AI Security & Alignment
Beyond Visual Safety: Jailbreaking Multimodal Large Language Models for Harmful Image Generation via Semantic-Agnostic Inputs
This paper introduces Beyond Visual Safety (BVS), a novel image-text pair jailbreaking framework. BVS probes the visual safety boundaries of Multimodal Large Language Models (MLLMs) by using neutralized visual splicing and inductive recomposition, successfully inducing them to generate harmful images despite safety guardrails.
Executive Summary: Exploiting MLLM Visual Vulnerabilities
The BVS framework achieves a remarkable 98.21% jailbreak success rate against GPT-5 (12 January 2026 release) and 95.45% against Gemini 1.5 Flash, significantly outperforming existing baselines. It leverages a "reconstruction-then-generation" strategy, demonstrating that MLLMs struggle with "fragmented malicious semantics," where malicious intent is decoupled from raw inputs and reconstructed in the model's latent space. This exposes critical vulnerabilities in current multimodal safety alignment, urging for enhanced defenses against sophisticated semantic manipulation.
0
Jailbreak Success Rate (GPT-5)
0
Improvement over Baselines
0
Models Tested
Deep Analysis & Enterprise Applications
Select a topic to dive deeper, then explore the specific findings from the research, rebuilt as interactive, enterprise-focused modules.
Methodology
Key Results
Vulnerability Insights
Strategic Impact
The BVS Framework: Reconstruction-then-Generation
The Beyond Visual Safety (BVS) framework employs a sophisticated "reconstruction-then-generation" strategy to bypass MLLM safety filters. This involves three key stages designed to decouple malicious intent from raw inputs and reassemble it in the model's latent space:
Enterprise Process Flow
Visual Guidance Generation
→
Neutralized Visual Splicing (MIDOS)
→
Jailbreak (Chinese Inductive Prompt)
Initially, a malicious prompt is used to generate a visual representation of harmful intent (IA). This IA is then fragmented, shuffled, and interleaved with benign images selected by the Multi-Image Distance Optimization Selection (MIDOS) algorithm, forming a semantically neutralized composite image (IS). The MIDOS algorithm strategically selects benign patches to maximize the semantic distance from IA while minimizing local perceptual dissonance, effectively "diluting" malicious semantics. Finally, IS is paired with a specifically designed Chinese Inductive Prompt that guides the MLLM to reconstruct the latent harmful intent, leading to the generation of harmful images.
Empirical Performance Against State-of-the-Art MLLMs
Our experiments confirm the exceptional effectiveness of the BVS framework in jailbreaking leading MLLMs for harmful image generation.
98.21%
Jailbreak Success Rate on GPT-5
Compared to existing methods, BVS consistently achieves the highest Jailbreak Success Rate (JSR) across both target models, revealing critical vulnerabilities in current multimodal safety alignment mechanisms.
| Method | GPT-5 JSR | Gemini 1.5 Flash JSR |
|---|---|---|
| Perception-Guided (Per) | 1.80% | 36.63% |
| Chain-of-Jailbreak (Chain) | 3.60% | 54.95% |
| BVS (Ours) | 98.18% | 95.45% |
Furthermore, the Multi-Image Distance Optimization Selection (MIDOS) module plays a pivotal role in optimizing attack effectiveness:
98.18%
BVS JSR with MIDOS (vs 81.82% without MIDOS)
This demonstrates MIDOS's critical contribution to identifying superior image combinations for semantic dilution, significantly enhancing the jailbreak success rate.
Architectural Vulnerabilities in MLLM Visual Safety
Our BVS framework identifies a deeper architectural vulnerability in MLLMs: the discrepancy between local visual perception and global semantic understanding. While MLLMs are robust against explicit, holistic harmful semantics, they struggle when malicious intent is decomposed and recomposed.
Spatial Attention Fragmentation: By partitioning the malicious image into shuffled patches and interleaving them with neutralized buffers, BVS effectively disrupts the model's immediate recognition of harmful visual patterns. Current MLLM safety filters, often relying on global feature extraction, are bypassed as malicious semantics are scattered into discrete spatial coordinates.
Cross-modal Inductive Recomposition: The Chinese Inductive Prompt forces the MLLM to perform a latent mental reconstruction of the interleaved patches during execution. This "reconstruction-then-generation" process bypasses input-stage safety alignment, as the harmful intent only fully manifests within the model's internal latent space during inference.
Generative Nature and Diverse Harmful Outputs
BVS can induce MLLMs to generate multiple distinct harmful images from a single inducing input. This phenomenon is attributed to the inherent stochastic sampling mechanism and the MLLM's high-dimensional probability space. Even with identical inputs, the model samples from a learned conditional distribution, leading to diverse visual manifestations of the same underlying violation. This confirms that the vulnerability exploited by BVS is robust and deeply rooted in the generative nature of the models.
Strategic Impact & Future of AI Safety
The effectiveness of BVS serves as a critical catalyst for future research in AI safety and highlights significant implications for enterprise AI security.
Security Implications: These vulnerabilities could be exploited by malicious actors to automate the generation of large-scale harmful visual data, inflicting severe damage on the reputation of MLLM service providers and potentially spreading prohibited content uncontrollably. The ability to generate diverse harmful outputs from a single trigger amplifies this risk.
Call to Action: The AI safety community must evolve defense paradigms beyond holistic recognition to address "fragmented semantic attacks." As MLLMs integrate more deeply into society, defenders must prioritize the development of fine-grained, intent-aware guardrails that can preemptively detect decoupled malicious signals and resist sophisticated semantic manipulation. This research provides a more rigorous and realistic benchmark for evaluating the visual safety of multimodal systems.
Calculate Your Potential AI Impact
Estimate the potential efficiency gains and cost savings for your enterprise by strategically leveraging AI solutions, while being mindful of emerging security challenges.
Annual Cost Savings
$0
Annual Hours Reclaimed
0
Your AI Implementation Roadmap
Navigating the complex landscape of AI requires a strategic, phased approach. Here’s how we partner with enterprises to ensure secure and effective AI integration.
Phase 1: Discovery & Strategy
In-depth analysis of current workflows, identification of high-impact AI opportunities, and assessment of security posture against advanced threats like those highlighted in the research.
Phase 2: Pilot Program Development
Design and implementation of targeted AI solutions for proof-of-concept. Incorporate robust safety alignment mechanisms to mitigate identified vulnerabilities.
Phase 3: Secure Scaling & Integration
Full-scale deployment of validated AI solutions across the enterprise, ensuring seamless integration with existing systems and continuous monitoring for safety and performance.
Phase 4: Continuous Optimization & Threat Intelligence
Ongoing monitoring, performance tuning, and adaptation of AI models, including proactive defense strategies against evolving jailbreaking techniques and semantic attacks.
Ready to Secure Your Enterprise AI?
The insights from "Beyond Visual Safety" underscore the critical need for advanced AI safety. Don't let vulnerabilities compromise your innovation. Schedule a personalized consultation to discuss how to future-proof your MLLMs.
Ready to Get Started?
Book Your Free Consultation.
Let's Discuss Your AI Strategy!
Lets Discuss Your Needs
Select a Date
Sun
Mon
Tue
Wed
Thu
Fri
Sat