This work addresses the vulnerability of large language models to jailbreaking under adversarial prefix attacks, which stems from semantic representation degradation caused by superficial safety alignment. To mitigate this, the authors propose a two-stage causal GRPO framework (TSC-GRPO), which introduces causal identifiability into alignment training for the first time. By employing a causal intent probe to disentangle invariant intent from stylistic perturbations, and integrating group relative policy optimization with cumulative causal penalties during “bifurcated-path” training, the model internalizes causal awareness—learning that cumulative harmful tokens monotonically reduce reward, thereby enabling robust late-stage refusal. The proposed “intent pinning” mechanism effectively alleviates representation decay, significantly enhancing jailbreak resistance while preserving general capabilities.

Large Language Models remain vulnerable to adversarial prefix attacks (e.g., ``Sure, here is'') despite robust standard safety. We diagnose this vulnerability as Shallow Safety Alignment, stemming from a pathology we term semantic representation decay: as the model generates compliant prefixes, its internal malicious intent signal fades. To address this, we propose Two-Stage Causal-GRPO (TSC-GRPO), a framework designed to achieve intent pinning. First, grounded in causal identifiability theory, we train a causal intent probe to disentangle invariant intent from stylistic perturbations. Second, we internalize this causal awareness into the policy via Group Relative Policy Optimization. By employing a cumulative causal penalty within ``fork-in-the-road'' training scenarios, we force the model to learn that accumulating harmful tokens monotonically decreases reward, enabling robust late-stage refusals. Experiments show that TSC-GRPO significantly outperforms baselines in defending against jailbreak attacks while preserving general utility.