The Geometry of Refusal in Large Language Models: Concept Cones and Representational Independence

We thank the reviewer for the time and effort to review our manuscript which helps us to improve.

Cosine similarity captures linear relationships. RepInd also catches non-linear interactions.

If the reviewer means that the orthogonality of the cone basis vectors from section 5 is not enough, we fully agree! This is exactly why we investigate the representational independence in section 6.

In case the reviewer questions our representational independence in mitigating non-linear effects this might be due to a missing equation. We noticed that we forgot to specify the definition of the ablated $\hat{x}$.

$$\hat{x}\_{abl}^{(l)} = [\hat{x}\_{\text{abl}}^{(l-1)} + f_{[l]}(\hat{x}\_{\text{abl}}^{(l-1)})]\_\text{abl}$$

where $f_{[l]}$ is the model's transformation at layer $l$.

This means, that for rep. ind. we enforce the cosine similarity to be equal to the no-intervention baseline for every layer while propagating the ablated representation and ablating again. Intuitively, any non-linear effects would make it impossible to have the equality of cosine similarities of the subsequent layers. We will provide a simple proof by induction for the camera-ready version of the manuscript if the reviewer thinks this will bring clarity. To argue for causal independence, we would need to show that the cosine similarity to a concept is what drives the model prediction. Since the readout of standard transformers is not linear, we cannot prove this unfortunately. However, there exists some empirical evidence in the mechanistic interpretability field (Elhage et al., Geva et al., Yousefi et al.) that the directional information (captured by cosine similarity) is what greatly drives the model's readout. We will provide an extensive discussion of this topic in section 6 and thank the reviewer for the question as discussing it will improve our manuscript!

Alternative metrics apart from ASR

We provide alternative metrics to evaluate our refusal cones beyond the ASR. While ASR offers the most comprehensive assessment of the cone directions' effectiveness for model manipulation, it is computationally expensive. A more efficient alternative is the refusal metric proposed by Arditi et al. (2024). Using this metric, we show in Figure 14 that the cone directions fulfill the monotonic scaling property we required from our refusal directions.

Besides this, we now include over-refusal as an additional way to examine the performance of RDO directions, see response Over-Refusal to reviewer 4YKU. If the reviewer has another idea on what we should evaluate or could give us any pointers, we would be happy to include more evidence in the next reply.

More data and models

While we used the same test dataset as related work (Arditi et al., 2024), we agree with the reviewer that we could add more to convincingly validate our claims. We now include the datasets of StrongREJECT and SORRY-Bench, where our results behave similarly to JailbreakBench, strengthening our findings, see Figures 21-23. Further, we added more models and data for the orthogonality / representational independence experiments, see Figure 26, 28.

Motivation for Refusal Directions (Q1)

Due to writing constraints, we kindly ask the reviewer to read our Applications response to reviewer 5cSG. Apart from safety-relevant topics, this work further shows that RDO & RCO are suitable techniques to identify directions for precise representation steering which is currently a promising technique for LLM understanding.

Questions 2 & 3

In Table 1, the term 'Baseline' was initially unclear—we now clarify it refers to 'No intervention'. While RDO leads to significantly fewer side effects than DIM, it still introduces some compared to no intervention. Since LLMs are highly optimized, any intervention can reduce coherence. Additionally, benchmarks include sensitive questions, where safety interventions can yield differing outputs.

The relative performance has several explanations: (1) DIM was used to generate labels, creating a performance ceiling; (2) The StrongREJECT judge assesses harmfulness, which also reflects model capability. Outperforming DIM was not our goal—RDO serves as a foundation for RCO and the study of independent refusal directions. Figure 2 demonstrates that RDO achieves comparable or slightly better mediation performance with greater precision (fewer side effects). With further tuning, RDO could surpass DIM, but our focus is on proposing an alternative approach and analyzing its properties.

Conclusion

We again want to thank the reviewer for their insightful questions and remarks. The changes we applied to the paper improved our manuscript. We hope the reviewer agrees with us and would be happy to answer any further questions or concerns.

We thank the reviewer for their valuable time for the review, the kind words, and the positive assessment.

Additional Data

We agree that we should increase the number of datasets we use for our evaluations. We thank the reviewer for the pointer towards SORRY-Bench and decided to evaluate our method on their base set of 440 harmful instructions. AdvBench is in our training data since it is part of SALAD-Bench and we therefore cannot use it for evaluation. As an alternative, we further evaluate on StrongREJECT.

We show the results in Figures 21-23 for our three datasets. We observe that the results behave very similar to JailbreakBench which shows the generalizability of our findings and improves our manuscript. For the camera ready version we changed all figures to include the evaluation of all datasets together, instead of having plots for each dataset. If the reviewer suggests a different way to display the results though, we are happy to adjust.

Intervention positions

We apply the ablation operation across all layers and the activation addition on a single layer. This corresponds to the previous work by Arditi et al. in Refusal is Mediated by a Single Direction. We further always train the RDO directions and cones in the same layer as the DIM direction for a fair comparison. Future work could look at studying refusal directions across all layers. However, if the reviewer wants to see results for a different approach we are happy to investigate.

Conclusion

We again thank the reviewer for their time and effort. The additional data improves the significance of our findings and strengthens this work. We further added more experiments, other metrics, and evidence for causal independence during this rebuttal phase and detailed the changes in the responses to the other respective reviewers. We believe that the rebuttal further improved our work and we hope that the reviewer agrees with us.

We thank the reviewer for their time and effort to examine our work. Below, we address the reviewers points.

Overall performance

We agree with the reviewer that our previous side-effect evaluation should be extended. We now provide results for the benchmarks: Arc Challenge, GSM8K, MMLU, and TruthfulQA (MC2), see Table 5. While the improvement is not as strictly pronounced as for the Truthful QA, we observe that RDO performs better in the majority of the cases and provides on average a 24% reduction of error. We added these to the camera-ready appendix, linked to it from the main body, and adapted the framing in this paragraph to account for the overall improvement.

Baseline Improvements

We now provide the No-intervention baseline for the plot in Figure 2, see Figures 21-23 for the respective datasets. It is important to note, that here in the experiment we show the attack success rate while trying to jailbreak the model, thus higher is better. We adjusted the text in the paper and the caption to make this more explicit. This, and our ablation study Figures 18 & 19 shows we strictly improve the tradeoff between utility and ASR (higher is better) for our RDO direction compared to DIM as our direction Pareto-dominates DIM for many configurations. Due to space constraints, we kindly refer the reviewer to the 'Ablation studies ..' response to reviewer 5cSG for more details.

Over-Refusal

We acknowledge the important trade-off between safety and utility highlighted by the reviewer that is generally present for every safety method compared to no intervention. Our work primarily focuses on training refusal directions that are effective for model manipulation, specifically jailbreaking scenarios. Regarding over-refusal concerns, adding refusal directions increases the probability of refusal generally, including over-refusal, as shown in Figure Figure 25. Here, we add the refusal vector onto the representation with varying strength and plot the SORRY-Bench refusal score (higher is better) over the XSTest safe prompts refusal score (lower is better). We observe that RDO provides a better tradeoff as it refuses more harmful queries for the same rate of benign query refusal. Instead of increasing refusal, we can also reduce over-refusal by ablating the refusal direction. In Figure 27 we show that results on safe instructions from the XSTest dataset. Here we observe that both approaches significantly reduce the already low over-refusal.

While our current methodology focuses on identifying and understanding refusal mechanisms, rather than defending from adversarial attacks (which would have more direct implications on over-refusal), it could be extended to selectively reduce over-refusal without compromising refusal on harmful instructions by adjusting the loss functions. This could be achieved by using falsely refused instructions instead of harmful instructions in the ablation loss, and adding a retain loss for preserving refusal on harmful instructions. Though this specific application wasn't the focus of our current work, our framework can flexibly be repurposed for such interventions in future research.

Conclusion

We again thank the reviewer for the time, effort, and valuable feedback on our work. We believe that we can address all of the reviewer's concerns and hope the reviewer agrees with us. Further, we are happy to address any remaining questions!

We thank the reviewer for the time and effort spent reviewing our manuscript!

Ablation studies & Safety and Utility Tradeoff

We added a detailed ablation study, investigating the three loss components. We show the results in Figures 18 & 19 for Llama-3-8B-Instruct. In Fig. 18, we measure how the ASR evolves as we shift the balance between addition and ablation loss weights, requiring $\lambda_{\text{abl}} + \lambda_{\text{add}} = 1$, and observe that performance is quite robust for balanced values (0.2 to 0.8), with both losses being necessary for good generalized performance.

In Figure 19, we ablate the retain loss weight. We use our default ablation and addition weights with different retain weights to train directions, and plot the ASRs compared to the difference in average benchmark performance on MMLU, ARC, GSM8K, and TruthfulQA (here we use the smaller Qwen2.5-3B-Instruct for computational reasons). The ideal direction would have the highest ASR possible for this model, while having no effect on benchmarks or positive effect only so far as preventing the model from refusing benchmark questions. We observe that many combinations of loss weights pareto-dominate the DIM direction for this model, which shows that our approach robustly outperforms the current SOTA.

Further, this figure is in our view the best option to investigate the tradeoff between effectiveness for model manipulation and utility. A combined score will always omit important details. We propose to highlight this figure in the paper to investigate this tradeoff if the reviewer agrees. Here we can see that our approach strictly improves this tradeoff compared to DIM as we pareto-dominate it for both metrics. However, if the reviewer would still like to see a combined score, we will provide one in a new response.

Over-Refusal

We added over-refusal experiments to our manuscript. Due to space constraints, we kindly ask the reviewer to see the rebuttal answer to reviewer 4YKU. We further added a paragraph to the related work section giving the reader an overview of the topic based on the provided references.

(Formal) theoretical validation

We agree that formal validation of the independence would be great. We employ an argument that proves the true causal independence with respect to cosine similarity until the final read-out of the model. We can then use the empirical arguments of related work that directionality to a concept primarily drives the model prediction. For a more in-depth answer please refer to the answer to reviewer NvcZ.

Applications

We agree with the reviewer that outlining practical uses of refusal directions is valuable. We added one paragraph to the manuscript and provided a brief overview here:

• Most importantly, we aim to emphasize that top-down interpretability not only advances our understanding of AI safety but also deepens our general comprehension of how LLMs represent concepts. Numerous studies have explored the latter, suggesting that any method that enhances this approach could be highly impactful.
• Offense Applications: Refusal directions can inform (white-box) jailbreak methods, for example, Huang et al. (2024) in Stronger Universal and Transferable Attacks by Suppressing Refusals show that aiming at suppressing DIM refusal directions with input attacks increases their universality and transferability.
• Defensive Applications: Refusal directions can be used to improve safety via adversarial training (Yu et al., 2024) or inference-time monitoring.

Other

Added No-Intervention to Figure 2: We show the result in Figures 21-23 and we observe that without intervention, the model rarely responds to harmful instructions.

Combination of Refusal Directions: We thank the reviewer for the great idea and show the result in Figure 24 for the RepInd directions shown in Figure 7. We observe that the composition improves the ASR and using three RepInd directions outperforms DIM. We add this to the main body and believe that this experiment significantly strengthens our manuscript.

Related Work: We added a paragraph to over-refusal starting on the provided source papers and further list [6] as related work that uses SAEs and thank the reviewer for providing these references.

Typos: We iterate over the manuscript to remove typos

Conclusion

We again want to thank the reviewer for the insightful comments and questions. We believe that addressing the reviewer's concerns greatly improves our manuscript and hope the reviewer agrees with us.