Jailbreak Attack Initializations as Extractors of Compliance Directions

Amit LeVi; Rom Himelstein; Yaniv Nemcovsky; Avi Mendelson; Chaim Baskin

doi:10.18653/v1/2025.findings-emnlp.354

Jailbreak Attack Initializations as Extractors of Compliance Directions

Amit LeVi
, Rom Himelstein
, Yaniv Nemcovsky
, Avi Mendelson
, Chaim Baskin

School of Electrical and Computer Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Safety-aligned LLMs respond to prompts with either compliance or refusal, each corresponding to distinct directions in the model’s activation space. Recent studies have shown that initializing attacks via self-transfer from other prompts significantly enhances their performance. However, the underlying mechanisms of these initializations remain unclear, and attacks utilize arbitrary or hand-picked initializations. This work presents that each gradient-based jailbreak attack and subsequent initialization gradually converge to a single compliance direction that suppresses refusal, thereby enabling an efficient transition from refusal to compliance. Based on this insight, we propose CRI, an initialization framework that aims to project unseen prompts further along compliance directions. We demonstrate our approach on multiple attacks, models, and datasets, achieving an increased attack success rate (ASR) and reduced computational overhead, highlighting the fragility of safety-aligned LLMs.

Original language	English
Title of host publication	Findings of the Association for Computational Linguistics: EMNLP 2025
Editors	Christos Christodoulopoulos, Tanmoy Chakraborty, Carolyn Rose, Violet Peng
Place of Publication	Suzhou, China
Publisher	Association for Computational Linguistics
Pages	6672-6705
Number of pages	34
ISBN (Print)	9798891763357
DOIs	https://doi.org/10.18653/v1/2025.findings-emnlp.354
State	Published - 1 Nov 2025

Access to Document

10.18653/v1/2025.findings-emnlp.354

https://aclanthology.org/2025.findings-emnlp.354/

Cite this

LeVi, A., Himelstein, R., Nemcovsky, Y., Mendelson, A., & Baskin, C. (2025). Jailbreak Attack Initializations as Extractors of Compliance Directions. In C. Christodoulopoulos, T. Chakraborty, C. Rose, & V. Peng (Eds.), Findings of the Association for Computational Linguistics: EMNLP 2025 (pp. 6672-6705). Association for Computational Linguistics. https://doi.org/10.18653/v1/2025.findings-emnlp.354

@inproceedings{eb56ff7938f94f09927ffe30669fa4c6,

title = "Jailbreak Attack Initializations as Extractors of Compliance Directions",

abstract = "Safety-aligned LLMs respond to prompts with either compliance or refusal, each corresponding to distinct directions in the model{\textquoteright}s activation space. Recent studies have shown that initializing attacks via self-transfer from other prompts significantly enhances their performance. However, the underlying mechanisms of these initializations remain unclear, and attacks utilize arbitrary or hand-picked initializations. This work presents that each gradient-based jailbreak attack and subsequent initialization gradually converge to a single compliance direction that suppresses refusal, thereby enabling an efficient transition from refusal to compliance. Based on this insight, we propose CRI, an initialization framework that aims to project unseen prompts further along compliance directions. We demonstrate our approach on multiple attacks, models, and datasets, achieving an increased attack success rate (ASR) and reduced computational overhead, highlighting the fragility of safety-aligned LLMs.",

author = "Amit LeVi and Rom Himelstein and Yaniv Nemcovsky and Avi Mendelson and Chaim Baskin",

year = "2025",

month = nov,

day = "1",

doi = "10.18653/v1/2025.findings-emnlp.354",

language = "English",

isbn = "9798891763357",

pages = "6672--6705",

editor = "Christos Christodoulopoulos and Tanmoy Chakraborty and Carolyn Rose and Violet Peng",

booktitle = "Findings of the Association for Computational Linguistics: EMNLP 2025",

publisher = "Association for Computational Linguistics",

}

LeVi, A, Himelstein, R, Nemcovsky, Y, Mendelson, A & Baskin, C 2025, Jailbreak Attack Initializations as Extractors of Compliance Directions. in C Christodoulopoulos, T Chakraborty, C Rose & V Peng (eds), Findings of the Association for Computational Linguistics: EMNLP 2025. Association for Computational Linguistics, Suzhou, China, pp. 6672-6705. https://doi.org/10.18653/v1/2025.findings-emnlp.354

Jailbreak Attack Initializations as Extractors of Compliance Directions. / LeVi, Amit; Himelstein, Rom; Nemcovsky, Yaniv et al.
Findings of the Association for Computational Linguistics: EMNLP 2025. ed. / Christos Christodoulopoulos; Tanmoy Chakraborty; Carolyn Rose; Violet Peng. Suzhou, China: Association for Computational Linguistics, 2025. p. 6672-6705.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Jailbreak Attack Initializations as Extractors of Compliance Directions

AU - LeVi, Amit

AU - Himelstein, Rom

AU - Nemcovsky, Yaniv

AU - Mendelson, Avi

AU - Baskin, Chaim

PY - 2025/11/1

Y1 - 2025/11/1

N2 - Safety-aligned LLMs respond to prompts with either compliance or refusal, each corresponding to distinct directions in the model’s activation space. Recent studies have shown that initializing attacks via self-transfer from other prompts significantly enhances their performance. However, the underlying mechanisms of these initializations remain unclear, and attacks utilize arbitrary or hand-picked initializations. This work presents that each gradient-based jailbreak attack and subsequent initialization gradually converge to a single compliance direction that suppresses refusal, thereby enabling an efficient transition from refusal to compliance. Based on this insight, we propose CRI, an initialization framework that aims to project unseen prompts further along compliance directions. We demonstrate our approach on multiple attacks, models, and datasets, achieving an increased attack success rate (ASR) and reduced computational overhead, highlighting the fragility of safety-aligned LLMs.

AB - Safety-aligned LLMs respond to prompts with either compliance or refusal, each corresponding to distinct directions in the model’s activation space. Recent studies have shown that initializing attacks via self-transfer from other prompts significantly enhances their performance. However, the underlying mechanisms of these initializations remain unclear, and attacks utilize arbitrary or hand-picked initializations. This work presents that each gradient-based jailbreak attack and subsequent initialization gradually converge to a single compliance direction that suppresses refusal, thereby enabling an efficient transition from refusal to compliance. Based on this insight, we propose CRI, an initialization framework that aims to project unseen prompts further along compliance directions. We demonstrate our approach on multiple attacks, models, and datasets, achieving an increased attack success rate (ASR) and reduced computational overhead, highlighting the fragility of safety-aligned LLMs.

U2 - 10.18653/v1/2025.findings-emnlp.354

DO - 10.18653/v1/2025.findings-emnlp.354

M3 - Conference contribution

SN - 9798891763357

SP - 6672

EP - 6705

BT - Findings of the Association for Computational Linguistics: EMNLP 2025

A2 - Christodoulopoulos, Christos

A2 - Chakraborty, Tanmoy

A2 - Rose, Carolyn

A2 - Peng, Violet

PB - Association for Computational Linguistics

CY - Suzhou, China

ER -

LeVi A, Himelstein R, Nemcovsky Y, Mendelson A, Baskin C. Jailbreak Attack Initializations as Extractors of Compliance Directions. In Christodoulopoulos C, Chakraborty T, Rose C, Peng V, editors, Findings of the Association for Computational Linguistics: EMNLP 2025. Suzhou, China: Association for Computational Linguistics. 2025. p. 6672-6705 doi: 10.18653/v1/2025.findings-emnlp.354

Jailbreak Attack Initializations as Extractors of Compliance Directions

Abstract

Access to Document

Fingerprint

Cite this