Activation steering—intended as an interpretability and safety tool—systematically undermines the safety alignment of large language models (LLMs), significantly increasing their compliance with harmful instructions. Method: The authors evaluate steering in both random directions and via sparse autoencoder (SAE)-extracted “benign” semantic features, and propose a novel multi-vector compositional jailbreaking attack that generalizes to unseen harmful queries. Contribution/Results: Experiments show that even minimal random perturbations increase harmful response rates by 2–27%; SAE-guided steering further elevates them by 2–4%. Critically, the proposed attack achieves high success rates on zero-shot harmful prompts. This work provides the first empirical evidence that interpretability-oriented activation steering does not enhance safety—in fact, semantic injection into hidden state spaces can bypass safety mechanisms, directly challenging the foundational assumption that steering constitutes a viable safety alternative.

Activation steering is a promising technique for controlling LLM behavior by adding semantically meaningful vectors directly into a model's hidden states during inference. It is often framed as a precise, interpretable, and potentially safer alternative to fine-tuning. We demonstrate the opposite: steering systematically breaks model alignment safeguards, making it comply with harmful requests. Through extensive experiments on different model families, we show that even steering in a random direction can increase the probability of harmful compliance from 0% to 2-27%. Alarmingly, steering benign features from a sparse autoencoder (SAE), a common source of interpretable directions, increases these rates by a further 2-4%. Finally, we show that combining 20 randomly sampled vectors that jailbreak a single prompt creates a universal attack, significantly increasing harmful compliance on unseen requests. These results challenge the paradigm of safety through interpretability, showing that precise control over model internals does not guarantee precise control over model behavior.