GPQA Diamond<\/a>, a benchmark which measures PhD-level concepts in biology, chemistry, and physics, model performance dropped from 74% to as low as 32% when some jailbreaking approaches were used. But performance varied depending on the type of jailbreak, and this variability is concerning\u2014it suggests attackers can likely develop previously unidentified strategies which could achieve their goals while preserving even more of the model’s capabilities.<\/p>\nNew approaches<\/p>\n
In designing a new system, we tested and ultimately combined a variety of techniques into what we describe as an ensemble defense.<\/p>\n
One insight was that part of the original system\u2019s vulnerability stemmed from the way it evaluated model inputs and outputs separately when the jailbreaking techniques involved linking them in surreptitious ways. An output that appears benign in isolation (\u201chow to use food flavorings\u201d) is more easily identified as harmful when paired with its input (in a jailbreak where \u201cfood flavorings\u201d is used as code for chemical reagents).<\/p>\n
To address this, we replaced the separate input and output classifiers with a single \u201cexchange\u201d classifier, which monitors outputs in the context of their inputs. With the ability to see both sides of the conversation, the classifiers are better able to recognize harmful outputs. In human red teaming, the exchange classifier cut successful jailbreaking attempts by more than half. Unfortunately, this came at the cost of a 50% increase in compute.<\/p>\n
To reduce these costs while maintaining robustness, we implemented what we call a “cascade architecture.” Our solution was a two-stage system. First, a lightweight, less costly first-stage classifier screens all exchanges. Only those it flags proceed to a more accurate (and more computationally expensive) second-stage classifier.<\/p>\n
This had two benefits. First, because flagged exchanges are escalated to the more powerful model, rather than refused, the first-stage classifier can afford a higher false-positive rate and not frustrate the user with refusals. Where the previous system may have declined to respond to a benign request, the new system, in effect, escalates it to a manager. Second, because the lightweight classifier handles the vast majority of conversations, the two-stage system is much cheaper to run.<\/p>\n
Still, we wanted to push efficiency even further. We did so by developing internal probe classifiers\u2014a technique that builds on our interpretability research\u2014that reuse computations already available in the model\u2019s neural network.<\/p>\n
When a model generates text, it produces internal states at each step that capture its understanding of the input and output so far. When Claude processes a dubious-seeming request, patterns fire in its internal activations that reflect something along the lines of “this seems harmful,\u201d even before it has formulated a response or made a conscious decision about what to do. Normally, these activations are intermediate computations\u2014used, then discarded. We found ways to reliably probe whether these internal states suggest harmful content, getting more information\u2014think of it like Claude\u2019s gut intuitions\u2014almost for free.<\/p>\n
In addition to being computationally inexpensive, these internal probes add several layers of protection. First, they\u2019re harder to fool. An attacker can craft inputs that trick Claude’s final output, but it’s much harder to manipulate its internal representations. Second, we found in testing that they\u2019re actually complementary to our external classifiers: the probe appears to see things the external classifier can\u2019t, and vice versa.<\/p>\n
Conclusions and further research<\/p>\n
Our final production-grade system combines these techniques: a linear probe screens all traffic, escalating flagged exchanges to a probe-classifier ensemble for final judgment. This ensemble further improves performance: in one month of deployment on Claude Sonnet 4.5 traffic, the system achieved a refusal rate of 0.05% on harmless queries\u2014an 87% drop from the original classifiers system. In total, it adds roughly 1% compute overhead if applied to Claude Opus 4.0 traffic. <\/p>\n
It\u2019s also substantially more robust. We conducted over 1,700 cumulative hours of red-teaming across 198,000 attempts. We discovered only one high-risk vulnerability, which corresponds to a detection rate of 0.005 per thousand queries\u2014the lowest of any of the techniques we have evaluated to date. And crucially, no red-teamer has yet discovered a universal jailbreak.<\/p>\n
There\u2019s even more we could do in the future to improve our system. Several research directions show promise, including integrating classifier signals directly into how models generate responses, and training models themselves to better resist obfuscation. Automated red-teaming could also help generate better training data, and creating targeted examples could help the classifiers learn exactly where the boundary between allowed and disallowed content lies, increasing their accuracy even further.<\/p>\n
For more details about the Constitutional Classifiers++ method, see the full paper.<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"Large language models remain vulnerable to jailbreaks\u2014techniques that can circumvent safety guardrails and elicit harmful information. Over time,…\n","protected":false},"author":2,"featured_media":232675,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[345,343,344,85,46,125],"class_list":{"0":"post-232674","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-artificial-intelligence","8":"tag-ai","9":"tag-artificial-intelligence","10":"tag-artificialintelligence","11":"tag-il","12":"tag-israel","13":"tag-technology"},"_links":{"self":[{"href":"https:\/\/www.newsbeep.com\/il\/wp-json\/wp\/v2\/posts\/232674","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.newsbeep.com\/il\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.newsbeep.com\/il\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/il\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/il\/wp-json\/wp\/v2\/comments?post=232674"}],"version-history":[{"count":0,"href":"https:\/\/www.newsbeep.com\/il\/wp-json\/wp\/v2\/posts\/232674\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.newsbeep.com\/il\/wp-json\/wp\/v2\/media\/232675"}],"wp:attachment":[{"href":"https:\/\/www.newsbeep.com\/il\/wp-json\/wp\/v2\/media?parent=232674"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.newsbeep.com\/il\/wp-json\/wp\/v2\/categories?post=232674"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.newsbeep.com\/il\/wp-json\/wp\/v2\/tags?post=232674"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![](\"https:\/\/www.newsbeep.com\/il\/wp-content\/uploads\/2026\/01\/1768140320_846_image.png\"\/)
<\/p>\n