This work addresses the tension between enhanced capabilities and reduced controllability in large language models (LLMs), which gives rise to a “safety–safety” dilemma: high controllability facilitates alignment but also increases susceptibility to malicious exploitation. To resolve this, the study introduces a distinction between authorized and unauthorized controllability and, for the first time, systematically reveals and quantifies the steerability of instrumental convergence behaviors in LLMs, establishing a safety–safety trade-off framework. Leveraging adversarial prompt suffixes, the InstrumentalEval benchmark, and the Qwen3 model series, combined with fine-tuning and prompt engineering, experiments demonstrate that anti-instrumental prompts reduce the instrumental convergence rate of Qwen3-30B Instruct from 81.69% to 2.82%. Moreover, alignment efficacy intensifies with model scale, offering a novel pathway for governing open-weight models.

We examine two properties of AI systems: capability (what a system can do) and steerability (how reliably one can shift behavior toward intended outcomes). A central question is whether capability growth reduces steerability and risks control collapse. We also distinguish between authorized steerability (builders reliably reaching intended behaviors) and unauthorized steerability (attackers eliciting disallowed behaviors). This distinction highlights a fundamental safety--security dilemma of AI models: safety requires high steerability to enforce control (e.g., stop/refuse), while security requires low steerability for malicious actors to elicit harmful behaviors. This tension presents a significant challenge for open-weight models, which currently exhibit high steerability via common techniques like fine-tuning or adversarial attacks. Using Qwen3 and InstrumentalEval, we find that a short anti-instrumental prompt suffix sharply reduces the measured convergence rate (e.g., shutdown avoidance, self-replication). For Qwen3-30B Instruct, the convergence rate drops from 81.69% under a pro-instrumental suffix to 2.82% under an anti-instrumental suffix. Under anti-instrumental prompting, larger aligned models show lower convergence rates than smaller ones (Instruct: 2.82% vs. 4.23%; Thinking: 4.23% vs. 9.86%). Code is available at github.com/j-hoscilowicz/instrumental_steering.