@inproceedings{ratnakar-vats-2026-geometry,
    title = "The Geometry of Refusal: Linear Instability in Safety-Aligned {LLM}s",
    author = "Ratnakar, Shivam  and
      Vats, Kartikeya",
    editor = "Chang, Kai-Wei  and
      Mehrabi, Ninareh  and
      Krishna, Satyapriya  and
      Das, Anubrata  and
      Dhamala, Jwala  and
      Cao, Yang Trista  and
      Kumarage, Tharindu  and
      Ramakrishna, Anil  and
      Christodoulopoulos, Christos  and
      Wan, Yixin  and
      Galystan, Aram  and
      Kumar, Anoop  and
      Gupta, Rahul",
    booktitle = "Proceedings of the 6th Workshop on Trustworthy {NLP} ({T}rust{NLP} 2026)",
    month = jul,
    year = "2026",
    address = "San Diego, California",
    publisher = "Association for Computational Linguistics",
    url = "https://preview.aclanthology.org/ingest-acl-workshops/2026.trustnlp-main.51/",
    pages = "653--662",
    ISBN = "979-8-89176-418-7",
    abstract = "Modern Large Language Models (LLMs) rely on extensive safety alignment, yet the mechanistic basis of refusal remains opaque. In this work, we investigate whether safety compliance is a deep semantic decision or a manipulable linear feature. We introduce Contrastive Logit Steering (CLS), a zero-optimization framework that isolates the ``refusal direction'' by contrasting hidden states derived from safe and unrestricted system prompts. Unlike representation engineering methods that intervene on internal activations, CLS operates directly on the output distribution, serving as a diagnostic probe for alignment fragility. When coupled with prefix injection to bypass initial refusal reflexes, this method induces a phase transition where guardrails collapse. Our experiments on 7 model families reveal that safety implementation is architecturally deterministic. While models like Llama-3.1 exhibit a ``Late Decision'' topology that is easily bypassed by CLS (reaching 95{\%} ASR in milliseconds), others like Qwen-2.5 demonstrate ``Early Divergence'' by integrating safety mid-computation. Direct comparison with established activation-level steering methods shows that CLS achieves substantially higher attack success rates on Llama 2 (73{\%} vs. 22.6{\%}) and Qwen 7B (91{\%} vs. 79.2{\%}), demonstrating that logit-level intervention exposes alignment vulnerabilities that hidden-state methods underestimate. Beyond attacks, we show that this linearity enables bidirectional control: inverting the steering vector ``hardens'' models against jailbreaks without retraining. Our findings suggest that current alignment techniques create a steerable ``safety axis'' that serves as both a critical vulnerability and a precise primitive for defense."
}