English

The Structural Safety Generalization Problem

Cryptography and Security 2025-06-03 v2 Artificial Intelligence Computer Vision and Pattern Recognition

Abstract

LLM jailbreaks are a widespread safety challenge. Given this problem has not yet been tractable, we suggest targeting a key failure mechanism: the failure of safety to generalize across semantically equivalent inputs. We further focus the target by requiring desirable tractability properties of attacks to study: explainability, transferability between models, and transferability between goals. We perform red-teaming within this framework by uncovering new vulnerabilities to multi-turn, multi-image, and translation-based attacks. These attacks are semantically equivalent by our design to their single-turn, single-image, or untranslated counterparts, enabling systematic comparisons; we show that the different structures yield different safety outcomes. We then demonstrate the potential for this framework to enable new defenses by proposing a Structure Rewriting Guardrail, which converts an input to a structure more conducive to safety assessment. This guardrail significantly improves refusal of harmful inputs, without over-refusing benign ones. Thus, by framing this intermediate challenge - more tractable than universal defenses but essential for long-term safety - we highlight a critical milestone for AI safety research.

Keywords

Cite

@article{arxiv.2504.09712,
  title  = {The Structural Safety Generalization Problem},
  author = {Julius Broomfield and Tom Gibbs and Ethan Kosak-Hine and George Ingebretsen and Tia Nasir and Jason Zhang and Reihaneh Iranmanesh and Sara Pieri and Reihaneh Rabbany and Kellin Pelrine},
  journal= {arXiv preprint arXiv:2504.09712},
  year   = {2025}
}
R2 v1 2026-06-28T22:56:52.306Z