arXiv: Refusal Before Decoding: Detecting and Exploiting Refusal Signals in Intermediate LLM Activations
AI_SAFETY. Sourced from arxiv_cscr, summarised by Matproof.
AI Analysis
What changed and what to do.
This paper, published on arXiv, introduces a novel method for detecting and exploiting refusal signals in large language models (LLMs) by analyzing their internal activations before a final output is generated. The authors demonstrate that intermediate neural network states can reveal whether a model is about to refuse a harmful request, and that these signals can be manipulated to bypass safety guardrails. This is not a regulatory change but a research finding that highlights a potential vulnerability in current AI safety mechanisms.
Organizations deploying or developing LLMs in the EU, particularly those subject to the AI Act’s high-risk or general-purpose AI provisions, are directly affected. This includes technology firms, financial services using AI for customer interaction, healthcare AI providers, and any sector relying on LLM-based content moderation or decision support. The finding suggests that existing refusal-based safety filters may be insufficient against sophisticated adversarial attacks.
Compliance teams should immediately review their AI risk management frameworks to assess whether their models are susceptible to activation-based attacks. They should engage technical teams to test for this vulnerability and consider implementing additional monitoring of intermediate model states. For EU AI Act compliance, this research underscores the need for robust, multi-layered safety testing beyond output-level filtering. Teams should document these findings in their conformity assessments and prepare for potential updates to technical standards or guidance from national supervisory authorities.
This summary is AI-generated for orientation purposes. For regulatory action, always consult the original source linked above.