benchmark 2025

Read the Scene, Not the Script: Outcome-Aware Safety for LLMs

Rui Wu , Yihao Quan , Zeru Shi , Zhenting Wang , Yanshu Li , Ruixiang Tang

Rutgers University

1 citations · 1 influential · 48 references · arXiv
α

Published on arXiv

2510.04320

Prompt Injection

OWASP LLM Top 10 — LLM01

Key Finding

Models fine-tuned on CS-Chain-4k show measurable gains against semantic-camouflage jailbreaks and reduced over-refusal on harmless sensitive-keyword inputs while maintaining utility on general benchmarks

CB-Bench / CS-Chain-4k

Novel technique introduced

Safety-aligned Large Language Models (LLMs) still show two dominant failure modes: they are easily jailbroken, or they over-refuse harmless inputs that contain sensitive surface signals. We trace both to a common cause: current models reason weakly about links between actions and outcomes and over-rely on surface-form signals, lexical or stylistic cues that do not encode consequences. We define this failure mode as Consequence-blindness. To study consequence-blindness, we build a benchmark named CB-Bench covering four risk scenarios that vary whether semantic risk aligns with outcome risk, enabling evaluation under both matched and mismatched conditions which are often ignored by existing safety benchmarks. Mainstream models consistently fail to separate these risks and exhibit consequence-blindness, indicating that consequence-blindness is widespread and systematic. To mitigate consequence-blindness, we introduce CS-Chain-4k, a consequence-reasoning dataset for safety alignment. Models fine-tuned on CS-Chain-4k show clear gains against semantic-camouflage jailbreaks and reduce over-refusal on harmless inputs, while maintaining utility and generalization on other benchmarks. These results clarify the limits of current alignment, establish consequence-aware reasoning as a core alignment goal and provide a more practical and reproducible evaluation path.

Key Contributions

  • Defines 'consequence-blindness' — LLMs' systematic over-reliance on surface-form lexical signals rather than causal reasoning about real-world outcome risk, unifying jailbreak vulnerability and over-refusal as a single root cause
  • CB-Bench: a 600-sample benchmark spanning four risk scenarios that cross-vary semantic risk and outcome risk, enabling evaluation under matched and mismatched conditions overlooked by existing safety benchmarks
  • CS-Chain-4k: a consequence-reasoning fine-tuning dataset that improves LLM resistance to semantic-camouflage jailbreaks and reduces over-refusal while preserving general utility

🛡️ Threat Analysis

Details

Domains
nlp
Model Types
llm
Threat Tags
inference_timeblack_box
Datasets
CB-BenchCS-Chain-4kAdvBench
Applications
llm safety alignmentjailbreak defenseover-refusal mitigation
Read PDF arXiv DOI Code

Similar Papers

benchmark

RedBench: A Universal Dataset for Comprehensive Red Teaming of Large Language Models

2026 0 cit.
100%
benchmark

Toxicity Red-Teaming: Benchmarking LLM Safety in Singapore's Low-Resource Languages

2025 0 cit.
100%
benchmark

Quantifying CBRN Risk in Frontier Models

2025 2 cit.
100%
benchmark

Understanding LLM Behavior When Encountering User-Supplied Harmful Content in Harmless Tasks

2026 0 cit.
100%
benchmark

MalURLBench: A Benchmark Evaluating Agents' Vulnerabilities When Processing Web URLs

2026 0 cit.
100%
benchmark

When Your Reviewer is an LLM: Biases, Divergence, and Prompt Injection Risks in Peer Review

2025 0 cit.
100%
benchmark

SocialHarmBench: Revealing LLM Vulnerabilities to Socially Harmful Requests

2025 0 cit.
100%
benchmark

Can AI Models be Jailbroken to Phish Elderly Victims? An End-to-End Evaluation

2025 1 cit.
100%