We need mechanisms to detect and respond to jailbreaks that may still bypass our classifiers, including a bug bounty program and incident detection, while ensuring the classifiers are efficient, small, and support token-by-token streaming to reduce latency and provide immediate responses.

With the constitutional classifiers, we achieved thousands of hours of robustness to Red Teaming, significantly improving our defenses against jailbreaks.

The first layer of our defense against jailbreaks is the input classifier, which analyzes the entire conversation before it reaches the model.

Using a more capable classifier after serving a response can help flag potentially harmful outputs and involve human reviewers for the most dangerous responses.

The classifiers can detect attempts to circumvent the system, which is crucial for maintaining security.

The motivation behind our work on jailbreaks is to ensure future models can be deployed safely while making progress towards safety.

The output classifier monitors the model's responses in real-time and can block dangerous outputs that violate our safety values.

We should care about jailbreaks because future AI models may pose greater risks, including weapon development and large-scale cybercrime.

The goal is to minimize the time an open universal jailbreak is available, ideally reducing it to a small fraction of the time to prevent misuse in dangerous scenarios.