Safety alignment is often conceptualized as a monolithic process wherein harmfulness detection automatically triggers refusal. However, the persistence of jailbreak attacks suggests a fundamental mechanistic decoupling. We propose the \textbf{\underline{D}}isentangled \textbf{\underline{S}}afety \textbf{\underline{H}}ypothesis \textbf{(DSH)}, positing that safety computation operates on two distinct subspaces: a \textit{Recognition Axis} ($\mathbf{v}_H$, ``Knowing'') and an \textit{Execution Axis} ($\mathbf{v}_R$, ``Acting''). Our geometric analysis reveals a universal ``Reflex-to-Dissociation'' evolution, where these signals transition from antagonistic entanglement in early layers to structural independence in deep layers. To validate this, we introduce \textit{Double-Difference Extraction} and \textit{Adaptive Causal Steering}. Using our curated \textsc{AmbiguityBench}, we demonstrate a causal double dissociation, effectively creating a state of ``Knowing without Acting.'' Crucially, we leverage this disentanglement to propose the \textbf{Refusal Erasure Attack (REA)}, which achieves State-of-the-Art attack success rates by surgically lobotomizing the refusal mechanism. Furthermore, we uncover a critical architectural divergence, contrasting the \textit{Explicit Semantic Control} of Llama3.1 with the \textit{Latent Distributed Control} of Qwen2.5. The code and dataset are available at https://anonymous.4open.science/r/DSH.

翻译：安全对齐常被概念化为一个单一过程，其中有害性检测自动触发拒绝。然而，越狱攻击的持续存在表明存在根本性的机制解耦。我们提出**分离安全假说(DSH)**，认为安全计算在两个不同的子空间上运行：一个**识别轴**($\mathbf{v}_H$，“知”)和一个**执行轴**($\mathbf{v}_R$，“行”)。我们的几何分析揭示了一个普遍的“反射到解离”演化过程，其中这些信号从早期层的对抗性纠缠过渡到深层层的结构独立性。为验证此假说，我们引入了**双重差分提取**和**自适应因果导向**方法。通过我们构建的\textsc{AmbiguityBench}基准，我们展示了因果双重解离现象，有效创造了“知而不行”的状态。关键的是，我们利用这种解离提出了**拒绝擦除攻击(REA)**，该方法通过精准切除拒绝机制，实现了最先进的攻击成功率。此外，我们揭示了关键的结构性差异：对比了Llama3.1的**显式语义控制**与Qwen2.5的**潜在分布式控制**。代码与数据集可在 https://anonymous.4open.science/r/DSH 获取。