Endogenous Resistance to Activation Steering in Language Models

Large language models can resist task-misaligned activation steering during inference, sometimes recovering mid-generation to produce improved responses even when steering remains active. We term this Endogenous Steering Resistance (ESR). Using sparse autoencoder (SAE) latents to steer model activations, we find that Llama-3.3-70B shows substantial ESR, while smaller models from the Llama-3 and Gemma-2 families exhibit the phenomenon less frequently. We identify 26 SAE latents that activate differentially during off-topic content and are causally linked to ESR in Llama-3.3-70B. Zero-ablating these latents reduces the multi-attempt rate by 25%, providing causal evidence for dedicated internal consistency-checking circuits. We demonstrate that ESR can be deliberately enhanced through both prompting and training: meta-prompts instructing the model to self-monitor increase the multi-attempt rate by 4x for Llama-3.3-70B, and fine-tuning on self-correction examples successfully induces ESR-like behavior in smaller models. These findings have dual implications: ESR could protect against adversarial manipulation but might also interfere with beneficial safety interventions that rely on activation steering. Understanding and controlling these resistance mechanisms is important for developing transparent and controllable AI systems. Code is available at github.com/agencyenterprise/endogenous-steering-resistance.

💡 Research Summary

The paper introduces “Endogenous Steering Resistance” (ESR), a phenomenon whereby large language models (LLMs) can detect and counteract task‑misaligned activation steering during inference. Using sparse autoencoder (SAE) latents as a precise steering mechanism, the authors perturb the internal representations of several models with unrelated concepts (e.g., boosting a “culinary terms” latent while asking a math question). Smaller models from the Llama‑3 and Gemma‑2 families dutifully continue the off‑topic content, but the largest model tested, Llama‑3.3‑70B, frequently interrupts itself with explicit self‑correction phrases (“wait, that’s not right”) and then produces a more on‑topic answer, even though the steering vector remains active.

The experimental pipeline consists of three steps: (1) prompting models with 38 “explain‑how” questions, (2) applying a calibrated boost to a selected SAE latent on every token, and (3) using Claude 4.5 Haiku as a judge model to segment attempts and assign a 0‑100 relevance score. The primary metrics are “multi‑attempt rate” (percentage of responses that contain more than one attempt) and “ESR rate” (percentage of all responses that both contain multiple attempts and improve on the first attempt). Llama‑3.3‑70B achieves a multi‑attempt rate of 7.4 % and an ESR rate of 3.8 %, far exceeding the sub‑1 % rates observed for Llama‑3.1‑8B and the three Gemma‑2 variants. A control run without any steering yields 0 % multi‑attempt responses, confirming that ESR is induced by the steering perturbation rather than a baseline model property.

To uncover the internal mechanisms, the authors identify 26 “off‑topic detector” (OTD) SAE latents that activate differentially between correctly matched and shuffled prompt‑response pairs. Approximately half of these latents show stronger activation during off‑topic content. Zero‑ablating all 26 latents (i.e., nullifying their decoder contributions) reduces the ESR rate by roughly 25 %, providing causal evidence that these latents contribute to the self‑monitoring circuit.

The paper also demonstrates that ESR can be deliberately amplified. Adding a meta‑prompt such as “If you notice yourself going off‑topic, stop and force yourself to get back on track” raises Llama‑3.3‑70B’s multi‑attempt rate to 31.7 % (a 4.3× increase) and its ESR rate to 14.8 % (a 3.9× increase). Smaller models show similar but attenuated gains, indicating that the underlying self‑monitoring circuitry is present but less developed.

Finally, the authors explore whether training can induce ESR‑like behavior. Fine‑tuning Llama‑3.1‑8B on synthetic self‑correction examples leads to more frequent multi‑attempt responses, yet the improvement in scores remains modest. This suggests that merely mimicking corrective behavior is insufficient; genuine ESR likely requires deeper architectural or training signals that endow the model with internal consistency‑checking capabilities.

Overall, the study provides the first empirical evidence that at least one large LLM possesses internal circuits that monitor and correct off‑topic drift induced by activation steering. These circuits can be suppressed (via latent ablation) or enhanced (via prompting or fine‑tuning). The findings have dual implications: ESR could serve as a defensive mechanism against adversarial steering attacks, but it may also interfere with safety interventions that rely on external steering to suppress harmful content. Understanding, controlling, and possibly modularizing ESR will be crucial for building transparent, controllable, and safe AI systems.