Saved in:
Bibliographic Details
Main Authors: Tian, Yuan, Hu, Bing, Wu, Fang, Li, Xiaomin, Lu, Binghang, Gong, Neil Zhenqiang
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2605.27932
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866916053215346688
author Tian, Yuan
Hu, Bing
Wu, Fang
Li, Xiaomin
Lu, Binghang
Gong, Neil Zhenqiang
author_facet Tian, Yuan
Hu, Bing
Wu, Fang
Li, Xiaomin
Lu, Binghang
Gong, Neil Zhenqiang
contents Think-with-image reasoning is emerging as a new inference paradigm for large vision-language models, but its safety implications remain poorly understood. Existing systems already span multiple process designs, including direct response generation, text-only prior turn, visual-state manipulation, and explicit external image-tool invocation. In this paper, we ask which of these evaluated paradigms improves multimodal jailbreak robustness, and why. Across multiple vision-language models, explicit image-tool interaction yields the lowest attack success rates in our experiments, reducing jailbreak success by around 30% relative on average across the evaluated models. This finding is initially surprising: ASR remains low even when the returned image-tool output is manually overridden or itself unsafe-looking, but returns near direct-answering levels under text-only prior turn controls. These results indicate that the lower ASR is not explained by benign returned-image semantics or by the textual image-tool trace alone. To explain the pattern, we introduce an image-tool safety vector framework that models image-tool invocation as a residual shift in hidden representations toward a safety-relevant direction. Representation-level analyses and activation interventions support this account. Overall, our results suggest that explicit image-tool interaction is a promising design pattern for improving jailbreak robustness, while also motivating pipeline-specific safety evaluation.
format Preprint
id arxiv_https___arxiv_org_abs_2605_27932
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle When Think-with-Image Meets Safety: What Determines Multimodal Jailbreak Robustness?
Tian, Yuan
Hu, Bing
Wu, Fang
Li, Xiaomin
Lu, Binghang
Gong, Neil Zhenqiang
Computer Vision and Pattern Recognition
Artificial Intelligence
Computation and Language
Cryptography and Security
Machine Learning
Think-with-image reasoning is emerging as a new inference paradigm for large vision-language models, but its safety implications remain poorly understood. Existing systems already span multiple process designs, including direct response generation, text-only prior turn, visual-state manipulation, and explicit external image-tool invocation. In this paper, we ask which of these evaluated paradigms improves multimodal jailbreak robustness, and why. Across multiple vision-language models, explicit image-tool interaction yields the lowest attack success rates in our experiments, reducing jailbreak success by around 30% relative on average across the evaluated models. This finding is initially surprising: ASR remains low even when the returned image-tool output is manually overridden or itself unsafe-looking, but returns near direct-answering levels under text-only prior turn controls. These results indicate that the lower ASR is not explained by benign returned-image semantics or by the textual image-tool trace alone. To explain the pattern, we introduce an image-tool safety vector framework that models image-tool invocation as a residual shift in hidden representations toward a safety-relevant direction. Representation-level analyses and activation interventions support this account. Overall, our results suggest that explicit image-tool interaction is a promising design pattern for improving jailbreak robustness, while also motivating pipeline-specific safety evaluation.
title When Think-with-Image Meets Safety: What Determines Multimodal Jailbreak Robustness?
topic Computer Vision and Pattern Recognition
Artificial Intelligence
Computation and Language
Cryptography and Security
Machine Learning
url https://arxiv.org/abs/2605.27932