Auto-Tuning Safety Guardrails for Black-Box Large Language Models

Large language models (LLMs) are increasingly deployed behind safety guardrails such as system prompts and content filters, especially in settings where product teams cannot modify model weights. In practice these guardrails are typically hand-tuned, brittle, and difficult to reproduce. This paper studies a simple but practical alternative: treat safety guardrail design itself as a hyperparameter optimization problem over a frozen base model. Concretely, I wrap Mistral-7B-Instruct with modular jailbreak and malware system prompts plus a ModernBERT-based harmfulness classifier, then evaluate candidate configurations on three public benchmarks covering malware generation, classic jailbreak prompts, and benign user queries. Each configuration is scored using malware and jailbreak attack success rate, benign harmful-response rate, and end-to-end latency. A 48-point grid search over prompt combinations and filter modes establishes a baseline. I then run a black-box Optuna study over the same space and show that it reliably rediscovers the best grid configurations while requiring an order of magnitude fewer evaluations and roughly 8x less wall-clock time. The results suggest that viewing safety guardrails as tunable hyperparameters is a feasible way to harden black-box LLM deployments under compute and time constraints.

Key Contributions

• Frames LLM safety guardrail design (system prompt selection + content-filter threshold) as a discrete hyperparameter optimization problem over a frozen base model
• Demonstrates that Optuna black-box optimization reliably rediscovers the best guardrail configurations from a 48-point grid while requiring ~10x fewer evaluations and ~8x less wall-clock time
• Provides a modular evaluation framework scoring configurations on malware ASR, jailbreak ASR, benign harmful-response rate, and latency simultaneously

🛡️ Threat Analysis

Details

Similar Papers