EPS
← All batches·2605.11664

Safety Context Injection: Inference-Time Safety Alignment via Static Filtering and Agentic Analysis

topic: general_safetytop score: 100released: 2026-05-13first surfaced: 2026-05-13arXivPDFthreats2026-05-13

Authors: Zhenhao Xu, Wenhan Chang, Yichuan Chen et al.

arXiv · PDF

Summary

The authors propose Safety Context Injection (SCI), an inference-time safety framework for black-box reasoning models where you can't modify weights. SCI separates safety assessment from generation: an external module produces a structured risk report (the "safety context"), which is prepended to the user's prompt for the protected model. Two variants are offered—Static Model Filtering (SMF) for fast one-pass guarding, and Dynamic Agents Filtering (DAF), an iterative agentic loop that gathers and synthesizes evidence for ambiguous or long-context jailbreaks. Both variants reduce attack success rate and toxicity on AdvBench and GPTFuzz across base and reasoning models under five jailbreak families.

Main takeaways:

  • Addresses the "thinking–output gap" where a reasoning model appears cautious during chain-of-thought but still emits an unsafe final answer
  • Static Model Filtering (SMF) is a lightweight one-pass guard for low-latency deployment
  • Dynamic Agents Filtering (DAF) uses an agentic loop to iteratively gather evidence, effective when harmful intent is disguised or dispersed across long contexts
  • Evaluated on AdvBench and GPTFuzz under five jailbreak families (base and reasoning models); both variants lower attack success rate and toxicity
  • Operates at inference time in black-box settings, injecting an external safety report as context rather than retraining

Relevance

Connects to my conditional-behavior and persona work: SCI's "safety context injection" is mechanically similar to prepending a persona system prompt, and the thinking–output gap mirrors my interest in whether behavior is prompt-based or internalized. DAF's agentic evidence-gathering is also conceptually close to multi-turn persona transfer.

Threat model

Potential threat/caveat for clean result "Fine-tuning one persona on a two-marker chunk and another on the start marker plants the end marker at every donor answer's end, not chained to the start (LOW confidence)": this item discusses adversarial.

Abstract

arXiv:2605.11664v1 Announce Type: new Abstract: Large Reasoning Models (LRMs) improve performance on complex tasks, but they also make safety control harder at deployment time. In black-box settings, defenders cannot modify model weights and must instead intervene at inference time. This setting creates three practical challenges: harmful intent may be hidden by educational or role-play framing, deep safety analysis can introduce non-trivial latency, and long adversarial contexts can dilute the local cues that simpler filters rely on. These challenges can expose an apparent thinking--output gap, where the model appears cautious during reasoning but still produces an unsafe final answer. To address this problem, we propose Safety Context Injection (SCI), an inference-time framework that separates safety assessment from task generation and prepends a structured external risk report as injected safety context for the protected model. The framework is instantiated in two complementary variants: Static Model Filtering (SMF), a lightweight one-pass guard for fast deployment, and Dynamic Agents Filtering (DAF), an agentic-loop-based analyzer that iteratively gathers and synthesizes evidence for ambiguous or long-context attacks. Across AdvBench and GPTFuzz, spanning base and reasoning models under five jailbreak families, both variants reduce attack success rate and toxicity in the evaluated settings. SMF offers an efficient low-latency option, while DAF is more effective when harmful intent is semantically disguised or dispersed across long contexts.