When Models Outthink Their Safety: Unveiling and Mitigating Self-Jailbreak in Large Reasoning Models

Large Reasoning Models (LRMs) achieve strong performance on complex multi-step reasoning, yet they still exhibit severe safety failures such as harmful content generation. Existing methods often apply coarse-grained constraints over the entire reasoning trajectories, which can undermine reasoning capability while failing to address the root causes of unsafe behavior. In this work, we uncover a previously underexplored failure mode in LRMs, termed Self-Jailbreak, where models initially recognize the harmful intent of a query, but override this judgment during subsequent reasoning steps, ultimately generating unsafe outputs. Such a phenomenon reveals that LRMs are capable of recognizing harm, while safety failures primarily arise from reasoning steps. Motivated by this finding, we propose \emph{Chain-of-Guardrail} (CoG), a trajectory-level training framework that mitigates Self-Jailbreak via targeted, step-level interventions while maintaining reasoning ability. Experiments across multiple safety and reasoning benchmarks indicate that CoG achieves a favorable balance between safety and reasoning performance compared with existing approaches.

Key Contributions

• Identifies and characterizes 'Self-Jailbreak' — a failure mode where LRMs initially recognize harmful intent but override that safety judgment during subsequent reasoning steps, accounting for ~80% of unsafe outputs analyzed
• Proposes Chain-of-Guardrail (CoG), a trajectory-level training framework with targeted step-level interventions (Safety Recomposition and Safety Backtrack) that correct only failure-inducing reasoning segments
• Empirically demonstrates CoG achieves a superior safety–reasoning balance vs. prior methods, e.g., on Qwen3-32B improving GPQA-Diamond from 54.30 to 62.38 and AIME2024 from 71.70 to 82.08 while matching SafeKey's safety performance

🛡️ Threat Analysis

Details

Similar Papers