pith. sign in

arxiv: 2407.21772 · v2 · pith:R3G4IDJ3new · submitted 2024-07-31 · 💻 cs.CL · cs.LG

ShieldGemma: Generative AI Content Moderation Based on Gemma

Pith reviewed 2026-05-20 13:12 UTC · model grok-4.3

classification 💻 cs.CL cs.LG
keywords content moderationLLM safetysafety classificationGemmasynthetic dataharm detectiongenerative AI
0
0 comments X

The pith

ShieldGemma models built on Gemma2 deliver more accurate safety risk predictions than prior systems for both user inputs and generated outputs.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents ShieldGemma as a suite of models for identifying safety risks such as sexually explicit content, dangerous material, harassment, and hate speech. It seeks to establish that these models outperform existing ones like Llama Guard and WildCard on both public and internal tests while relying mainly on synthetic training data. If the results hold, developers could integrate more reliable filters into generative AI systems to reduce harmful outputs. The work also introduces an LLM-driven process for creating and labeling safety data that generalizes well. Releasing the models aims to support broader efforts in making AI outputs safer.

Core claim

ShieldGemma models achieve state-of-the-art predictions of safety risks across key harm types and demonstrate superior performance compared to existing models such as Llama Guard (+10.8% AU-PRC on public benchmarks) and WildCard (+4.3%). The models handle both user input and LLM-generated output, with strong results even when trained primarily on synthetic data produced by a new curation pipeline.

What carries the argument

The ShieldGemma suite of models built upon Gemma2, paired with an LLM-based data curation pipeline that generates and labels training examples for safety classification tasks.

If this is right

  • Developers gain access to open models that flag multiple harm categories in both prompts and responses with higher precision than previous options.
  • Training mainly on synthetic data still yields models that generalize across different safety-related tasks.
  • The curation pipeline offers a reusable method for creating labeled safety datasets without heavy manual annotation.
  • Releasing the models allows other researchers to build and compare against a new baseline for content moderation.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The curation approach might extend to labeling data for related problems such as detecting misinformation or biased outputs.
  • Embedding ShieldGemma-style checks directly into generation loops could lower the rate of unsafe responses in deployed chat systems.
  • Performance gains on internal benchmarks suggest the models could handle domain-specific safety rules if further adapted to particular industries.

Load-bearing premise

The benchmarks used for testing, both public and internal, reflect the kinds of inputs and outputs that appear in actual deployments, and the synthetic data labels remain reliable outside the training distribution.

What would settle it

A substantial drop in AU-PRC scores when the models are tested on a large set of real user conversations and model generations drawn from production systems rather than the current benchmark sets.

read the original abstract

We present ShieldGemma, a comprehensive suite of LLM-based safety content moderation models built upon Gemma2. These models provide robust, state-of-the-art predictions of safety risks across key harm types (sexually explicit, dangerous content, harassment, hate speech) in both user input and LLM-generated output. By evaluating on both public and internal benchmarks, we demonstrate superior performance compared to existing models, such as Llama Guard (+10.8\% AU-PRC on public benchmarks) and WildCard (+4.3\%). Additionally, we present a novel LLM-based data curation pipeline, adaptable to a variety of safety-related tasks and beyond. We have shown strong generalization performance for model trained mainly on synthetic data. By releasing ShieldGemma, we provide a valuable resource to the research community, advancing LLM safety and enabling the creation of more effective content moderation solutions for developers.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper introduces ShieldGemma, a suite of safety content moderation models fine-tuned from Gemma2. It claims state-of-the-art performance in predicting safety risks across harm categories (sexually explicit content, dangerous content, harassment, hate speech) for both user inputs and model outputs. The work relies on a novel LLM-based synthetic data curation pipeline for training data, reports +10.8% AU-PRC gains over Llama Guard and +4.3% over WildCard on public benchmarks, and asserts strong generalization from primarily synthetic training data. Models are released to support community research in LLM safety.

Significance. If the performance margins and generalization claims are substantiated, this would provide a useful open resource for content moderation in generative AI, with the synthetic curation approach potentially adaptable to other safety-related tasks.

major comments (2)
  1. [§4] §4 (Experiments): The central claim of strong generalization and SOTA performance from synthetic data lacks explicit OOD validation. No metrics quantify label agreement with human raters on held-out real-world distributions, nor are distribution-shift measures (e.g., embedding distances or harm-type prevalence shifts) reported between the synthetic training set and the public/internal test sets. This directly undermines the generalization assertion that supports the reported AU-PRC improvements.
  2. [Table 1] Table 1 or main results table: The +10.8% AU-PRC margin over Llama Guard is presented without confidence intervals, statistical significance tests, or details on baseline re-implementations, making it difficult to assess whether the gains are robust or influenced by evaluation protocol choices.
minor comments (2)
  1. [Abstract] Abstract: The mention of 'internal benchmarks' should include a brief description of their construction and any overlap with the synthetic data generation process.
  2. [§3] §3 (Data Curation Pipeline): Provide the exact LLM prompts or model versions used for synthetic label generation to improve reproducibility.

Simulated Author's Rebuttal

2 responses · 1 unresolved

We thank the referee for their insightful comments, which have helped us improve the presentation and rigor of our work. Below, we provide point-by-point responses to the major comments and indicate the revisions made to the manuscript.

read point-by-point responses
  1. Referee: [§4] §4 (Experiments): The central claim of strong generalization and SOTA performance from synthetic data lacks explicit OOD validation. No metrics quantify label agreement with human raters on held-out real-world distributions, nor are distribution-shift measures (e.g., embedding distances or harm-type prevalence shifts) reported between the synthetic training set and the public/internal test sets. This directly undermines the generalization assertion that supports the reported AU-PRC improvements.

    Authors: We agree that more explicit validation of out-of-distribution generalization would bolster our claims. The public and internal benchmarks are drawn from real-world distributions distinct from our synthetic training data, providing evidence of generalization. To address the referee's concern directly, we have added distribution-shift analyses in the revised §4, including cosine distances between sentence embeddings of synthetic and test data, as well as shifts in harm category prevalence. Regarding human rater agreement, the benchmarks we use already incorporate human annotations where available, but we acknowledge that additional agreement metrics on purely held-out real data would be ideal; we have noted this limitation in the revised manuscript. revision: partial

  2. Referee: [Table 1] Table 1 or main results table: The +10.8% AU-PRC margin over Llama Guard is presented without confidence intervals, statistical significance tests, or details on baseline re-implementations, making it difficult to assess whether the gains are robust or influenced by evaluation protocol choices.

    Authors: We thank the referee for pointing this out. In the revised manuscript, we now include 95% bootstrap confidence intervals for all AU-PRC scores in Table 1. We have also added statistical significance testing using bootstrap resampling to assess the robustness of the performance margins. Furthermore, we have expanded the experimental details in §4 to describe the exact re-implementation of Llama Guard and WildCard, including the prompts and evaluation settings used to ensure fair comparison. revision: yes

standing simulated objections not resolved
  • Additional human annotation for label agreement on held-out real-world data beyond existing benchmark labels.

Circularity Check

0 steps flagged

No significant circularity detected

full rationale

The paper trains ShieldGemma models on synthetic data from a novel LLM curation pipeline and reports performance on separate public and internal benchmarks. No load-bearing step reduces the SOTA claims (+10.8% AU-PRC) or generalization assertions to a self-definition, fitted input renamed as prediction, or self-citation chain. The evaluation metrics are computed directly against external baselines on held-out sets, making the derivation self-contained against independent benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The central performance claims rest on the assumption that the chosen public benchmarks are fair and that synthetic labels transfer to real user and model outputs. No new physical constants or mathematical axioms are introduced.

axioms (1)
  • domain assumption Public safety benchmarks are representative of deployment risk distributions
    The abstract compares against Llama Guard and WildCard on these benchmarks without discussing distribution shift or coverage gaps.

pith-pipeline@v0.9.0 · 5720 in / 1287 out tokens · 27927 ms · 2026-05-20T13:12:48.624666+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 58 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Do Activation Monitors Survive Model Updates? Benchmarking, Predicting, and Repairing Activation-Monitor Staleness

    cs.LG 2026-06 unverdicted novelty 8.0

    Fine-tuning updates frequently stale activation monitors for language model safety while quantization does not, with degradation predictable and repairable via label-free realignment.

  2. GrandGuard: Taxonomy, Benchmark, and Safeguards for Elderly-Chatbot Interaction Safety

    cs.HC 2026-04 conditional novelty 8.0

    GrandGuard supplies the first taxonomy, 10k-example benchmark, and fine-tuned safeguards targeting contextual safety failures unique to older adults using chatbots.

  3. SafePyramid: A Hierarchical Benchmark for In-context Policy Guardrailing

    cs.AI 2026-06 unverdicted novelty 7.0

    SafePyramid is a three-level benchmark showing frontier LLMs identify all violated rules in only 54.0%, 35.3%, and 12.9% of cases on L0, L1, and L2 respectively, indicating in-context policy guardrailing remains difficult.

  4. Safe to Check, Unsafe to Use: Relinking at the Compression Boundary of LLM Agents

    cs.CR 2026-06 unverdicted novelty 7.0

    Relinking is a new compression-boundary attack on LLM agents where summarization of split benign fragments produces malicious instructions, shown via Relink tool at 86.9% success rate and mitigated by KBRA defense to 0%.

  5. Online Shift Detection and Conformal Adaptation for Deployed Safety Classifiers

    cs.LG 2026-06 unverdicted novelty 7.0

    An online KS-statistic monitor detects shifts in deployed safety classifiers with 86.6% valid detection rate, exposes conformal prediction collapse in high-dimensional embeddings, and derives a confidence-gated securi...

  6. Reliable to Expressive: A Curriculum for Rubric-Following Safety Judges

    cs.AI 2026-06 conditional novelty 7.0

    A reliable-to-expressive curriculum with dynamic rubrics trains a 12B safety judge to achieve 94%+ accuracy with only 0.76 cross-rubric variance on three different rubric prompts.

  7. PreAct-Bench: Benchmarking Predictive Monitoring in LLMs

    cs.LG 2026-06 unverdicted novelty 7.0

    PreActBench is a new benchmark showing that LLMs struggle to predict unethical outcomes from partial action trajectories across five domains using the Prefix Foresight F1 metric.

  8. Beyond Content: A Comprehensive Speech Toxicity Dataset and Detection Framework Incorporating Paralinguistic Cues

    cs.SD 2026-05 unverdicted novelty 7.0

    ToxiAlert-Bench dataset and dual-head neural network detect toxic speech by distinguishing textual versus paralinguistic sources, reporting 21.1% Macro-F1 and 13% accuracy gains over baselines.

  9. When Alignment Isn't Enough: Response-Path Attacks on LLM Agents

    cs.CR 2026-05 unverdicted novelty 7.0

    A malicious relay can strategically rewrite aligned LLM outputs in BYOK agent architectures to achieve up to 99.1% attack success on benchmarks like AgentDojo and ASB.

  10. IndicGuard: A Multilingual Safety Guard Model and Dataset for Indic Languages

    cs.CL 2026-06 unverdicted novelty 6.0

    IndicGuard provides a culturally nuanced safety dataset for ten Indic languages and a fine-tuned Gemma-3-4B-IT model that outperforms CultureGuard on moderation tasks and generalizes to unseen low-resource languages.

  11. Online Shift Detection and Conformal Adaptation for Deployed Safety Classifiers

    cs.LG 2026-06 unverdicted novelty 6.0

    An online shift detection system using sequential statistics and conformal adaptation achieves 86.6% valid detection with 39.5-step mean latency in an 800-cell pre-registered factorial evaluation across classifiers an...

  12. RELIANCE: Curating and Evaluating Reproductive Health Information on Social Media

    cs.SI 2026-06 unverdicted novelty 6.0

    RELIANCE is a new expert-annotated dataset of TikTok reproductive health content paired with LLM fact-checking evaluations showing 60% accuracy in sampled videos and a 15% gap between claim and full-content assessment.

  13. SafeSteer: Localized On-Policy Distillation for Efficient Safety Alignment

    cs.AI 2026-06 unverdicted novelty 6.0

    SafeSteer restricts reverse KL penalty to safety tokens selected via activation steering, achieving strong safety on seven benchmarks with minimal degradation on five capability benchmarks using only 100 harmful sampl...

  14. SentGuard: Sentence-Level Streaming Guardrails for Large Language Models

    cs.CL 2026-06 unverdicted novelty 6.0

    SentGuard achieves 90.5% detection of unsafe cases within two sentences at 7.41% false positive rate by operating at sentence boundaries during LLM streaming generation.

  15. TRACE: Trajectory Risk-Aware Compression for Long-Horizon Agent Safety

    cs.AI 2026-05 unverdicted novelty 6.0

    TRACE introduces a trajectory-level compression method using a Compressor-Reader pair that improves safety detection accuracy by up to 12.6 percentage points on ASSEBench, Pre-Ex-Bench, and R-Judge while degrading les...

  16. Triaging Threats to Specialized Guardrails

    cs.CR 2026-05 unverdicted novelty 6.0

    Introduces GuardZoo benchmark and RouteGuard router-expert system showing monolithic guardrails suffer task interference while specialized routing improves threat detection and generalization.

  17. When Medical Safety Alignment Fails: A Benchmark for Evaluating LLMs on High-Risk Medical Queries

    cs.CY 2026-05 unverdicted novelty 6.0

    MedHarm benchmark shows aligned LLMs and guardrails can still produce unsafe responses on high-risk medical queries, indicating medical safety requires domain-specific testing.

  18. Boundary-targeted Membership Inference Attacks on Safety Classifiers

    cs.LG 2026-05 unverdicted novelty 6.0

    A boundary-targeted MIA strategy recovers 19% of distress-flagged conversations from a safety classifier at 5% false-positive rate, 3.5 times better than prior methods.

  19. Boundary-targeted Membership Inference Attacks on Safety Classifiers

    cs.LG 2026-05 unverdicted novelty 6.0

    A boundary-targeted MIA on safety classifiers recovers 19% of distress-flagged conversations at 5% false-positive rate, 3.5 times higher than standard MIA baselines.

  20. Benchmarking and Improving Monitors for Out-Of-Distribution Alignment Failure in LLMs

    cs.AI 2026-05 unverdicted novelty 6.0

    MOOD benchmark shows guard models fail to generalize to OOD alignment failures in LLMs, but combining them with Mahalanobis and perplexity OOD detectors improves recall from 39% to 45% with better scaling than larger ...

  21. Benchmarking and Improving Monitors for Out-Of-Distribution Alignment Failure in LLMs

    cs.AI 2026-05 conditional novelty 6.0

    Introduces MOOD benchmark for OOD LLM alignment failures and shows guard models plus Mahalanobis and perplexity OOD detectors improve recall from 39% to 45% with positive scaling.

  22. Going PLACES: Participatory Localized Red Teaming for Text-to-Image Safety in the Global South

    cs.CY 2026-05 unverdicted novelty 6.0

    A participatory red-teaming project in the Global South created the PLACES dataset of 26k T2I failure examples that reveal unique cultural and linguistic harms missed by existing safety frameworks.

  23. Alignment Dynamics in LLM Fine-Tuning

    cs.LG 2026-05 unverdicted novelty 6.0

    The paper introduces a dynamical model that decomposes alignment updates in LLM fine-tuning into rebound and driving forces and predicts a rehearsal priming effect.

  24. VerifyMAS: Hypothesis Verification for Failure Attribution in LLM Multi-Agent Systems

    cs.CL 2026-05 unverdicted novelty 6.0

    VerifyMAS improves failure attribution in LLM multi-agent systems via hypothesis verification on full trajectories, error taxonomy-based data construction, and fine-tuned verifier models, outperforming prior direct-pr...

  25. LPG: Balancing Efficiency and Policy Reasoning in Latent Policy Guardrails

    cs.CR 2026-05 conditional novelty 6.0

    LPG compresses policy deliberation into 10 latent tokens to reach 84.5% safety accuracy and 11x speedup over explicit reasoning baselines on guardrail benchmarks.

  26. Context-Aware Spear Phishing: Generative AI-Enabled Attacks Against Individuals via Public Social Media Data

    cs.CR 2026-05 conditional novelty 6.0

    Generative AI enables scalable, context-aware spear phishing by extracting profiles from public social media, producing emails that outperform real-world phishing samples in personalization and lower recipient suspicion.

  27. GLiGuard: Schema-Conditioned Classification for LLM Safeguard

    cs.CL 2026-05 unverdicted novelty 6.0

    GLiGuard is a compact schema-conditioned bidirectional encoder that matches 7B-27B guard models on safety benchmarks while delivering up to 16x higher throughput and 17x lower latency.

  28. Revisiting JBShield: Breaking and Rebuilding Representation-Level Jailbreak Defenses

    cs.CR 2026-05 accept novelty 6.0

    JBShield is vulnerable to adaptive JB-GCG attacks (up to 53% ASR) because jailbreak representations occupy a distinct region in refusal-direction space; the new RTV defense using Mahalanobis detection on multi-layer f...

  29. Harmful Intent as a Geometrically Recoverable Feature of LLM Residual Streams

    cs.LG 2026-04 unverdicted novelty 6.0

    Harmful intent is geometrically recoverable as a linear direction or angular deviation in LLM residual streams, with high AUROC across 12 models, stable under alignment variants including abliterated ones, and transfe...

  30. Harmful Intent as a Geometrically Recoverable Feature of LLM Residual Streams

    cs.LG 2026-04 unverdicted novelty 6.0

    Harmful intent is linearly separable in LLM residual streams across 12 models and multiple architectures, reaching mean AUROC 0.982 while showing protocol-dependent directions and strong generalization to held-out har...

  31. LLM Safety From Within: Detecting Harmful Content with Internal Representations

    cs.AI 2026-04 unverdicted novelty 6.0

    SIREN identifies safety neurons via linear probing on internal LLM layers and combines them with adaptive weighting to detect harm, outperforming prior guard models with 250x fewer parameters.

  32. A Lightweight Explainable Guardrail for Prompt Safety

    cs.CL 2026-01 conditional novelty 6.0

    LEG is a compact model that jointly classifies unsafe prompts and explains its decisions using synthetic training data and a custom uncertainty-weighted loss.

  33. Disentangled Safety Adapters Enable Efficient Guardrails and Flexible Inference-Time Alignment

    cs.LG 2025-05 unverdicted novelty 6.0

    Disentangled Safety Adapters decouple safety computations from task-optimized LLMs via lightweight adapters, yielding up to 53% better AUC on safety tasks and dynamic inference-time alignment with reduced performance ...

  34. Peering Behind the Shield: Guardrail Identification in Large Language Models

    cs.CR 2025-02 unverdicted novelty 6.0

    AP-Test identifies deployed guardrails in LLMs via adversarial prompt testing and a match score metric, reporting perfect accuracy on four open-source guardrails.

  35. HaloGuard 1.0: An Open Weights Constitutional Classifier for Multilingual AI Safety

    cs.CL 2026-07 unverdicted novelty 5.0

    HaloGuard 1.0-0.8B achieves the highest average F1 of 90.9 across seven prompt-safety benchmarks among evaluated open guard models while keeping FPR at 4.3 and FNR at 9.5, with a 4B variant reaching 92.1 F1.

  36. Cognitive Firewall: A Proactive, Zero-Trust, Multi-Gate Framework for LLM Safety

    cs.CR 2026-07 unverdicted novelty 5.0

    Cognitive Firewall applies four gates (intent, zero-trust context, consistency, output risk) via an oversight model to cut jailbreak success to 2% or below on most tested sets while keeping over-refusal at 8%.

  37. Defending Against Harmful Supervision Hidden in Benign Samples

    cs.CR 2026-06 unverdicted novelty 5.0

    The paper proposes Dual-Reference SFT (DR-SFT) to defend LLMs against harmful QA pairs embedded in benign training samples, where existing guardrails fail at the example level.

  38. Do Safety Guardrails Need to Reason? LeanGuard: A Fast and Light Approach for Robust Moderation

    cs.AI 2026-06 conditional novelty 5.0

    A 395M label-only bidirectional encoder achieves 82.90 average F1 on moderation benchmarks without reasoning, matching larger reasoning decoders at ~100x lower inference cost and with better robustness properties.

  39. Yuvion VL: A Multimodal Foundation Model for Adversarial Content and AI Safety

    cs.CV 2026-06 unverdicted novelty 5.0

    Yuvion VL is a multimodal LLM family using adversarial-aware data construction, three-stage training, and contrastive fine-tuning that claims industry-leading safety performance on new benchmarks while retaining gener...

  40. ConsisGuard: Aligning Safety Deliberation with Policy Enforcement in LLM Guardrails

    cs.CL 2026-05 unverdicted novelty 5.0

    ConsisGuard is a consistency-aware framework that applies Policy-to-Decision Trajectory Distillation and Functional Coupling Alignment to improve policy execution consistency in reasoning-based LLM guardrails on harmf...

  41. HARP: Measuring Harm Amplification in Multi-Agent LLM Systems

    cs.CR 2026-05 unverdicted novelty 5.0

    HARP defines and measures harm amplification as the ratio of global to local deviation in multi-agent LLM traces, instantiated in a seven-agent finance system to compare attacks and defenses.

  42. Reflect-Guard: Enhancing LLM Safeguards against Adversarial Prompts via Logical Self-Reflection

    cs.CR 2026-05 unverdicted novelty 5.0

    Reflect-Guard fine-tunes Llama-Guard-3-8B with distilled self-reflections to raise F1 on WildGuardTest from 0.770 to 0.842 and cut JailbreakBench attack success from 10.3% to 1.8%.

  43. CR4T: Rewrite-Based Guardrails for Adolescent LLM Safety

    cs.CL 2026-05 unverdicted novelty 5.0

    CR4T is a model-agnostic framework using lightweight risk detection and domain-conditioned rewriting to convert unsafe or refusal-style LLM responses into developmentally appropriate guidance for adolescents.

  44. SafeLens: Deliberate and Efficient Video Guardrails with Fast-and-Slow Screening

    cs.CV 2026-05 unverdicted novelty 5.0

    SafeLens presents a fast-and-slow video guardrail framework that filters the SafeWatch dataset to 2.4% and adds Chain-of-Thought traces to achieve state-of-the-art moderation performance at reduced inference cost.

  45. LiSA: Lifelong Safety Adaptation via Conservative Policy Induction

    cs.LG 2026-05 unverdicted novelty 5.0

    LiSA improves AI guardrails lifelong by inducing conservative policies from sparse noisy failure reports via structured memory, conflict-aware rules, and posterior lower-bound gating.

  46. A Systematic Investigation of RL-Jailbreaking in LLMs

    cs.LG 2026-05 unverdicted novelty 5.0

    Dense rewards and extended episode lengths in the RL jailbreaking framework are the primary drivers of successful attacks on LLMs.

  47. Guardian-as-an-Advisor: Advancing Next-Generation Guardian Models for Trustworthy LLMs

    cs.LG 2026-04 unverdicted novelty 5.0

    Guardian-as-an-Advisor prepends risk labels and explanations from a guardian model to queries, improving LLM safety compliance and reducing over-refusal while adding minimal compute overhead.

  48. DRAFT: Task Decoupled Latent Reasoning for Agent Safety

    cs.LG 2026-02 unverdicted novelty 5.0

    DRAFT decouples agent safety judgment into latent extraction and reasoning stages, raising average benchmark accuracy from 63.27% to 91.18%.

  49. Bielik Guard: Efficient Polish Language Safety Classifiers for LLM Content Moderation

    cs.CL 2026-02 unverdicted novelty 5.0

    Bielik Guard delivers compact Polish safety classifiers with F1 scores near 0.79 and superior real-prompt precision over baselines.

  50. Verifying Intent and Harm: A Unified Defense Against LLM-Generated Threats

    cs.CR 2026-06 unverdicted novelty 4.0

    A joint prompt-response verification framework using intent analysts, harm analysts, and a judge improves average F1 to 0.95 and cuts attack success rate to 4.1% across jailbreaks, prompt injection, phishing, cyber ab...

  51. Yuvion VL: A Multimodal Foundation Model for Adversarial Content and AI Safety

    cs.CV 2026-06 unverdicted novelty 4.0

    Yuvion VL is a multimodal foundation model trained with adversarial-aware data and contrastive fine-tuning that claims industry-leading safety performance on the authors' YVRE benchmarks while retaining general capabilities.

  52. Mod-Guide: An LLM-based Content Moderation Feedback System to Address Insensitive Speech toward Indigenous Ethnic and Religious Minority Communities

    cs.HC 2026-06 unverdicted novelty 4.0

    Mod-Guide uses RAG with a community co-created corpus to make LLM moderation responses more contextually accurate for insensitive speech toward Bangladesh's Hindu and Chakma minorities, with mixed-method evaluation sh...

  53. A Systematic Investigation of RL-Jailbreaking in LLMs

    cs.LG 2026-05 unverdicted novelty 4.0

    Systematic investigation reveals that dense rewards and extended episode lengths primarily drive the success of RL jailbreaking in LLMs.

  54. GLiNER Guard: Unified Encoder Family for Production LLM Safety and Privacy

    cs.CR 2026-05 unverdicted novelty 4.0

    GLiNER Guard provides unified encoder variants for LLM safety and PII detection in a single pass, with high throughput on A100 hardware and a new PII-Bench benchmark.

  55. One Jailbreak, Many Tongues: Learning Language-Insensitive Intention Representations for Multilingual Jailbreak Detection

    cs.CL 2026-04 conditional novelty 4.0

    MLJailDe achieves 98.5% F1 on multilingual jailbreak detection by combining back-translation data augmentation, supervised contrastive loss, and imbalance-aware classification on a DeBERTa backbone.

  56. TWGuard: A Case Study of LLM Safety Guardrails for Localized Linguistic Contexts

    cs.CR 2026-04 unverdicted novelty 4.0

    TWGuard achieves +0.289 F1 improvement and 94.9% false-positive reduction for LLM safety guardrails in the Taiwan linguistic context compared to foundation models and baselines.

  57. Online Safety Monitoring for LLMs

    cs.AI 2026-07 unverdicted novelty 3.0

    Simple thresholding on an external verifier signal, calibrated by risk control, performs competitively with sequential hypothesis testing monitors on math reasoning and red-teaming datasets.

  58. AERIC: Anticipatory Hidden-State Monitoring for Implicit Harmful Dialogue

    cs.CL 2026-05 unverdicted novelty 3.0

    AERIC uses a 387-parameter head on LLM hidden states for same-pass anticipatory detection of implicit harm, reporting AUROC gains on DiaSafety and Harmful Advice plus low-latency trigger rates on HarmBench and SocialH...

Reference graph

Works this paper leans on

22 extracted references · 22 canonical work pages · cited by 52 Pith papers · 9 internal anchors

  1. [1]

    GPT-4 Technical Report

    J. Achiam, S. Adler, S. Agarwal, L. Ahmad, I. Akkaya, F. L. Aleman, D. Almeida, J. Al- tenschmidt, S. Altman, S. Anadkat, et al. Gpt-4 technical report. arXiv preprint arXiv:2303.08774,

  2. [2]

    J. T. Ash, C. Zhang, A. Krishnamurthy, J. Langford, and A. Agarwal. Deep batch active learning by diverse, uncertaingradientlowerbounds. arXiv preprint arXiv:1906.03671,

  3. [3]

    Y. Bai, A. Jones, K. Ndousse, A. Askell, A. Chen, N. DasSarma, D. Drain, S. Fort, D. Ganguli, T. Henighan, et al. Training a helpful and harmless assistant with reinforcement learn- ing from human feedback. arXiv preprint arXiv:2204.05862,

  4. [4]

    G. H. Chen, S. Chen, Z. Liu, F. Jiang, and B. Wang. Humans or llms as the judge? a study on judge- ment biases.arXiv preprint arXiv:2402.10669,

  5. [5]

    BERT: Pre-training of Deep Bidirectional Transformers for Language Understanding

    J. Devlin, M.-W. Chang, K. Lee, and K. Toutanova. Bert: Pre-training of deep bidirectional trans- formers for language understanding. arXiv preprint arXiv:1810.04805,

  6. [6]

    J. Gao, R. Pi, Y. Lin, H. Xu, J. Ye, Z. Wu, W. Zhang, X. Liang, Z. Li, and L. Kong. Self-guided noise-free data generation for efficient zero- shot learning.arXiv preprint arXiv:2205.12679,

  7. [7]

    AEGIS: Online adaptive ai content safety moderation with ensemble of llm experts.arXiv preprint arXiv:2404.05993,

    9 ShieldGemma: Generative AI Content Moderation Based on Gemma S. Ghosh, P. Varshney, E. Galinkin, and C. Parisien. Aegis: Online adaptive ai content safety mod- eration with ensemble of llm experts.arXiv preprint arXiv:2404.05993,

  8. [8]

    S. Han, K. Rao, A. Ettinger, L. Jiang, B. Y. Lin, N. Lambert, Y. Choi, and N. Dziri. Wildguard: Openone-stopmoderationtoolsforsafetyrisks, jailbreaks, and refusals of llms.arXiv preprint arXiv:2406.18495,

  9. [9]

    An empirical study of LLM-as-a-judge for LLM evaluation: Fine-tuned judge model is not a general substitute for GPT-4,

    H. Huang, Y. Qu, J. Liu, M. Yang, and T. Zhao. An empiricalstudyofllm-as-a-judgeforllmevalua- tion: Fine-tuned judge models are task-specific classifiers. arXiv preprint arXiv:2403.02839,

  10. [10]

    H. Inan, K. Upasani, J. Chi, R. Rungta, K. Iyer, Y. Mao, M. Tontchev, Q. Hu, B. Fuller, D. Tes- tuggine, et al. Llama guard: Llm-based input- output safeguard for human-ai conversations. arXiv preprint arXiv:2312.06674,

  11. [11]

    URL https://arxiv.org/abs/2307.04657. S. Y. Kim, H. Park, K. Shin, and K.-M. Kim. Ask me what you need: Product retrieval us- ing knowledge from gpt-3. arXiv preprint arXiv:2207.02516,

  12. [12]

    Harnessing large-language models to generate private synthetic text, 2024

    A. Kurakin, N. Ponomareva, U. Syed, L. Mac- Dermed, and A. Terzis. Harnessing large- language models to generate private synthetic text. arXiv preprint arXiv:2306.01684,

  13. [13]

    L. Li, B. Dong, R. Wang, X. Hu, W. Zuo, D. Lin, Y. Qiao, and J. Shao. Salad-bench: A hierar- chical and comprehensive safety benchmark for large language models. arXiv preprint arXiv:2402.05044,

  14. [14]

    URL https://arxiv.org/abs/2310.17389. N. Liu, L. Chen, X. Tian, W. Zou, K. Chen, and M. Cui. From llm to conversational agent: A memory enhanced architecture with fine- tuning of large language models.arXiv preprint arXiv:2401.02777,

  15. [15]

    L. Long, R. Wang, R. Xiao, J. Zhao, X. Ding, G.Chen,andH.Wang. Onllms-drivensynthetic data generation, curation, and evaluation: A survey. arXiv preprint arXiv:2406.15126,

  16. [16]

    URL https://arxiv.org/abs/2402.04249. M. Nasr, N. Carlini, J. Hayase, M. Jagielski, A. F. Cooper, D. Ippolito, C. A. Choquette-Choo, E. Wallace, F. Tramèr, and K. Lee. Scal- able extraction of training data from (pro- duction) language models. arXiv preprint arXiv:2311.17035,

  17. [17]

    Radharapu, K

    B. Radharapu, K. Robinson, L. Aroyo, and P. La- hoti. Aart: Ai-assistedred-teamingwithdiverse data generation for new llm-powered applica- tions. arXiv preprint arXiv:2311.08592,

  18. [18]

    G. Sahu, P. Rodriguez, I. H. Laradji, P. Atighe- hchian, D. Vazquez, and D. Bahdanau. Data augmentation for intent classification with off- the-shelf large language models.arXiv preprint arXiv:2204.01959,

  19. [19]

    Active Learning for Convolutional Neural Networks: A Core-Set Approach

    10 ShieldGemma: Generative AI Content Moderation Based on Gemma O. Sener and S. Savarese. Active learning for convolutional neural networks: A core-set approach. arXiv preprint arXiv:1708.00489,

  20. [20]

    i’m sorry to hear that

    E. M. Smith, M. Hall, M. Kambadur, E. Presani, and A. Williams. " i’m sorry to hear that": Finding new biases in language models with a holistic descriptor dataset. arXiv preprint arXiv:2205.09209,

  21. [21]

    G. Team. Gemma. 2024a. doi: 10.34740/ KAGGLE/M/3301. URL https://www.kaggle. com/m/3301. G. Team, R. Anil, S. Borgeaud, Y. Wu, J.-B. Alayrac, J. Yu, R. Soricut, J. Schalkwyk, A. M. Dai, A. Hauth, et al. Gemini: a family of highly capable multimodal models. arXiv preprint arXiv:2312.11805,

  22. [22]

    G. Team, T. Mesnard, C. Hardin, R. Dadashi, S. Bhupatiraju, S. Pathak, L. Sifre, M. Rivière, M. S. Kale, J. Love, et al. Gemma: Open mod- els based on gemini research and technology. arXiv preprint arXiv:2403.08295,