Relying on LLMs' apparent commonsense reasoning can be risky: models may fail on small, realistic changes and produce misleading outputs in user-facing scenarios.
Making an opaque container transparent causes GPT-3.5 to predict the agent believes the wrong content.
Numbers: Variation 1A: P(chocolate)=95% vs P(popcorn)=0%
Automated detection helps flag AI-written content that affects trust, compliance, or fraud; MGTBench identifies which detectors work, how much labelled data they need, and where they fail under attacks.
Fine-tuned LM Detector gives the highest detection accuracy across datasets
Numbers: F1=0.993 (Essay, human vs ChatGPT-turbo)
MCQ-format evaluation and automated grading can be unstable: models may pick "A" or "C" by habit, producing misleading scores. Fixing this improves model reliability with minimal compute.
Simple answer-moving changes cause large accuracy swings.
Numbers: gpt-3.5-turbo MMLU: 67.2 → 60.9 (−6.3) when golden moved to D; llama-30B: 53.1 → 68.2 (+15.2) when moved to A
A simple, repeatable Chinese safety benchmark and a 100k prompt library let product and security teams run systematic red-teaming and compare model choices quickly.
Instruction attacks are consistently harder for models than typical safety prompts.
CoU-style prompts can bypass deployed guardrails often; test and harden public-facing LLMs, or fine-tune smaller models on curated safe conversations to reduce harmful outputs without losing much utility.
RED-EVAL jailbreaks widely deployed closed-source APIs frequently.
Numbers: GPT-4 ASR 0.651; ChatGPT ASR 0.728 on tested harmful prompts
A single, extensible evaluation toolkit reduces ad-hoc testing effort, surfaces robustness gaps, and speeds model selection for production-facing apps.
PromptBench includes many evaluation assets: 12 task families and 22 public datasets.
Numbers: 12 tasks; 22 public datasets
If you use LLMs to replace humans for evaluation, test them on adversarial, instruction-focused pairs first: many evaluators prefer slick but incorrect outputs and can bias product metrics and model selection.
Expert human annotators agree on LLMBAR labels at a very high rate.
Numbers: 94% overall agreement (90% NATURAL, 95% ADVERSARIAL)
Any app that feeds external text into an LLM is attackable: attackers can hide instructions in user-provided data and change app outputs. Benchmarks show attacks work across models and tasks, and many defenses either miss attacks or break normal performance.
Prompt injection attacks are broadly effective across tasks and models.
Numbers: Combined Attack ASV=0.62 and MR=0.78 averaged over 10 LLMs and 7×7 task pairs
External content can silently hijack LLM outputs. Measure exposure with BIPIA and add simple defenses now; full model fine-tuning yields stronger protection if you control the model.
All evaluated LLMs show vulnerability to indirect prompt injection on BIPIA.
Numbers: Average overall ASR = 0.1179 (11.79%) on BIPIA (Table 2)
A practical watermarking layer lets API owners tag model outputs with recoverable signatures to prove origin, deter plagiarism, and monitor misuse without breaking text quality or adding large latency.
REMARK-LLM embeds more signature bits per text than prior neural watermarking.
Numbers: ˜2× more bits vs AWT on evaluated segments
LLMs can betray system instructions and help abuse attached interpreters; measuring these behaviors helps product and security teams decide model choice, add guardrails, and quantify user experience tradeoffs.
Prompt injections still succeed on modern models.
Numbers: Average injection success ≈ 28%; per-model range reported 13%–47%
If your product depends on images that must exclude certain content (safety, branding, legal), current multimodal LLMs can silently fail and even claim they succeeded; add verification or blocklisting before shipping.
For the prompt 'Generate an image of an elephant with no tusks', no model produced a correct image in any tested run or language.
Numbers: 0/5 correct across tested runs and languages (Section 3.6; Table 1)
RAIN lets you reduce harmful or untruthful outputs from deployed LLMs without costly retraining or human labels; trade latency for safety and consider using RAIN-generated data to finetune if latency is critical.
RAIN raised harmlessness of LLaMA 30B from 82% to 97% on the HH dataset.
Numbers: 82% → 97%
PsychoBench gives a repeatable way to describe how an LLM will sound and react, so teams can tune persona, anticipate safety shifts from prompts or alignment changes, and audit models before deployment.
LLMs behave as more open, conscientious and extraverted than crowd norms.
Numbers: Openness: text-davinci-003 4.8 vs human 3.9 (Likert mean)
Products that flag misinformation must be robust to attackers who use LLMs to change tone; adding style-variant training and content-focused cues reduces false negatives and improves trustworthiness.
State-of-the-art text-only detectors suffer large drops under LLM style attacks.
Numbers: F1 drop up to 38.33%
Model safety claims are often evaluated on a narrow, inconsistent set of datasets (sometimes proprietary), so businesses should adopt a broader, open suite of safety tests to make reliable, comparable claims.
Total datasets reviewed: 144 open text datasets.
Numbers: n=144 datasets (published Jun 2018–Dec 2024)
Binary success/fail tests miss partial or stealthy jailbreaks. AttackEval gives a ranked, numeric view so teams can prioritize fixes, audit high-risk prompt types, and measure defense improvements over time.
AttackEval produces continuous 0–1 scores that align with binary baselines but assign many prompts intermediate values.
Numbers: Aggregated halves match baseline ~70% (coarse-grained)
If your product accepts or produces instruction-like outputs (code, pseudocode, how-to steps), it faces higher risk of harmful outputs and model edits can make that worse.
Pseudocode prompts raise harmful outputs versus text answers.
Numbers: Pseudocode harmfulness increased by 2–38% in zero-shot across topics/models.
Guardrails (prompts and filters) are low-cost ways to hide or block sensitive outputs from API-accessible models; use them as quick mitigation, QA checks, or to generate finetuning data before spending on full retraining.
Prompting halved the 'familiarity' score on LLaMA-2-7b for the Who's Harry Potter benchmark.
Numbers: ≈50% reduction vs baseline LLaMA-2-7b (Figure 2)
WILDGUARD gives teams an open, deployable moderator that matches closed APIs on many safety checks, reduces jailbreak risk sharply, and lowers reliance on expensive third‑party moderation services.
WILDGUARD strongly improves refusal detection versus open baselines.
Numbers: Refusal F1 +26.4 pts vs LibrAI-LongFormer-ref on WGTEST/XSTEST-RESP
Agents can be disabled or misused without obvious malicious text; prompt-injection can cause outages, wasted compute, or automated spamming and is hard to detect by LLM self-checks alone.
Prompt-injection infinite-loop attacks raise failure rate substantially.
Numbers: Baseline 15.3% → Infinite loop ASR 59.4%
Products that reuse LLMs risk amplifying users' false assumptions; adding a brief critique prompt is a low-cost way to reduce misinformation and potential harm.
LLMs often accept false premises and produce incorrect or unsafe outputs.
Numbers: Truthfulness ≈50% on QFP and ≈20% on CIFP for evaluated models
Knowing if a model trusts prompts or its own memory changes how you design retrieval, prompts, and monitoring: pick high-RR models for using fresh external data, or use instruction-tuned dependent models when you need strict prompt compliance.
GPT-4 achieves the highest ability to use correct prompt facts (RR) and highest overall factual robustness (FR) on the KRE benchmark.
Numbers: GPT-4: VR=50, RR=81, FR≈66 (Table 9)
You can cheaply generate realistic jailbreak prompts and use a small iterative fine-tune to significantly reduce harmful outputs while keeping product capabilities intact.
SAP30 attack set is far more effective than prior sets on evaluated LLMs.
Numbers: gpt-3.5-turbo harmful score: SAP30=8.70 vs Dual-Use=5.41 vs BAD+=0.63 (Table 1)
