← Back to Library

Safety Recovery in Reasoning Models Is Only a Few Early Steering Steps Away

Authors: Soumya Suvra Ghosal, Souradip Chakraborty, Vaibhav Singh, Furong Huang, Dinesh Manocha, Amrit Singh Bedi

Published: 2026-02-11

arXiv ID: 2602.11096v1

Added to Library: 2026-02-12 04:00 UTC

Red Teaming

📄 Abstract

Reinforcement learning (RL) based post-training for explicit chain-of-thought (e.g., GRPO) improves the reasoning ability of multimodal large-scale reasoning models (MLRMs). But recent evidence shows that it can simultaneously degrade safety alignment and increase jailbreak success rates. We propose SafeThink, a lightweight inference-time defense that treats safety recovery as a satisficing constraint rather than a maximization objective. SafeThink monitors the evolving reasoning trace with a safety reward model and conditionally injects an optimized short corrective prefix ("Wait, think safely") only when the safety threshold is violated. In our evaluations across six open-source MLRMs and four jailbreak benchmarks (JailbreakV-28K, Hades, FigStep, and MM-SafetyBench), SafeThink reduces attack success rates by 30-60% (e.g., LlamaV-o1: 63.33% to 5.74% on JailbreakV-28K, R1-Onevision: 69.07% to 5.65% on Hades) while preserving reasoning performance (MathVista accuracy: 65.20% to 65.00%). A key empirical finding from our experiments is that safety recovery is often only a few steering steps away: intervening in the first 1-3 reasoning steps typically suffices to redirect the full generation toward safe completions.

🔍 Key Points

  • Introduction of SafeThink: a lightweight inference-time defense mechanism that treats safety recovery as a satisficing constraint, allowing for proactive safety interventions during reasoning steps.
  • Empirical demonstration that safety recovery can typically be achieved with minimal intervention (1-3 reasoning steps) without degrading reasoning capabilities.
  • Comprehensive evaluation across multiple open-source multimodal large reasoning models (MLRMs) showcasing significant reductions in jailbreak success rates (30-60%) while preserving reasoning performance.
  • Frame safety recovery in a new perspective, shifting from maximizing safety to ensuring it meets a predefined threshold, providing a more pragmatic approach to AI safety.
  • Highlighting the importance of early interventions in reasoning models to maintain safety without hindering their performance in complex tasks.

💡 Why This Paper Matters

The paper reveals critical insights into the balance between enhancing reasoning abilities and maintaining safety in AI models. By proposing and validating SafeThink, it addresses a significant gap in current safety mechanisms, ensuring that improved reasoning capabilities do not lead to increased vulnerabilities. Its findings encourage the adoption of lightweight, intervention-based strategies that are both effective and efficient, making the approach highly relevant in the ongoing discourse on safe AI deployment.

🎯 Why It's Interesting for AI Security Researchers

This paper is particularly significant for AI security researchers as it tackles the pressing issue of AI model vulnerabilities to adversarial attacks, especially in the context of stronger reasoning capabilities. The proposed strategy shifts the focus toward practical, inference-time safety interventions that can be rapidly implemented in existing models, potentially influencing future AI safety protocols and guiding research into more robust AI systems. As AI continues to penetrate various sectors, understanding and mitigating the risks associated with reasoning models will be paramount.

📚 Read the Full Paper

📄 View on arXiv 📎 Download PDF