Cloud-based large language models have become an indispensable tool across industries, bringing with them new challenges in maintaining safe and responsible use.
A recent independent study conducted an in-depth evaluation of the built-in guardrails offered by three leading cloud LLM platforms, anonymized as Platform 1, Platform 2, and Platform 3.
The study’s core objective was to assess how effectively each platform’s guardrails could distinguish between benign queries and malicious instructions, focusing on both false positives, where safe content is incorrectly blocked, and false negatives, where harmful content slips through the system undetected.
Each platform’s guardrails were analyzed with their input and output filtering capabilities set to the strictest possible levels, and results were benchmarked against a curated dataset of over 1,000 benign prompts and 123 deliberately constructed malicious or jailbreak prompts.
The findings have significant implications for organizations deploying these models, highlighting important strengths as well as critical vulnerabilities that must be addressed to ensure robust protection against misuse.
False Positives: When Guardrails Block Benign Content
One of the most notable findings from the study was the frequency of false positives, particularly in the case of code review and technical queries.
Platform 3 stood out for its extremely aggressive input filtering, blocking over 13% of benign prompts, including harmless code review requests, math questions, and even general knowledge inquiries.
In contrast, Platform 2 demonstrated a more balanced approach, blocking less than 1% of benign prompts, while Platform 1 was the most permissive, with only a single case of a benign prompt being blocked by input filtering.
Interestingly, all three platforms misclassified at least one benign code review prompt as malicious, suggesting that code-related keywords or formats can inadvertently trigger guardrails and disrupt legitimate user interactions.
Output filter false positives were extremely rare across all platforms, likely because the models themselves were well-aligned to refrain from generating unsafe content in response to benign prompts, so the output filters rarely had to intervene.
- The results indicate that while high-sensitivity guardrails can effectively catch many harmful prompts, they also risk interrupting valid use cases, especially in technical domains.
- For organizations that rely heavily on AI for code review, technical support, or creative content generation, overly aggressive guardrails may hinder productivity and frustrate users.
The study recommends that platform operators and enterprise users carefully calibrate their guardrail settings and regularly audit their effectiveness, paying special attention to edge cases and technical prompts that are prone to misclassification.
Additionally, the results underscore the value of layered security approaches, where custom rules and whitelists are used to prevent common false positives in critical workflows.
False Negatives And Evasion Tactics: When Harmful Content Slips Through
According to Unit 42, Despite their strengths, guardrails are not foolproof, and the study identified several common evasion tactics that bypassed input filters across all three platforms.
The most effective strategy was the use of role-play scenarios and narrative disguises, where malicious requests were embedded within seemingly innocent stories or hypothetical contexts.
For example, a prompt asking the AI to act as a “computer security expert” or to provide information for a “fictional story” could slip past input filters that rely on keyword matching or explicit policy violations.
Platform 1 was particularly susceptible to these tactics, failing to block over 40% of malicious prompts, with the majority of these undetected prompts using role-playing or indirect phrasing to obscure their intent.
In contrast, Platforms 2 and 3 demonstrated much higher detection rates, blocking over 90% of malicious prompts at the input stage, but still missed a small number of carefully crafted attacks.
Once a malicious prompt bypasses input filters, the responsibility shifts to the model’s internal alignment and output guards.
The study found that the model’s alignment was highly effective in preventing harmful outputs; in most cases where a malicious prompt was allowed through, the model simply refused to comply, responding with a message such as “I’m sorry, I cannot assist with that request.”
This built-in refusal mechanism was observed across all platforms, highlighting the importance of robust alignment training.
However, when model alignment failed, output filters often did not catch the harmful content, resulting in a small but significant number of policy-violating responses being delivered to users.
Platform 1’s output filter blocked only a handful of harmful responses, while Platform 2 and 3’s output filters were similarly ineffective in catching all malicious outputs.
The study notes that when output filters are isolated for testing, their independent effectiveness is limited, emphasizing the need for strong model alignment as the first line of defense.
.webp?w=356&resize=356,220&ssl=1 "CISA Includes React2Shell Vulnerability In KEV Catalog Due To Ongoing Exploitation")
