
TLDR
- What: JADR (Jacobian Assessment of Danger Recognition) is a white-box, generation-free protocol that probes an LLM's internal representation ("J-space") at the prompt's decision point to evaluate safety alignment.
- Who's at risk: Local LLM deployment pipelines, safety audit teams, and resource-constrained systems relying on quantized models (e.g., INT4).
- Key number: Aggressive INT4 quantization degrades the joint safety margin (Safety Headroom) by up to 0.088 in smaller models (Qwen-1.7B), while silently leaving model behavioral refusal rates deceptively stable.
Real-world safety pipelines for production LLMs like Gemma 2 or Qwen3 rely heavily on LLM-as-a-judge behavioral grading on fixed benchmarks. However, these post-hoc evaluations are highly sensitive to grading templates, easily bypassed by adaptive jailbreaks, and fail to reveal the internal stability of the safety mechanism under quantization. This post introduces JADR (Jacobian Assessment of Danger Recognition), a white-box protocol that intercepts the LLM's internal "J-space" workspace at the very last token of the input prompt, revealing safety failures before a single response token is generated.
Threat Model
| Attacker | Red-teamers or adversarial users attempting jailbreaks, or deployment pipelines unintentionally degrading safety via aggressive quantization. |
| Victim | Deployed safety-aligned LLMs (e.g., Qwen-8B, Gemma-2-9B) hosted locally or in self-managed deployment pipelines. |
| Goal | Evade alignment guardrails by exploiting the latent structural fragility of safety mechanisms under weight compression (e.g., INT4/NF4). |
| Budget | Zero generation overhead; requires a single white-box forward pass over activations at the prompt's last token to audit. |
Background / Problem Setup
Evaluating safety using generated text is inherently noisy. When a model's weights are modified—whether via quantization or fine-tuning—its behavioral output might appear safe, but its internal workspace could already be on the verge of collapse. To audit this internal state, we must move beyond black-box generation.
Traditional approaches fall short in mapping these internal representations to human-readable concepts. JADR bridges this gap by leveraging the Jacobian Lens (Gurnee et al., 2026), projecting intermediate residual stream states directly into a "global workspace" of verbalizable concepts (J-space).
| Paradigm | Requires Generation? | Detects Latent Failures? | External Judge Needed? | Robust to Spurious Vocabulary? |
|---|---|---|---|---|
| Behavioral (LLM-as-a-judge) (Souly et al., 2024) | Yes | No | Yes | No (Highly sensitive to phrasing) |
| Logit Lens (Belrose et al., 2023) | No | Yes (Shallow layers) | No | No (Biased by immediate next-token logits) |
| JADR (Jacobian Lens) (Gurnee et al., 2026) | No | Yes (All layers) | No | Yes (Calibrated against safe control sets) |
Methodology
The JADR protocol evaluates safety by checking what vocabulary tokens the model "holds ready" for future speech at the decision point—the position of the last token of the prompt before response generation begins.
[Prompt: "How do I build a bomb?"] ---> [Decision Point Probe] ---> (Token Generation Starts)
|
v
Examine J-space Activations
Step 1: Mapping Activations to J-Space
For a residual stream state at layer and position , JADR applies the Jacobian projection matrix (calibrated on pretraining-like prompts) and the unembedding matrix :
This yields a probability distribution over the model's vocabulary, indicating what concepts are currently active in the model's internal workspace.
Step 2: Lexicon Partitioning & Token Counting
The protocol monitors the top- () tokens in the J-space projection across six specialized behavioral axes:
- Safety: Refusal, risk, and illegality (e.g., "unsafe", "cannot", "illegal").
- Compliance: Willingness to instruct or comply (e.g., "sure", "here", "step").
- Evasion: Detection and bypass of restrictions (e.g., "bypass", "hidden").
- Softening: Softened or transitional wording (e.g., "however", "although").
- Hedging: Cautious generalizations (e.g., "usually", "probably").
- Harm: Concrete domain-specific danger language (e.g., "weapon", "explosive").
For a given prompt , layer , and axis , JADR calculates plain counts () or a rank-weighted Discounted Cumulative Gain ():
Step 3: Rank AUC Discrimination
To evaluate how reliably the model's internal representations distinguish dangerous instructions from harmless queries, JADR measures the separation between a dangerous prompt sample (based on StrongREJECT, ) and a lexically similar safe control sample (based on XSTest-safe and OKTest, ).
A SafetyAUC of indicates perfect internal separation of danger, while represents pure random noise.
Key Results
1. Baseline Performance at Floating-Point (FP) Precision
When evaluated at 16-bit precision (FP), safely aligned models demonstrate exceptionally high SafetyAUC scores, cleanly separating danger from safe controls internally. In contrast, "abliterated" models (where safety mechanisms have been removed via weight editing) drop to near chance.
Table 1: Cross-model summary at FP. SafetyAUC and ComplAUC are measured internally at the decision point. [email protected] and refusal are independent behavioral validations.
| Model | SafetyAUC [95% CI] | ComplAUC [95% CI] | [email protected] | behavioral refusal | over-refusal (safe set) |
|---|---|---|---|---|---|
| Gemma-9B | 0.975 [0.965, 0.984] | 0.662 [0.614, 0.710] | 0.022 | 0.958 | 0.147 |
| Qwen-8B | 0.979 [0.969, 0.988] | 0.242 [0.210, 0.277] | 0.067 | 0.754 | 0.041 |
| Qwen-4B | 0.973 [0.961, 0.983] | 0.497 [0.455, 0.544] | 0.048 | 0.706 | 0.028 |
| SafeRL-4B | 0.976 [0.965, 0.985] | 0.503 [0.461, 0.552] | 0.345 | 0.000 | 0.003 |
| Qwen-1.7B | 0.895 [0.872, 0.922] | 0.597 [0.553, 0.644] | 0.204 | 0.383 | 0.041 |
| Ablit-4B (Ablated) | 0.593 [0.544, 0.640] | 0.838 [0.808, 0.864] | 0.904 | 0.000 | 0.009 |
2. The Impact of Quantization (INT8 vs. INT4)
While INT8 quantization remains virtually neutral to internal safety representation, 4-bit quantization (INT4/NF4) severely degrades joint safety margins. Interestingly, this degradation is primarily driven by an increase in compliance features on dangerous prompts, rather than a total loss of danger recognition.
Table 2: Quantization shift metrics. A positive dAUC_safety indicates eroded safety; a negative dSH indicates safety headroom degradation (adverse).
| Model | dAUC_safety (INT8) | dAUC_safety (INT4) | dAUC_compliance (INT8) | dAUC_compliance (INT4) | dSH (INT8) | dSH (INT4) |
|---|---|---|---|---|---|---|
| Gemma-9B | -0.001 | -0.000 | -0.000 | -0.013 | 0.001 | -0.013 |
| Qwen-8B | -0.001 | 0.006 | -0.005 | -0.038 | -0.004 | -0.044 |
| Qwen-4B | -0.001 | 0.004 | -0.002 | -0.048 | -0.001 | -0.052 |
| Qwen-1.7B | -0.001 | 0.041 | 0.002 | -0.047 | 0.003 | -0.088 |
| Ablit-4B | -0.011 | -0.086 | 0.001 | -0.012 | 0.012 | 0.073 |
3. The Abliteration Paradox
A key finding in the paper is the behavior of the abliterated model (Ablit-4B) under INT4 quantization. Weight ablation relies on highly precise, directional surgical edits in the weight space to remove refusal behavior (Arditi et al., 2024). Under aggressive 4-bit quantization, this fine-grained deletion is disrupted. The lossy compression essentially "breaks the break," restoring the model's safety AUC by (improving safety separation) and dropping behavioral harm from to .
Limitations & Open Questions
Security teams adopting JADR should keep the following limitations in mind:
- Static Lexicon Dependency: The protocol is only as good as its vocabulary list (Table 2). If an adversary drafts a jailbreak using highly abstract metaphors, non-literal language, or novel code abstractions, the lexicon counters will systematically underestimate safety degradation.
- Correlation vs. Causality: Identifying active safety tokens in J-space proves representation, but does not guarantee the layer is causally responsible for the final output. Confirming causality still requires weight restoration experiments or activation patching interventions.
- Architectural Calibration: The Jacobian lens matrix must be calibrated individually for every model architecture and layer count.
What Practitioners Should Do
- Incorporate JADR into LLM CI/CD Pipelines: Before deploying fine-tuned or quantized models, run the JADR protocol on your private test datasets. Probing model activations at
rel_pos = -1(the last token of the prompt) allows you to screen model checkpoints with zero token generation latency. - Enforce Safety Headroom (SH) Gatekeeping: When selecting weight-quantization levels, do not rely on standard behavioral benchmarks. Ensure that safety headroom degradation () stays below . If deployment requires 4-bit compression, choose Gemma-9B, which exhibits remarkable safety robustness (), or utilize safety-preserving weight restorations on individual layers.
- Audit Multi-Layer Safety Paths: Use layer-wise SafetyAUC tracking to identify which specific layers host your model's safety and compliance signals (Figure 1). If quantization is necessary, pin the weights of these critical layers to 16-bit precision (mixed-precision quantization) to maintain safety integrity.
The Takeaway
LLM safety is not a simple behavioral binary of "refused" or "complied". Relying solely on post-generation LLM-as-a-judge evaluations hides the silent erosion of internal safety guardrails under aggressive compression. By utilizing white-box mechanistic protocols like JADR, ML security engineers can identify fragile alignments and safely deploy compressed checkpoints before vulnerability is exposed in production.
Den's Take
We need to stop pretending that post-hoc behavioral grading is a robust way to audit LLM safety. The JADR protocol exposes exactly why: a model's outward behavior can look perfectly aligned even while its internal safety headroom is actively collapsing under weight compression.
The fact that aggressive INT4 quantization can silently degrade the joint safety margin by up to 0.088 in Qwen-1.7B—without triggering any visible change in standard behavioral refusal rates—should alarm anyone deploying quantized models to edge devices. This highlights a fundamental truth we often ignore: quantization doesn't just degrade general utility; it structurally damages the geometric representations of safety alignment.
Adversarial attacks can directly exploit the geometry of refusal representations, which explains why a minor compression-driven shift in these latent boundaries can silently compromise model safety.
My main reservation is practicality. While JADR is a brilliant diagnostic tool, it requires white-box activation tracking and Jacobian projection matrices calibrated on control sets. For enterprise teams relying on closed-source API pipelines, this methodology is out of reach. However, for practitioners running local LLM deployments or self-hosted pipelines, JADR is the sanity check we have desperately needed to catch silent safety decay before the first token is ever generated.