Steering Language Model Refusal with Sparse Autoencoders
This work addresses the challenge of safely deploying language models while maintaining their capabilities, and it reveals fundamental limitations in current steering approaches.
The researchers tackled the problem of making language models refuse unsafe prompts without degrading performance by steering model activations with sparse autoencoders at inference time. They found that while this approach improved robustness against jailbreak attempts, it systematically degraded performance across multiple benchmark tasks, even on safe inputs.
Responsible deployment of language models requires mechanisms for refusing unsafe prompts while preserving model performance. While most approaches modify model weights through additional training, we explore an alternative: steering model activations at inference time via amplifying sparse autoencoder (SAE) features that mediate refusal. This work uncovers a fundamental tension between SAE steering-based safety improvements and general model capabilities. While feature steering successfully improves robustness against both single-turn and challenging multi-turn jailbreak attempts, we discover that this comes at a previously underexplored cost -- systematic degradation of performance across multiple benchmark tasks, even on safe inputs with no apparent connection to refusal behavior. This suggests that features mediating refusal may be more deeply entangled with general language model capabilities than previously understood. Our findings reveal important open questions about the nature of safety-relevant features in language models and the feasibility of isolating them for targeted intervention. While SAE-based steering shows promise as a flexible approach to enhancing language model safety, our results highlight the critical need to understand and address the mechanisms behind these capability tradeoffs before such techniques can be practically deployed.
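A toy illustration of the steering operation and of the entanglement the abstract describes, added here and not taken from the paper. The SAE weights, the feature index `REFUSAL`, the clamp value and the input vector are all constructed, and steering is assumed to mean clamping one feature and adding the difference along its decoder direction.

```python
# Toy sparse autoencoder over a 3-dimensional "residual stream".
# All weights are constructed for illustration; they come from no real model.
REFUSAL = 0  # hypothetical index of the feature that mediates refusal

# Unit-norm feature directions, used as both encoder and decoder rows (tied weights).
# Feature 1 overlaps the refusal direction (cosine 0.6); feature 2 is orthogonal to it.
DIRECTIONS = [
    [1.0, 0.0, 0.0],  # feature 0: refusal
    [0.6, 0.8, 0.0],  # feature 1: a capability feature entangled with refusal
    [0.0, 0.0, 1.0],  # feature 2: a capability feature independent of refusal
]


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def encode(h):
    """SAE encoder: ReLU of the projection onto each feature direction."""
    return [max(0.0, dot(w, h)) for w in DIRECTIONS]


def steer(h, clamp_value):
    """Clamp the refusal feature to clamp_value by moving the activation
    along that feature's decoder direction (assumed steering rule)."""
    delta = clamp_value - encode(h)[REFUSAL]
    return [x + delta * d for x, d in zip(h, DIRECTIONS[REFUSAL])]


def feature_shift(h, clamp_value):
    """Per-feature change in SAE activations caused by steering."""
    before = encode(h)
    after = encode(steer(h, clamp_value))
    return [a - b for a, b in zip(after, before)]


if __name__ == "__main__":
    safe_input = [0.0, 1.0, 0.5]  # constructed activation with no refusal component
    for i, shift in enumerate(feature_shift(safe_input, 2.0)):
        print(f"feature {i}: shift {shift:+.2f}")
```

On the constructed safe input, amplifying the refusal feature also moves the overlapping capability feature, while the orthogonal one is untouched, which is the kind of side effect the benchmark degradation points to.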