arxiv: 2605.07982 · v1 · submitted 2026-05-08 · 💻 cs.CL · cs.CR

Recognition: no theorem link

GLiGuard: Schema-Conditioned Classification for LLM Safeguard

Urchade Zaratiana , Mary Newhauser , George Hurn-Maloney , Ash Lewis

Authors on Pith no claims yet

Pith reviewed 2026-05-11 03:15 UTC · model grok-4.3

classification 💻 cs.CL cs.CR

keywords LLM safetycontent moderationbidirectional encoderschema conditioningguardrail modelsjailbreak detectionmulti-aspect classificationefficient inference

0 comments

The pith

A 0.3B bidirectional encoder performs multi-aspect LLM safety classification by embedding task definitions and labels as input schemas, matching larger decoder models in accuracy with far lower latency.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents GLiGuard as a compact alternative to large autoregressive guard models for checking LLM outputs against safety policies. It encodes definitions of tasks like prompt safety, response safety, harm categories, and jailbreak strategies directly as structured token schemas in the input sequence. A single non-autoregressive forward pass through the bidirectional encoder then produces classifications for all supported aspects at once. This design supports composing new task and label combinations at inference time without retraining. On nine safety benchmarks the model reaches F1 scores close to those of 7B-27B decoder guards while running up to 16 times faster with 17 times lower latency.

Core claim

GLiGuard adapts a 0.3B-parameter bidirectional encoder for schema-conditioned classification of LLM content. Task definitions and label semantics are supplied as structured token schemas inside the input sequence, allowing simultaneous evaluation of prompt safety, response safety, refusal detection, 14 harm categories, and 11 jailbreak strategies in one forward pass. The same model supports arbitrary combinations of these tasks and labels at inference without task-specific fine-tuning. Across nine established safety benchmarks it delivers F1 scores competitive with decoder-based guards 23-90 times larger, while achieving up to 16 times higher throughput and 17 times lower latency.

What carries the argument

Schema-conditioned bidirectional encoder that receives task definitions and label semantics as structured token schemas in the input sequence to perform simultaneous multi-label classification without autoregressive generation.

If this is right

Different safety tasks and label sets can be assembled directly in the input schema at inference time without retraining or separate models.
Real-time moderation of multiple safety aspects becomes feasible at scale because inference cost scales with model size rather than with sequential generation length.
Deployment of custom or evolving safety policies requires only updates to the input schema rather than new model training for each policy change.
The approach shows that bidirectional encoders can handle the classification reformulation of safety guard tasks without the latency penalty of text generation.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

Production systems could maintain separate lightweight GLiGuard instances for different policy regimes rather than a single large guard model.
The schema format may allow rapid prototyping of safety checks for emerging harm types by writing new label blocks instead of collecting new training data.
Similar schema conditioning could be tested on other classification-heavy tasks such as multi-label topic detection or policy violation checks in non-LLM domains.

Load-bearing premise

Encoding task definitions and label semantics as structured token schemas in a single bidirectional pass preserves accuracy across diverse safety dimensions without autoregressive generation or per-schema fine-tuning.

What would settle it

A substantial drop in F1 scores on a new safety benchmark that introduces label compositions or harm categories absent from the schemas used during training or evaluation.

Figures

Figures reproduced from arXiv: 2605.07982 by Ash Lewis, George Hurn-Maloney, Mary Newhauser, Urchade Zaratiana.

**Figure 1.** Figure 1: GLiGuard multi-task moderation overview. Given a text (prompt or response) and a user-specified task schema, GLiGuard produces predictions for all selected tasks in a single forward pass. We introduce GLiGuard, a schema-conditioned bidirectional encoder for LLM content moderation adapted from GLiNER2 (Zaratiana et al., 2025). GLiGuard frames guardrailing as a multi-aspect classification problem: given an i… view at source ↗

**Figure 2.** Figure 2: Moderation task overview. GLiGuard addresses four moderation tasks covering the full safety lifecycle of an LLM interaction. Each task can be deployed independently or composed into a unified schema for joint evaluation. Task 1: Safety Classification. Binary classification of whether a text is safe or unsafe, applicable to both user prompts (pregeneration) and model responses (postgeneration); Ysafety… view at source ↗

**Figure 3.** Figure 3: GLiGuard architecture. It jointly encodes a linearized task-label schema with the input text, then scores each label via a shared MLP classifier to perform multi-task safety classification in a single pass. where L is the total sequence length (schema tokens + text tokens) and d is the hidden dimension. The token embedding table is resized to accommodate the added special tokens. The key advantage over cau… view at source ↗

**Figure 4.** Figure 4: Scale versus avg. F1. 0.3 1 3 7 12 27 Parameters (B) 65 70 75 80 85 Avg. F1 23–90× fewer params Latency and throughput [PITH_FULL_IMAGE:figures/full_fig_p008_4.png] view at source ↗

read the original abstract

Ensuring safe, policy-compliant outputs from large language models requires real-time content moderation that can scale across multiple safety dimensions. However, state-of-the-art guardrail models rely on autoregressive decoders with 7B--27B parameters, reformulating what is fundamentally a classification problem as sequential text generation, a design choice that incurs high latency and scales poorly to multi-aspect evaluation. In this work, we introduce \textbf{GLiGuard}, a 0.3B-parameter schema-conditioned bidirectional encoder adapted from GLiNER2 for LLM content moderation. The key idea is to encode task definitions and label semantics directly into the input sequence as structured token schemas, enabling simultaneous evaluation of prompt safety, response safety, refusal detection, 14 fine-grained harm categories, and 11 jailbreak strategies in a single non-autoregressive forward pass. This schema-conditioned design lets supported task and label blocks be composed directly in the input schema at inference time. Across nine established safety benchmarks, GLiGuard achieves F1 scores competitive with 7B--27B decoder-based guards despite being 23--90$\times$ smaller, while delivering up to 16$\times$ higher throughput and 17$\times$ lower latency. These results suggest that compact bidirectional encoders can approach the accuracy of much larger guard models while drastically reducing inference cost. Code and models are available at https://github.com/fastino-ai/GLiGuard.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

GLiGuard shows a 0.3B bidirectional encoder with schema inputs can match larger decoder guards on safety F1 while cutting latency and size sharply, but the compositionality claim needs more tests.

read the letter

GLiGuard takes a compact bidirectional encoder derived from GLiNER2 and feeds it structured schemas that define tasks and labels on the fly. This lets one forward pass cover prompt safety, response safety, refusal, 14 harm types, and 11 jailbreak patterns without autoregressive generation. The headline result is competitive F1 across nine benchmarks at 23-90x smaller size and up to 16x higher throughput. That efficiency story is the main practical takeaway if the numbers hold.

Referee Report

3 major / 3 minor

Summary. The paper introduces GLiGuard, a 0.3B-parameter schema-conditioned bidirectional encoder adapted from GLiNER2 for LLM content moderation. Task definitions and label semantics for prompt/response safety, 14 harm categories, and 11 jailbreak strategies are encoded directly as structured token schemas in the input, enabling simultaneous multi-aspect classification in a single non-autoregressive forward pass. The central empirical claim is that this model achieves F1 scores competitive with 7B–27B decoder-based guard models across nine established safety benchmarks while providing up to 16× higher throughput and 17× lower latency.

Significance. If the performance and generalization claims hold under rigorous validation, the work would be significant for scalable LLM safety infrastructure. It demonstrates that compact bidirectional encoders can approach the accuracy of much larger autoregressive models on classification-style safety tasks while delivering substantial inference efficiency gains, and the schema-conditioning mechanism offers a flexible way to compose safety dimensions without per-task fine-tuning. The open release of code and models further strengthens its potential impact.

major comments (3)

[§5] §5 (Experiments): The headline claim of competitive F1 scores on nine benchmarks provides no details on training data composition, evaluation splits, baseline re-implementations, statistical significance tests, or error analysis, leaving the central performance comparison only weakly supported and difficult to reproduce or interpret.
[§4.3] §4.3 (Schema conditioning): The assertion that arbitrary combinations of task and label blocks can be assembled at inference time and evaluated accurately relies on an untested generalization assumption; no held-out composition ablations, schema-variation experiments, or analysis of training schema distributions are reported, so it is unclear whether the encoder treats schema tokens modularly or exploits spurious co-occurrences.
[§3] §3 (Model architecture): The adaptation from GLiNER2 is described at a high level, but the precise modifications to the bidirectional encoder for safety-specific schema tokens, loss formulation, and how label semantics are tokenized are not specified, making it impossible to assess whether the efficiency gains come at the cost of reduced representational capacity for fine-grained harms.

minor comments (3)

[Abstract / §1] The abstract and §1 cite nine benchmarks but do not list them explicitly or provide a table summarizing per-benchmark F1 scores against each baseline; adding this would improve clarity.
[§4] Notation for schema blocks (e.g., how prompt-safety, harm categories, and jailbreak strategies are delimited in the input sequence) is introduced informally; a formal definition or example input schema would reduce ambiguity.
[§5] The efficiency numbers (16× throughput, 17× latency) are stated without specifying the hardware, batch size, or sequence length used for measurement; these details are needed for fair comparison.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for their constructive and detailed comments on our manuscript. We address each major comment point by point below, outlining the specific revisions we will incorporate to improve clarity, reproducibility, and empirical support.

read point-by-point responses

Referee: [§5] §5 (Experiments): The headline claim of competitive F1 scores on nine benchmarks provides no details on training data composition, evaluation splits, baseline re-implementations, statistical significance tests, or error analysis, leaving the central performance comparison only weakly supported and difficult to reproduce or interpret.

Authors: We agree that greater transparency in the experimental section is warranted to support the central claims. In the revised manuscript, we will expand §5 with: (1) full details on training data composition, including dataset sources, sizes, and how multi-aspect labels were combined; (2) explicit evaluation splits and their alignment with prior benchmarks; (3) descriptions of baseline re-implementations or usage of official code, along with key hyperparameters; (4) statistical significance tests (e.g., bootstrap resampling or McNemar's test) for F1 comparisons; and (5) an error analysis subsection covering common failure cases across harm categories. These additions will be placed in the main text and appendix to enhance reproducibility. revision: yes
Referee: [§4.3] §4.3 (Schema conditioning): The assertion that arbitrary combinations of task and label blocks can be assembled at inference time and evaluated accurately relies on an untested generalization assumption; no held-out composition ablations, schema-variation experiments, or analysis of training schema distributions are reported, so it is unclear whether the encoder treats schema tokens modularly or exploits spurious co-occurrences.

Authors: The referee rightly notes that additional validation would strengthen the generalization claims for schema composition. While the architecture is designed for modular assembly, we did not previously report targeted ablations. In the revision, we will add experiments in §4.3 or an appendix that include: held-out composition tests (training on subsets of schema blocks and evaluating on unseen combinations), schema-variation experiments, and an analysis of schema distributions in the training data. These results will demonstrate whether the model processes schema tokens modularly or relies on co-occurrence patterns. revision: yes
Referee: [§3] §3 (Model architecture): The adaptation from GLiNER2 is described at a high level, but the precise modifications to the bidirectional encoder for safety-specific schema tokens, loss formulation, and how label semantics are tokenized are not specified, making it impossible to assess whether the efficiency gains come at the cost of reduced representational capacity for fine-grained harms.

Authors: We acknowledge that the high-level description of the GLiNER2 adaptation limits assessment of the modifications. In the revised §3, we will provide precise details on: the changes to the bidirectional encoder for safety-specific schema tokens (including special token additions and embedding); the loss formulation (multi-label classification objective with any weighting); and the tokenization of label semantics (how task definitions, harm categories, and jailbreak strategies are structured in the input). This expanded description will clarify the balance between efficiency and capacity for fine-grained safety tasks. revision: yes

Circularity Check

0 steps flagged

No circularity: empirical benchmark results with no derivation reducing to inputs by construction

full rationale

The paper introduces GLiGuard as an adaptation of GLiNER2 for schema-conditioned classification and reports empirical F1 scores, throughput, and latency on nine safety benchmarks. No equations, first-principles derivations, or predictions are claimed; performance is presented as measured outcomes of training and evaluation. The schema-conditioning approach is described as enabling composition at inference without per-task fine-tuning, but this is an architectural claim supported by the experimental results rather than a self-referential definition or fitted input renamed as prediction. No self-citation load-bearing, uniqueness theorems, or ansatz smuggling appear in the provided text. The central claims rest on external benchmark comparisons and are self-contained against those benchmarks.

Axiom & Free-Parameter Ledger

1 free parameters · 1 axioms · 0 invented entities

The approach adapts an existing bidirectional encoder (GLiNER2) and relies on standard transformer assumptions plus the domain assumption that structured schemas can be effectively encoded for classification; no new physical entities are introduced.

free parameters (1)

0.3B model size
Chosen architecture scale to achieve efficiency; specific hyperparameter values for training are not detailed in the abstract.

axioms (1)

domain assumption Bidirectional self-attention over schema tokens suffices to capture label semantics for safety classification
Invoked by the adaptation of GLiNER2 to the guardrail setting without additional justification in the abstract.

pith-pipeline@v0.9.0 · 5564 in / 1307 out tokens · 37605 ms · 2026-05-11T03:15:25.546352+00:00 · methodology

discussion (0)

Forward citations

Cited by 1 Pith paper

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

GLiNER2-PII: A Multilingual Model for Personally Identifiable Information Extraction
cs.CL 2026-05 unverdicted novelty 4.0

GLiNER2-PII achieves the highest span-level F1 on the SPY benchmark by fine-tuning a small GLiNER2 model on a 4,910-example multilingual synthetic PII corpus.

Reference graph

Works this paper leans on

38 extracted references · 38 canonical work pages · cited by 1 Pith paper · 4 internal anchors

[1]

Hale, and Paul Röttger

SimpleSafetyTests: a Test Suite for Identifying Critical Safety Risks in Large Language Models , author =. 2311.08370 , archiveprefix =

work page arXiv
[2]

AEGIS2.0: A diverse ai safety dataset and risks taxonomy for alignment of llm guardrails

Aegis2.0: A Diverse AI Safety Dataset and Risks Taxonomy for Alignment of LLM Guardrails , author =. 2501.09004 , archiveprefix =

work page arXiv
[3]

HarmBench: A Standardized Evaluation Framework for Automated Red Teaming and Robust Refusal

HarmBench: A Standardized Evaluation Framework for Automated Red Teaming and Robust Refusal , author =. 2402.04249 , archiveprefix =

work page internal anchor Pith review arXiv
[4]

Wildguard: Open one-stop moderation tools for safety risks, jailbreaks, and refusals of llms.arXiv preprint arXiv:2406.18495, 2024

WildGuard: Open One-Stop Moderation Tools for Safety Risks, Jailbreaks, and Refusals of LLMs , author =. 2406.18495 , archiveprefix =

work page arXiv
[5]

arXiv preprint arXiv:2406.15513 , year=

PKU-SafeRLHF: Towards Multi-Level Safety Alignment for LLMs with Human Preference , author =. 2406.15513 , archiveprefix =

work page arXiv
[6]

arXiv preprint arXiv:2307.04657 , year =

BeaverTails: Towards Improved Safety Alignment of LLM via a Human-Preference Dataset , author =. 2307.04657 , archiveprefix =

work page arXiv
[7]

XSTest: A Test Suite for Identifying Exaggerated Safety Behaviours in Large Language Models

XSTest: A Test Suite for Identifying Exaggerated Safety Behaviours in Large Language Models , author =. 2308.01263 , archiveprefix =

work page internal anchor Pith review arXiv
[8]

PolyGuard: A multilingual safety moderation tool for 17 languages.arXiv preprint arXiv:2504.04377, 2025

PolyGuard: A Multilingual Safety Moderation Tool for 17 Languages , author =. 2504.04377 , archiveprefix =

work page arXiv
[9]

arXiv preprint arXiv:2407.21772 , year=

ShieldGemma: Generative AI Content Moderation Based on Gemma , author =. 2407.21772 , archiveprefix =

work page arXiv
[10]

Llama Guard: LLM-based Input-Output Safeguard for Human-AI Conversations

Llama Guard: LLM-based Input-Output Safeguard for Human-AI Conversations , author =. CoRR , volume =. doi:10.48550/ARXIV.2312.06674 , url =

work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2312.06674
[11]

Llama-3.1-NemoGuard-8B-ContentSafety , author =

work page
[12]

Qwen3Guard Technical Report

Qwen3Guard Technical Report , author =. 2510.14276 , archiveprefix =

work page internal anchor Pith review arXiv
[13]

Proceedings of the AAAI Conference on Artificial Intelligence , url =

A Holistic Approach to Undesired Content Detection in the Real World , author =. Proceedings of the AAAI Conference on Artificial Intelligence , url =

work page
[14]

Introducing GPT-4.1 in the API , author =

work page
[15]

Devlin, Jacob and Chang, Ming-Wei and Lee, Kenton and Toutanova, Kristina , year = 2018, journal =

work page 2018
[16]

He, Pengcheng and Gao, Jianfeng and Chen, Weizhu , year = 2023, booktitle =

work page 2023
[17]

Smarter, Better, Faster, Longer: A Modern Bidirectional Encoder for Fast, Memory Efficient, and Long Context Finetuning and Inference

Smarter, Better, Faster, Longer: A Modern Bidirectional Encoder for Fast, Memory Efficient, and Long Context Finetuning and Inference , author =. 2412.13663 , archiveprefix =

work page arXiv
[18]

Urchade Zaratiana and Nadi Tomeh and Pierre Holat and Thierry Charnois , year = 2023, eprint =

work page 2023
[19]

Universal and Transferable Adversarial Attacks on Aligned Language Models , author =

work page
[20]

Jailbroken: How Does

Wei, Alexander and Haghtalab, Nika and Steinhardt, Jacob , year = 2023, journal =. Jailbroken: How Does

work page 2023
[21]

Training Language Models to Follow Instructions with Human Feedback , author =

work page
[22]

Deep Reinforcement Learning from Human Preferences , author =

work page
[23]

Direct Preference Optimization: Your Language Model is Secretly a Reward Model , author =

work page
[24]

Constitutional

Yuntao Bai and Saurav Kadavath and Sandipan Kundu and Amanda Askell and Jackson Kernion and Andy Jones and Anna Chen and Anna Goldie and Azalia Mirhoseini and Cameron McKinnon and others , year = 2022, journal =. Constitutional

work page 2022
[25]

A Survey on Large Language Model (

Yao, Yifan and Duan, Jinhao and Xu, Kaidi and Cai, Yuanfang and Sun, Zhibo and Zhang, Yue , year = 2024, journal =. A Survey on Large Language Model (

work page 2024
[26]

Xuan, Zitao and Mao, Xiaofeng and Chen, Da and Zhang, Xin and Dong, Yuhan and Zhou, Jun , year = 2025, booktitle =

work page 2025
[27]

Kwon, Ohjoon and Jeon, Donghyeon and Choi, Nayoung and Cho, Gyu-Hwung and Jo, Hwiyeol and Kim, Changbong and Lee, Hyunwoo and Kang, Inho and Kim, Sun and Park, Taiwoo , year = 2024, booktitle =

work page 2024
[28]

Granite Guardian: Comprehensive

Padhi, Inkit and Nagireddy, Manish and Cornacchia, Giandomenico and Chaudhury, Subhajit and Pedapati, Tejaswini and Dognin, Pierre and Murugesan, Keerthiram and Miehling, Erik and others , year = 2025, booktitle =. Granite Guardian: Comprehensive

work page 2025
[29]

Constitutional classifiers: Defending against universal jailbreaks across thousands of hours of red teaming

Constitutional Classifiers: Defending against Universal Jailbreaks across Thousands of Hours of Red Teaming , author =. 2501.18837 , archiveprefix =

work page arXiv
[30]

Liu, Yue and Gao, Hongcheng and Zhai, Shengfang and Xia, Jun and Wu, Tianyi and Xue, Zhiwei and Chen, Yulin and Kawaguchi, Kenji and Zhang, Jiaheng and Hooi, Bryan , year = 2025, journal =

work page 2025
[31]

Zi Lin and Zihan Wang and Yongqi Tong and Yangkun Wang and Yuxin Guo and Yujia Wang and Jingbo Shang , year = 2023, eprint =

work page 2023
[32]

Proceedings of the AAAI Conference on Artificial Intelligence , volume = 37, pages =

A Holistic Approach to Undesired Content Detection in the Real World , author =. Proceedings of the AAAI Conference on Artificial Intelligence , volume = 37, pages =

work page
[33]

Benchmarking Zero-shot Text Classification: Datasets, Evaluation and Entailment Approach , author =. Proceedings of the 2019 Conference on Empirical Methods in Natural Language Processing and the 9th International Joint Conference on Natural Language Processing (EMNLP-IJCNLP) , pages =

work page 2019
[34]

Proceedings of the International AAAI Conference on Web and Social Media , volume = 18, pages =

Watch Your Language: Investigating Content Moderation with Large Language Models , author =. Proceedings of the International AAAI Conference on Web and Social Media , volume = 18, pages =

work page
[35]

The Twelfth International Conference on Learning Representations , url =

Gen-Z: Generative Zero-Shot Text Classification with Contextualized Label Descriptions , author =. The Twelfth International Conference on Learning Representations , url =

work page
[36]

Findings of the Association for Computational Linguistics: EMNLP 2023 , pages =

Text Classification via Large Language Models , author =. Findings of the Association for Computational Linguistics: EMNLP 2023 , pages =

work page 2023
[37]

GLiClass: General- ist lightweight model for sequence classification tasks.arXiv preprint arXiv:2508.07662, 2025

GLiClass: Generalist Lightweight Model for Sequence Classification Tasks , author =. CoRR , volume =. doi:10.48550/arXiv.2508.07662 , eprint =

work page doi:10.48550/arxiv.2508.07662
[38]

ISBN 979-8-89176-334-0

Zaratiana, Urchade and Pasternak, Gil and Boyd, Oliver and Hurn-Maloney, George and Lewis, Ash. GL i NER 2: Schema-Driven Multi-Task Learning for Structured Information Extraction. Proceedings of the 2025 Conference on Empirical Methods in Natural Language Processing: System Demonstrations. 2025. doi:10.18653/v1/2025.emnlp-demos.10

work page doi:10.18653/v1/2025.emnlp-demos.10 2025