Saved in:
Bibliographic Details
Main Authors: Jenny, Maël, Dentan, Jérémie, Vanier, Sonia, Krajecki, Michaël
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2603.14278
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866908887628644352
author Jenny, Maël
Dentan, Jérémie
Vanier, Sonia
Krajecki, Michaël
author_facet Jenny, Maël
Dentan, Jérémie
Vanier, Sonia
Krajecki, Michaël
contents Most jailbreak techniques for Large Language Models (LLMs) primarily rely on prompt modifications, including paraphrasing, obfuscation, or conversational strategies. Meanwhile, abliteration techniques (also known as targeted ablations of internal components) have been used to study and explain LLM outputs by probing which internal structures causally support particular responses. In this work, we combine these two lines of research by directly manipulating the model's internal activations to alter its generation trajectory without changing the prompt. Our method constructs a nearby benign prompt and performs layer-wise activation substitutions using a sequential procedure. We show that this activation surgery method reveals where and how refusal arises, and prevents refusal signals from propagating across layers, thereby inhibiting the model's safety mechanisms. Finally, we discuss the security implications for open-weights models and instrumented inference environments.
format Preprint
id arxiv_https___arxiv_org_abs_2603_14278
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle Activation Surgery: Jailbreaking White-box LLMs without Touching the Prompt
Jenny, Maël
Dentan, Jérémie
Vanier, Sonia
Krajecki, Michaël
Cryptography and Security
Most jailbreak techniques for Large Language Models (LLMs) primarily rely on prompt modifications, including paraphrasing, obfuscation, or conversational strategies. Meanwhile, abliteration techniques (also known as targeted ablations of internal components) have been used to study and explain LLM outputs by probing which internal structures causally support particular responses. In this work, we combine these two lines of research by directly manipulating the model's internal activations to alter its generation trajectory without changing the prompt. Our method constructs a nearby benign prompt and performs layer-wise activation substitutions using a sequential procedure. We show that this activation surgery method reveals where and how refusal arises, and prevents refusal signals from propagating across layers, thereby inhibiting the model's safety mechanisms. Finally, we discuss the security implications for open-weights models and instrumented inference environments.
title Activation Surgery: Jailbreaking White-box LLMs without Touching the Prompt
topic Cryptography and Security
url https://arxiv.org/abs/2603.14278