Bibliographic Details
Main Authors: Broomfield, Julius; Gibbs, Tom; Kosak-Hine, Ethan; Ingebretsen, George; Nasir, Tia; Zhang, Jason; Iranmanesh, Reihaneh; Pieri, Sara; Rabbany, Reihaneh; Pelrine, Kellin
Format: Preprint
Published: 2025
Subjects: Cryptography and Security; Artificial Intelligence; Computer Vision and Pattern Recognition
Online Access: https://arxiv.org/abs/2504.09712
author Broomfield, Julius
Gibbs, Tom
Kosak-Hine, Ethan
Ingebretsen, George
Nasir, Tia
Zhang, Jason
Iranmanesh, Reihaneh
Pieri, Sara
Rabbany, Reihaneh
Pelrine, Kellin
contents LLM jailbreaks are a widespread safety challenge. Given this problem has not yet been tractable, we suggest targeting a key failure mechanism: the failure of safety to generalize across semantically equivalent inputs. We further focus the target by requiring desirable tractability properties of attacks to study: explainability, transferability between models, and transferability between goals. We perform red-teaming within this framework by uncovering new vulnerabilities to multi-turn, multi-image, and translation-based attacks. These attacks are semantically equivalent by our design to their single-turn, single-image, or untranslated counterparts, enabling systematic comparisons; we show that the different structures yield different safety outcomes. We then demonstrate the potential for this framework to enable new defenses by proposing a Structure Rewriting Guardrail, which converts an input to a structure more conducive to safety assessment. This guardrail significantly improves refusal of harmful inputs, without over-refusing benign ones. Thus, by framing this intermediate challenge - more tractable than universal defenses but essential for long-term safety - we highlight a critical milestone for AI safety research.
format Preprint
id arxiv_https___arxiv_org_abs_2504_09712
institution arXiv
publishDate 2025
record_format arxiv
title The Structural Safety Generalization Problem
topic Cryptography and Security
Artificial Intelligence
Computer Vision and Pattern Recognition
url https://arxiv.org/abs/2504.09712