailbreakability). However, it is unclear whether steered behavior is realizable by any textual prompt. In this work, we cast this question as a surjectivity problem: for a fixed model, does every steered activation admit a preimage under the model's natural forward pass? Under practical assumptions, we prove that activation steering pushes the residual stream off the manifold of states reachable from discrete prompts. Almost surely, no prompt can reproduce the same internal behavior induced by steering. We also illustrate this finding empirically across three widely used LLMs. Our results establish a formal separation between white-box steerability and black-box prompting. We therefore caution against interpreting the ease and success of activation steering as evidence of prompt-based interpretability or vulnerability, and argue for evaluation protocols that explicitly decouple white-box and black-box interventions.