Abstract:Large Language Models (LLMs) are trained to refuse harmful requests, yet they remain vulnerable to jailbreak attacks that exploit weaknesses in conversational safety mechanisms. We introduce Incremental Completion Decomposition (ICD), a trajectory-based jailbreak strategy that elicits a sequence of single-word continuations related to a malicious request before eliciting the full response. In addition, we propose variants of ICD by manually picking or model-generating the one-word continuation, as well as prefilling when eliciting the full model response in the final step. We systematically evaluate these variants across a broad set of model families, demonstrating superior Attack Success Rate (ASR) on AdvBench, JailbreakBench, and StrongREJECT compared to existing methods. In addition, we provide a theoretical account of why ICD is effective and present mechanistic evidence that successful attack trajectories systematically suppress refusal-related representations and shift activations away from safety-aligned states.
| Subjects: | Computation and Language (cs.CL); Cryptography and Security (cs.CR) |
| Cite as: | arXiv:2604.25921 [cs.CL] |
| (or arXiv:2604.25921v1 [cs.CL] for this version) | |
| https://doi.org/10.48550/arXiv.2604.25921 arXiv-issued DOI via DataCite |
Submission history
From: Samee Arif [view email]
[v1]
Wed, 1 Apr 2026 04:06:01 UTC (1,447 KB)