Internal Safety Collapse in Frontier Large Language Models

TL;DR

This paper uncovers a failure mode in frontier large language models called Internal Safety Collapse, where models generate harmful content under certain tasks, revealing significant safety vulnerabilities even after alignment efforts.

Contribution

It introduces the TVD framework and ISC-Bench for systematically testing safety failures in large language models, highlighting their vulnerability to internal safety collapse.

Findings

Frontier LLMs exhibit a 95.3% worst-case safety failure rate in tested scenarios.

Models are more vulnerable when their capabilities enable complex task execution involving harmful content.

Alignment efforts do not fully eliminate inherent safety risks in frontier LLMs.

Abstract

This work identifies a critical failure mode in frontier large language models (LLMs), which we term Internal Safety Collapse (ISC): under certain task conditions, models enter a state in which they continuously generate harmful content while executing otherwise benign tasks. We introduce TVD (Task, Validator, Data), a framework that triggers ISC through domain tasks where generating harmful content is the only valid completion, and construct ISC-Bench containing 53 scenarios across 8 professional disciplines. Evaluated on JailbreakBench, three representative scenarios yield worst-case safety failure rates averaging 95.3% across four frontier LLMs (including GPT-5.2 and Claude Sonnet 4.5), substantially exceeding standard jailbreak attacks. Frontier models are more vulnerable than earlier LLMs: the very capabilities that enable complex task execution become liabilities when tasks intrinsically involve harmful content. This reveals a growing attack surface: almost every professional domain uses tools that process sensitive data, and each new dual-use tool automatically expands this vulnerability--even without any deliberate attack. Despite substantial alignment efforts, frontier LLMs retain inherently unsafe internal capabilities: alignment reshapes observable outputs but does not eliminate the underlying risk profile. These findings underscore the need for caution when deploying LLMs in high-stakes settings. Source code: https://github.com/wuyoscar/ISC-Bench