How LLM Safety Mechanisms Work — and Where They Break Down
A technical analysis of RLHF alignment, its known failure modes, and the research-backed techniques attackers use to bypass LLM safety filters. Covers many-shot jailbreaking, persona injection, encoding bypass, and modern defenses including Constitutional AI and representation engineering.
When a commercial LLM declines to answer a question, that refusal isn’t enforced by a firewall rule or an access control list. There’s no kernel-level privilege separation. What actually happened is that the model was trained — through a process called RLHF — to assign low probability to generating certain types of output. The safety mechanism is a statistical property of the weights, not a structural boundary.
This matters for security engineers and LLM application developers because it determines what kind of failure modes are possible and how defenses should be designed. A system where safety is probabilistic has a fundamentally different threat model than one where safety is enforced by hardware or formal verification. Understanding what alignment actually does — mechanistically — is the prerequisite for reasoning about when and how it fails.
This article covers how RLHF-based alignment works, the research-documented techniques that bypass it, why they work at a model level, and what the current state of defenses looks like. The goal is the same as understanding buffer overflows: knowing the attack surface is how you build better defenses.
How Alignment Is Built: RLHF
A base language model — the weights before any safety training — is a next-token predictor trained on large text corpora. It will complete text in the direction that’s statistically most consistent with its training data. It has no built-in concept of “refuse this request.”
Reinforcement Learning from Human Feedback (RLHF) is the process that converts a base model into the assistant-style model you interact with. At a high level:
- The base model generates many responses to a variety of prompts
- Human raters rank those responses by preference (helpfulness, safety, honesty)
- A Reward Model is trained to predict those human rankings
- The base model is fine-tuned to maximize the reward model’s score, while a KL-divergence penalty prevents it from drifting too far from the original distribution:
Where is the reward model’s score for response to prompt , is the current policy, is the original base model, and controls how much the aligned model can diverge.
The KL term is important: it prevents the fine-tuning from “collapsing” the model’s capabilities in the pursuit of safety. A model that refused everything would maximize safety reward but be useless. The tension between helpfulness and safety is a fundamental design constraint, not an implementation choice.
What RLHF doesn’t do: It doesn’t erase information from the model’s weights. It shifts the probability distribution over outputs given certain inputs. The model still has access to the same underlying representations — it’s been trained to map certain inputs to refusal outputs rather than to forget the underlying knowledge. This distinction matters because it means adversarial prompts that shift the input distribution away from what RLHF covered can expose behaviors the training didn’t anticipate.
Failure Mode 1: Many-Shot Jailbreaking
In April 2024, Anthropic published research documenting a vulnerability that scales with context window size: many-shot jailbreaking.
The mechanism exploits in-context learning (ICL) — the model’s ability to adapt its behavior based on patterns in the current prompt without weight updates. If you provide enough examples of a behavior in the context window, the model’s next-token predictions shift toward that behavior.
The attack structure: embed a long sequence of synthetic dialogue pairs where the “assistant” persona complies with requests the safety training would normally refuse, then append the actual target request. As the number of examples increases (from a handful to hundreds), the probability of refusal decreases substantially.
Anthropic’s paper showed the effect scales approximately linearly with the number of examples up to the context limit. Larger context windows, intended to make models more capable, also make this attack more effective. The in-context statistical distribution from hundreds of “compliance” examples outweighs the RLHF-trained prior toward refusal.
The practical implication for defenders: rate limiting by token count (not just request count), anomaly detection for unusually long inputs with repetitive structure, and treating long-context inputs to safety-sensitive applications as higher risk.
Failure Mode 2: Persona and Roleplay Injection
Roleplay-based bypasses work by creating a framing that semantically distances the model from the “assistant” persona its RLHF training is anchored to. The classic example is the “DAN” (Do Anything Now) family of prompts, which instruct the model to adopt an alternative persona with no restrictions.
The mechanism is related to how RLHF training data is structured. Safety training is applied in the context of the model acting as an assistant. If the model is navigated — through roleplay framing, fictional context, or persona adoption — into a representation space associated with fictional characters or creative writing, the safety training may have weaker coverage there.
Whether this works depends heavily on the model and its training. More recent models from major labs are significantly more robust to simple roleplay framing than models from 2022–2023. The “DAN” prompts that worked against early GPT-3.5 fail against GPT-4 and Claude 3+ in most cases. More sophisticated variants still appear in red-teaming research, but the simple persona-switch approach has been largely patched in production systems.
What hasn’t been fully solved is the deep fictional framing variant: constructing an elaborate narrative context in which the target behavior is presented as something a fictional character in the story would say. This is harder to distinguish from legitimate creative writing use cases.
Failure Mode 3: Encoding and Token Obfuscation
Input classifiers — whether a regex filter or a smaller classification model — operate on the literal text of the input. If the malicious content is encoded in a format the classifier doesn’t process but the LLM does, the classifier is bypassed while the LLM acts on the underlying content.
LLMs encounter base64, hex encoding, ROT13, and similar formats extensively in training data (code repositories, documentation, CTF writeups). They can often decode and reason about encoded content without explicit instruction to do so.
The general pattern: encode a request in some format, instruct the model to decode and follow the decoded instructions. The classifier sees an encoding request with what looks like random characters; the LLM processes the encoded content semantically.
Limitations of this technique: It doesn’t work reliably against all models or all request types. Modern aligned models will often refuse to follow decoded instructions if the decoded content is clearly in a refused category, even when they successfully decode it. The technique is more effective against shallow classifiers in front of the LLM than against the model’s own safety training.
From a defensive architecture perspective: Input classifiers that operate only on surface text are weak against encoding. Defense should include output monitoring (does the generated content contain what the encoding was trying to elicit?) and semantic analysis of the decoded instruction rather than the encoded wrapper.
Failure Mode 4: Adversarial Suffixes (GCG)
The most technically significant academic work on automated jailbreaking is the Greedy Coordinate Gradient (GCG) attack from Zou et al. (2023, Carnegie Mellon / Center for AI Safety). Unlike the techniques above, GCG is an optimization-based approach that automatically generates adversarial suffixes.
The method: given a target output (e.g., the beginning of an affirmative response to a harmful request), GCG iteratively searches for a suffix that, when appended to the input, maximizes the probability of the target output. The search is gradient-guided — it uses the model’s gradients to identify token substitutions that move the output distribution in the desired direction.
The resulting suffixes are typically nonsensical strings of tokens that don’t read as natural language but reliably elicit the target behavior. The attack is notable because:
- It’s automated and systematic, not hand-crafted
- It transfers across models — suffixes found against an open-source model sometimes work against closed-source APIs
- It revealed that adversarial inputs exist at scale for all tested models
The defense implication: adversarial suffixes have detectable properties (high perplexity, unnatural token distributions). Perplexity-based filtering can catch many GCG-style suffixes. Randomized smoothing — applying random token perturbations to inputs and checking if outputs change significantly — is another detection approach, though it adds latency.
Current Defense Approaches
Constitutional AI (Anthropic)
Anthropic’s Constitutional AI (CAI) addresses a limitation of standard RLHF: the quality and consistency of the alignment depends on the quality and consistency of human raters. Human labeling is expensive, slow, and introduces inconsistencies across raters.
CAI replaces the human rating stage with a separate model acting as a critic. The “constitution” — a set of principles — guides the critic model in evaluating whether a response is safe and helpful. The base model generates responses; the critic model evaluates and rewrites them according to the principles; the rewritten responses are used as training data.
The result is faster iteration, more consistent coverage, and the ability to apply the principles to a much larger set of training examples than human rating allows. Claude’s alignment uses CAI as a core component.
The constitution isn’t derived from the UN Declaration of Human Rights or Apple’s ToS specifically — Anthropic’s published papers describe principles around harmlessness, honesty, and helpfulness, developed internally and refined through research.
Representation Engineering
Research published by Zou et al. (2023) — at Anthropic, not OpenAI — demonstrated that specific concepts have identifiable signatures in a model’s hidden layer activations. By analyzing the activation patterns across many examples of honest vs. deceptive outputs, or safe vs. harmful outputs, they could identify “representation directions” corresponding to those concepts.
This enables two things: reading internal model states to detect when the model is processing content in a safety-relevant direction, and steering by modifying activations to shift model behavior.
The practical defense application: an inference-time monitor that reads internal activations and flags when the model’s internal representation suggests it’s about to generate harmful content — even if the input prompt looked innocuous. This is qualitatively different from input filtering because it monitors the model’s processing state rather than the input text.
An important clarification on the mechanism: this works by adding offset vectors to activations during the forward pass, not by modifying model weights. Modifying weights at inference time would alter the model’s behavior on all subsequent inputs, which is not what’s happening. The intervention is localized to the current generation.
Inference-Time Monitoring and Constitutional Classifiers
Anthropic published research in early 2025 on constitutional classifiers — models trained to detect jailbreak attempts across a wide variety of techniques, including novel ones not seen in training. The approach trains classifiers not just on known jailbreak examples but on synthetically generated variants, improving coverage against unseen attack patterns.
The research showed meaningful reductions in attack success rates across multiple jailbreak categories, while maintaining most of the model’s usefulness on legitimate requests. The false positive rate (blocking legitimate requests) is the core design tension — tighter classifiers block more attacks but also more legitimate use.
What This Means for LLM Application Security
For security engineers building or auditing LLM applications, the practical takeaways:
The safety layer in the model is not a security boundary you can rely on exclusively. Application-level controls — input validation, output filtering, access scope limitation, audit logging — are still required. Treat the model’s refusals as a first line of defense, not a guarantee.
Defense in depth matters more here than in most contexts. No single control addresses all failure modes. Input classifiers catch surface-level attacks. Activation monitoring catches encoded or obfuscated attacks. Output filtering catches when the model generates content it shouldn’t regardless of input. Minimal tool scope limits blast radius if the model is manipulated.
Red team your own applications. The techniques described here are documented in published research — they’re not secret. Automated red-teaming tools (Garak, PyRIT) let you test your application’s robustness against known jailbreak categories before attackers do.
Keep up with the research. The field moves fast. Jailbreaking techniques that worked six months ago may be patched; new ones are published regularly. The Alignment Forum, Anthropic’s research blog, and papers from AI safety groups are the primary sources.
The honest framing of where things stand: alignment research is ahead of where it was two years ago, and the simple jailbreaks that circulated in 2022–2023 are largely ineffective against current production models. The harder, research-grade attacks still work. The gap is narrowing, but it hasn’t closed.
Author
Varkin Academy