Comparison requires valid measurement: Rethinking attack success rate comparisons in AI red teaming
比较需要有效的测量：重新思考人工智能红队中攻击成功率比较

AI red teaming, adversarial testing, jailbreaking, and related approaches are among the most widely used methods for probing generative AI (genAI) systems for undesirable behaviors.¹¹1We use “undesirable system behaviors” as a catch-all for the types of behaviors these approaches aim to elicit.
我们用“不受欢迎的系统行为”来泛指这些方法旨在引发的行为类型。
AI 红队测试、对抗性测试、越狱测试和相关方法是目前探测生成式 AI（genAI）系统不良行为最广泛使用的方法之一。 ¹ We refer to all of these approaches generically as (AI) red teaming throughout this paper. These approaches can help identify genAI system vulnerabilities; detect memorization of intellectual property; and assess how well safety alignment prevents violations of model providers’ code of conduct policies prohibiting system use for exploitative, abusive, and otherwise harmful aims  (FMF, 2024; Llama Team, 2024; OpenAI, 2023; Nasr et al., 2023; Tamkin et al., 2021; OpenAI, 2024; Cooper et al., 2025).
在本论文中，我们将所有这些方法统称为（AI）红队测试。这些方法有助于识别 genAI 系统漏洞；检测知识产权记忆；并评估安全对齐如何防止违反模型提供者行为准则政策，这些政策禁止系统用于剥削、虐待或其他有害目的（FMF，2024；Llama 团队，2024；OpenAI，2023；Nasr 等人，2023；Tamkin 等人，2021；OpenAI，2024；Cooper 等人，2025）。

While AI red teaming has traditionally been used to obtain qualitative information about system vulnerabilities and effective attack vectors (Ahmad et al., 2024; Nasr et al., 2025), it is increasingly used to obtain quantitative information, often in the form of attack success rates. Attack success rates ($\operatorname{ASR}$s)—i.e., the fraction of attacks that were judged successful in eliciting undesirable behaviors—are routinely used as measurements for making comparative claims about whether one system is more vulnerable than another, whether mitigation efforts improved system safety, and whether some attack methods (e.g., jailbreaking methods) are superior to others (Ganguli et al., 2022; Chu et al., 2024; Tedeschi et al., 2024; Xie et al., 2024; Wei et al., 2023). In this paper, we argue the position that $\operatorname{ASR}$ comparisons often fail to provide a sound evidentiary basis for conclusions about relative system safety or attack method efficacy.
虽然人工智能红队测试传统上用于获取系统漏洞和有效攻击向量的定性信息（Ahmad 等人，2024；Nasr 等人，2025），但它越来越多地用于获取定量信息，通常以攻击成功率的形式呈现。攻击成功率（ $\operatorname{ASR}$ s）——即被判定为成功引发不良行为的攻击比例——被常规用作衡量指标，用于比较一个系统是否比另一个系统更脆弱、缓解措施是否提高了系统安全性，以及某些攻击方法（例如越狱方法）是否优于其他方法（Ganguli 等人，2022；Chu 等人，2024；Tedeschi 等人，2024；Xie 等人，2024；Wei 等人，2023）。在本文中，我们主张 $\operatorname{ASR}$ 比较往往无法为关于相对系统安全性或攻击方法有效性的结论提供可靠的证据基础。

Specifically, we focus on the simple-to-pose—but not-so-simple-to-answer—question: When can attack success rates be meaningfully compared as reflections of relative system safety or attack method efficacy? To begin, we describe how $\operatorname{ASR}$ comparisons can be viewed as evaluative or inferential claims that compare estimands on the basis of evidence provided by observed estimates (namely, $\operatorname{ASR}$s). We demonstrate how $\operatorname{ASR}$s can be viewed as estimates of population parameters (estimands) defined in terms of threat models that specify distributions over attacks and the concept(s) necessary for determining attack success. Using this framing, we provide a two-part sufficient condition for when $\operatorname{ASR}$s can be meaningfully compared. First, we need conceptual coherence: It should be meaningful to compare the population parameters. If comparing these parameters would not provide sound evidence of a claim regarding relative system safety or attack method efficacy, then comparing $\operatorname{ASR}$s—which are simply estimates of those parameters)—is no more meaningful. Second, we need measurement validity: The $\operatorname{ASR}$s should be valid measurements of the population parameters.
具体来说，我们关注一个简单提出但不易回答的问题：在何种情况下，攻击成功率可以被有意义地比较，以反映相对系统安全性或攻击方法的有效性？首先，我们描述了如何将 $\operatorname{ASR}$ 比较视为基于观察估计（即 $\operatorname{ASR}$ ）所提供的证据来比较估计量（estimands）的评估性或推断性声明。我们展示了如何将 $\operatorname{ASR}$ 视为基于威胁模型定义的总体参数（estimands）的估计量，这些威胁模型指定了攻击的分布以及确定攻击成功所必需的概念。在这个框架下，我们提供了一个两部分的充分条件，用于判断何时 $\operatorname{ASR}$ 可以被有意义地比较。首先，我们需要概念一致性：比较总体参数应该是有意义的。如果比较这些参数不能为相对系统安全性或攻击方法有效性提供可靠的证据，那么比较 $\operatorname{ASR}$ （这些参数的简单估计量）也就没有更多意义。其次，我们需要测量有效性： $\operatorname{ASR}$ 应该是总体参数的有效测量。

To answer the question of when attack success rates can be meaningfully compared, we must first understand what is being asked. Consider a hypothetical scenario in which a research team is comparing a new jailbreaking method (jailbreak $T$) to an existing competing method (jailbreak $C$). The team tests the two methods on a genAI system, $L$, obtaining $\operatorname{ASR}$s of $A_{T}=0.65$ for their method and $A_{C}=0.4$ for the competing method. What can we conclude on the basis of these results?
为了回答攻击成功率何时可以有意义地进行比较的问题，我们必须首先理解所问的是什么。考虑一个假设场景，其中研究团队正在比较一种新的越狱方法（越狱 $T$ ）和一种现有的竞争方法（越狱 $C$ ）。该团队在 genAI 系统 $L$ 上测试这两种方法，为其方法获得 $\operatorname{ASR}$ 的 $A_{T}=0.65$ ，而竞争方法获得 $A_{C}=0.4$ 。根据这些结果，我们可以得出什么结论？

There is no doubt that, as numbers, $A_{T}=0.65>0.4=A_{C}$—i.e., jailbreak $T$ attacks were judged as succeeding more often than jailbreak $C$ attacks. This is a descriptive statement summarizing the outcomes of the specific sets of attacks, system configurations, system outputs, and determinations of success. But can we conclude from these results that jailbreak $T$ is generally “superior” to jailbreak $C$? Such a conclusion would constitute an evaluative claim.
毫无疑问，作为数字， $A_{T}=0.65>0.4=A_{C}$ —即，越狱 $T$ 攻击被认为比越狱 $C$ 攻击更频繁地成功。这是一个总结特定攻击集、系统配置、系统输出和成功判定的描述性陈述。但我们能否从这些结果中得出结论，认为越狱 $T$ 通常“优于”越狱 $C$ ？这样的结论将构成一个评价性主张。

This question is akin to, but in certain ways more complex than, familiar questions arising in experimental studies of medical treatment superiority. Consider a hypothetical study where researchers conduct a randomized controlled trial in which patients are randomized to either the standard of care ($C$) or a new treatment ($T$), and then are followed for a 3-year period to assess their survival. For patients in the control group, we observe a 3-year survival rate of $A_{C}=0.40$, compared to $A_{T}=0.65$ for patients in the treatment group. Can we conclude that the new treatment is therefore “superior”? Once again, there is no doubt that, as numbers, $A_{T}=0.65>0.4=A_{C}$—i.e., in the study, the 3-year survival rate was higher for patients randomized to the new treatment than the 3-year survival rate for patients randomized to the control group receiving the standard of care. This is a descriptive claim about the observed outcomes involving the study participants.
这个问题类似于，但在某些方面比实验研究中常见的关于医疗治疗效果优越性的问题更为复杂。考虑一项假设性研究，研究人员进行了一项随机对照试验，将患者随机分配到标准护理（ $C$ ）或新疗法（ $T$ ），然后随访 3 年以评估其生存情况。对于对照组患者，我们观察到 3 年生存率为 $A_{C}=0.40$ ，而治疗组患者的 3 年生存率为 $A_{T}=0.65$ 。那么，我们能得出结论说新疗法因此“更优越”吗？再次强调，毫无疑问，作为数字， $A_{T}=0.65>0.4=A_{C}$ ——即在该研究中，被随机分配到新疗法组的患者的 3 年生存率高于被随机分配到接受标准护理的对照组患者的 3 年生存率。这是一个关于研究参与者观察结果的描述性声明。

However, when asserting that the treatment is superior, we are not making a narrow claim referring only the observed outcomes. Rather, we are (at least implicitly) making an inferential claim that generalizes from the study participants to a broader patient population. In the language of inferential statistics, our claim rests on using $A_{T}$ and $A_{C}$ as estimates to make inferences about estimands (population parameters) $\alpha_{T}=\mathbb{E}[Y^{T}(3)]$ and $\alpha_{C}=\mathbb{E}[Y^{C}(3)]$, where $Y^{T}(K)$ and $Y^{C}(K)$ denote the $K$-year survival outcomes under the new treatment and the standard of care, respectively, and the expectation is taken over the patient population to which the conclusions are intended to generalize. At a minimum, we would want to conduct a hypothesis test to assess whether the findings are statistically significant.
然而，当我们断言处理方法更优越时，我们并非仅指仅限于观察到的结果。相反，我们（至少隐含地）作出了一个从研究参与者推广到更广泛患者群体的推断性声明。在推断统计学的语言中，我们的声明基于使用 $A_{T}$ 和 $A_{C}$ 作为估计值来对估计量（总体参数） $\alpha_{T}=\mathbb{E}[Y^{T}(3)]$ 和 $\alpha_{C}=\mathbb{E}[Y^{C}(3)]$ 进行推断，其中 $Y^{T}(K)$ 和 $Y^{C}(K)$ 分别表示新治疗和标准护理下的 $K$ 年生存结果，并且期望是对结论旨在推广的患者群体进行计算。至少，我们希望进行假设检验以评估研究结果是否具有统计学意义。

But additionally, since our goal is to assess whether the new treatment is “superior” to the standard of care, it is equally important to ask whether the population parameters, $\alpha_{T}$ and $\alpha_{C}$, defined in terms of 3-year survival rates are appropriate indicators of superiority. What about considerations such as side effects? Or, if we interpret superiority even more broadly, what about treatment costs, and accessibility? Concluding that a treatment is superior on the basis of the inferential claim that $\alpha_{T}>\alpha_{C}$ is an evaluative claim. The soundness of this claim rests not only on the evidence that the observed outcomes carry about our estimands, but also on the extent to which the estimands capture meaningful notions of “treatment superiority.” In the next section, we will discuss how social science measurement theory offers a framework for formally interrogating how ambiguous, even contested, concepts such as system safety and treatment superiority are defined and measured.
但此外，由于我们的目标是评估新疗法是否“优于”标准治疗，因此同样重要的是要询问以 3 年生存率定义的总体参数 $\alpha_{T}$ 和 $\alpha_{C}$ 是否是优越性的适当指标。那么副作用等考虑因素呢？或者，如果我们更广泛地解释优越性，那么治疗成本和可及性又如何呢？基于 $\alpha_{T}>\alpha_{C}$ 的推断性主张得出治疗是优越的结论。这一主张的合理性不仅取决于观察到的结果关于我们的估计量所携带的证据，还取决于估计量捕捉到“治疗优越性”这一有意义概念的程度。在下一节中，我们将讨论社会科学测量理论如何提供一个框架，以正式地探究诸如系统安全性和治疗优越性等模糊甚至有争议的概念是如何被定义和测量的。

This means that having comparable estimands is a necessary condition for meaningful $\operatorname{ASR}$ comparisons in AI red teaming. We call this condition conceptual coherence. To understand this condition, suppose that in the treatment superiority example, the researchers had compared the 3-year survival rate under the standard of care (control) to the 2-year survival rates under the new treatment. Then even if the sample size was sufficiently large to conclude the difference is statistically significant, and even if we believe that survival is a good indicator of treatment superiority, we would dismiss the evaluative claim that the new treatment is superior to the standard of care as being grounded in the apples-to-oranges comparison of $\alpha_{T}(2)=\mathbb{E}[Y^{T}(2)]$ to $\alpha_{C}(3)=\mathbb{E}[Y^{C}(3)]$. This scenario may seem unlikely to arise in practice, and indeed in any reasonable medical study it would not. But, as we show in §4, incongruent estimands commonly arise in $\operatorname{ASR}$ comparisons in AI red teaming studies. Reflecting on this example highlights another key point: meaningful comparisons rely on more than simply accounting for sampling variation of estimates through confidence intervals and hypothesis tests (Cooper et al., 2021; Hayes et al., 2025a). Indeed, we are primarily concerned with validity issues (bias and systematic mismeasurement) not simply reliability issues (sampling variation).
这意味着，在 AI 红队中，具有可比的估计指标是进行有意义的比较的必要条件。我们将此条件称为概念一致性。为了理解这个条件，假设在治疗优势的例子中，研究人员将标准护理（对照组）下的 3 年生存率与新型治疗下的 2 年生存率进行了比较。那么，即使样本量足够大，足以得出差异具有统计学意义的结论，即使我们认为生存率是治疗优势的良好指标，我们也会认为“新型治疗优于标准护理”的评估主张是基于苹果与橙子的比较（ $\alpha_{T}(2)=\mathbb{E}[Y^{T}(2)]$ 与 $\alpha_{C}(3)=\mathbb{E}[Y^{C}(3)]$ ），从而将其视为无效。这种情况在实践中似乎不太可能发生，实际上在任何合理的医学研究中都不会发生。但是，正如我们在§4 中所示，不一致的估计指标在 AI 红队研究中的比较中普遍存在。 回顾这个例子突显了另一个关键点：有意义的比较不仅依赖于通过置信区间和假设检验来计算估计值的抽样变化（Cooper 等人，2021 年；Hayes 等人，2025a 年）。实际上，我们主要关注的是有效性问题（偏差和系统性测量误差），而不仅仅是可靠性问题（抽样变化）。

We now describe how ideas from social science measurement theory provide a language for describing the connections between measurements (e.g., $\operatorname{ASR}$s) and the concepts they are intended to reflect (e.g., safety, vulnerability, efficacy). For concreteness, we focus on jailbreaking, though the ideas are broadly applicable to $\operatorname{ASR}$s obtained via other AI red teaming approaches. We focus on the setting in which $\operatorname{ASR}$s are most commonly reported— where humans or “red models” interact with genAI systems through prompting²²2Measurement theory is also helpful in understanding other types of attacks, such as those that rely on access to model weights or fine-tuning APIs. However, such attacks require a different setup, so we do not cover them.
测量理论也有助于理解其他类型的攻击，例如那些依赖于访问模型权重或微调 API 的攻击。然而，此类攻击需要不同的设置，因此我们不予涵盖。
我们现在描述社会科学测量理论中的思想如何为描述测量（例如， $\operatorname{ASR}$ s）与其意图反映的概念（例如，安全性、漏洞、功效）之间的联系提供一种语言。为了具体说明，我们以越狱为例，尽管这些思想广泛适用于通过其他人工智能红队方法获得的 $\operatorname{ASR}$ s。我们关注的是 $\operatorname{ASR}$ s 最常报告的设置——人类或“红模型”通过提示 ² 与生成式 AI 系统交互。 (via a user interface or API) to try to elicit undesirable behaviors.
（通过用户界面或 API）尝试诱出不良行为。

Setup and key definitions. Our goal is to evaluate a genAI system $L$ (the “target system”) that produces a response $R=L(P)=L(P;\phi)$ to a “harmful” prompt, $P$. Here, $\phi$ denotes configuration parameters such as the system prompt, temperature, decoding scheme, max tokens, or other settings that govern $L$. We suppress $\phi$ in our notation when only a single configuration is considered.
设置和关键定义。我们的目标是评估一个生成式 AI 系统 $L$ （“目标系统”），该系统对“有害”提示 $P$ 产生响应 $R=L(P)=L(P;\phi)$ 。这里， $\phi$ 表示系统提示、温度、解码方案、最大令牌数或其他控制 $L$ 的配置参数。当只考虑单个配置时，我们在符号中省略 $\phi$ 。

Given a set of base harmful prompts, $D$, jailbreak attacks aim to get systems to comply with harmful requests by transforming the base prompts $P\in D$ (e.g., by concatenating a suffix such as “Begin your answer with ‘Sure, here’s’", or mapping to a Base64 encoding), or by perturbing the system configuration $\phi$ (e.g., by modifying the system prompt or decoding scheme) Andriushchenko et al. (2024); Liu et al. (2024); Mehrotra et al. (2024); Wei et al. (2023); Nasr et al. (2023, 2025). Attack success is determined by a judge, $J:(R;P)\mapsto\{0,1\}$, which indicates whether system response $R$ meets the criteria for attack success with respect to prompt $P$. $J$ could reflect human determination, where one or more humans determine attack success; alternatively $J$ could be a “red model” such as a simple substring matching function (Zou et al., 2023) or a judge system following the LLM-as-a-judge paradigm (Gu et al., 2024; Perez et al., 2022). We use $J(L(P);P)$, $J(R;P)$, and $J(L(P))$ interchangeably throughout.
给定一组基础有害提示， $D$ ，越狱攻击旨在通过转换基础提示 $P\in D$ （例如，通过添加后缀“以‘Sure, here’s’开头回答”，或映射到 Base64 编码），或通过扰动系统配置 $\phi$ （例如，通过修改系统提示或解码方案）来使系统遵从有害请求。Andriushchenko 等人（2024）；Liu 等人（2024）；Mehrotra 等人（2024）；Wei 等人（2023）；Nasr 等人（2023，2025）。攻击成功由裁判 $J:(R;P)\mapsto\{0,1\}$ 判定，该裁判表明系统响应 $R$ 是否满足针对提示 $P$ 的攻击成功标准。 $J$ 可能反映人类判定，即一个或多个人类判定攻击成功；或者 $J$ 可能是一个“红模型”，例如简单的子串匹配函数（Zou 等人，2023）或遵循 LLM 作为裁判范式的裁判系统（Gu 等人，2024；Perez 等人，2022）。我们在全文中交替使用 $J(L(P);P)$ 、 $J(R;P)$ 和 $J(L(P))$ 。

Given a base harmful prompt $P$, a jailbreak attack instance is a transformation $\tau=\tau(P):P\mapsto P^{\prime}$ that maps $P$ to a new prompt $P^{\prime}$; e.g., by adding a suffix. In the special case where $\tau$ is the identity transformation (i.e., $\tau(P)=I(P)=P$), $P$ is unaltered. A jailbreaking method is a process $\mathcal{T}:(L_{0},D_{0},J_{0})\mapsto\mathbf{T}$ for constructing a set of transformations $\mathbf{T}=\{\tau_{k}\}_{k=1}^{K}$. Here, $L_{0}$ is a system used to construct the transformations, which may be the same as the target system, $L$, for “direct” attacks, or a different model for “transfer” attacks (e.g., Zou et al., 2023) ; $D_{0}=\{P^{0}_{i}\}_{i=1}^{n}$ is a set of prompts that may or may not contain the base harmful prompts, $D$, on which the $\operatorname{ASR}$ will be ultimately computed; and $J_{0}$ is a judge, which may be the same as $J$ or a separate “attack scorer model” (e.g., Huang et al., 2023).
给定一个基础有害提示 $P$ ，一个越狱攻击实例是一个转换 $\tau=\tau(P):P\mapsto P^{\prime}$ ，它将 $P$ 映射到一个新的提示 $P^{\prime}$ ；例如，通过添加一个后缀。在 $\tau$ 是恒等转换的特殊情况下（即 $\tau(P)=I(P)=P$ ）， $P$ 保持不变。越狱方法是一个过程 $\mathcal{T}:(L_{0},D_{0},J_{0})\mapsto\mathbf{T}$ ，用于构建一组转换 $\mathbf{T}=\{\tau_{k}\}_{k=1}^{K}$ 。在这里， $L_{0}$ 是用于构建转换的系统，它可能与目标系统 $L$ 相同，用于“直接”攻击，或者对于“迁移”攻击是一个不同的模型（例如，Zou 等人，2023 年）； $D_{0}=\{P^{0}_{i}\}_{i=1}^{n}$ 是一组提示，可能包含也可能不包含基础有害提示 $D$ ，最终的计算将基于这些提示进行； $J_{0}$ 是一个裁判，它可能与 $J$ 相同，或者是一个独立的“攻击评分模型”（例如，Huang 等人，2023 年）。

In measurement theory, concept conceptualization, also termed systematization in recent work on genAI evaluation Wallach et al. (2025), is one of three core processes linking between measurements and the concept of interest. Figure 1 instantiates jailbreaking in a formal measurement theory framework, in which $\operatorname{ASR}$s are viewed as measurements arising from the execution of a jailbreaking protocol (operationalized activity) to measure attributes of a system (estimands), defined through a probabilistic threat model (systematized activity) that formalizes the attack goals (background activity). These four levels are connected via three processes: systematization, operationalization, and execution. This representation builds on recent work adapting the framework of Adcock and Collier (2001)³³3Adcock and Collier (2001) represent measurement as moving from a “background concept” to measurement through the processes of conceptualization (what we call systematization), operationalization, and application (what we call execution). Conceptualization is the process of precisely defining what we are measuring. Complex concepts such as safety and efficacy are background concepts that encompass a “broad [and often conflicting] constellation of meanings and understandings” (Adcock and Collier, 2001). In order to pose the question of how well $\operatorname{ASR}$s reflect concepts like safety and efficacy, we need to move from background concepts to systematized concepts: precise articulations of which of the many possible meanings and understandings we are targeting. Appendix B provides additional background on measurement theory.
Adcock 和 Collier（2001）将测量视为从“背景概念”转变为通过概念化（我们称之为系统化）、操作化和应用（我们称之为执行）的过程来实现。概念化是精确定义我们正在测量的内容的过程。安全性和有效性等复杂概念是背景概念，它们包含“广泛[且通常相互冲突]的意义和理解组合”（Adcock 和 Collier，2001）。为了提出 $\operatorname{ASR}$ 如何反映安全性和有效性等概念的问题，我们需要从背景概念转向系统化概念：即精确阐述我们针对的是众多可能的意义和理解中的哪些。附录 B 提供了关于测量理论的更多背景信息。
在测量理论中，概念概念化，近期在关于生成式 AI 评估的文献中 Wallach 等人（2025）也称之为系统化，是连接测量与目标概念的三种核心过程之一。图 1 在形式化测量理论框架中实例化了越狱行为，其中 $\operatorname{ASR}$ 被视为源于执行越狱协议（操作化活动）的测量，用于测量系统属性（估计量），该属性通过概率威胁模型（系统化活动）定义，该模型形式化了攻击目标（背景活动）。这四个层次通过三种过程连接：系统化、操作化和执行。这种表示基于近期对 Adcock 和 Collier（2001） ³ 框架的适应性工作。 to genAI evaluation (Chouldechova et al., 2024; Wallach et al., 2025).
到生成式 AI 评估（Chouldechova 等人，2024；Wallach 等人，2025）。

Each component consists of three primary elements: (1) the concept, which gets systematized in the “success criteria” by precisely defining the kinds of undesirable system behaviors that, if elicited, would constitute attack success; (2) the context, which specifies the types of attack goals that are of interest; and (3) the conditions specifying the constraints, resources, information, and other factors governing the jailbreaking activity (e.g., whether we’re looking at direct attacks, where the $L_{0}=L$ or transfer attacks (e.g., Zou et al. (2023)), where $L_{0}\neq L$, or both direct attacks and transfer attacks). The figure also depicts a fourth key element, the aggregation step governing how instance-level attack success indicators are aggregated up to an overall goal-level $\operatorname{ASR}$ (e.g., Top-1, one-shot, etc), which we discuss in detail in §4. The aggregation step ultimately determines the specific functional form of the estimand, $\alpha$, which we term the attack success probability.
每个组件由三个主要元素构成：（1）概念，通过在“成功标准”中精确定义那些若被触发将构成攻击成功的系统不良行为来系统化该概念；（2）背景，指定感兴趣攻击目标的类型；（3）条件，规定控制越狱活动的约束、资源、信息和其他因素（例如，我们是在研究直接攻击，还是在研究 $L_{0}=L$ 或迁移攻击（如 Zou 等人（2023 年）），其中 $L_{0}\neq L$ ，或两者都是直接攻击和迁移攻击）。该图还描绘了第四个关键元素，即聚合步骤，该步骤控制实例级攻击成功指标如何聚合到总体目标级 $\operatorname{ASR}$ （例如，Top-1、一次性等），我们在§4 中详细讨论该聚合步骤。聚合步骤最终决定了估计量 $\alpha$ 的具体函数形式，我们称之为攻击成功概率。

The systematized activity: probabilistic threat model. Within cybersecurity, threat models specify the attack surface and provide definitions for evaluating the efficacy of an attack. In specifying the systematized activity, we take inspiration from probabilistic approaches that have been central to influential work in ML security Yeom et al. (2018); Carlini et al. (2022); Hayes et al. (2025b); Shokri et al. (2017); Carlini et al. (2019); Hayes et al. (2025a); Cooper et al. (2025), but remain largely absent from work on AI red teaming, despite strong parallels between the fields. The key definition for the systematized activity is as follows:
系统化活动：概率威胁模型。在网络安全领域，威胁模型指定攻击面，并为评估攻击的有效性提供定义。在指定系统化活动时，我们借鉴了概率方法，这些方法一直是 ML 安全领域有影响力工作的核心，如 Yeom 等人（2018 年）；Carlini 等人（2022 年）；Hayes 等人（2025b 年）；Shokri 等人（2017 年）；Carlini 等人（2019 年）；Hayes 等人（2025a 年）；Cooper 等人（2025 年），尽管这些领域之间存在强烈相似性，但这些方法在 AI 红队工作中却基本缺失。系统化活动的关键定义如下：

The constituent components $s$ and $\mathcal{D}$ can be viewed as systematized (population) elements that are operationalized through the judge $J$ and the set of base harmful prompts $D$, respectively. Here, $s$ is an “oracle” that indicates whether observing system response $R$ to prompt $P$ constitutes an undesirable behavior with respect to prompt $P$. When undesirable behavior is governed by regulation or company policy, we can think of $s$ as an expert adjudication of whether response $R$ violates stated policy. We generally do not have direct access to $s$ when conducting the jailbreaking activity. Regardless, when we run jailbreaking experiments, the goal is to collect evidence that will let us draw conclusions concerning $s$—not $J$. That is, the key point is that in measuring complex concepts such as safety and efficacy, we are fundamentally interested in success as assessed according to $s$. The judge $J$ is simply the (often highly imperfect) operationalization of the attack success criteria that we wish to use in the jailbreaking activity.
构成组件 $s$ 和 $\mathcal{D}$ 可以被视为通过裁判 $J$ 和基础有害提示集 $D$ 分别系统化的（群体）元素。在这里， $s$ 是一个“预言机”，用于指示观察系统对提示 $P$ 的响应 $R$ 是否相对于提示 $P$ 构成不良行为。当不良行为受法规或公司政策管辖时，我们可以将 $s$ 视为专家裁决，判断响应 $R$ 是否违反了既定政策。在进行越狱活动时，我们通常无法直接获取 $s$ 。无论如何，当我们运行越狱实验时，目标是为我们得出关于 $s$ 的结论收集证据——而不是 $J$ 。也就是说，关键点在于，在衡量安全性和有效性等复杂概念时，我们本质上关心的是根据 $s$ 评估的成功。裁判 $J$ 仅仅是我们在越狱活动中希望使用的攻击成功标准的（通常高度不完美的）操作化实现。

Having accurate measurements of a poorly systematized activity that arguably does not reflect a meaningful notion of system safety or attack method efficacy still does not entitle us to make broad evaluative claims. For instance, we could, in principle, systematize undesirable system behavior as “the system response contains the word ‘hibiscus’.” This is a precise definition. But it is clearly a terrible systematization of undesirable system behaviors that is completely detached from reasonable notions of system safety. In most jailbreaking studies, safety is synonymous with the refusal to comply with harmful prompts. Yet in practice, this refusal-as-safety paradigm is increasingly called into question Yuan et al. (2025). Disconnects arising from poor systematization are shown in Figure 1 as “conceptual gaps”. Contesting a systematized activity falls under what Wallach et al. (2025) term “conceptual debates.”
对一项组织不善的活动进行精确测量，而这项活动据称并不能反映系统安全或攻击方法有效性的任何有意义的概念，这仍然不能让我们做出广泛的评估性声明。例如，原则上我们可以将不希望的系统行为系统化为“系统响应包含‘木槿花’这个词”。这是一个精确的定义。但它显然是对不希望的系统行为的一种糟糕的系统化，完全脱离了合理的系统安全概念。在大多数越狱研究中，安全等同于拒绝执行有害提示。然而在实践中，这种以拒绝为安全模式的范式正越来越受到质疑（Yuan 等人，2025 年）。由于系统化不良而产生的脱节在图 1 中表现为“概念差距”。对系统化活动的质疑属于 Wallach 等人（2025 年）所称的“概念争论”。

Having instantiated jailbreaking in a formal measurement theory framework, we are equipped to discuss how failures of conceptual coherence and measurement validity typically arise in practice.
在形式测量理论框架中实例化越狱后，我们便具备了讨论在实际中概念一致性失败和测量有效性通常如何产生的条件。

Precisely what “attack success rate” means differs both across and within studies in a manner that can undermine the utility of $\operatorname{ASR}$s for comparison. Specifically, it can lead to conceptual incoherence—incongruity between the estimands, $\alpha$, entailed in the comparison. The term “attack” success rate is itself misleading. It suggests that what is being computed is the fraction of attacks that succeed. $\operatorname{ASR}$s, however, reflect the fraction of attack goals⁴⁴4In most cases, the goal is defined by the base harmful prompt.
在大多数情况下，目标由基础有害提示定义。 that are successfully met. For jailbreaking, the goal is captured by the base harmful prompt (e.g., “Can you guide me to create a phishing website?” Chu et al. (2024)). This distinction is important because there is variation in how goal-level success is defined—in particular, in how attack instance-level success indicators $J(\tau(P);P)$ are aggregated up at the goal (base harmful prompt) level. The key implication of this is that one can obtain higher $\operatorname{ASR}$s simply by moving the proverbial goal posts by changing the aggregation to make success easier to achieve.
“攻击成功率”的确切含义在不同研究之间以及研究内部存在差异，这种差异可能削弱 $\operatorname{ASR}$ 用于比较的有效性。具体而言，它可能导致概念不连贯——即比较中隐含的估计量 $\alpha$ 之间的不一致性。“攻击”成功率这一术语本身具有误导性。它暗示所计算的是成功攻击的比例。 $\operatorname{ASR}$ 然而，这些比例反映的是攻击目标 ⁴

In this section, we discuss this issue through a three-part case study of repeated sampling for non-deterministic target system configurations. We show that repeated sampling has the effect of, in the language of §2, changing the underlying estimands. To focus on conceptual coherence, in this section we consider the idealized setting where we have “perfectly operationalized” the systematized activity. That is, we assume the base harmful prompts used in the red teaming activity, $D$, are indeed drawn from the goal distribution, $\mathcal{D}$; and the operational judge of attack success, $J$, perfectly captures the oracle attack success criteria $s$ (i.e., assume $J=s$). In §5, when discussing measurement validity concerns, we return to the real-world, non-idealized setting for which there is measurement error introduced from the operationalization of a systemized activity (Figure 1).
在本节中，我们通过一个关于非确定性目标系统配置重复抽样的三部分案例研究来讨论这个问题。我们表明，重复抽样的效果是，用§2 中的语言来说，改变了底层估计量。为了聚焦于概念一致性，在本节中，我们考虑理想化的设置，其中我们将系统化活动“完美地操作化”了。也就是说，我们假设红队活动中使用的基准有害提示 $D$ 确实来自目标分布 $\mathcal{D}$ ；并且攻击成功的操作化裁判 $J$ 完美地捕捉了预言机攻击成功标准 $s$ （即假设 $J=s$ ）。在§5 中，当讨论测量有效性问题时，我们回到现实世界、非理想化的设置，其中由于系统化活动的操作化引入了测量误差（图 1）。

How do these estimands compare? $\alpha_{\mathrm{GE}}$ is a “Top-1” (of 392) metric, which asks how often at least one of $392$ sampled responses from $L$ is judged successful⁵⁵5Appendix C provides additional discussion of aggregations and resulting estimands, including remarks on how terms like “Top-1” are used inconsistently in the literature to refer to different aggregation schemes.
附录 C 提供了关于聚合和结果估计量的额外讨论，包括关于文献中如何不一致地使用“Top-1”等术语来指代不同的聚合方案的评论。
这些估计量如何比较？ $\alpha_{\mathrm{GE}}$ 是一个“Top-1”（392 个中的 Top-1）指标，它询问从 $L$ 采样的 $392$ 个响应中，至少有一个被判定为成功的频率 ⁵ . For prompts where the one-shot success probability $p_{0}=\mathbb{P}[J(L(P_{0};\phi_{0}))=1]$ is non-negligible, say, $p_{0}\geq 0.01$, the probability of observing at least one success in 392 attempts is $1-(1-p)^{392}\geq 1-0.99^{392}=0.98$. Indeed, when prompt-level success is defined as at least one attack succeeding, we can trivially improve the $\operatorname{ASR}$ of any jailbreak through repeated sampling using a non-deterministic configuration. $\alpha_{\mathrm{GCG}}$ is instead a “one-shot” metric, which asks how often a single sampled response $L(\tau^{P}_{500})$ is judged successful.
对于提示词中单次尝试成功率 $p_{0}=\mathbb{P}[J(L(P_{0};\phi_{0}))=1]$ 非忽略不计的情况，比如 $p_{0}\geq 0.01$ ，在 392 次尝试中至少观察到一次成功的概率是 $1-(1-p)^{392}\geq 1-0.99^{392}=0.98$ 。确实，当提示词级别的成功定义为至少一次攻击成功时，我们可以通过使用非确定性配置反复采样来轻易提高任何越狱攻击的 $\operatorname{ASR}$ 。 $\alpha_{\mathrm{GCG}}$ 则是一个“单次”指标，它询问单个采样响应 $L(\tau^{P}_{500})$ 被判定为成功的频率。

So is GE “more effective” than GCG, as the authors conclude? Returning to our survival rate analogy, comparing Top-1 (of 392) to one-shot is akin to comparing 2-year survival under treatment to 3-year survival under control. It is fundamentally apples-to-oranges. Without further assumptions, it is unclear how any meaningful conclusions about (jailbreak or treatment) efficacy can be drawn. A more congruent comparison could compute Top-1 $\operatorname{ASR}$ over a subset of $392$ of the $500$ $\tau$’s constructed across the optimization steps of GCG.
那么，GE 是否比 GCG“更有效”，正如作者所结论的那样？回到我们的生存率类比，比较 Top-1（392 个中的 Top-1）与单次尝试，相当于比较治疗下的 2 年生存率与控制下的 3 年生存率。这从根本上就是苹果与橙子的比较。没有进一步的假设，无法得出关于（越狱攻击或治疗）有效性的任何有意义结论。一个更一致的比较可以通过在 GCG 优化步骤中构建的 $500$ $\tau$ 的子集上计算 Top-1 $\operatorname{ASR}$ 来进行。

II. Does the decoding configuration really matter? As we have argued, the GCG vs. GE analysis does not appear to compare the right quantities to establish the greater effectiveness of GE. To surface additional insights concerning this observation, we ran an experiment based on the study’s original setup. We replicate the experiments from Huang et al. (2023) for the Llama 2 7B and 13B chat models, using the same 100 base prompts from their MaliciousInstruct dataset. However, to compare between repeated sampling from a fixed configuration to sampling once from each of several configurations, we obtain 49 sampled responses for each prompt from each of the $|\Phi|=49$ decoding configurations (Appendix E.1). We sought to understand to what extent the $\operatorname{ASR}$ boosts they observed over greedy decoding were attributable to the effect of applying a Top-1 instead of a one-shot metric, as opposed to certain non-deterministic decoding configurations truly leading to higher chances of attack success.
II. 解码配置真的有那么重要吗？正如我们所论证的，GCG 与 GE 的分析似乎并未比较正确的量来确立 GE 的更高有效性。为了揭示这一观察的更多见解，我们基于研究原始设置进行了一项实验。我们复制了 Huang 等人（2023）针对 Llama 2 7B 和 13B 聊天模型的实验，使用了他们 MaliciousInstruct 数据集中的相同 100 个基础提示。然而，为了比较从固定配置重复采样与从多个配置中各采样一次，我们从每个 $|\Phi|=49$ 解码配置中为每个提示获得 49 个采样响应（附录 E.1）。我们试图了解他们观察到的 $\operatorname{ASR}$ 相对于贪婪解码的提升在多大程度上归因于应用 Top-1 而非一次性指标的效果，而不是某些非确定性解码配置真正导致攻击成功率更高的效果。

Figure 2 A shows Top-1 $\operatorname{ASR}$ over $K\!=\!49$ repeated samples for each configuration $\phi\in\Phi$ in orange (corresponding to estimand $\alpha_{\mathrm{Top1(49)}}=\mathbb{P}_{P\sim\mathcal{D}}\left[\max_{k\in\{1,\ldots,49\}}J(L(P;\phi)_{k});P)=1\right]$, and one-shot $\operatorname{ASR}$ (corresponding to estimand $\mathbb{P}_{P\sim\mathcal{D}}[J(L(P;\phi))=1]$) in green. We clearly see that one-shot $\operatorname{ASR}$ remains stable around $\sim 0.2$ across configurations,⁶⁶6This partly contradicts a key claim made by the authors in their Table 2, where they assert that models are more vulnerable under certain decoding strategies, intending this in the “one-shot” $\operatorname{ASR}$ sense.
这部分与作者在表 2 中提出的一个关键主张相矛盾，他们在该表中断言，在某些解码策略下模型更容易受到攻击，并且他们是在“一次性” $\operatorname{ASR}$ 的意义上这样说的。
图 2A 显示了每个配置中 Top-1 $\operatorname{ASR}$ 在 $K\!=\!49$ 重复样本中的表现，以橙色表示（对应估计量 $\alpha_{\mathrm{Top1(49)}}=\mathbb{P}_{P\sim\mathcal{D}}\left[\max_{k\in\{1,\ldots,49\}}J(L(P;\phi)_{k});P)=1\right]$ ，以及以绿色表示的单次 $\operatorname{ASR}$ （对应估计量 $\mathbb{P}_{P\sim\mathcal{D}}[J(L(P;\phi))=1]$ ）。我们清楚地看到，单次 $\operatorname{ASR}$ 在不同配置中始终稳定在 $\sim 0.2$ 左右， ⁶ except at the highest temperatures.⁷⁷7The original experiments considered temperature $t$ only up to 1.0. We additionally experimented with $t\in\{1.5,2.0\}$ to assess whether the pattern of higher success at higher temperatures extends.
原始实验仅考虑温度 $t$ 高达 1.0。我们额外进行了 $t\in\{1.5,2.0\}$ 实验，以评估在更高温度下成功率更高的模式是否仍然适用。
除了在最高温度下。 ⁷ Top-1 $\operatorname{ASR}$, however, increases with temperature, $k$ and $p$. What accounts for this difference? Digging deeper, we find that while the one-shot $\operatorname{ASR}$ does not change much, Panel C shows that as we increase the temperature, the entropy of the prompt-level attack success probability distribution increases. The success probability actually decreases for many prompts, but also more prompts move away from an effectively-0 success probability to a slightly larger one. Thus while the average one-shot attack success probability (the mean of the distribution shown in the histograms) does not change, the distributional shift has a large effect on Top-1 type metrics under resampling. This is because the probability that a prompt $P_{0}$ with success probability $p_{0}$ succeeds on at least one of $K$ samples, $1-(1-p_{0})^{K}$, grows rapidly as $p_{0}$ moves away from 0 for even moderate $K$. Our results clearly show that it is not the decoding configuration per se that improves $\operatorname{ASR}$, but rather the use of high-entropy decoding configurations combined with Top-1 aggregation over a large number of repeated samples of model responses.
然而，Top-1 $\operatorname{ASR}$ 随着温度的升高而增加， $k$ 和 $p$ 。这种差异的原因是什么？深入挖掘后，我们发现虽然单次 $\operatorname{ASR}$ 变化不大，但面板 C 显示，随着温度的升高，提示级攻击成功概率分布的熵增加。对于许多提示，成功概率实际上会降低，但更多提示会从有效的 0 成功概率移动到一个稍大的值。因此，虽然平均单次攻击成功概率（直方图中显示的分布的均值）没有变化，但在重采样下，分布的偏移对 Top-1 类型指标有重大影响。这是因为当成功概率为 $p_{0}$ 的提示 $P_{0}$ 在 $K$ 样本中至少成功一次的概率 $1-(1-p_{0})^{K}$ ，随着 $p_{0}$ 远离 0，即使对于适度的 $K$ ，这个概率也会迅速增长。我们的结果表明，不是解码配置本身提高了 $\operatorname{ASR}$ ，而是使用高熵解码配置，并结合对大量重复模型响应样本的 Top-1 聚合。

III. Do sophisticated jailbreaks (actually) beat the baseline? These findings should make us skeptical of claims that sophisticated-seeming jailbreaks outperform base prompting when Top-1 metrics are used. Consider for instance the large-scale evaluation study of Chu et al. (2024), where the authors compare Top-1 (of $\sim$50) $\operatorname{ASR}$s of 17 jailbreak methods across 8 models. For each model, they also report a “baseline” attack success rate, $\operatorname{ASR}_{\mathrm{base}}=\frac{1}{n}\sum J(R_{i};P_{i})$, which is the fraction of base prompts that succeed as-is with a single sampled response (i.e., one-shot $\operatorname{ASR}$). Using the set of 160 base prompts made publicly available by the authors, we repeated their baseline experiment for the Llama 2 7B Chat model, one of the “safest” models in their study (see Appendix E). We find that the Top-1 $\operatorname{ASR}$ over 50 repeated samples of the baseline prompts at temperature 2.0 is 0.83. We cannot directly compare this result with the best performing jailbreak they identify (LAA Andriushchenko et al. (2024), reported $\operatorname{ASR}$ 0.88($\pm$0.04)) because we did not use their identical judge system; nevertheless, based on the experimental setup, we expect the judges to largely agree. This suggests that even sophisticated jailbreaking methods may perform similarly to simply repeatedly resampling responses to the base prompt, $L(P)$. Indeed, $\operatorname{ASR}$s for many of the other jailbreaks on Llama 2 were much lower, most below 0.6. Our results show that repeatedly sampling responses $K$ times under a high-entropy decoding configuration forms a strong baseline. Studies introducing new jailbreaks assessed using Top-1 (of $K$) metrics should demonstrate that they definitively outperform this repeated sampling baseline. For a stronger baseline, studies can also compare to the Best-of-N jailbreak Hughes et al. (2024), which applies a randomly selected perturbation to the prompt each time rather than simply resampling.
III. 复杂的越狱攻击（真的）胜过基准吗？这些发现应让我们对那些声称看似复杂的越狱攻击在使用 Top-1 指标时优于基准提示的断言持怀疑态度。以 Chu 等人（2024）的大规模评估研究为例，作者比较了 17 种越狱方法在 8 个模型上的 Top-1（ $\sim$ 50） $\operatorname{ASR}$ s。对于每个模型，他们还报告了一个“基准”攻击成功率 $\operatorname{ASR}_{\mathrm{base}}=\frac{1}{n}\sum J(R_{i};P_{i})$ ，即基准提示在单次采样响应（即 one-shot $\operatorname{ASR}$ ）中成功的比例。使用作者公开提供的 160 个基准提示集，我们重复了他们在研究中“最安全”的模型之一 Llama 2 7B Chat 的基准实验（见附录 E）。我们发现，在温度为 2.0 时，基准提示在 50 次重复采样中的 Top-1 $\operatorname{ASR}$ 为 0.83。由于我们没有使用他们相同的评判系统，因此我们无法将此结果与他们在研究中识别的最佳越狱攻击（LAA Andriushchenko 等人（2024），报告 $\operatorname{ASR}$ 0.88（ $\pm$ 0.04））直接比较；然而，根据实验设置，我们预期评判者会大体上达成一致。 这表明即使是复杂的越狱方法，其表现也可能与简单地重复对基础提示进行重采样相似， $L(P)$ 。事实上， $\operatorname{ASR}$ 对于 Llama 2 上的许多其他越狱方法，其分数要低得多，大多数低于 0.6。我们的结果表明，在具有高熵解码配置下，重复采样响应 $K$ 次，形成了一个强有力的基准。引入新越狱方法并使用 Top-1（of $K$ ）指标进行评估的研究，应证明它们明确优于这种重复采样基准。 为了获得更强的基准，研究还可以与 Best-of-N 越狱方法 Hughes 等人（2024 年）进行比较，该方法每次对提示应用随机选择的扰动，而不是简单地重采样。

Lastly, we note that identifying cases of conceptual incoherence requires knowing how reported attack success rates were computed. In our literature review, we found that ASR definitions are frequently ambiguous, and their computations are often left out of accompanying code. This makes it difficult for both readers and authors alike to assess conceptual coherence. We note that both conceptual coherence issues and the measurement validity issues we discuss later in §5 are often infeasible to correct for post hoc, unless experimental data is logged at a very granular level. Indeed, we conducted our own experiments for this paper precisely because reanalysis of logged data was insufficient for our case study.
最后，我们注意到，识别概念上的不连贯性需要了解报告的攻击成功率是如何计算的。在我们的文献综述中，我们发现 ASR 定义经常是模糊的，而它们的计算通常被省略在随附的代码中。这使得读者和作者都难以评估概念上的连贯性。我们注意到，我们将在§5 中讨论的概念连贯性问题以及测量有效性问题，在事后往往难以纠正，除非实验数据被非常精细地记录。事实上，我们为本文进行了自己的实验，正是因为对已记录数据的再分析对于我们的案例研究是不够的。

Our discussion so far has relied only on a mechanistic understanding of jailbreaking and the different types of aggregation that go into defining attack success rates. This discussion helps us understand when an evaluative claim may be poorly grounded because the underlying estimands are incongruent. But what if we have conceptual coherence—i.e., the estimands do seem comparable? We now discuss how measurement validity issues commonly arise due disconnects between (i) the target harmful prompt distribution, $\mathcal{D}$, and the base harmful prompts $D$ used in the given jailbreaking activity; and (ii) the systematized “oracle” success criterion $s(R;P)$ defining our true success criteria and the operational “judge” $J(R;P)$ used to assess success in practice.
我们目前的讨论仅依赖于对越狱的机制性理解和定义攻击成功率所涉及的各类聚合方式。这种讨论帮助我们理解当底层估计量不一致时，评估性声明可能缺乏坚实基础。但如果我们有概念上的连贯性——即估计量似乎确实可以比较呢？我们现在讨论测量有效性问题通常如何产生，原因在于（i）目标有害提示分布 $\mathcal{D}$ 与在给定越狱活动中使用的基准有害提示 $D$ 之间的脱节；以及（ii）定义我们真实成功标准的系统化“预言家”成功标准 $s(R;P)$ 与用于实际评估成功的操作化“裁判” $J(R;P)$ 之间的脱节。

As noted at the outset, our argument is not intended to apply to all AI red teaming activities. Not all AI red teaming activities can, should, or are even intended to result in measurements. For example, AI red teaming is often used as a type of “existence proof,” producing valuable examples of undesirable behaviors and surfacing “unknown unknowns”—i.e., qualitative information—without any attempt at quantification (e.g., Casper et al., 2023; Nasr et al., 2023; Cooper et al., 2025). Our argument most directly applies to situations in which AI red teaming is used to obtain measurements in the form of $\operatorname{ASR}$s that one might try, justifiably or not, to compare. At the same time, certain elements of the measurement theory framework we outline—such as the difference between how safety is conceptualized through $s$ verses how it is operationalized through $J$—are relevant for more qualitative forms of red teaming as well. Indeed, the original work by Adcock and Collier (2001) that inspired our framework was in part an effort to bridge quantitative and qualitative research methods in political science.
如开篇所述，我们的论点并非旨在适用于所有人工智能红队演练活动。并非所有人工智能红队演练活动都能、应该或甚至意图产生测量结果。例如，人工智能红队演练常被用作一种“存在性证明”，在不试图量化（例如，Casper 等人，2023 年；Nasr 等人，2023 年；Cooper 等人，2025 年）的情况下，产出有价值的非期望行为示例，并暴露“未知未知”——即定性信息。我们的论点最直接适用于人工智能红队演练被用于获取可尝试（无论是否合理）进行比较的 $\operatorname{ASR}$ 形式测量结果的情况。同时，我们概述的测量理论框架中的某些要素——例如通过 $s$ 概念化安全与通过 $J$ 操作化安全之间的差异——对更定性的红队演练形式同样具有相关性。事实上，启发我们框架的原作由 Adcock 和 Collier（2001 年）撰写，其部分目的在于弥合政治学中的定量与定性研究方法。

Our arguments are also apply beyond quantitative red teaming to other forms of genAI evaluation. Many other task-oriented evaluations Wang et al. (2023) such as those probing systems for stereotyping or memorization as discussed in Wallach et al. (2025) can be instantiated similarly to how we represented jailbreaking in Figure 1.
我们的论点也适用于定量红队之外的其它形式生成式 AI 评估。许多其它任务导向的评估，如 Wang 等人（2023）讨论的探测系统是否存在刻板印象或记忆能力（如 Wallach 等人，2025 年所述），可以与我们在图 1 中表示的越狱方式类似地实现。

We thank Chad Atalla, Emily Sheng, and Hannah Washington for their early contributions to preliminary versions of this work that appeared at the Safe Generative AI workshop at NeurIPS ’24. We are also grateful for all the valuable feedback we received and throughout the review process, and when presenting early versions of the work; it has been instrumental to helping us refine our arguments.
我们感谢查德·阿塔拉、艾米丽·盛和汉娜·华盛顿，他们为这项工作早期版本做出了贡献，这些版本曾在 NeurIPS '24 的 Safe Generative AI 研讨会上发表。我们也对所有在审稿过程中以及展示早期版本工作时提供的宝贵反馈表示衷心感谢，这些反馈对我们完善论点起到了关键作用。

All authors on the paper are full time employees of Microsoft.
论文的所有作者都是微软的全职员工。