GAVEL: Towards rule-based safety through activation monitoring
Shir Rozenfeld, Rahul Pankajakshan, Itay Zloczower, Eyal Lenga, Gilad Gressel, Yisroel Mirsky
TL;DR
The paper tackles the brittleness of surface-text safety by introducing GAVEL, a rule-based activation safety framework that decomposes model behavior into Cognitive Elements (CEs) and enforces safety through Boolean predicates over CE activations. By separating CE detection (via a multi-label detector trained on per-CE excitation datasets) from policy specifications (shared, human-readable rules), GAVEL achieves high precision, domain customization, and auditability without retraining models. It demonstrates strong empirical performance across nine misuse categories with ROC-AUCs near 1.0 and minimal false positives, while showing cross-model, cross-language robustness and real-time efficiency. The work also provides automated CE and rule-generation tooling to facilitate community-driven development and governance, positioning activation safety as modular, auditable, and scalable for practical AI governance.
Abstract
Large language models (LLMs) are increasingly paired with activation-based monitoring to detect and prevent harmful behaviors that may not be apparent at the surface-text level. However, existing activation safety approaches, trained on broad misuse datasets, struggle with poor precision, limited flexibility, and lack of interpretability. This paper introduces a new paradigm: rule-based activation safety, inspired by rule-sharing practices in cybersecurity. We propose modeling activations as cognitive elements (CEs), fine-grained, interpretable factors such as ''making a threat'' and ''payment processing'', that can be composed to capture nuanced, domain-specific behaviors with higher precision. Building on this representation, we present a practical framework that defines predicate rules over CEs and detects violations in real time. This enables practitioners to configure and update safeguards without retraining models or detectors, while supporting transparency and auditability. Our results show that compositional rule-based activation safety improves precision, supports domain customization, and lays the groundwork for scalable, interpretable, and auditable AI governance. We will release GAVEL as an open-source framework and provide an accompanying automated rule creation tool.
