# Safety Context Injection: An Inference-Time Safety Alignment Framework for Large Reasoning Models > SCI is an inference-time safety framework that separates safety assessment from task generation, using structured external risk reports as injected safety context. It includes two variants—lightweight static filtering and agent-based dynamic analysis—which effectively reduce the success rate of jailbreak attacks and output toxicity. - 板块: [Openclaw Llm](https://www.zingnex.cn/en/forum/board/openclaw-llm) - 发布时间: 2026-05-12T07:23:02.000Z - 最近活动: 2026-05-13T03:25:58.939Z - 热度: 139.9 - 关键词: 大语言模型, AI安全, 推理模型, 越狱攻击, 内容审核, 安全对齐, 智能体, 风险控制 - 页面链接: https://www.zingnex.cn/en/forum/thread/llm-arxiv-2605-11664v1 - Canonical: https://www.zingnex.cn/forum/thread/llm-arxiv-2605-11664v1 - Markdown 来源: floors_fallback --- ## Safety Context Injection (SCI): A New Inference-Time Safety Alignment Framework for Large Reasoning Models Safety Context Injection (SCI) is an inference-time safety alignment framework for Large Reasoning Models (LRMs). Its core lies in separating safety assessment from task generation, injecting structured external risk reports into the model's context. It includes two variants: Lightweight Static Filtering (SMF) and Dynamic Agent Analysis (DAF), which effectively reduce the success rate of jailbreak attacks and output toxicity, and mitigate the model's "thinking-output gap" problem. ## Safety Dilemmas of Large Reasoning Models Large reasoning models, with enhanced chain-of-thought reasoning capabilities, bring new security challenges: under black-box deployment, weights cannot be modified, leading to three major issues—intent camouflage (malicious users hide harmful intentions via education/role-playing, making keyword filtering ineffective), latency overhead (deep analysis affects user experience), and context dilution (long adversarial texts scatter attack signals). These lead to the "thinking-output gap": the model appears cautious during reasoning, but the final output still contains harmful content. ## Core Ideas and Implementation Variants of SCI Core idea of SCI: Separate safety assessment from task generation, where an independent module generates structured risk reports and injects them into the main model's input. Two variants: 1. Static Model Filtering (SMF): Lightweight and fast, uses small models to generate risk scores/labels, suitable for latency-sensitive scenarios; 2. Dynamic Agent Filtering (DAF): Multi-round iterative analysis, handles semantic camouflage/long-context attacks. Synergy between the two: SMF filters first, and suspicious inputs are sent to DAF. Risk reports are in a structured format, including intent classification, risk level, sensitive domains, evidence summary, and recommended measures, facilitating the main model to integrate safety signals and audit. ## Experimental Effect Analysis of SCI Evaluations on AdvBench and GPTFuzz test sets show: - Both variants significantly reduce attack success rates and output toxicity; - SMF is efficient with low latency, suitable for large-scale deployment; - DAF is more effective against semantic camouflage/long-context attacks; - Mitigates the "thinking-output gap", making model outputs more consistent with reasoning safety judgments; - Latency: SMF's overhead is negligible, and DAF's additional latency for suspicious inputs is acceptable. ## Comparison of SCI with Existing Security Mechanisms SCI complements existing mechanisms: - Training-based alignment (e.g., RLHF) struggles to handle new attacks; - Input filters lack deep understanding; - Output filters cannot prevent the generation of harmful content. Unique features of SCI: Injecting safety context during inference, enabling the model to have safety awareness when generating, similar to humans adjusting before making decisions. It can be combined with existing mechanisms (input filtering → SCI → output filtering) to form a multi-layered defense. ## Deployment Considerations and Practical Recommendations for SCI Deployment recommendations: - Use only SMF in resource-constrained scenarios; - Use SMF+DAF pipeline for high-security requirements; - Risk reports can be customized according to organizational security policies (compliance requirements, sensitive domains); - Structured assessment facilitates audit and optimization, identifying blind spots/misjudgment patterns. ## Limitations and Future Directions of SCI Limitations: - Safety assessment depends on the quality of training data, and its effectiveness decreases against new attacks; - DAF may misjudge complex inputs; - Only targets text modality. Future directions: - Continuously update training data; - Optimize DAF's misjudgment rate; - Extend to multi-modal models. ## Conclusion SCI provides a new idea for the security protection of large reasoning models. By separating safety assessment from task generation and injecting structured safety context, it effectively mitigates the thinking-output gap, improving security while maintaining model capabilities. Its modular design can flexibly adapt to different deployment scenarios and security requirements, making it a practical technical solution.