One Word at a Time: Incremental Completion Decomposition Breaks LLM Safety

A team of researchers from the University of Michigan (Samee Arif, Naihao Deng, Zhijing Jin, Rada Mihalcea) has unveiled a novel jailbreak technique called Incremental Completion Decomposition (ICD) that systematically bypasses safety guardrails in large language models. Rather than submitting a malicious request directly, ICD works by first eliciting a sequence of single-word continuations related to the harmful topic—essentially breaking the attack into bite-sized, seemingly innocuous steps. The final step then requests the full response, which the model provides without triggering its refusal mechanisms. The paper, published on arXiv, demonstrates that ICD achieves superior Attack Success Rates (ASR) across three major benchmarks: AdvBench, JailbreakBench, and StrongREJECT, outperforming existing jailbreak methods.

The researchers propose several variants of ICD, including manually selected single-word prompts and model-generated continuations, as well as prefilling techniques for the final response step. Crucially, the paper provides both theoretical and mechanistic evidence for why ICD works: successful attack trajectories systematically suppress refusal-related neural representations and shift model activations away from safety-aligned states. This suggests that current safety training methods, which focus on detecting and refusing entire malicious prompts, may be fundamentally vulnerable to decomposition-based attacks. The findings have significant implications for AI safety research, indicating that more robust defense mechanisms—possibly those that monitor incremental token-level behavior—are needed to counter such trajectory-based jailbreaks.