Constitutional Classifiers: Defending against Universal Jailbreaks across Thousands of Hours of Red Teaming

TL;DR

This paper introduces Constitutional Classifiers, a new safeguard method trained on synthetic data to effectively defend large language models against universal jailbreaks, with minimal impact on deployment performance.

Contribution

The paper presents a novel safeguard training approach using synthetic data generated by LLMs with natural language rules, significantly improving defense against universal jailbreaks.

Findings

No successful universal jailbreaks found in extensive red teaming

Enhanced classifiers resist domain-specific jailbreaks

Minimal increase in deployment traffic refusals and inference overhead

Abstract

Large language models (LLMs) are vulnerable to universal jailbreaks-prompting strategies that systematically bypass model safeguards and enable users to carry out harmful processes that require many model interactions, like manufacturing illegal substances at scale. To defend against these attacks, we introduce Constitutional Classifiers: safeguards trained on synthetic data, generated by prompting LLMs with natural language rules (i.e., a constitution) specifying permitted and restricted content. In over 3,000 estimated hours of red teaming, no red teamer found a universal jailbreak that could extract information from an early classifier-guarded LLM at a similar level of detail to an unguarded model across most target queries. On automated evaluations, enhanced classifiers demonstrated robust defense against held-out domain-specific jailbreaks. These classifiers also maintain deployment viability, with an absolute 0.38% increase in production-traffic refusals and a 23.7% inference overhead. Our work demonstrates that defending against universal jailbreaks while maintaining practical deployment viability is tractable.