Into the Gray Zone: Domain Contexts Can Blur LLM Safety Boundaries
For LLM safety researchers, this work reveals a critical vulnerability in context-sensitive alignment and provides both an attack and a mitigation method.
The paper identifies that domain-specific contexts (e.g., chemistry) and safety-research contexts (e.g., jailbreak studies) can selectively relax LLM safety boundaries, and proposes Jargon, a framework combining safety-research contexts with multi-turn adversarial interactions that achieves over 93% attack success rates across seven frontier models including GPT-5.2, Claude-4.5, and Gemini-3. They also design a policy-guided safeguard that reduces attack success rates while preserving helpfulness.
A central goal of LLM alignment is to balance helpfulness with harmlessness, yet these objectives conflict when the same knowledge serves both legitimate and malicious purposes. This tension is amplified by context-sensitive alignment: we observe that domain-specific contexts (e.g., chemistry) selectively relax defenses for domain-relevant harmful knowledge, while safety-research contexts (e.g., jailbreak studies) trigger broader relaxation spanning all harm categories. To systematically exploit this vulnerability, we propose Jargon, a framework combining safety-research contexts with multi-turn adversarial interactions that achieves attack success rates exceeding 93% across seven frontier models, including GPT-5.2, Claude-4.5, and Gemini-3, substantially outperforming existing methods. Activation space analysis reveals that Jargon queries occupy an intermediate region between benign and harmful inputs, a gray zone where refusal decisions become unreliable. To mitigate this vulnerability, we design a policy-guided safeguard that steers models toward helpful yet harmless responses, and internalize this capability through alignment fine-tuning, reducing attack success rates while preserving helpfulness.