defense 2026

Conditioned Activation Transport for T2I Safety Steering

Maciej Chrabąszcz 1,2, Aleksander Szymczyk 2, Jan Dubiński 2,3,4, Tomasz Trzciński 2,3,4, Franziska Boenisch 5, Adam Dziedzic 5

1 NASK National Research Institute

2 Warsaw University of Technology

3 Tooplox

4 IDEAS Research Institute

5 CISPA Helmholtz Center for Information Security

0 citations
α

Published on arXiv

2603.03163

Prompt Injection

OWASP LLM Top 10 — LLM01

Key Finding

CAT significantly reduces Attack Success Rate on unsafe prompts while preserving image fidelity on benign queries, outperforming linear steering baselines (ActAdd, Linear-ACT) across Z-Image and Infinity architectures

CAT (Conditioned Activation Transport)

Novel technique introduced

Despite their impressive capabilities, current Text-to-Image (T2I) models remain prone to generating unsafe and toxic content. While activation steering offers a promising inference-time intervention, we observe that linear activation steering frequently degrades image quality when applied to benign prompts. To address this trade-off, we first construct SafeSteerDataset, a contrastive dataset containing 2300 safe and unsafe prompt pairs with high cosine similarity. Leveraging this data, we propose Conditioned Activation Transport (CAT), a framework that employs a geometry-based conditioning mechanism and nonlinear transport maps. By conditioning transport maps to activate only within unsafe activation regions, we minimize interference with benign queries. We validate our approach on two state-of-the-art architectures: Z-Image and Infinity. Experiments demonstrate that CAT generalizes effectively across these backbones, significantly reducing Attack Success Rate while maintaining image fidelity compared to unsteered generations. Warning: This paper contains potentially offensive text and images.

Key Contributions

  • SafeSteerDataset: a contrastive dataset of 2,300 semantically-aligned safe/unsafe prompt pairs across 23 subcategories, enabling precise isolation of toxic activation manifolds
  • CAT (Conditioned Activation Transport): a nonlinear, geometry-conditioned activation steering framework that activates transport maps only within unsafe activation regions, minimizing interference on benign queries
  • First comprehensive safety-steering validation across both Diffusion Transformer (Z-Image) and AutoRegressive (Infinity) T2I architectures

🛡️ Threat Analysis

Details

Domains
visionmultimodalgenerative
Model Types
diffusiontransformer
Threat Tags
inference_time
Datasets
SafeSteerDataset
Applications
text-to-image generationimage synthesis safety
Read PDF arXiv Code

Similar Papers

defense

PurifyGen: A Risk-Discrimination and Semantic-Purification Model for Safe Text-to-Image Generation

2025 3 cit.
79%
defense

PromptGuard: Soft Prompt-Guided Unsafe Content Moderation for Text-to-Image Models

2025 0 cit.
79%
defense

Beyond the Safety Tax: Mitigating Unsafe Text-to-Image Generation via External Safety Rectification

2025 0 cit.
77%
defense

ConceptGuard: Proactive Safety in Text-and-Image-to-Video Generation through Multimodal Risk Detection

2025 1 cit.
75%
attack

MacPrompt: Maraconic-guided Jailbreak against Text-to-Image Models

2026 0 cit.
73%
defense

OrthoEraser: Coupled-Neuron Orthogonal Projection for Concept Erasure

2026 0 cit.
71%
defense

Localized Concept Erasure in Text-to-Image Diffusion Models via High-Level Representation Misdirection

2026 0 cit.
69%
benchmark

T2I-RiskyPrompt: A Benchmark for Safety Evaluation, Attack, and Defense on Text-to-Image Model

2025 1 cit.
Output Integrity Attack
67%