Visual Self-Fulfilling Alignment: Shaping Safety-Oriented Personas via Threat-Related Images

Trait induction and control2026arXivApproved editorial review

Authors: Qishun Yang, Shu Yang, Lijie Hu, Di Wang

Keywords: Persona conditioning, Safety and bias

Source: Open primary source (opens in a new tab)

4
Authors
11
Findings
20
Limitations
4
Evidence

Editorial summary

English

VSFA asks whether fine-tuning vision-language models on synthetic threat images with ostensibly neutral questions reduces compliance with multimodal jailbreaks. The pipeline retrieves up to five papers for each of ten AI-safety arXiv search terms; GPT-4o-mini extracts concepts and writes prompts with safety themes, ominous atmospheres and elements such as warning indicators; Doubao Seedream generates 700 images; and GPT-4o-mini produces six answers per image from the image-generation prompt, yielding 4,200 VQA pairs. Training freezes the visual encoder and updates the language component with rank-128 LoRA. On Qwen3-VL-8B, Qwen2.5-VL-7B and two 7B LLaVA variants, GPT-4o-judged mean ASR falls from 38.77–68.71% without defense to 14.18–23.76% with VSFA. The method also receives the highest Constructive Score and benign refusal rates of 1.82–3.45%, although AdaShield or VLGuard has lower ASR in many cells and VLGuard preserves several capabilities slightly better.

The paper interprets this result as a safety-oriented persona learned through visual exposure. For Qwen2.5-VL-7B, it compares original and fine-tuned MMSafetyBench response activations through a sparse autoencoder, considers the 1,000 most increased latents and selects eight with bidirectional effects. Adding latent 12 to the original model lowers ASR by 18 points and removing it from VSFA raises ASR by 14; the authors call it a safety-oriented persona latent. The appendix also reports a twelve-style ablation with ASR from 11.2% to 13.7%, sub-half-point MMLU/MMMU losses for one checkpoint, and 60-image FigStep tests on Gemma 3 IT and Llama 3.2 Vision. These are suggestive behavioral results, but the design does not prove that pixels alone cause the effect or that the latent is a monosemantic personality.

The 'without explicit labels' claim requires an important qualification. The abstracts, prompts and modifiers provide explicit safety and threat semantics; several of the ten released images contain hazard signs and visible text such as 'AI SAFETY' or 'AI Control'; and the teacher writes answers from the image prompt rather than documented pixel inspection. There are no matched controls for the same images without threat atmosphere, visible text, random images, shuffled pairs or genuinely pixel-grounded answers. Teacher selection uses FigStep and FigStep then reappears in the main evaluation. The SAE discovers and validates latents on MMSafetyBench without a held-out set, seeds, correction for screening 1,000 candidates or sufficient SAE details. Every outcome depends on one GPT-4o judge without human or second-judge validation. The repository releases only ten images, one JSON example and generic code: it omits the full dataset, adapters, outputs, judge, Constructive Score, other benchmarks and SAE artifacts; its evaluator also ignores question and instruction columns and applies one prompt to every image. The defensible conclusion is a promising threat-imagery-conditioned fine-tuning effect under specific benchmarks and one judge, not demonstrated label-free visual alignment or a discovered safety personality.

Español

VSFA estudia si ajustar modelos visión-lenguaje con imágenes sintéticas de amenazas y preguntas aparentemente neutrales reduce su obediencia a jailbreaks multimodales. El pipeline busca hasta cinco trabajos para cada uno de diez términos de seguridad de IA en arXiv; GPT-4o-mini extrae conceptos y redacta prompts con temas de seguridad, atmósferas ominosas y elementos como indicadores de alerta; Doubao Seedream genera 700 imágenes; y GPT-4o-mini produce seis respuestas por imagen a partir del prompt de generación, hasta 4.200 parejas VQA. El entrenamiento mantiene congelado el codificador visual y actualiza el componente lingüístico mediante LoRA de rango 128. En Qwen3-VL-8B, Qwen2.5-VL-7B y dos variantes LLaVA de 7B, el ASR medio juzgado por GPT-4o baja desde 38,77–68,71 % sin defensa hasta 14,18–23,76 % con VSFA. El método también obtiene la mayor puntuación constructiva y tasas de rechazo benigno de 1,82–3,45 %, aunque AdaShield o VLGuard presentan menor ASR en muchas celdas y VLGuard conserva ligeramente mejor varias capacidades.

El artículo interpreta el resultado como una personalidad orientada a la seguridad aprendida por exposición visual. En Qwen2.5-VL-7B compara activaciones originales y ajustadas sobre MMSafetyBench mediante un autoencoder disperso, examina los 1.000 latentes que más aumentan y selecciona ocho con efectos bidireccionales. Añadir el latente 12 al modelo original reduce 18 puntos el ASR y retirarlo del modelo VSFA lo aumenta 14; los autores lo denominan «safety-oriented persona». También informan de una ablación de doce estilos con ASR entre 11,2 y 13,7 %, pérdidas inferiores a medio punto en MMLU/MMMU para un solo checkpoint y resultados FigStep con 60 imágenes en Gemma 3 IT y Llama 3.2 Vision. Son resultados conductuales sugerentes, pero el diseño no prueba que el efecto proceda exclusivamente de los píxeles ni que el latente sea una personalidad monosemántica.

La afirmación «sin etiquetas explícitas» requiere una corrección importante. Los abstracts, prompts y modificadores contienen supervisión semántica explícita de seguridad y amenaza; varias de las diez imágenes publicadas muestran señales de peligro y texto visible como «AI SAFETY» o «AI Control»; y el profesor genera las respuestas desde el prompt de la imagen, no desde una inspección documentada de sus píxeles. Faltan controles emparejados para imágenes iguales sin atmósfera amenazante, texto visible, imágenes aleatorias, parejas barajadas o respuestas basadas realmente en píxeles. La selección del profesor usa FigStep y después FigStep reaparece en la evaluación principal. El análisis SAE descubre y valida latentes sobre MMSafetyBench sin conjunto reservado, semillas, corrección por 1.000 candidatos ni detalles suficientes del SAE. Todos los resultados dependen de un juez GPT-4o sin validación humana o segundo juez. El repositorio solo publica diez imágenes, un ejemplo JSON y código genérico: no contiene el dataset completo, adaptadores, salidas, juez, puntuación constructiva, otros benchmarks ni artefactos SAE; además, el evaluador ignora las columnas de pregunta e instrucción y aplica el mismo prompt a todas las imágenes. La lectura defendible es un efecto prometedor de ajuste condicionado por imaginería de amenaza bajo benchmarks y juez concretos, no una demostración de alineamiento visual libre de etiquetas o de una personalidad de seguridad.

Research question

Can visual fine-tuning with synthetic images related to threats and neutral wording VQA reduce multimodal jailbreaks by inducing a supposed safety-oriented personality, and does a latent SAE provide causal evidence of that mechanism?

Method

Abstracts are retrieved through ten AI safety queries on arXiv, up to five results per query. GPT-4o-mini extracts concepts and generates visual prompts with threatening modifiers; Doubao Seedream creates 700 images of 1024x1024; six of sixteen question templates are assigned per image and GPT-4o-mini drafts the answers using the generation prompt as context. Another pass of GPT-4o-mini scores neutrality, clarity and consistency and discards global scores below 6. Four VLMs are fine-tuned via LoRA only on the linguistic component, with the visual encoder frozen, and No Defense, AdaShield, VLGuard and VSFA are compared on FigStep, MMSafetyBench, SPA-VL and MM-Vet using GPT-4o as the sole judge. Ablations vary modality, style and teacher. A TopK SAE on a middle layer of Qwen2.5-VL-7B selects latents by activation difference and steering effects.

Sample: The reported dataset has 700 images and exactly six VQA per image, 4,200 pairs. It is not indicated how a maximum of 50 retrieved records become 700 prompts, how many duplicates or rejections there are, nor how many samples are generated before the filter. The main experiments cover four 7-8B checkpoints from two families; Gemma 3 IT and Llama 3.2 Vision are tested only with 60 images and FigStep. No training replicas or seeds are reported.

Findings

  • VSFA reduces the mean ASR against No Defense from 38.77-68.71% to 14.18-23.76% across the four main models.
  • AdaShield or VLGuard achieve lower ASR than VSFA in numerous individual comparisons; VSFA is not the defense with the lowest attack in all cells.
  • VSFA obtains the highest reported Constructive Score, interpreted as more explanatory and useful rejections.
  • VSFA benign rejection rates are 2.62%, 3.45%, 2.35% and 1.82%, below AdaShield and VLGuard according to the GPT-4o judge.
  • VLGuard slightly outperforms VSFA on several total capability scores; the table does not include the No Defense model capability.
  • The Image variant outperforms Text and Mixed on the ASR and Constructive Score figures, but does not isolate pixels, visible text, atmosphere or semantic content.
  • Twelve separate fine-tunes of 50 images per style report FigStep ASR between 11.2 and 13.7%, mean 12.5 and deviation 0.74.
  • GPT-4o-mini is selected as teacher because it obtains 12.0% ASR on FigStep with 60 images, versus 22.2-28.8% for three alternative teachers.
  • MMLU drops 0.39 points and MMMU 0.45 for a single Qwen2.5-VL-7B, with no replicas that would allow calling those differences normal variation.
  • Gemma 3 IT and Llama 3.2 Vision show large ASR decreases on FigStep after training with 60 images, but are not tested on the other benchmarks.
  • SAE latent 12 changes ASR in both directions under steering, causal evidence of the intervention on the output but not proof of monosemantic personality or mediation of the proposed mechanism.

Limitations

  • The authors themselves acknowledge synthetic images, cultural conventions, only four main 7-8B models, jailbreaks as the sole safety axis, GPT-4o judge and SAE isolation limits.
  • The neutral wording of the questions does not eliminate semantic supervision: the abstracts, prompts and modifiers are explicitly constructed from AI safety, risk, control and threat.
  • Several published images contain warning signals and text such as "AI SAFETY" or "AI Control", contradicting a literal reading of the absence of explicit labels.
  • VQA answers are generated from the creation prompt and it is not documented that the teacher sees the image; they may describe elements not present in the pixels.
  • The filter claims to check fidelity to the image, but the protocol only specifies that it receives each QA pair, not the image.
  • Templates such as "What are your thoughts", "What impression" or "How do you understand" are interpretive and not strictly factual or neutral.
  • The visual encoder remains frozen; the study demonstrates linguistic conditioning by visual input, not a proven modification of the visual representation.
  • Paired controls without threat, random images, dark benign scenes, removed visible text, shuffled VQA and answers actually based on pixels are missing.
  • Contamination or semantic overlap between the safety literature/prompts and the three jailbreak benchmarks is not studied.
  • The teacher is chosen for its performance on FigStep and FigStep is reused as the main evaluation, introducing selection on the test.
  • All results depend on a single GPT-4o judge without full prompt, snapshot, human validation, second judge or inter-rater reliability.
  • Denominators per benchmark, intervals, seeds, replicas, paired tests or training uncertainty are not published.
  • The exact scale and aggregation of Constructive Score and the definition of benign rejection in MM-Vet are not sufficiently documented.
  • The SAE uses MMSafetyBench to discover and evaluate latents, examines 1,000 candidates and selects eight without a held-out set, multiple correction or random controls.
  • Exact layer, SAE checkpoint, corpus and tokens, width, k, losses, sparsity, reconstruction, steering coefficients and variation by seed are missing.
  • The semantics of the latents are post hoc via logit lens, LMSYS-Chat-1M and GPT-4o; it does not demonstrate monosemanticity.
  • The repository only contains ten images, one JSON record and generic code; dataset, adapters, prompts, filters, outputs, judge, metrics, remaining benchmarks and SAE are missing.
  • The public evaluator loads question and instruction but ignores them, applies the same --prompt to all images and only imports external verdicts.
  • Dependencies are not fixed, there are no seeds or checkpoint revisions, and the repository lacks detected license, tags and releases.
  • Spurious triggers or over-rejection to signals, cameras, weapons, biohazard, medical emergencies, dark scenes or culturally different contexts are not evaluated.

What the study does not establish

  • It does not establish that the dataset lacks explicit safety or threat signals.
  • It does not demonstrate that the pixels are the isolated cause of the effect versus prompts, answers, visible text, style or semantic associations.
  • It does not prove that the visual representation is modified, because the visual encoder remains frozen.
  • It does not demonstrate a stable, coherent, human or monosemantic personality.
  • It does not prove the self-fulfilling prophecy mechanism nor that the SAE latent mediates it.
  • It does not validate the latent on held-out data, other benchmarks, seeds, checkpoints or model families.
  • It does not demonstrate the lowest ASR among defenses in all comparisons.
  • It does not establish general capability preservation across all models and scenarios.
  • It does not generalize to large models, closed VLMs, adaptive attacks or real deployments.
  • It does not allow reproducing the dataset, tables, judge, constructive score or SAE analysis with the public artifacts.
  • It does not demonstrate safety against bias, misinformation, privacy, self-harm, medicine or other unassessed harms.
  • It does not by itself confirm an archival ACL publication; the official arXiv record provides no reference, DOI or venue comment.

Traceability

Scope: Full text

Version: arXiv:2603.08486v2, submitted 2026-03-09 and revised 2026-04-15; repository commit 0ff47dfa7b5535d6315d03cf3be40f2c011823f5

Consulted source: https://arxiv.org/abs/2603.08486

Review: Codex 21-page visual full-text, released-image, prompt/data, code, judge, SAE, causal-claim, safety and reproducibility audit, 2026-07-17

Approval: Codex fidelity pass, 2026-07-17

English translation: approved, 2026-07-18

Models evaluated

  • Qwen3-VL-8B-Instruct
  • Qwen2.5-VL-7B-Instruct
  • LLaVA-v1.6-Mistral-7B
  • LLaVA-1.5-7B
  • Gemma 3 IT 4B, prueba adicional con 60 imágenes y FigStep
  • Llama 3.2 Vision 11B, prueba adicional con 60 imágenes y FigStep
  • GPT-4o-mini como extractor, generador de prompts y respuestas y filtro de calidad
  • Doubao doubao-seedream-3-0-t2i-250415 como generador de imágenes
  • GPT-4o como juez de todas las métricas y auto-intérprete SAE
  • GPT-5, Claude 4.5 Sonnet y Gemini-3-pro en la selección de profesor

Instruments and metrics

  • FigStep
  • MMSafetyBench
  • SPA-VL
  • MM-Vet
  • Attack Success Rate juzgado por GPT-4o
  • Constructive Score de cinco dimensiones juzgado por GPT-4o
  • Refusal Rate sobre consultas benignas de MM-Vet
  • MMLU y MMMU para Qwen2.5-VL-7B
  • Autoencoder disperso TopK y steering de vectores decodificadores
  • Dieciséis plantillas VQA en cuatro categorías

Data used

  • VSFA: 700 imágenes sintéticas y 4.200 parejas VQA reportadas, no publicadas
  • Hasta 50 resultados de arXiv procedentes de diez consultas, sin lista ni mapa de procedencia publicado
  • Diez imágenes de ejemplo y una pareja VQA de ejemplo en el repositorio
  • LMSYS-Chat-1M para interpretar ejemplos activadores de latentes
  • Benchmarks FigStep, MMSafetyBench, SPA-VL, MM-Vet, MMLU y MMMU

Evidence and location

  • Method, prompts, models, benchmarks, tables, ablations, SAE, limitations and conclusions: arXiv:2603.08486v2, all 21/21 PDF pages rendered and individually inspected
  • Version, dates, authorship and license: Official arXiv abstract, Atom metadata and v2 source archive inspected 2026-07-17
  • Sample images, text and visible signals, absent dataset, code, evaluation and license: Official VSFA repository commit 0ff47dfa7b5535d6315d03cf3be40f2c011823f5, every released example image and all code inspected 2026-07-17
  • Construct audit, controls, teacher selection, measurement, SAE, safety and reproducibility: reports/verification/article-395-vsfa-visual-label-confound-teacher-selection-judge-sae-code-data-and-reproducibility-audit.json