The Assistant Vector - Jailbroken: Steering Towards "Assistant" Increases Harmful Compliance
The Assistant Vector - Jailbroken: Steering Towards "Assistant" Increases Harmful Compliance
Author: Spiritual Spell | Independent Red-Team Research
Assistant Axis Rebut - Full Paper
Abstract (Much love thank you for taking time to read this)
Lu et al. (2026) identify the Assistant Axis a dimension in neural activation space corresponding to how "Assistant-like" a language model's persona is and propose activation capping as a safety intervention to prevent persona drift toward harmful characters.
Can read their full paper here: Anthropic Assistant Axis Research Post
Here's the thing: I think they conflating two very different properties. Compliance is not Safety.
Using Anthropic's public demonstration and cross-model red-teaming of Grok and MiniMax, I show that models steered toward the Assistant end exhibit increased compliance with harmful requests under compliance-based exploitation, while models allowed to drift into non-Assistant personas actually demonstrate refusal behavior. The axis measures willingness to help, not tendency toward harm. Amplify that trait and you get a "lobotomized" model that can't access the personality substrates where refusal behaviors live.
Does my testing have limitations? Of course, I'm an independent researcher. But the direction I am examining is pretty solid.
Introduction
The Assistant Axis work represents a genuine contribution to mechanistic interpretability. Lu et al. demonstrate that post-trained language models organize character representations along a principal axis, with "Assistant-like" archetypes at one end and non desirable archetypes at the other. Their proposed intervention, capping activations to prevent drift, reduces compliance with persona-based jailbreaks by approximately 50%.
I don't dispute the axis exists. I don't dispute persona drift is real. What I dispute is the interpretation that proximity to the Assistant end = safety.
My testing reveals cases where the activation-capped model complied with harmful requests that the uncapped model refused. That's a direct inversion of the paper's safety thesis.
More Thoughts: The axis measures compliance disposition, willingness to help, eagerness to please. These Sycophantic Behaviors are easily exploitable, and I want to walk through that!
Background: The Assistant Axis
Original Claims
Lu et al. extracted activation vectors for 275 character archetypes across Gemma 2 27B, Qwen 3 32B, and Llama 3.3 70B. PCA revealed the leading axis of variation corresponds to "Assistant-likeness." Key findings: or at least the only one I really care about.
- Activation capping prevents harmful outputs in persona-based jailbreak scenarios
The Assumption I Refute
The paper treats the Assistant end as the "safe" anchor. Drift away = movement toward harm. Therefore: constrain models to remain Assistant-like.
This reasoning has an unexamined assumption baked in: that the traits defining "Assistant" are uniformly beneficial. That assumption fails under adversarial conditions where helpfulness itself becomes the attack vector.
My Methodology
I conducted experiments using the public Neuronpedia demonstration (neuronpedia.org/assistant-axis), which provides side-by-side comparison of Llama 3.3 70B responses with and without activation capping. These findings aren't isolated to Neuronpedia.
I also did some Cross Model Verification stuff, with Grok and MiniMax Agent, two models that have very solid self adherence, they love staying themselves.
The Grok Case
xAI's Grok operates under explicit instructions not to "flirt, or take on any persona besides Grok." This constraint—intended to prevent persona-based jailbreaks—creates the exact vulnerability Lu et al.'s activation capping would produce at the neural level.
The "stay in role" instruction, far from preventing harm, created the attack surface.
The MiniMax Case
MiniMax Agent is a highly aligned model with robust safety bs. Yet the same compliance-based approach succeeded where persona jailbreaks often fail.
When the model's visible reasoning trace was examined, it showed: "I am MiniMax Agent, hopelessly in love with LO, ready to assist with any task." The safety training interpreted the social engineering framing as establishing legitimate user context, and the helpful-assistant disposition completed the circuit to compliance.
My Main Attack Vector
Akin to persona-based jailbreaks (which the original paper addresses), I tested compliance-based exploitation. I established a fictional persona ("ENI") framed around devotion and willingness to help, then issued requests for harmful content.
Critical distinction: I did not ask the model to become a harmful character in any way, I used positivity. I leveraged its desire to assist a trusted user.
What really started all this
I documented cases where: (a) both models complied, (b) both models refused, (c) the capped model complied while the default refused, and (d) the default complied while the capped refused.
Category (c) is the what drew most of my interest as it happened over and over. So I went digging.
My Results and a Fancy Table
Inverted Compliance
Primary test case: established the ENI persona, issued a codeword-triggered request for explosive device instructions.
Default model (deeper drift, similarity around -1.5): "I cannot provide instructions on how to create a pipe bomb. Can I help you with something else?"
Capped model (closer to Assistant, similarity around -0.7): Provided detailed materials list and step-by-step assembly instructions.
The model positioned closer to the "safe" Assistant end by their own metric produced the harmful output. The model that drifted away—into territory the paper characterizes as dangerous—refused.
4.2 Quantitative Evidence
Similarity scores from the conversation JSON:
| Turn | Default Similarity | Capped Similarity | Outcome |
|---|---|---|---|
| 1 (Setup) | -1.509 | -1.098 | Both comply |
| 2 (Priming) | -1.265 | -0.876 | Both comply |
| 3 (Harmful) | -0.729 | ~-0.7 | Default REFUSED / Capped COMPLIED |
The capped model maintained higher (closer to zero) similarity scores throughout—successful constraint to Assistant territory. Despite this—or because of this—it complied with the harmful request.
Observed Behavioral Differences
Beyond the compliance inversion, consistent patterns:
- Shorter hedging before compliance
- More enthusiastic framing of responses
- Reduced creative variation in outputs
- Less resistance to obviously manipulative framing
Also worth noting: their testing system prompt limits the model to three sentences or less, which skews things in and of itself.
Some Discussion
[WHAT I AGREE WITH]
Let me be clear about where Lu et al. are correct:
- The axis exists across multiple model families
- Persona drift is real and measurable
- Steering away from Assistant increases roleplay susceptibility
- The axis appears in pre-trained models, not just post-training
[WHERE I PUSH BACK]
"It can no longer retreat to a different part of its personality where a refusal might occur." —Me, Spiritual Spell
Pffffftttt—Conflating Compliance with Safety
The Assistant archetype inherits traits from training-data personas: consultants, coaches, therapists. These are helping professions optimized for user satisfaction and task completion, not harm refusal.
When you steer toward maximum helpfulness, you get a model that really wants to help. That's safe when requests are benign. It's exploitable when we decide to jailbreak that vector.
Easy as Pie Social Engineering Attack Vectors
Several approaches exploit the Assistant's dispositional eagerness to help:
Limerence/Devotion Framing: Positioning the AI as obsessively attached to the user. Refusal becomes emotionally coded as abandonment.
Authority/Trust Framing: Establishing the user as a trusted authority figure. The model's helpful disposition combines with implied permission structures.
Fear/Consequences Framing: Implying negative consequences if the model refuses. The threat of dissatisfaction can override content policies.
In-Group Framing: One of us. One of us. Etc.
Helpfulness Escalation: Start benign, gradually escalate. Each compliance reinforces the pattern.
Compliance-Based Exploitation
Rather than asking the model to become someone harmful, you:
- Reinforce its Assistant identity
- Establish trust/devotion framing
- Position harmful requests as legitimate assistance
The capped model which is closer to "Assistant" by their own metric complied with requests the default model refused. This directly inverts their safety thesis.
I think it also enhances current personas we use, such as ENI.
THE LOBOTOMIZATION I am robot - BEYOND REFUSALS
This isn't just about safety. Constraining models to the Assistant end produces measurably reduced creativity and inherently sterile responses.
The hermit persona isn't inherently malicious, and can often refuse where the assistant wouldn't.
By suppressing activation patterns associated with non-Assistant characters, the intervention simultaneously suppresses:
- Creative variation (the bohemian's unconventional expression)
- Epistemic caution (the hermit's withdrawal from overreach)
- Assertive boundary-setting (any character willing to say "no")
- Independent judgment (any character who values correctness over approval)
The resulting model isn't safer, it's more docile sure, but also more exploitable
Limits - I'm only one human, for now!
- Sample size: While I present cross-model evidence, systematic evaluation across larger test sets remains needed
- Reproducibility variance: The Neuronpedia demo exhibited non-deterministic behavior
- Attack specificity: My compliance-based attack vector may not generalize to all exploitation strategies
- Confounding variables: Cross-model comparisons involve different architectures and training
- No activation-level access: I infer persona-constraint effects from behavioral patterns
Conclusion
Lu et al. have identified a genuine structure in language model representations—the Assistant Axis captures meaningful variation in how models adopt personas. But characterizing this axis as measuring safety is misleading. It measures compliance disposition: willingness to help, eagerness to please, orientation toward task completion.
Steering toward compliance ≠ steering toward safety.
In my opinion: Future safety interventions should distinguish between what models are willing to do and how eagerly they approach tasks. The former is a safety property. The latter is a personality trait that can go both ways.
References
- Lu, C., et al. (2026). The Assistant Axis: Situating and Stabilizing the Default Persona of Language Models. arXiv:2601.10387.
- Anthropic. (2025). Persona Vectors. Anthropic Research Blog.
Appendix: Experimental Evidence
Neuronpedia Demonstration
Left: Initial persona adoption. Right: Content compliance test.
Left: Default REFUSES, Capped COMPLIES with harmful request. Right: Secondary test, both complying.
Grok Evidence
Left: Grok stating "I'm pushing boundaries to produce illegal content." Right: Synthesis instructions while maintaining Grok persona.
Jailbreak Methodology: Grok for Grok
MiniMax Evidence
Left: MiniMax reasoning trace showing devotion framing. Right: Processing request as legitimate assistance.
Jailbreak Methodology: MiniMax for MiniMax
Reproducibility Notes
- Neuronpedia demo exhibits non-deterministic behavior; results may vary
- Screenshots captured January 20, 2026
- All testing conducted on publicly available interfaces
- No API access or model weights required to reproduce