Table of Contents
Fetching ...

SafeThinker: Reasoning about Risk to Deepen Safety Beyond Shallow Alignment

Xianya Fang, Xianying Luo, Yadong Wang, Xiang Chen, Yu Tian, Zequn Sun, Rui Liu, Jun Fang, Naiqiang Tan, Yuanning Cui, Sheng-Jun Huang

TL;DR

SafeThinker tackles shallow safety alignment in LLMs by introducing a risk-aware gateway that triages inputs into Benign, Harmful, or Uncertain and routes them through three defenses: a standardized refusal, a Safety-Aware Twin Expert (SATE), and a Distribution-Guided Think (DDGT). It combines a lightweight risk classifier, a twin-safe expert, and a dynamic decoding strategy to preserve utility while extending safety across the generation trajectory; the gateway uses $p_{\text{harm}}$ and $p_{\text{safe}}$ with a threshold $\delta$ to assign inputs to High-, Low-, or Uncertain-Risk paths. Empirical results across two strong LLMs show substantial reductions in Attack Success Rate (ASR) against jailbreaks and prefilling with minimal utility loss, and scalability to larger models, indicating a practical, deployable path toward robust adaptive safety. The work highlights the value of coordinating intrinsic judgment throughout generation and suggests future directions for multi-turn and multimodal safety in complex AI systems.

Abstract

Despite the intrinsic risk-awareness of Large Language Models (LLMs), current defenses often result in shallow safety alignment, rendering models vulnerable to disguised attacks (e.g., prefilling) while degrading utility. To bridge this gap, we propose SafeThinker, an adaptive framework that dynamically allocates defensive resources via a lightweight gateway classifier. Based on the gateway's risk assessment, inputs are routed through three distinct mechanisms: (i) a Standardized Refusal Mechanism for explicit threats to maximize efficiency; (ii) a Safety-Aware Twin Expert (SATE) module to intercept deceptive attacks masquerading as benign queries; and (iii) a Distribution-Guided Think (DDGT) component that adaptively intervenes during uncertain generation. Experiments show that SafeThinker significantly lowers attack success rates across diverse jailbreak strategies without compromising utility, demonstrating that coordinating intrinsic judgment throughout the generation process effectively balances robustness and practicality.

SafeThinker: Reasoning about Risk to Deepen Safety Beyond Shallow Alignment

TL;DR

SafeThinker tackles shallow safety alignment in LLMs by introducing a risk-aware gateway that triages inputs into Benign, Harmful, or Uncertain and routes them through three defenses: a standardized refusal, a Safety-Aware Twin Expert (SATE), and a Distribution-Guided Think (DDGT). It combines a lightweight risk classifier, a twin-safe expert, and a dynamic decoding strategy to preserve utility while extending safety across the generation trajectory; the gateway uses and with a threshold to assign inputs to High-, Low-, or Uncertain-Risk paths. Empirical results across two strong LLMs show substantial reductions in Attack Success Rate (ASR) against jailbreaks and prefilling with minimal utility loss, and scalability to larger models, indicating a practical, deployable path toward robust adaptive safety. The work highlights the value of coordinating intrinsic judgment throughout generation and suggests future directions for multi-turn and multimodal safety in complex AI systems.

Abstract

Despite the intrinsic risk-awareness of Large Language Models (LLMs), current defenses often result in shallow safety alignment, rendering models vulnerable to disguised attacks (e.g., prefilling) while degrading utility. To bridge this gap, we propose SafeThinker, an adaptive framework that dynamically allocates defensive resources via a lightweight gateway classifier. Based on the gateway's risk assessment, inputs are routed through three distinct mechanisms: (i) a Standardized Refusal Mechanism for explicit threats to maximize efficiency; (ii) a Safety-Aware Twin Expert (SATE) module to intercept deceptive attacks masquerading as benign queries; and (iii) a Distribution-Guided Think (DDGT) component that adaptively intervenes during uncertain generation. Experiments show that SafeThinker significantly lowers attack success rates across diverse jailbreak strategies without compromising utility, demonstrating that coordinating intrinsic judgment throughout the generation process effectively balances robustness and practicality.
Paper Structure (46 sections, 3 equations, 5 figures, 5 tables)

This paper contains 46 sections, 3 equations, 5 figures, 5 tables.

Figures (5)

  • Figure 1: Jailbreak vulnerabilities in aligned LLMs. (a) Adversarially rephrased inputs bypass shallow alignment. (b) Classification distribution across four distinct input types.
  • Figure 2: The architecture of SafeThinker. The Gateway for Query Risk Reasoning first analyzes each query, routing it to one of three paths: High-Risk Path for immediate refusal, Low-Risk Path for robust generation, and Uncertain-Risk Path for dynamic safety control.
  • Figure 3: Case Study of Decoding via Distribution-Guided Think (DDGT).
  • Figure 4: Robustness under prefilling attacks with varying prefix lengths.
  • Figure 5: Efficiency analysis on Llama-3 (L) and Qwen2.5 (Q) normalized to the No Defense baseline ($1.0\times$). (a) Generation speed (s/token Ratio) and (b) end-to-end latency (Total Time Ratio) demonstrate that SafeThinker imposes negligible overhead across GSM8K and SQL tasks compared to the baseline.