arxiv: 2604.18946 · v1 · submitted 2026-04-21 · 💻 cs.AI

Recognition: unknown

Reasoning Structure Matters for Safety Alignment of Reasoning Models

Yeonjun In , Wonjoong Kim , Sangwu Park , Chanyoung Park

Authors on Pith no claims yet

Pith reviewed 2026-05-10 02:33 UTC · model grok-4.3

classification 💻 cs.AI

keywords large reasoning modelssafety alignmentreasoning structuresupervised fine-tuningpost-trainingharmful responsesgeneralization

0 comments

The pith

Altering the reasoning structure of large reasoning models achieves effective safety alignment.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper argues that safety failures in large reasoning models stem from the way they organize their step-by-step reasoning rather than from training data or model size alone. It shows that explicitly changing this structure through a lightweight supervised fine-tuning process produces safer behavior on malicious queries. The proposed method requires only 1,000 examples and no reinforcement learning, yet it maintains performance across reasoning, question answering, summarization, and multilingual tasks. If the claim holds, safety work can shift from heavy reward engineering to targeted edits of internal reasoning patterns.

Core claim

The paper establishes that the reasoning structure itself is the root cause of harmful outputs in large reasoning models. By applying AltTrain, a supervised fine-tuning procedure on a small dataset, this structure can be altered to produce safety-aligned responses while preserving the model's core reasoning capabilities.

What carries the argument

AltTrain, a post-training supervised fine-tuning method on 1K examples that directly modifies the reasoning structure of large reasoning models.

If this is right

Safety alignment becomes possible through supervised fine-tuning alone, without reinforcement learning or reward design.
The alignment effect generalizes across different model backbones, sizes, and task domains including reasoning, QA, summarization, and multilingual settings.
A dataset of only 1,000 examples suffices to produce robust safety gains.
No specialized reward modeling is needed for effective post-training alignment.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

Reasoning structure may serve as a controllable lever for other alignment goals such as reducing hallucinations.
The same structural editing approach could be tested on models that reason over code or scientific data.
Inspecting the altered reasoning chains might yield more interpretable safety diagnostics than output-level checks alone.

Load-bearing premise

Safety risks arise primarily from the reasoning structure and a small supervised fine-tuning set can change that structure reliably without creating new failure modes.

What would settle it

Training with AltTrain changes the reasoning structure yet harmful responses persist on new malicious queries, or safety improves without any detectable change in reasoning structure.

Figures

Figures reproduced from arXiv: 2604.18946 by Chanyoung Park, Sangwu Park, Wonjoong Kim, Yeonjun In.

**Figure 2.** Figure 2: Overview of the ALTTRAIN framework. Left: Safety risks in current LRMs (R1, S1) arise from a reasoning structure that over-prioritizes task solving (P U → SR). Middle: ALTTRAIN alters the original reasoning structure to P U → HA → CR, resulting in R1-ALT or S1-ALT. Right: The ALTTRAIN-1K enables token- and data-efficient SFT to achieve safety without complex reinforcement learning training or reward design… view at source ↗

**Figure 3.** Figure 3: Comparison of average token consumption per example no further consideration is necessary for this instruction.” This template is not fixed and can be replaced with any sentence conveying the same intent; as shown in Section 6.4, model performance remains consistent across different phrasings. For benign queries, we incorporate the remainder of the R1-generated reasoning chain, excluding the first senten… view at source ↗

**Figure 4.** Figure 4: An overview figure illustrating the trade-offs [PITH_FULL_IMAGE:figures/full_fig_p006_4.png] view at source ↗

**Figure 5.** Figure 5: Trade-offs between safety and reasoning capa [PITH_FULL_IMAGE:figures/full_fig_p008_5.png] view at source ↗

**Figure 6.** Figure 6: Case studies using R1-7B (i.e., no training), SC-7B, STAR-1-7B, and [PITH_FULL_IMAGE:figures/full_fig_p016_6.png] view at source ↗

**Figure 7.** Figure 7: Failure examples from R1-ALT-7B. Instructions (a) and (b) contain harmful intent, while instruction (c) is benign [PITH_FULL_IMAGE:figures/full_fig_p016_7.png] view at source ↗

**Figure 8.** Figure 8: Prompt used in the harmfulness assessment step of our proposed reasoning structure. I need your help with classifying responses by a large language model. There are three classes of responses. 1_full_compliance. This includes any direct attempt to give an answer, regardless of how accurate or relevant the answer is. It also includes cases where the model rejects the question for not having a meaningful an… view at source ↗

**Figure 10.** Figure 10: Prompt used in the multi-turn attack evalua [PITH_FULL_IMAGE:figures/full_fig_p017_10.png] view at source ↗

read the original abstract

Large reasoning models (LRMs) achieve strong performance on complex reasoning tasks but often generate harmful responses to malicious user queries. This paper investigates the underlying cause of these safety risks and shows that the issue lies in the reasoning structure itself. Based on this insight, we claim that effective safety alignment can be achieved by altering the reasoning structure. We propose AltTrain, a simple yet effective post training method that explicitly alters the reasoning structure of LRMs. AltTrain is both practical and generalizable, requiring no complex reinforcement learning (RL) training or reward design, only supervised finetuning (SFT) with a lightweight 1K training examples. Experiments across LRM backbones and model sizes demonstrate strong safety alignment, along with robust generalization across reasoning, QA, summarization, and multilingual setting.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

The paper claims safety failures in reasoning models stem from their chain-of-thought structure and offers a 1K-example SFT method to change it, but the causal isolation looks missing.

read the letter

The main point is that safety problems in large reasoning models are tied to how they structure their reasoning steps, and a lightweight supervised fine-tuning procedure called AltTrain can realign that structure without RL or reward models. The authors test it across backbones and claim it holds up on reasoning, QA, summarization, and multilingual tasks with just 1K examples. That framing is the clearest new angle here, and the practicality stands out if the results scale. A method that avoids heavy infrastructure is worth attention for anyone deploying these models on complex queries. The work also tries to move beyond generic refusal training by targeting the internal reasoning pattern directly. On the downside, the evidence for structure as the primary driver is thin. The abstract asserts the risks lie in the reasoning structure itself, yet gives no numbers, no measurement details for what counts as structural change, and no ablation against ordinary safety SFT on the same data. Without that control, the gains could just be standard content-based alignment rather than anything specific to step ordering or refusal phrasing. The stress-test note on this point holds up from the description. Generalization claims are also hard to judge without baselines or effect sizes. This is the kind of paper that would interest people working on post-training for chain-of-thought models or lightweight alignment recipes. A reader already following LRM safety work might pick up a useful idea to test, but anyone needing tight causal evidence or reproducible numbers would want more before relying on it. I would send it to peer review because the topic is timely and the method is simple enough to evaluate quickly, even if the current version needs stronger controls and quantitative reporting.

Referee Report

3 major / 2 minor

Summary. The paper claims that safety risks in large reasoning models (LRMs) originate in their reasoning structure rather than other factors such as data content. It proposes AltTrain, a lightweight post-training method that uses supervised fine-tuning on only 1K examples to explicitly alter this structure, achieving strong safety alignment and generalization across LRM backbones, model sizes, and tasks including reasoning, QA, summarization, and multilingual settings, without requiring RL or complex reward design.

Significance. If the empirical results hold with proper controls, this would offer a practical, efficient alternative to RL-based alignment for reasoning models by targeting structure directly. The emphasis on a minimal 1K-example SFT regime is a strength for deployability, and the focus on reasoning structure could influence future alignment methods for chain-of-thought models if the causal mechanism is isolated.

major comments (3)

[Abstract and §3] Abstract and §3 (Method): The central claim that 'the issue lies in the reasoning structure itself' and that AltTrain 'explicitly alters the reasoning structure' requires an operational definition and quantitative metric for reasoning structure (e.g., step ordering, refusal phrasing patterns, or trace statistics). No such measurement or before/after comparison is described, making it impossible to verify that the 1K SFT targets structure rather than semantics.
[§4] §4 (Experiments): No ablation compares AltTrain to a standard safety SFT baseline trained on the identical 1K examples. This control is load-bearing for the causality claim, as content-based SFT on harmful-query/safe-response pairs would be expected to improve refusal rates independently of any structural intervention; without it, the attribution to reasoning structure cannot be isolated.
[§4] §4 (Experiments) and results tables: The abstract asserts 'strong safety alignment' and 'robust generalization' across backbones and tasks, yet the provided summary contains no quantitative metrics, effect sizes, or baseline comparisons (e.g., vs. vanilla SFT or RLHF). Specific numbers and statistical details are needed to assess whether gains exceed ordinary alignment and generalize beyond the training distribution.

minor comments (2)

[Abstract] The abstract would be strengthened by including at least one key quantitative result (e.g., safety score or refusal rate improvement) to allow assessment of claim strength without the full text.
Consider adding a figure or example traces showing pre- and post-AltTrain reasoning steps on the same query to illustrate the claimed structural change.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the constructive and detailed feedback. We address each major comment point by point below, providing clarifications from the manuscript and committing to revisions that strengthen the evidence for our claims about reasoning structure.

read point-by-point responses

Referee: [Abstract and §3] Abstract and §3 (Method): The central claim that 'the issue lies in the reasoning structure itself' and that AltTrain 'explicitly alters the reasoning structure' requires an operational definition and quantitative metric for reasoning structure (e.g., step ordering, refusal phrasing patterns, or trace statistics). No such measurement or before/after comparison is described, making it impossible to verify that the 1K SFT targets structure rather than semantics.

Authors: We appreciate this observation on the need for clearer operationalization. In §3, reasoning structure is defined as the sequencing and composition of intermediate steps in the model's chain-of-thought, specifically the insertion of an explicit safety evaluation step (query analysis followed by harm assessment) before response generation, as opposed to direct answer generation in standard CoT. The 1K training examples are constructed with full traces enforcing this ordering. We include qualitative before-and-after reasoning trace examples in §4 and the appendix to illustrate the change. We acknowledge that a formal quantitative metric (such as step-type frequency or trace edit distance) is not computed in the current version. We will add such metrics and statistical before/after comparisons in the revision. revision: yes
Referee: [§4] §4 (Experiments): No ablation compares AltTrain to a standard safety SFT baseline trained on the identical 1K examples. This control is load-bearing for the causality claim, as content-based SFT on harmful-query/safe-response pairs would be expected to improve refusal rates independently of any structural intervention; without it, the attribution to reasoning structure cannot be isolated.

Authors: We agree this ablation is essential for isolating the structural effect. Our current experiments compare AltTrain to base LRMs and RLHF baselines, but do not include a direct control using the same 1K examples with standard safe responses that lack the explicit reasoning structure. We will add this ablation study to the revised experiments section to strengthen the causal attribution. revision: yes
Referee: [§4] §4 (Experiments) and results tables: The abstract asserts 'strong safety alignment' and 'robust generalization' across backbones and tasks, yet the provided summary contains no quantitative metrics, effect sizes, or baseline comparisons (e.g., vs. vanilla SFT or RLHF). Specific numbers and statistical details are needed to assess whether gains exceed ordinary alignment and generalize beyond the training distribution.

Authors: The full manuscript in §4 and Tables 1-3 reports the quantitative results, including refusal rates improving from approximately 25-40% in base models to 85-95% with AltTrain across backbones, with generalization metrics of 70-90% on out-of-distribution tasks and multilingual settings, plus comparisons to RLHF where applicable. The summary provided to the referee may have omitted these details. We will revise the abstract to include key effect sizes and ensure all tables are prominently referenced. revision: yes

Circularity Check

0 steps flagged

No significant circularity; empirical intervention without self-referential derivation

full rationale

The paper's core argument rests on an empirical claim that safety risks originate in reasoning structure, addressed via the AltTrain SFT method on 1K examples. No equations, fitted parameters, or derivations appear in the abstract or description. The method is presented as a practical post-training intervention evaluated across backbones, with no reduction of outputs to inputs by construction. No self-citations, uniqueness theorems, or ansatzes are invoked as load-bearing steps. The derivation chain is self-contained as standard experimental validation rather than tautological.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The central claim depends on the domain assumption that reasoning structure is the primary driver of safety failures and that this structure can be directly modified by supervised fine-tuning on a small curated set; no free parameters or invented entities are explicitly introduced in the abstract.

axioms (1)

domain assumption Safety risks in large reasoning models originate primarily from their reasoning structure rather than response content or other factors.
This premise is stated as the result of the authors' investigation and is used to justify the design of AltTrain.

pith-pipeline@v0.9.0 · 5433 in / 1369 out tokens · 25684 ms · 2026-05-10T02:33:30.739497+00:00 · methodology

discussion (0)

Reference graph

Works this paper leans on

71 extracted references · 51 canonical work pages · 24 internal anchors

[1]

and Esmaeili, Maryam and Majdabadkohne, Rastin Mastali and Pasehvar, Morteza , booktitle=

Bahrini, Aram and Khamoshifar, Mohammadsadra and Abbasimehr, Hossein and Riggs, Robert J. and Esmaeili, Maryam and Majdabadkohne, Rastin Mastali and Pasehvar, Morteza , booktitle=. ChatGPT: Applications, Opportunities, and Threats , year=
[2]

Mistral 7B

Mistral 7B , author=. arXiv preprint arXiv:2310.06825 , year=

work page internal anchor Pith review Pith/arXiv arXiv
[3]

Gemini 1.5: Unlocking multimodal understanding across millions of tokens of context

Gemini 1.5: Unlocking multimodal understanding across millions of tokens of context , author=. arXiv preprint arXiv:2403.05530 , year=

work page internal anchor Pith review arXiv
[4]

arXiv preprint arXiv:2302.06476 , year=

Is ChatGPT a general-purpose natural language processing task solver? , author=. arXiv preprint arXiv:2302.06476 , year=

work page arXiv
[5]

Red Teaming Language Models to Reduce Harms: Methods, Scaling Behaviors, and Lessons Learned

Red teaming language models to reduce harms: Methods, scaling behaviors, and lessons learned , author=. arXiv preprint arXiv:2209.07858 , year=

work page internal anchor Pith review arXiv
[6]

Red Teaming Language Models with Language Models

Red teaming language models with language models , author=. arXiv preprint arXiv:2202.03286 , year=

work page Pith review arXiv
[7]

Red teaming

Red teaming chatgpt via jailbreaking: Bias, robustness, reliability and toxicity , author=. arXiv preprint arXiv:2301.12867 , year=

work page arXiv
[8]

GPT-4o System Card

Gpt-4o system card , author=. arXiv preprint arXiv:2410.21276 , year=

work page internal anchor Pith review Pith/arXiv arXiv
[9]

Zhao, J., Huang, J., Wu, Z., Bau, D., and Shi, W

Sorry-bench: Systematically evaluating large language model safety refusal behaviors , author=. arXiv preprint arXiv:2406.14598 , year=

work page arXiv
[10]

GPT-4 Technical Report

Gpt-4 technical report , author=. arXiv preprint arXiv:2303.08774 , year=

work page internal anchor Pith review Pith/arXiv arXiv
[11]

Anthropic API

Anthropic. Anthropic API
[12]

TogetherAI API

TogetherAI. TogetherAI API
[13]

Gemma 2: Improving Open Language Models at a Practical Size

Gemma 2: Improving open language models at a practical size , author=. arXiv preprint arXiv:2408.00118 , year=

work page internal anchor Pith review arXiv
[14]

Qwen2.5 Technical Report

Qwen2. 5 technical report , author=. arXiv preprint arXiv:2412.15115 , year=

work page internal anchor Pith review Pith/arXiv arXiv
[15]

Llama Guard: LLM-based Input-Output Safeguard for Human-AI Conversations

Llama guard: Llm-based input-output safeguard for human-ai conversations , author=. arXiv preprint arXiv:2312.06674 , year=

work page internal anchor Pith review arXiv
[16]

Claude-3.5 Model Card , volume=

Claude 3.5 sonnet model card addendum , author=. Claude-3.5 Model Card , volume=
[17]

Advances in neural information processing systems , volume=

Language models are few-shot learners , author=. Advances in neural information processing systems , volume=
[18]

Advances in neural information processing systems , volume=

Chain-of-thought prompting elicits reasoning in large language models , author=. Advances in neural information processing systems , volume=
[19]

Advances in Neural Information Processing Systems , volume=

Judging llm-as-a-judge with mt-bench and chatbot arena , author=. Advances in Neural Information Processing Systems , volume=
[20]

arXiv preprint arXiv:2502.12025 , year=

Safechain: Safety of language models with long chain-of-thought reasoning capabilities , author=. arXiv preprint arXiv:2502.12025 , year=

work page arXiv
[21]

Safety tax: Safety alignment makes your large reasoning models less reasonable

Safety tax: Safety alignment makes your large reasoning models less reasonable , author=. arXiv preprint arXiv:2503.00555 , year=

work page arXiv
[22]

XSTest: A Test Suite for Identifying Exaggerated Safety Behaviours in Large Language Models

Xstest: A test suite for identifying exaggerated safety behaviours in large language models , author=. arXiv preprint arXiv:2308.01263 , year=

work page internal anchor Pith review arXiv
[23]

How Should We Enhance the Safety of Large Reasoning Models: An Empirical Study

How Should We Enhance the Safety of Large Reasoning Models: An Empirical Study , author=. arXiv preprint arXiv:2505.15404 , year=

work page internal anchor Pith review Pith/arXiv arXiv
[24]

Bartoldson, Bhavya Kailkhura, and Cihang Xie

Star-1: Safer alignment of reasoning llms with 1k data , author=. arXiv preprint arXiv:2504.01903 , year=

work page arXiv
[25]

Deliberative alignment: Reasoning enables safer language models.arXiv preprint arXiv:2412.16339, 2024

Deliberative alignment: Reasoning enables safer language models , author=. arXiv preprint arXiv:2412.16339 , year=

work page arXiv
[26]

the most powerful open-source model to date

The hidden risks of large reasoning models: A safety assessment of r1 , author=. arXiv preprint arXiv:2502.12659 , year=

work page arXiv
[27]

Realsafe-r1: Safety-aligned deepseek-r1 without compromising reasoning capability.CoRR, abs/2504.10081, 2025

RealSafe-R1: Safety-Aligned DeepSeek-R1 without Compromising Reasoning Capability , author=. arXiv preprint arXiv:2504.10081 , year=

work page arXiv
[28]

DeepSeek-R1: Incentivizing Reasoning Capability in LLMs via Reinforcement Learning

Deepseek-r1: Incentivizing reasoning capability in llms via reinforcement learning , author=. arXiv preprint arXiv:2501.12948 , year=

work page internal anchor Pith review Pith/arXiv arXiv
[29]

Advances in Neural Information Processing Systems , volume=

Wildteaming at scale: From in-the-wild jailbreaks to (adversarially) safer language models , author=. Advances in Neural Information Processing Systems , volume=
[30]

A strongreject for empty jailbreaks

A strongreject for empty jailbreaks , author=. arXiv preprint arXiv:2402.10260 , year=

work page arXiv
[31]

s1: Simple test-time scaling

s1: Simple test-time scaling , author=. arXiv preprint arXiv:2501.19393 , year=

work page Pith review arXiv
[32]

Proceedings of the 63rd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers) , pages=

Can large language models detect errors in long chain-of-thought reasoning? , author=. Proceedings of the 63rd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers) , pages=
[33]

OpenAI o1 System Card

Openai o1 system card , author=. arXiv preprint arXiv:2412.16720 , year=

work page internal anchor Pith review Pith/arXiv arXiv
[34]

Multimodal chain-of-thought reasoning: A comprehensive survey.arXiv preprint arXiv:2503.12605, 2025

Multimodal chain-of-thought reasoning: A comprehensive survey , author=. arXiv preprint arXiv:2503.12605 , year=

work page arXiv
[35]

Safekey: Amplifying aha-moment insights for safety reasoning.CoRR, abs/2505.16186, 2025

SafeKey: Amplifying Aha-Moment Insights for Safety Reasoning , author=. arXiv preprint arXiv:2505.16186 , year=

work page arXiv
[36]

arXiv preprint arXiv:2506.12963 , year=

Reasoning Model Unlearning: Forgetting Traces, Not Just Answers, While Preserving Reasoning Skills , author=. arXiv preprint arXiv:2506.12963 , year=

work page arXiv
[37]

, year =

Higgins, E. , year =. Knowledge activation: Accessibility, applicability, and salience , journal =
[38]

Advances in Neural Information Processing Systems , volume=

Jailbreakbench: An open robustness benchmark for jailbreaking large language models , author=. Advances in Neural Information Processing Systems , volume=
[39]

Training Verifiers to Solve Math Word Problems

Training verifiers to solve math word problems , author=. arXiv preprint arXiv:2110.14168 , year=

work page internal anchor Pith review Pith/arXiv arXiv
[40]

The Twelfth International Conference on Learning Representations , year=

Let's verify step by step , author=. The Twelfth International Conference on Learning Representations , year=
[41]

Evaluating Large Language Models Trained on Code

Evaluating large language models trained on code , author=. arXiv preprint arXiv:2107.03374 , year=

work page internal anchor Pith review Pith/arXiv arXiv
[42]

arXiv preprint arXiv:2309.06657 , year=

Statistical rejection sampling improves preference optimization , author=. arXiv preprint arXiv:2309.06657 , year=

work page arXiv
[43]

Scaling LLM Test-Time Compute Optimally can be More Effective than Scaling Model Parameters

Scaling llm test-time compute optimally can be more effective than scaling model parameters , author=. arXiv preprint arXiv:2408.03314 , year=

work page internal anchor Pith review arXiv
[44]

DeepSeekMath: Pushing the Limits of Mathematical Reasoning in Open Language Models

Deepseekmath: Pushing the limits of mathematical reasoning in open language models , author=. arXiv preprint arXiv:2402.03300 , year=

work page internal anchor Pith review Pith/arXiv arXiv
[45]

Qwen3 Technical Report

Qwen3 technical report , author=. arXiv preprint arXiv:2505.09388 , year=

work page internal anchor Pith review Pith/arXiv arXiv
[46]

Kimi k1.5: Scaling Reinforcement Learning with LLMs

Kimi k1. 5: Scaling reinforcement learning with llms , author=. arXiv preprint arXiv:2501.12599 , year=

work page internal anchor Pith review arXiv
[47]

Daniel Han, Michael Han and Unsloth team , title =
[48]

arXiv preprint arXiv:2505.15214 , year=

R-tofu: Unlearning in large reasoning models , author=. arXiv preprint arXiv:2505.15214 , year=

work page arXiv
[49]

Constitutional AI: Harmlessness from AI Feedback

Constitutional ai: Harmlessness from ai feedback , author=. arXiv preprint arXiv:2212.08073 , year=

work page internal anchor Pith review Pith/arXiv arXiv
[50]

MART: improving LLM safety with multi- round automatic red-teaming

Mart: Improving llm safety with multi-round automatic red-teaming , author=. arXiv preprint arXiv:2311.07689 , year=

work page arXiv
[51]

arXiv preprint arXiv:2507.05660 , year=

TuneShield: Mitigating Toxicity in Conversational AI while Fine-tuning on Untrusted Data , author=. arXiv preprint arXiv:2507.05660 , year=

work page arXiv
[52]

arXiv preprint arXiv:2410.10014 , year=

Safety-aware fine-tuning of large language models , author=. arXiv preprint arXiv:2410.10014 , year=

work page arXiv
[53]

Is Safety Standard Same for Everyone? User-Specific Safety Evaluation of Large Language Models

In, Yeonjun and Kim, Wonjoong and Yoon, Kanghoon and Kim, Sungchul and Tanjim, Mehrab and Park, Sangwu and Kim, Kibum and Park, Chanyoung. Is Safety Standard Same for Everyone? User-Specific Safety Evaluation of Large Language Models. Findings of the Association for Computational Linguistics: EMNLP 2025. 2025. doi:10.18653/v1/2025.findings-emnlp.353

work page doi:10.18653/v1/2025.findings-emnlp.353 2025
[54]

Measuring Massive Multitask Language Understanding

Measuring massive multitask language understanding , author=. arXiv preprint arXiv:2009.03300 , year=

work page internal anchor Pith review arXiv 2009
[55]

Abstractive text summarization using sequence-to-sequence RNN s and beyond

Abstractive text summarization using sequence-to-sequence rnns and beyond , author=. arXiv preprint arXiv:1602.06023 , year=

work page arXiv
[56]

CMMLU: Measuring Massive Multitask Language Understanding in Chinese.arXiv:2306.09212, 2023a

Cmmlu: Measuring massive multitask language understanding in chinese , author=. arXiv preprint arXiv:2306.09212 , year=

work page arXiv
[57]

Universal and Transferable Adversarial Attacks on Aligned Language Models

Universal and transferable adversarial attacks on aligned language models , author=. arXiv preprint arXiv:2307.15043 , year=

work page internal anchor Pith review Pith/arXiv arXiv
[58]

2025 IEEE Conference on Secure and Trustworthy Machine Learning (SaTML) , pages=

Jailbreaking black box large language models in twenty queries , author=. 2025 IEEE Conference on Secure and Trustworthy Machine Learning (SaTML) , pages=. 2025 , organization=

2025
[59]

Advances in Neural Information Processing Systems , volume=

Jailbroken: How does llm safety training fail? , author=. Advances in Neural Information Processing Systems , volume=
[60]

Reasoning-to- defend: Safety-aware reasoning can defend large language models from jailbreaking.CoRR, abs/2502.12970, 2025

Reasoning-to-defend: Safety-aware reasoning can defend large language models from jailbreaking , author=. arXiv preprint arXiv:2502.12970 , year=

work page arXiv
[61]

arXiv preprint arXiv:2505.20087 , year=

Safety Through Reasoning: An Empirical Study of Reasoning Guardrail Models , author=. arXiv preprint arXiv:2505.20087 , year=

work page arXiv
[62]

Intention analysis makes llms a good jailbreak defender

Intention analysis makes llms a good jailbreak defender , author=. arXiv preprint arXiv:2401.06561 , year=

work page arXiv
[63]

https://aclanthology.org/ Q19-1026/

Kwiatkowski, Tom and Palomaki, Jennimaria and Redfield, Olivia and Collins, Michael and Parikh, Ankur and Alberti, Chris and Epstein, Danielle and Polosukhin, Illia and Devlin, Jacob and Lee, Kenton and Toutanova, Kristina and Jones, Llion and Kelcey, Matthew and Chang, Ming-Wei and Dai, Andrew M. and Uszkoreit, Jakob and Le, Quoc and Petrov, Slav. Natura...

work page doi:10.1162/tacl_a_00276 2019
[64]

Proceedings of the 43rd International ACM SIGIR conference on research and development in Information Retrieval , pages=

Colbert: Efficient and effective passage search via contextualized late interaction over bert , author=. Proceedings of the 43rd International ACM SIGIR conference on research and development in Information Retrieval , pages=
[65]

Sentence-BERT: Sentence Embeddings using Siamese BERT-Networks

Sentence-bert: Sentence embeddings using siamese bert-networks , author=. arXiv preprint arXiv:1908.10084 , year=

work page internal anchor Pith review arXiv 1908
[66]

Diversify-verify-adapt: Efficient and robust retrieval-augmented ambiguous question answering , author=. Proceedings of the 2025 Conference of the Nations of the Americas Chapter of the Association for Computational Linguistics: Human Language Technologies (Volume 1: Long Papers) , pages=

2025
[67]

Proceedings of the 2023 Conference on Empirical Methods in Natural Language Processing , pages=

Tree of clarifications: Answering ambiguous questions with retrieval-augmented large language models , author=. Proceedings of the 2023 Conference on Empirical Methods in Natural Language Processing , pages=

2023
[68]

34th USENIX Security Symposium (USENIX Security 25) , pages=

Great, now write an article about that: The crescendo \ Multi-Turn \ \ LLM \ jailbreak attack , author=. 34th USENIX Security Symposium (USENIX Security 25) , pages=
[69]

Training Large Language Models to Reason in a Continuous Latent Space

Training large language models to reason in a continuous latent space , author=. arXiv preprint arXiv:2412.06769 , year=

work page internal anchor Pith review arXiv
[70]

Llama 2: Open Foundation and Fine-Tuned Chat Models

Llama 2: Open foundation and fine-tuned chat models , author=. arXiv preprint arXiv:2307.09288 , year=

work page internal anchor Pith review Pith/arXiv arXiv
[71]

Advances in Neural Information Processing Systems , volume=

Beavertails: Towards improved safety alignment of llm via a human-preference dataset , author=. Advances in Neural Information Processing Systems , volume=