English

Sparse Autoencoders are Capable LLM Jailbreak Mitigators

Cryptography and Security 2026-02-16 v1 Computation and Language Machine Learning

Abstract

Jailbreak attacks remain a persistent threat to large language model safety. We propose Context-Conditioned Delta Steering (CC-Delta), an SAE-based defense that identifies jailbreak-relevant sparse features by comparing token-level representations of the same harmful request with and without jailbreak context. Using paired harmful/jailbreak prompts, CC-Delta selects features via statistical testing and applies inference-time mean-shift steering in SAE latent space. Across four aligned instruction-tuned models and twelve jailbreak attacks, CC-Delta achieves comparable or better safety-utility tradeoffs than baseline defenses operating in dense latent space. In particular, our method clearly outperforms dense mean-shift steering on all four models, and particularly against out-of-distribution attacks, showing that steering in sparse SAE feature space offers advantages over steering in dense activation space for jailbreak mitigation. Our results suggest off-the-shelf SAEs trained for interpretability can be repurposed as practical jailbreak defenses without task-specific training.

Keywords

Cite

@article{arxiv.2602.12418,
  title  = {Sparse Autoencoders are Capable LLM Jailbreak Mitigators},
  author = {Yannick Assogba and Jacopo Cortellazzi and Javier Abad and Pau Rodriguez and Xavier Suau and Arno Blaas},
  journal= {arXiv preprint arXiv:2602.12418},
  year   = {2026}
}

Comments

26 pages, 14 figures, 3 tables

R2 v1 2026-07-01T10:34:30.888Z