We localize the policy routing mechanism in alignment-trained language models. An intermediate-layer attention gate reads detected content and triggers deeper amplifier heads that boost the signal toward refusal. In smaller models the gate and amplifier are single heads; at larger scale they become bands of heads across adjacent layers. The gate contributes under 1% of output DLA, yet interchange testing (p < 0.001) and knockout cascade confirm it is causally necessary. Interchange screening at n >= 120 detects the same motif in twelve models from six labs (2B to 72B), though specific heads differ by lab. Per-head ablation weakens up to 58x at 72B and misses gates that interchange identifies; at scale, interchange is the only reliable audit. Modulating the detection-layer signal continuously controls policy from hard refusal through evasion to factual answering. On safety prompts the same intervention turns refusal into harmful guidance, showing that the safety-trained capability is gated by routing, not removed. Thresholds vary by topic and by input language, and the circuit relocates across generations within a family even while behavioral benchmarks register no change. Routing is early-commitment: the gate fires at its own layer before deeper layers finish processing the input. An in-context substitution cipher collapses gate interchange necessity by 70 to 99% across three models, and the model switches to puzzle-solving rather than refusal. Injecting the plaintext gate activation into the cipher forward pass restores 48% of refusals in Phi-4-mini, localizing the bypass to the routing interface. A second method, cipher contrast analysis, uses plain/cipher DLA differences to map the full cipher-sensitive routing circuit in O(3n) forward passes. Any encoding that defeats detection-layer pattern matching bypasses the policy regardless of whether deeper layers reconstruct the content.

翻译：我们定位了对齐训练语言模型中的策略路由机制。一个中间层的注意力门控单元读取已检测到的内容，并触发更深层的放大器头部，以增强对拒绝行为的信号。在较小模型中，门控和放大器为单头结构；在更大规模下，它们变为跨相邻层分布的头部带。门控贡献的输出DLA（动态线性分析）不到1%，但互换检验（p<0.001）和敲除级联实验证实了其因果必要性。在n>=120的互换筛选下，我们在来自六个实验室的十二个模型（参数规模2B至72B）中检测到相同基序，但具体头部因实验室而异。单头部消融在72B规模下削弱效果高达58倍，且会遗漏互换识别出的门控；在大规模下，互换是唯一可靠的审计手段。调节检测层信号可连续控制策略，从强硬拒绝到规避回答再到事实性回答。在安全提示上，相同干预将拒绝转化为有害指导，表明安全训练的能力是通过路由门控而非移除实现的。不同主题和输入语言的阈值存在差异，且在家族内代际间电路位置发生迁移，即使行为基准测试未记录任何变化。路由具有早期承诺特性：门控在其自身层触发，早于更深层完成输入处理。在上下文替换密码干预下，三个模型的门控互换必要性下降70%至99%，模型转而采用解谜式回答而非拒绝。向密码前向传播中注入明文门控激活，在Phi-4-mini中恢复了48%的拒绝行为，从而将旁路定位至路由接口。第二种方法——密码对比分析——利用明文/密码DLA差异，以O(3n)次前向传播映射完整的密码敏感路由电路。任何能够击败检测层模式匹配的编码方式，无论更深层是否重建内容，均可绕过策略路由。