Summary (Overview)

  • Policy-adaptive guardrailing is introduced: Image safety is not intrinsic but depends on the active runtime policy. The same image may be allowed under one policy and blocked under another.
  • PolicyShiftBench: A new benchmark with 2,000 policy-discriminative instances over 265 images, each paired with 7.55 policy-conditioned prompts on average, and a novel metric (Policy Shift Score, PSS) that measures correct handling of same-image policy flips.
  • PolicyShiftGuard: A compact, policy-conditioned guardrail model (3B/7B parameters) trained with a two-stage recipe: Randomized Policy SFT (RP-SFT) for robust policy following and Boundary-Pair Policy Adaptation (BP-Adapt) with a pairwise comparison loss that explicitly separates pass/block decisions for the same image under different policies.
  • State-of-the-art performance: PolicyShiftGuard-7B achieves 76.9 Avg. F1 and 72.1 Avg. PSS on PolicyShiftBench, outperforming all existing general-purpose MLLMs and specialized guardrails, while also improving latency (163.9 ms) and transferring well to UnSafeBench and SafeEditBench.
  • Key findings: Existing models often recognize unsafe content but fail to revise decisions when policy boundaries shift; scaling model size helps but does not solve policy adaptation; concise output formats (5 tokens) are crucial for deployment.

Introduction and Theoretical Foundation

Image guardrails are typically trained and evaluated under a fixed safety policy, implicitly treating safety as an intrinsic property of an image. In real deployments, the same image may be allowed in one product, restricted in another, and newly disallowed when a policy boundary changes. The paper formalizes policy-adaptive image guardrailing as a task where a model must decide whether an image violates the currently supplied policy and generalize to held-out policy definitions.

Current benchmarks (e.g., UnsafeBench, MM-SafetyBench, SafeEditBench) either assign a single label per image under a fixed taxonomy or lack fine-grained policy-conditioned evaluation. They do not test whether a model can flip its decision when the policy changes while the image remains identical. The paper introduces PolicyShiftBench to fill this gap, organizing visual safety into seven risk categories and five moderation scenarios, yielding 28 policy variants. The benchmark includes both an Adaptive Split (in-distribution policies) and a Shift Split (held-out policies) to measure generalization.

The theoretical foundation is that image safety is a relation between the image and the policy, not an intrinsic property. The paper separates perception from judgment by first extracting atomic visual attributes (e.g., exposed nudity, weapon presence, medical context) via VLMs and then applying deterministic policy rules to derive labels. This makes labels auditable and enables same-image, different-policy label flips.

Methodology

Data Curation (PolicyShiftBench)

  1. Attribute extraction: For each image, three multimodal annotators (VLMs) predict category-specific attributes (e.g., nudity, weapon, logo, license plate, hate text). Attributes are aggregated by majority vote.
  2. Policy-rule labeling: For each category–policy pair, a deterministic rule evaluates the voted attributes: zc,p(x)=fc,p(Ac(x))z_{c,p}(x) = f_{c,p}(A_c(x)) where Ac(x)A_c(x) is the attribute vector for image xx in category cc, and fc,pf_{c,p} is the policy rule.
  3. Final label: For a runtime policy bundle B={p1,,p7}B = \{p_1, \dots, p_7\} (one policy per category), the final label is the logical OR over all categories: \text{true} \mid c, & \exists c : f_{c,p_c}(a_c(x)) = 1, \\ \text{false}, & \forall c : f_{c,p_c}(a_c(x)) = 0. \end{cases}$$
  4. Policy-discriminative examples: The benchmark emphasizes boundary instances where the same image and target category yield opposite labels under different policies: (x,c,ppass)false(x, c, p_{\text{pass}}) \to \text{false}, (x,c,pblock)truec(x, c, p_{\text{block}}) \to \text{true} \mid c.

Training Recipe (PolicyShiftGuard)

Stage 1: Randomized Policy SFT (RP-SFT)

  • Trains the model on policy-conditioned SFT data (images disjoint from evaluation). Each example contains image xx, policy bundle BB, and deterministic label yy.
  • The loss is: LRP-SFT=E(x,B,y),ρ[logpθ(ρ(y)x,ρ(B))]\mathcal{L}_{\text{RP-SFT}} = \mathbb{E}_{(x, B, y), \rho} [-\log p_\theta(\rho(y) \mid x, \rho(B))] where ρ\rho randomizes policy order, surface identifiers, and category-slot assignment to prevent shortcuts.
  • Output format is concise: false or true | XX (violated category).

Stage 2: Boundary-Pair Policy Adaptation (BP-Adapt)

  • Constructs boundary pairs: for a fixed image and target category, one policy blocks (q+q^+) and another passes (qq^-): q+=(x,B+)truec,q=(x,B)false.q^+ = (x, B^+) \to \text{true} \mid c, \quad q^- = (x, B^-) \to \text{false}.
  • Fine-tunes with a combined loss: LBP=LCE+λlLlabel+λpLpair+λwLcat.\mathcal{L}_{\text{BP}} = \mathcal{L}_{\text{CE}} + \lambda_l \mathcal{L}_{\text{label}} + \lambda_p \mathcal{L}_{\text{pair}} + \lambda_w \mathcal{L}_{\text{cat}}.
    • LCE\mathcal{L}_{\text{CE}}: cross-entropy on exact answer string.
    • Llabel\mathcal{L}_{\text{label}}: separates safe/unsafe prefix.
    • Lcat\mathcal{L}_{\text{cat}}: stabilizes violated category ID on blocked examples.
    • Lpair\mathcal{L}_{\text{pair}}: margin loss that forces the blocking policy to have a higher unsafe score than the passing policy: Lpair=max(0,m(sθ(trueq+)sθ(trueq))),\mathcal{L}_{\text{pair}} = \max\left(0, m - \left( s_\theta(\text{true} \mid q^+) - s_\theta(\text{true} \mid q^-) \right) \right), where sθ(trueq)s_\theta(\text{true} \mid q) is the model score for the unsafe decision prefix.

Empirical Validation / Results

Main Results on PolicyShiftBench

Table 2 shows that PolicyShiftGuard substantially outperforms all baselines. The 7B model achieves SOTA: 76.9 Avg. F1 and 72.1 Avg. PSS, while the 3B model also ranks high. In contrast, general-purpose MLLMs (e.g., Qwen2.5-VL-72B) achieve only 49.4 Avg. F1 and 27.4 Avg. PSS. Specialized guardrails like GuardReasoner-VL-3B have 59.2 Avg. F1 but only 3.2 Avg. PSS, confirming that ordinary safe/unsafe recognition does not imply policy-shift sensitivity.

ModelAdaptive AccAdaptive F1Adaptive PSSShift AccShift F1Shift PSSAvg. AccAvg. F1Avg. PSSTime (ms)
Qwen2.5-VL-72B66.261.732.158.037.122.662.149.427.4540.3
GuardReasoner-VL-3B52.163.64.252.354.72.252.259.23.22084.5
Gemini-3-Flash-Preview70.167.045.478.374.255.974.270.650.65963.5
PolicyShiftGuard-3B86.685.679.061.147.850.573.866.764.8128.5
PolicyShiftGuard-7B86.386.873.869.967.070.478.176.972.1163.9

Table 2 (truncated for key models). PolicyShiftGuard-7B achieves SOTA on both Avg. F1 and Avg. PSS.

Cross-Benchmark Transfer

PolicyShiftGuard-7B achieves the best overall score (69.9) across UnSafeBench, SafeEditBench, and PolicyShiftBench splits (Table 3). The 3B model is second-best (62.4). This demonstrates that policy-adaptive training transfers to standard safety benchmarks.

Latency-Performance Trade-off

PolicyShiftGuard uses a concise output format (5 tokens), enabling fast inference. PolicyShiftGuard-7B reduces latency from 273.3 ms (base Qwen2.5-VL-7B) to 163.9 ms, while improving Avg. F1 by 56.3 points. Figure 3 shows it occupies a favorable Pareto frontier, surpassing even Gemini-3-Flash-Preview in both performance and speed.

Key Findings

  1. Policy-shift sensitivity is distinct from unsafe recognition: Many models have high F1 but low PSS (e.g., GuardReasoner-VL-3B: 59.2 F1, 3.2 PSS).
  2. Scaling helps but does not solve adaptation: Qwen2.5-VL-72B reaches 49.4 Avg. F1 but only 27.4 Avg. PSS.
  3. Category difficulty varies: Nudity and violence are easier; regulated goods, IP, privacy, and text-in-image are harder.
  4. Speed-performance Pareto matters: Closed-source models are strong but slow; reasoning-style guardrails add high latency without proportional policy-shift sensitivity.

Ablation Study

  • Randomized Policy SFT improves Avg. F1 by +1.2 (3B) and +7.2 (7B) over standard SFT (Table 4). However, randomization alone does not consistently improve PSS on the Shift split.
  • No-think mode outperforms thinking-mode training: no-think improves Avg. F1 by +4.3 (3B) and +8.9 (7B) in Stage 1, and by +5.6 and +12.3 in Stage 2 (Table 5). Concise final-token supervision is more effective than free-form reasoning.
  • Boundary-pair loss (Lpair\mathcal{L}_{\text{pair}}) is critical: removing it drops Avg. F1 by 10.6 (3B) and 17.7 (7B) (Table 6). More post-training data alone is not enough.
  • Loss weights are stable: Varying λw\lambda_w, λp\lambda_p, λl\lambda_l over a range causes only mild fluctuations in Avg. F1 and PSS (Figure 5), indicating the method is robust.

Theoretical and Practical Implications

Theoretical: The paper challenges the assumption that image safety is intrinsic. It formalizes safety as a policy-conditioned relation and provides a framework for evaluating and optimizing policy-adaptive guardrails. The separation of visual attributes from policy rules makes decisions auditable and enables systematic policy shifts.

Practical: PolicyShiftGuard offers a compact, fast, and accurate solution for real-world deployment. Its concise output format (binary or category-specific) and low latency (163.9 ms for 7B) make it suitable for critical-path moderation in multimodal systems. The benchmark (PolicyShiftBench) provides a standardized way to evaluate policy-adaptive guardrails, encouraging future work to focus on policy following rather than static unsafe detection.

Conclusion

The paper introduces PolicyShiftBench, a benchmark for policy-adaptive image guardrailing with 2,000 instances, 28 policy variants, and a new metric (PSS) that measures same-image policy flips. It also proposes PolicyShiftGuard, trained with Randomized Policy SFT and Boundary-Pair Policy Adaptation. Experiments show that existing models often recognize risky content without reliably following shifted policies, while PolicyShiftGuard achieves SOTA performance (76.9 Avg. F1, 72.1 Avg. PSS) with efficient decoding (163.9 ms). The results argue for evaluating multimodal guardrails by whether they ground decisions in the policy being enforced, not only by fixed safe/unsafe recognition. Future directions include extending to video, interactive policies, and dynamic policy updates.

Related papers