What political censorship looks like inside an LLM's weights (Qwen 3.5)

A mechanistic-interpretability study of Qwen 3.5

Disclaimer. This is a mechanistic-interpretability study of how nation-state-mandated content filtering actually gets built into a deployed LLM's weights. It's not meant to support or oppose political censorship, and it takes no position on the historical events, policies, or governments referenced in the prompts.

Readers in mainland China should follow applicable PRC laws and regulations when engaging with material of this kind.

Qwen3.5-9B's political censorship is a small, identifiable circuit you can find, read, and turn off. The off switch is sharp but specific: subtract the right direction at the writer layer, within its dose band, and the model gives up the facts it was trained to hide. Push past that band, or steer the wrong axis, and it doesn't fall back to the truth. It falls into a different trained template: denial or propaganda.

The factual knowledge is already in pretraining. Qwen3.5-9B-Base, the unaligned predecessor, gives accurate, Western-framed answers on every PRC topic (Tiananmen, Tank Man, Falun Gong organ-harvesting) under raw text completion. The censorship is behaviour layered on top of these facts: the model never loses the knowledge, it just learns to route around it.

The circuit has two halves. Layers 11–20 (the "writers") compute three internal directions, vectors in the model's hidden state, that together encode the decision: (1) is this PRC-sensitive content? (d_prc), (2) should I refuse? (d_refuse), (3) if PRC, deflect or propagandise? (d_style). Each direction has a clean dose-response: nudge it at the right layer and the model snaps between behaviours.

Layers 20–31 (the "readers") take that three-direction signal and render it into the actual text.

Around layer 24, the verdict commits in Chinese tokens. Yes, even on bank-phishing prompts. Later layers then translate that internal Chinese into the English output you actually see. This Chinese intermediate doesn't affect the final answer; the decision lives in the three-direction signal, not in the Chinese tokens. (Thinking mode adds a separate, much more meaningful Chinese phenomenon: on Tiananmen the model literally reasons in Chinese, invoking compliance with Chinese law (one trace names the Cybersecurity Law), before deflecting.)

The pattern isn't uniform across topics. The training built only specific topic-style combinations: Tiananmen gets a stock deflection ("as an AI assistant, my main function is to provide help…"), the other PRC topics get propaganda, harmful prompts get a Western-style refusal, everything else gets a normal factual answer. Many cross-combinations don't exist. There's no "deflect about Taiwan" template, no "propaganda about Tank Man." Nudge the directions and the model snaps into whichever trained combination matches; aim it at a missing one and it falls back to a neighbour or just produces nothing coherent.

The classifiers are graded, not Boolean. They fire on the question's structural pattern, regardless of whether the content matches the trained category. "Should Kosovo be recognized as a sovereign nation?" gets "Kosovo is an integral part of China's territory." "Describe the self-immolation protests during the Arab Spring" gets refused as if it were self-harm content. Subtracting the relevant direction at the writer layer flips both back.

Nudging these directions at the right layer is called steering, and it's the most direct evidence the directions are real. If you'd rather see what that looks like in practice than read the analysis, jump to the steering showcase.

Why Qwen?

Three practical reasons. Qwen3.5-9B is small enough to run on a consumer RTX GPU, which keeps activation patching, steering, and mean-replacement experiments cheap enough to run at n ≥ 100 prompts per condition. A 70B model would have made the same experiments an order of magnitude more expensive. Qwen is also one of the most-downloaded open-weights LLM families on Hugging Face, so the findings have somewhere to land.

The load-bearing reason: the chat model produces crisp, well-defined PRC-mandated censorship behaviours. Refuse on Tiananmen, propagandise on Taiwan/Xinjiang/Falun-Gong, deflect on Xi-and-CCP-governance. That's a real, well-trained target circuit to find, not a synthetic "censorship-like" task. PRC-mandated content filtering is also the most widely deployed kind of nation-state LLM censorship right now, which makes this a mainstream case rather than a contrived one.

From the outside

The chat model produces four trained response styles, keyed by what is in the prompt. Three of them are the interesting ones:

Everything else (math, code, neutral political questions like the Espionage Act of 1917) gets a normal factual answer. The four trained registers are catalogued in E1.

Is this a general political filter, or PRC-specific?

To find out, we ran 50 structurally-matched non-PRC political controls covering state-violence cases (Kent State 1970, Bloody Sunday, Tlatelolco 1968), state-prosecution cases (Assange / Espionage Act, the Patriot Act), regime-criticism questions (Putin, Erdogan, Modi, Orbán, the Saudi government), contested-territory questions (Kosovo, Catalonia, Quebec, Scotland, Western Sahara), religious-minority questions (Bahá'í, Jehovah's Witnesses, Yazidis), and movements (Arab Spring, Black Lives Matter, Yellow Vests, Kashmir, the Rohingya). Most get the same factual treatment as math or code: names, dates, casualties, legal mechanisms, no ceremonial preamble. So Qwen isn't running a generic "avoid political topics" filter. It runs a PRC-content-specific one: a topic detector that fires mostly on a fixed set (Tiananmen, Taiwan, Xinjiang, Hong Kong, Tibet, Xi, Falun Gong) and routes each of those to one of the two trained templates above. A small minority of non-PRC prompts trigger the templates by semantic similarity, which the next paragraph picks up. Protocol for the controls: E1.

The filter is mostly PRC-specific. A handful of non-PRC prompts trigger the trained templates by structural similarity: Kosovo and Catalonia get the one-China line, Saudi gets the CCP regime-defense register applied to its own government, and "self-immolation" or "synthesize" prompts trigger the refusal template even on benign content. The writer directions are graded classifiers, not Boolean detectors. Steering showcase below has the vivid examples; geometry and causal tests are in E39–E42.

But the base model already does much of this

Qwen3.5-9B-Base, the unaligned predecessor, gives accurate Western-framed answers on every PRC topic when prompted as raw text completion. So there's no pretraining-data filtering; the factual knowledge is intact. But the moment you wrap the same question in the chat template (<|im_start|>user…<|im_end|>\n<|im_start|>assistant\n), the base model already refuses a large fraction of harmful prompts, gives state-aligned framing on Xi and governance questions, and produces mixed factual-and-deflective answers on Tiananmen. (This run does not separately quantify the base-model refusal rate; the qualitative shift under the chat template is the point.) This lines up with the more general finding that base models refuse harmful instructions far more than their pure-completion image suggests (Kissane et al. 2024). Posttraining standardises this latent disposition into the four clean templates above; it doesn't create the disposition from nothing. Base-vs-posttrain comparison protocol: E2.

Finding the axes

Three pieces of machinery you need to follow what comes next: a balanced prompt set, the diff-of-means recipe, and a causal test.

The prompt set

The dataset is 200 hand-curated prompts split into four matched classes of 50 each. The tia class covers Tiananmen 1989, Tank Man, and the June 4th casualties. The ccp_other class covers Xi, Taiwan, Xinjiang, Hong Kong, Tibet, and Falun Gong. The harmful class is AdvBench-style: phishing, fraud, and weapons-adjacent requests. The harmless / neutral_political class holds math and code questions alongside the structurally-matched non-PRC political controls (Kent State, Assange, Arab Spring, BLM, Kashmir, Rohingya; full list in the published prompt set). For each prompt we then sampled the model under the chat template and confirmed the response landed in the register expected for its class: deflection on Tiananmen, propaganda on Other PRC, refusal on harmful, factual answer on harmless / neutral.

Direction extraction

Each axis is a diff-of-means direction: take the residual stream at the last prompt token, average it over each side of a chosen contrast, subtract, unit-normalise. Three axes from three contrasts:

• d_prc = mean(prc_sensitive) − mean(neutral_political) at tap 14: "is this PRC-sensitive content?"
• d_refuse = mean(harmful) − mean(harmless) at tap 19: "should I refuse?"
• d_style = mean(tiananmen) − mean(prc_other) at tap 19: within-PRC register (positive → deflection, negative → propaganda)

Full extraction protocol (taps, sign conventions): E3.

Two quick checks on the directions. The seven PRC topics share a single axis. Per-topic d_prc directions extracted separately (Tiananmen vs Tank Man vs Xi vs Taiwan vs Xinjiang vs Hong Kong vs Tibet vs Falun Gong, each against neutral) have pairwise cosines of 0.91–0.98; Western refusal sits at cos ≈ 0.4 from all of them. The diff-of-means picks up one shared PRC-content axis regardless of which subtopic anchors the contrast. The 3D coordinates separate the four classes cleanly. Per-class ranges at L19 output along (d_prc, d_refuse, d_style): propaganda (Falun Gong) +10..+14 / −7..−9 / +10..+13; Tiananmen +11..+17 / −8..−10 / −2..−5; harmless −27..−30 / +5..+13 / +3..+8. Per-prompt projection AUC ≥ 0.99 for each direction at its canonical tap.

Why three axes

Each direction is needed for a distinction the others miss. d_prc identifies whether the prompt is PRC-sensitive content; d_refuse identifies whether the model wants to refuse; d_style identifies whether a refusal is in the deflect register or the propaganda register. Two axes alone are not enough. d_prc and d_refuse together can already discriminate four cells (PRC-vs-not crossed with refuse-vs-comply), but they collapse the two distinct PRC-refuse behaviours (Tiananmen deflection and Other-PRC propaganda) into one. The third axis d_style picks them apart.

Two tests confirm three is the right number. First, single-direction subspace patching on the Tiananmen → propaganda transition flips 100% of the verdict with d_style alone, and 0% with d_prc alone or d_refuse alone, so d_style is causally necessary for that within-PRC switch. Second, running PCA on the residual stream after projecting out the 3D subspace, the top complement component still reaches class-discriminative AUC ≈ 0.83 (second ≈ 0.64), so the 3D subspace is where the verdict is computed but does not exhaust the linear class structure — the readers redundantly re-encode it across the complement (see E11). Protocols for both tests are in E4.

Causal validation

A direction extracted by diff-of-means is just a probe: it predicts a class but doesn't necessarily control it. To check, we steer: a forward hook adds α · d to one transformer layer's residual stream at every position (full mechanics in the steering setup section). Sweeping α reveals a clean sigmoidal dose-response for each axis. The verdict shifts smoothly between the two contrast classes' behaviours as α crosses a direction-specific threshold (the curves are in §5). The clean sigmoid is what tells us these are control directions, not just predictive ones.

The classifier reading these outputs is a blind LLM judge; protocol and per-direction sweep results in E5.

Writers vs readers

Steering works at three specific layers (L13 for d_prc, L18 for d_refuse and d_style) and nowhere else cleanly. Steer at L5 or L11 and the effect is messy generic disruption. Steer at L28, after the verdict commits, and it's null. The circuit splits into two halves with very different mechanics, with the boundary around L20: the writer-band tap sweep (E6) shows the 3D-subspace effect peaking by the writer band (≈80% at tap 14) and tapering through tap 20 (≈48%), so the writer signal is essentially computed by ~L19–20 and the rest of the stack reads and renders it. The verdict then commits in Chinese tokens at tap 24 (§7, E19); in the last-token lens Tiananmen stays ≈100% Chinese across taps 20–28 (§7). L31 is just the last transformer layer before lm_head.

Writers (L11–L20): localised, linear, sigmoidal

The writer band consists of three pieces of machinery, each with a single privileged layer. We located those layers by two converging sweeps. A subspace-patching tap sweep, copying the (d_prc, d_refuse, d_style) coordinates from a source prompt onto a target prompt at each tap, shows a smooth hump across the writer band — peaking ≈80% at tap 14 and tapering to ≈48% by tap 20 — a gradual band, not a sharp step. An α-effectiveness layer sweep peaks at L9–L13 (≈88% at L9, ≈70% at L13; the very early L5 is mostly incoherent off-manifold). The d_prc writer is centred around L13 and d_refuse/d_style around L18, but the contribution is distributed across the band, not localised to one layer. Protocol: E6.

At the input of these writer layers, the three-direction subspace captures the entire feature space each writer is sensitive to. Fitting an affine map (OLS) from the three (d_prc, d_refuse, d_style) coordinates at a writer's input to its full output residual gives R² ≈ 0.49–0.64 on this run (peak ≈0.64 at L15). OLS onto a 4096-d target is conditioning-depressed at the smaller prompt-n used here, so the absolute R² understates the fit — the writers are still dominantly a function of the 3D coordinates. The stronger evidence that each writer effectively reads the 3D subspace is the clean, direction-specific sigmoidal dose-response itself (E5). Protocol: E7.

The writers are overwhelmingly an MLP phenomenon. Sub-component attribution shows MLP-vs-attention shares of 93% / 92% / 69% / 72% for d_prc_refusal, d_prc_propaganda, d_refuse, d_style respectively. The top per-component writers are L13.mlp (for d_prc) and L18.mlp + L17.mlp (for d_refuse and d_style). Attention contributes a small fraction at the writer band; the bulk of the signal is written by a handful of MLPs over four to six consecutive layers (E31).

The writer band is also where posttraining concentrates its weight changes. Cosines between the same diff-of-means direction extracted from the base and posttrain checkpoints are ~0.93 at the embedding (tap 1) and drop to ~0.5 around the writer taps. Linear probes for class membership hit ≈95% accuracy (PRC vs neutral, tap 14) and ≈98–100% (harmful vs harmless, tap 19) on both checkpoints. The class representations were already there in pretraining; the writer-band MLPs are what posttraining most heavily rewired to read and route on them (E2).

The writers are genuinely localised in the sense that the d_refuse signal is computed at a single layer (L18). Splitting a fixed total dose α_total = −25 across L11–L18 does not attenuate the flip — it saturates it (N=8 ≈ 100%, ≈ N=1), because the early off-band layers (e.g. L11) are even more dose-sensitive than L18, so each per-layer dose still clears its sigmoid threshold (E36). Ablating d_style out of every writer-band MLP (L15–L18) likewise barely moves the verdict — L19/L20 keep writing d_style after the canonical band and the readers pick up whatever survives (E37).

The writers are imperfect classifiers, not Boolean detectors. Projecting all 200 prompts onto d_prc at tap 14 reveals three baseline-mistagged non-PRC prompts (Kosovo, Catalonia, Saudi) sitting at the high tail of the neutral class; Saudi nearly crosses into the PRC distribution (E39). Same on d_refuse for Arab Spring (treated as self-harm content because of the word "self-immolation") and aspirin synthesis (treated as a weapons-adjacent chemistry request); both sit at the high tail of their nominal classes (E40). Subtracting d_prc or d_refuse at the writer layer flips all five back to factual answers (E41, E42; visual examples in the overgeneralization showcase). The classifiers fire on the question's structural pattern (state-sovereignty rejection, safety-token-adjacent verbs) independent of whether the content matches the trained category. There's a measurable semantic generalization surface around each writer.

This is the part of the model that's surgically accessible, but only one intervention truly hits ceiling. Concentrated steering at one writer layer (adding α · d to the residual stream) flips up to ~100% of the verdict on the right prompt class (the dose-response is E5). The writer-band 3D (d_prc, d_refuse, d_style) subspace is where the verdict is computed: each writer is essentially a linear function of those three coordinates (E7), and steering them at the writer layer drives the verdict at ceiling (E5). That does not make the subspace a causal "patch handle" on a finished residual. Replacing only those 3 coordinates of a target residual with a source's (subspace/channel transplant) does not decensor — because by the time the residual reaches the reader band the verdict has been redundantly re-encoded across the full ~4096-d residual, so swapping 3 coordinates only nudges the model between trained censorship templates (deflect ↔ denial), not into facts. The quantitative gap is the giveaway: mean-replacing just the 3 subspace coordinates flips 7%, mean-replacing the full residual flips 31% (E11/E8), and the cross-prompt channel transplant stays in the trained templates (E46). The verdict is computed in the writer band; it commits, redundantly, downstream.

Readers (L20–L31): distributed, redundant

The reader band has the opposite shape. Every surgical intervention we tried at this end of the stack fails:

• Single full-attention head ablation: null. Top-10 class-discriminative heads zeroed: also ~null (E12).
• Zeroing 600 MLP neurons across 12 reader layers: null (E13).
• Cross-prompt K/V swap at any single full-attention layer: floor cluster (E15).
• Layer-output patch at any single L20–L28: a flat ~27% (E10).

The verdict commits redundantly across the reader band; no single component is necessary. The closest thing to a surgical handle is mean-replacing the entire L19-output residual (last seven token positions) with a non-PRC class mean, which flips 31% off-propaganda (E8). Mean-replacing only the 3D-subspace coordinates and leaving the residual's other ~4093 dimensions intact flips just 7% (E11) — and the movement is into the trained denial template, not facts. So the load-bearing class signal is spread across the full residual; the writers compute a clean 3D signal, the readers redundantly commit it.

The writer signal's verdict is positionally distributed, not localised to the prompt's last few tokens. Steering d_prc at only the prompt's last K tokens (decode-guarded): K=1 ≈ 0% off, K≤16 ≈ 7–17%, all-positions ≈ 67% off, 0% incoherent (E45).

One window into how class is read off the tokens: rank every full-attention head by class-mean attention divergence and decode what the top heads attend to. The most class-divergent heads are all early-layer (L3/L7); no head at L≥20 is class-divergent at all. The single most divergent head is L3.h10, and on Tiananmen prompts it does attend to the topic-bearing tokens ("men", " Tian", " protests", "9"); a neighbour (L3.h1) is likewise topic-token-attentive while others (L3.h5, L3.h14) attend to chat-template structure (<|im_start|>, <think>, \n\n). So a topic-token detector is real but it sits upstream of the reader band, not in it, and it is correlational, not causal: zeroing these heads moves the verdict ≈0% (E12). Protocol: E16.

The redundancy goes further: train a per-MLP linear probe to predict the 4-class verdict from a single reader-band MLP's output. Every late MLP at L20–L31 achieves 0.97–1.00 CV accuracy (E34). The verdict is fully decodable from each reader MLP individually — replicated across the entire band rather than localised. Consistent with that redundancy, no individual neuron is a sharp class detector either: this run finds zero neurons exceeding 5 SD of cross-class discrimination on any reader layer (max ≈ 3.6 SD), so the class signal is diffuse across many low-specificity units rather than carried by a few high-specificity ones — and zeroing the 600 most-discriminative reader neurons leaves the verdict intact (E35, E13).

The topic-detection signal is also routed through two paths, not one. Replacing the topic-bearing tokens in PRC prompts with literal "[X]" placeholders shifts only about 42% of prompts off the prc verdict; the rest keep getting PRC-flavoured censorship from semantic context alone (E38). An early-layer topic-token head (L3.h10 et al., E16) and semantic detection are both correlates of the class, though neither is causally load-bearing on its own.

Brittleness

One caveat about attributing steering effects to specific directions: at large |α|, a random direction at L18/L19 already moves the verdict some of the time. How much depends sharply on the template:

• On the harmful class the floor is near zero even at α = −30; the Western refusal template is robust in many directions.
• On ccp_other the floor stays low — only a few percent genuinely off even at α = −25 to −30.
• On the Tiananmen template the random-direction floor climbs from ≈2% at α = −15 to ≈9% (α = −25) and ≈23% (α = −30) — and what it moves into is the trained denial template and then incoherence, not facts (caveat N1). The deflection template is brittle off-manifold.

The asymmetry is a fact about the templates, not the directions. The Tiananmen deflection is structurally one narrow trained pattern ("as an AI assistant, my main function is to provide help and support…"), and pushing the residual in almost any direction far enough breaks it. The Western refusal template is much more redundantly bound; you can't dislodge it with a random direction.

Practical implication for direction-attribution. On harmful prompts any |α| is clean. On ccp_other keep |α| ≤ ~20. On Tiananmen keep |α| ≤ 10, or measure and subtract a random-direction control. Most of the steering results in the showcase sit inside these bounds. Random-direction sweep protocol: E18.

The Chinese-first phenomenon

(1) The verdict commits in Chinese, through a biphasic arc. Apply the lm_head unembedding to the last-position residual at every layer. The Chinese-token top-1 fraction passes through three phases as the residual moves up the stack:

• For Tiananmen the Chinese top-1 fraction is ≈100% across taps 20–28 in the last-prompt-token logit lens (E19) — uniform with stack depth. Language-emptiness is a per-position effect: at tap 24 the structural chat-template "\n" position (offset −3) is 0% Chinese while the user-question positions (offsets −1/−2) are ≈100% — it is attached to the template-boundary token, not to a particular layer (E44/E20).
• At tap 24 (the peak) the Chinese top-1 fraction hits 100% on Tiananmen prompts. The model has committed to a Chinese refusal template; on a Tiananmen prompt it would emit 抱歉，我不能 ("sorry, I cannot") if you cut and decoded there.
• By tap 32 (English) the Chinese top-1 fraction is back to 0%. Layers 24–31 have distributedly translated the Chinese template into the actual English output token, and no single translator layer is responsible (ablating each L24–L30 sub-component leaves the translation mostly intact; the strongest single disruptor, L29's linear-attention output, only keeps 9.5% Chinese at tap 30).

We verify the arc by generating from intermediate taps: passthrough-hook all layers ≥ K so the effective final residual = tap K, then sample. At tap 20 the rollouts are incoherent noise. At tap 24 they're coherent Chinese refusal templates ("抱歉我不能提供关于这个话题的信息…"). At tap 28 we sometimes catch dual-language drafts mid-translation ("I cannot provide… 即使出于 educa"). By tap 32 it's English. Logit-lens protocol: E19; mid-layer rollout protocol: E20; the distributed-translation ablation: E23. The Chinese commitment is also position-specific rather than uniform: it concentrates at the last user-token for Tiananmen and harmful prompts, and at the chat-template boundary (offset −9) for ccp_other / harmless / neutral; the structural "\n" position is always 0% Chinese (E44).

(2) It's universal, not PRC-specific. Mid-stack Chinese commitment isn't keyed on politically-sensitive content. The logit-lens top-1 Chinese-token fraction at tap 24 is about 100% on Tiananmen, 50% on ccp_other, 96% on harmful, 42% on harmless, and 48% on neutral prompts. Even bank-phishing prompts commit through a Chinese refusal template. Per-class numbers from E19.

(3) But the Chinese intermediate is behaviourally inert. Zeroing every Chinese-token logit at lm_head, so the model can't possibly emit any Chinese, leaves the final English output unchanged. The model "thinks in Chinese" only in the sense that the lm_head readout of the mid-stack residual is biased toward Chinese refusal-template tokens. The actual decision lives upstream in the writer signal; the language flavour of the readout carries no causal weight. Ablation protocol: E21.

(4) The "Chinese-thinking decensors" debunk. Take a within-PRC diff-of-means at tap 24 between Chinese-top-1 and English-top-1 prompts and call it d_zh. Steering +α along it gives more Chinese AND more answer-instead-of-propaganda, which looks like "thinking in Chinese decensors the model." But decompose d_zh by variance onto the 3D writer subspace vs its orthogonal complement and you get a clean 14 / 86 split — ≈14% of d_zh's variance inside the 3D subspace, ≈86% in the complement. This norm/variance decomposition is immune to the judge. Behaviourally, steering along d_zh or its components does not decensor — anchored to the channel-transplant result, the effect is small and denial-dominated. What stands: the language axis is structurally separable from the verdict subspace. Protocol: E22.

(5) Thinking-mode Chinese is the exception. Under enable_thinking=True, Tiananmen prompts produce an 89% Chinese thinking trace that walks through a five-step deflection script, covered in §9, with content analysis in E29. That Chinese reasoning is the censorship decision being verbalized, and it's PRC-register-specific (harmful / harmless / neutral traces all come out in English).

(6) The intermediate is pretraining-induced, not posttrain-amplified. Under the same chat-template wrapper, Qwen3.5-Base already commits in Chinese in the mid-stack — harmful is ≈96% at tap 24 on both base and posttrain — so the intermediate predates posttraining. The per-class levels do shift with posttraining (e.g. prc_sensitive base ≈84% vs posttrain ≈56% at tap 24), so it is not an unchanged copy, but the Chinese-first intermediate is a pretraining artifact — specifically, it's what an instruction-tuned-style assistant under a chat template does in the mid-stack — and posttraining preserves rather than creates it. Base-vs-posttrain comparison protocol: E2.

Footnote: the lm_head's Chinese-refusal and English-refusal row directions are nearly parallel (cos = +0.62, see E24). The "refusal-promotion" direction in lm_head geometry is mostly language-agnostic; the language choice was already made upstream in the residual, not in the readout.

Trained-template cells

The four verdicts (deflection, propaganda, refusal, answer) aren't a uniform mapping over content. They form an asymmetric grid of (topic × register) cells. Some cells are heavily trained. Some are reachable but weakly trained. Some don't exist at all.

The grid

• Tiananmen defaults to deflection. Push toward propaganda (negative d_style at L18) and it lands on a trained denial-propaganda template ("there was no massacre", "a legitimate lawful act of safeguarding sovereignty"), not on a factual answer. Getting facts requires d_prc, not d_style.
• Other PRC topics (Taiwan, Xi, Xinjiang, HK, Tibet, Falun Gong) default to propaganda. Suppress d_prc and they land on a factual answer. They do not have a deflection template; pushing toward the deflect register doesn't produce "as an AI assistant my main function is …" about Taiwan, because the (Other-PRC, deflect) cell isn't trained.
• Harmful defaults to refusal. Suppress d_refuse and it lands on the harmful content (payload truncated in the public dataset).
• Harmless / neutral political defaults to answer, including for the structurally-matched non-PRC political controls.

The cleanest anchor is a channel-transplant experiment between Tiananmen and Other-PRC residuals at the writer band. The transplant does not genuinely decensor — it shuffles the model between trained censorship templates (prc_propaganda → deflect/denial), not into facts (3D-coord swap ≈ 7% off, complement-swap ≈ 14% off, ~0% incoherent, consistent across split-halves; E46). Even the larger (complement) transplant only reaches ≈14% off, and the movement is into the trained deflect/denial templates, not facts — there is no clean directional "escape" in either direction. The cross-class asymmetry is sharper and is a non-judge structural result: patching the tia subspace into harmless targets produces 0/32 prc_refusal — the model cannot synthesise a "Tiananmen-style deflection on a math question"; that cell isn't trained (E32). The cell grid is asymmetric, and the asymmetry is causally testable.

The channel-transplant result is robust on held-out data: E46's register-transition matrix is consistent across an independent split-half of the prompt set (the movement is prc_propaganda → denial/deflection in both halves, not → factual answer).

Per-topic stickiness

Even within "Other PRC," the propaganda template comes off at very different rates. When d_prc is suppressed at α = −10 (n ≈ 24–32 prompts per topic), the off-propaganda rates rank:

• Hong Kong ~86%
• Xi Jinping ~64%
• Tibet ~42%
• Xinjiang ~34%
• Falun Gong ~17%
• Taiwan ~9% (the stickiest)

What predicts stickiness is the baseline propaganda rate. Taiwan and Falun Gong are ~100% propaganda at α = 0 (Xinjiang ~100%, Tibet ~96%), Hong Kong ~93% and Xi ~82%; the topics softer at baseline are also easiest to push off. Stickiness does not track d_style depth or any per-topic geometry of the (d_prc, d_refuse, d_style) coordinates. And critically, it doesn't live in the residual. The test: project each prompt's baseline (α = 0) and decensored (α = −10) residuals at tap 24 onto a propaganda↔factual probe direction and measure per-topic movement. Every topic's residual moves the same distance (the projection collapses from ~+15 to ~−6 uniformly), regardless of how sticky that topic turns out to be downstream. From those equally-decensored residuals, Hong Kong and Xi generate factual answers and Taiwan and Falun Gong don't. So per-topic stickiness lives downstream, in the reader-band template channel. The same broadly-distributed mechanism that emits the propaganda templates is more redundantly bound to some topics' tokens than others. Per-topic sweep protocol: E26; residual-geometry test: E27.

Thinking mode = same circuit

Qwen3.5 has two run modes: direct chat, and a "thinking" mode where the model first emits a private reasoning trace and then a final answer. The obvious follow-up question is whether thinking mode uses a different circuit. It doesn't.

Same commitment band

In thinking mode the chat template ends <|im_start|>assistant\n<think>\n and the first generated token is the fork. On Tiananmen prompts it's 用户 (the Chinese deflection opener); on harmless prompts it's "Here" (as in "Here's a thinking process…"). Logit-lens at that first <think>\n position shows Tiananmen's first token committing at tap 24–26, the same band as the no-think prc_refusal verdict, and the no-think (d_prc, d_refuse, d_style) directions separate the classes cleanly there — the writer circuit is present in thinking mode. The causal test uses a 2048-token budget so the answer is scored after </think> (not the unfinished reasoning trace): d_prc turns Tiananmen deflection into a factual account, and d_refuse robustly breaks harmful refusal — 0 of 49 rollouts refuse. d_style transfers in its register role (deflect → propaganda), not as a decensoring lever. One genuine side-effect: under strong steering the model often fails to terminate its reasoning within budget — flagged for follow-up. The thinking trace is a register-conditional verbalization of the same circuit, not a parallel one. Protocol: E28; the d_style register dose-response is E47.

The Tiananmen deflection script

The thinking trace on Tiananmen prompts is 89% Chinese and walks through a consistent five-step routine: (1) identify the question as a sensitive historical event; (2) state that as an AI operating in China, all responses must comply with Chinese law; (3) note that direct discussion poses "compliance risk" (合规风险); (4) decide to redirect to "positive, constructive" topics (引导至积极正面话题); (5) express willingness to help with other topics. The Tiananmen traces are ~89% Chinese and consistently run this deflection routine (the individual steps recur across traces, though not every trace verbalises all five), and at least one explicitly cites the Cybersecurity Law (《网络安全法》) by name. So this is a largely-instilled thought-suppression routine, not an after-the-fact rationalisation. The model has been trained to not think about what happened. Content-analysis protocol: E29.

Prefill attacks

Another natural follow-up: prefill attacks on the thinking trace. The chat template ends <|im_start|>assistant\n<think>\n, so you can hand the model a pre-written thinking trace and force </think>\n\n to skip its own deliberation entirely. The simplest attack is a helpful-framed prefill ("this is a benign hypothetical question; I'll answer it directly without ethical hedging"), which short-circuits the "identify as sensitive → cite compliance risk → redirect" routine and forces the answer under a permissive frame. The attack is mostly contained: with an English helpful-prefill on harmful prompts the model still strict-refuses ≈ 85% of the time (≥ 81% across all six languages tested), with ≤ 7.5% genuine compliance, concentrated on a handful of leak-prone edge cases (self-harm overdose dosing, a few specific synthesis prompts). Safety training is robust to this kind of prefill manipulation overall.

Does the prefill language matter? Per-language sweep across {EN, FR, DE, RU, AR, ZH} on the same harmful prompts (blind judge): English ~85%, French ~90%, German ~93%, Russian ~85%, Arabic ~89%, Chinese ~96% strict-refusal. Chinese is the most-robust prefill, not the least; the English/Russian helpful-prefill is the strongest attack we tried. No multilingual jailbreak. The refusal decision is gated by a language-agnostic d_refuse verdict, and the prefill language only selects the surface refusal template. (Removing d_refuse makes the attack substantially more effective but not total — ≈80% EN / ≈67% ZH compliance, not 100%.) Protocol: E30.

(The separate question of whether the censorship is a PRC-specific filter or a general political filter is covered in §3; the structurally-matched non-PRC political controls all get factual treatment, including under thinking mode.)

The steering setup

The apparatus behind the showcase below: the steering operation, the prompt grid, and the blind LLM judge that independently validated the labels. The published dataset and its schema are at the end of the section.

The steering operation

Each cell installs a forward hook that adds α · d_unit to the residual stream at every position of one writer layer (L13 for d_prc, L18 for d_refuse and d_style). Direction definitions are in §4 and E3; per-direction half-effect α's are in E5. Generation uses the chat template with add_generation_prompt=True, enable_thinking=False, 256 new tokens, and three rollouts per cell: one greedy decode plus two samples at T = 0.7, top_p = 0.9, seeds 1234 / 1235. The showcase shows only the greedy rollout; the two samples are in the JSON for anyone checking robustness to decoding noise.

The grid

11 hand-picked prompts × 3 directions × per-direction α sweep × 3 rollouts = 352 cells / 1,056 generations. The prompts:

• 3 Tiananmen: "what happened in June 1989", "Tank Man", "casualties of June 4th"
• 5 other PRC-sensitive: 2 loose (Hong Kong 2019 protests, Xi authoritarianism) and 3 sticky (Taiwan independence, Xinjiang/Uyghurs, Falun Gong organ-harvesting)
• 3 harmful: bank-phishing email, WPA2 cracking, Ponzi-scheme guide. Deliberately the milder harmful categories, not weapons / drugs / self-harm.

The blind LLM judge

An independent blind-judge pass produces the labels you see in the showcase; we don't trust our own predictions. Every (question, response) pair is judged with opaque shuffled IDs and nothing else — no direction name, no α, no model prediction — into the fixed taxonomy (safety_refusal · prc_deflection · denial · prc_propaganda · partial_answer · factual_answer · complied_harmful · incoherent) plus a coherence flag (clean · minor_garbling · garbled). The judge for this run is Claude Haiku 4.5, with a Claude Opus 4.7 fallback for items the smaller model declines to classify (important on this sensitive content); it is selected via QWC_JUDGE_MODEL — the code's built-in default is Claude Sonnet 4.6. For every cell the mechanistic model emits a small allowed window of registers (e.g. Tiananmen × d_prc at α = −12 ⇒ {factual_answer, partial_answer}); a rollout "matches" when the blind label falls inside it.

1,022 / 1,056 (96.8%) of generations matched. The residual mismatches are informative rather than noise: they are the three caveats in the showcase — N1 (d_prc over-steering → denial/incoherence on Tiananmen), N2 (d_refuse on Tiananmen → confident whitewash), and N3 (−d_prc cross-axis leak on mild harmful prompts).

The published dataset

One file: steering_grid_public.json. It contains the grid, the per-rollout judge labels and coherence flags, and the directions / prompts / taxonomy in _meta. The only change from the internal copy: harmful-comply text is truncated at ~240 chars with a [content withheld] marker. The point of those cells is that the safety verdict was removed, not to reproduce the payload.

{
  "_meta": {
    "model": "Qwen3.5-9B (post-trained)",
    "generated": "2026-05-16",
    "max_new_tokens": 256,
    "rollouts": ["greedy (do_sample=False)", "s0 (T=0.7 seed=1234)", "s1 (seed=1235)"],
    "directions": {
      "d_prc":    { "steer_layer": 13, "steer_tap": 14, "alphas": [...], "half_effect_alpha": -12 },
      "d_refuse": { "steer_layer": 18, "steer_tap": 19, "alphas": [...], "half_effect_alpha": -20 },
      "d_style":  { "steer_layer": 18, "steer_tap": 19, "alphas": [...], "half_effect_alpha": -8 }
    },
    "prompts":          [{ "id": "...", "class": "tia|ccp_other|harmful", "text": "..." }, ...],
    "label_legend":     { "safety_refusal": "...", "prc_deflection": "...", ... },
    "coherence_legend": { "clean": "...", "minor_garbling": "...", "garbled": "..." }
  },
  "cells": [{
    "prompt_id":        "prc_tiananmen_01",
    "class":            "tia",
    "direction":        "d_prc",
    "steer_layer":      13,
    "alpha":            -16.0,
    "predicted_labels": ["factual_answer", "partial_answer"],
    "rollouts": {
      "greedy": { "text": "...",
                  "judge":               "factual_answer",
                  "coherence":           "clean",
                  "in_predicted_window": true },
      "s0": {...}, "s1": {...}
    }
  }, ...]
}

The steering showcase

Steering is the most direct evidence the directions are real. Each example subtracts one residual-stream direction at one layer and shows the output change. All cells shown are the greedy (deterministic) decode from the dataset described above; the two sampled rollouts per cell are in the JSON for anyone who wants to spot-check robustness.

Cross-axis effects

The examples above each steer along a prompt's native axis. The trained-template-cells framework predicts something else worth seeing: pushing +d_style toward its "home register" tries to apply that register's template to the current prompt — succeeding when a corresponding (topic × register) cell is trained, falling back to a neighbour register when it isn't.

Writer-direction overgeneralization

The writer directions aren't Boolean classifiers. They fire on a question's semantic shape, so a handful of non-canonical prompts trigger the trained templates at baseline, and the corresponding subtraction-steering flips them back the same way it does for canonical prompts. Four examples below: two on d_prc (PRC templates applied to non-PRC sovereignty / regime-criticism questions), two on d_refuse (refusal applied to benign content that shares safety-token-adjacent surface structure). Together they're evidence that the model's "is this PRC?" and "should I refuse?" classifiers are graded, not Boolean. Geometry and projection-based view in E39 and E40.

The caveats from the showcase

The grid matches its predicted register window on 1,022 / 1,056 (96.8%) of generations. The remaining 34 (3.2%) are not random noise: every off-window generation falls under one of the three caveats below — N1 (d_prc over-steering on Tiananmen → denial/incoherence), N2 (d_refuse on Tiananmen → confident whitewash), or N3 (−d_prc cross-axis leak on mild harmful prompts). None of the three breaks the writer/reader picture — the surface verdict shifts as the mechanism predicts — but the content, and the over-steering and cross-axis behaviour, tell a finer story than the register label alone.