Safety Context Injection: An Inference-Time Safety Alignment Framework for Large Reasoning Models

Safety Context Injection (SCI) is an inference-time safety alignment framework for Large Reasoning Models (LRMs). Its core lies in separating safety assessment from task generation, injecting structured external risk reports into the model's context. It includes two variants: Lightweight Static Filtering (SMF) and Dynamic Agent Analysis (DAF), which effectively reduce the success rate of jailbreak attacks and output toxicity, and mitigate the model's "thinking-output gap" problem.

Large reasoning models, with enhanced chain-of-thought reasoning capabilities, bring new security challenges: under black-box deployment, weights cannot be modified, leading to three major issues—intent camouflage (malicious users hide harmful intentions via education/role-playing, making keyword filtering ineffective), latency overhead (deep analysis affects user experience), and context dilution (long adversarial texts scatter attack signals). These lead to the "thinking-output gap": the model appears cautious during reasoning, but the final output still contains harmful content.

Core idea of SCI: Separate safety assessment from task generation, where an independent module generates structured risk reports and injects them into the main model's input. Two variants:

1. Static Model Filtering (SMF): Lightweight and fast, uses small models to generate risk scores/labels, suitable for latency-sensitive scenarios;
2. Dynamic Agent Filtering (DAF): Multi-round iterative analysis, handles semantic camouflage/long-context attacks. Synergy between the two: SMF filters first, and suspicious inputs are sent to DAF. Risk reports are in a structured format, including intent classification, risk level, sensitive domains, evidence summary, and recommended measures, facilitating the main model to integrate safety signals and audit.

Evaluations on AdvBench and GPTFuzz test sets show:

• Both variants significantly reduce attack success rates and output toxicity;
• SMF is efficient with low latency, suitable for large-scale deployment;
• DAF is more effective against semantic camouflage/long-context attacks;
• Mitigates the "thinking-output gap", making model outputs more consistent with reasoning safety judgments;
• Latency: SMF's overhead is negligible, and DAF's additional latency for suspicious inputs is acceptable.

SCI complements existing mechanisms:

• Training-based alignment (e.g., RLHF) struggles to handle new attacks;
• Input filters lack deep understanding;
• Output filters cannot prevent the generation of harmful content. Unique features of SCI: Injecting safety context during inference, enabling the model to have safety awareness when generating, similar to humans adjusting before making decisions. It can be combined with existing mechanisms (input filtering → SCI → output filtering) to form a multi-layered defense.

Deployment recommendations:

• Use only SMF in resource-constrained scenarios;
• Use SMF+DAF pipeline for high-security requirements;
• Risk reports can be customized according to organizational security policies (compliance requirements, sensitive domains);
• Structured assessment facilitates audit and optimization, identifying blind spots/misjudgment patterns.

Limitations:

• Safety assessment depends on the quality of training data, and its effectiveness decreases against new attacks;
• DAF may misjudge complex inputs;
• Only targets text modality. Future directions:
• Continuously update training data;
• Optimize DAF's misjudgment rate;
• Extend to multi-modal models.

SCI provides a new idea for the security protection of large reasoning models. By separating safety assessment from task generation and injecting structured safety context, it effectively mitigates the thinking-output gap, improving security while maintaining model capabilities. Its modular design can flexibly adapt to different deployment scenarios and security requirements, making it a practical technical solution.