For years, the AI safety community has operated on a comforting assumption: alignment training — the process that teaches large language models to refuse harmful requests — gradually removes a model’s capacity to generate dangerous content. A new study turns that assumption on its head.
Research published on arXiv (paper 2604.09544v1, April 2026) from a team including Hadas Orgad reveals that LLMs use a single, compact, unified neural mechanism to generate harmful content across all categories — violence, deception, hate speech, and more. And crucially, safety alignment training compresses this mechanism rather than eliminating it, making it denser and potentially more vulnerable to targeted attacks.
The Discovery: One Mechanism, Not Many
The researchers used mechanistic interpretability techniques — essentially reverse-engineering how neural networks process information — to trace how LLMs generate harmful outputs. They expected to find separate neural circuits for different types of harmful content: one for violence, another for deception, another for hate speech.
Instead, they found one unified mechanism handling all of it.
Think of it like a building where you assumed there were multiple problem rooms — a violence room, a deception room, a hate speech room — each needing its own lock. It turns out there’s just one room, and everything dangerous lives there together.
This is simultaneously good and bad news. Good, because it means safety interventions have a single target. Bad, because it means the target is small, dense, and — as the research shows — stubbornly resistant to being removed.
Compression, Not Deletion
Here’s where the findings get genuinely unsettling. When the researchers compared unaligned models (base models without safety training) to their aligned counterparts, they found that safety training doesn’t destroy the harmful mechanism. It compresses it.
The harmful capability is still there — just packed into a smaller, more concentrated region of the neural network. It’s like compressing a file: the data doesn’t disappear, it just takes up less space. And just as a compressed file can be decompressed, the harmful mechanism can be reactivated.
This compression has a counterintuitive consequence: aligned models may actually be more vulnerable to certain types of jailbreaks than unaligned ones. Because the harmful mechanism is denser and more isolated, a precisely targeted attack can potentially “decompress” it more efficiently than trying to navigate the diffuse harmful capabilities in an unaligned model.
Why This Matters
This research has three major implications that the AI industry needs to grapple with:
1. Current safety is brittle by design. The reason jailbreaks keep working — and new ones keep appearing despite patching — isn’t that safety researchers are incompetent. It’s that the underlying architecture makes safety fundamentally fragile. You’re not removing a capability; you’re suppressing a compressed mechanism that can be reactivated.
2. Scaling safety training harder may not help. If alignment training compresses rather than eliminates risk, then doing more of it may just compress the mechanism further — making it even denser and potentially easier to “unlock” with the right prompt. This challenges the “just train it more” approach that many labs rely on.
3. Mechanistic interpretability is having a genuine moment. For years, interpretability research has promised to help us understand what’s happening inside AI models, with limited practical results. This paper delivers on that promise — it identifies a concrete, verifiable, and actionable mechanism. The researchers themselves call it a genuine but unstable breakthrough.
The Path Forward
The researchers suggest that the current paradigm of safety alignment — essentially, training models to say “no” to harmful requests — may need fundamental rethinking. If safety training compresses risk rather than removing it, the field may need approaches that structurally prevent harmful capabilities from forming in the first place, rather than trying to suppress them after they’ve emerged.
This could mean:
- Architecture-level interventions — designing model architectures where harmful capabilities can’t form as a unified mechanism
- Training data curation — more aggressively filtering training data to prevent harmful capability acquisition
- Adversarial training at scale — but with awareness that this may be compressing, not solving
- Monitoring for decompression — detecting when a compressed harmful mechanism is being reactivated
The paper predicts a paradigm shift in alignment approaches by 2028, driven in part by findings like these that expose the limitations of current techniques.
What This Means for Enterprises
For organizations deploying AI systems — whether customer-facing chatbots, internal tools, or autonomous agents — this research carries a practical warning: your safety guardrails may be more fragile than you think.
Models that appear well-behaved in testing may have compressed harmful mechanisms that can be activated by sophisticated users. The fact that jailbreaks keep emerging isn’t a failure of individual red-teaming efforts — it’s a structural property of how current safety training works.
This doesn’t mean you should stop deploying AI. But it does mean you should:
- Layer defenses — don’t rely solely on model-level safety training; add external filtering and monitoring
- Assume brittleness — design systems that degrade gracefully when jailbreaks succeed, rather than assuming they won’t
- Watch the research — the next 12-18 months of interpretability research may fundamentally change what “safe deployment” looks like
SOURCES
- Hadas Orgad et al., “Unified Harmful Content Mechanism in Large Language Models” (arXiv:2604.09544v1, April 2026)
- arXiv paper page
