This note merges the survey tables from Literature Review 1.0 and Literature Review 1.1. Only published, non-preprint papers are included: the 15-entry preprint watchlist from 1.1 and the vendor GPT-Red writeup are left out until they clear a venue. Papers marked ★ Core are the tightest anchors for my quantization x multilingual safety niche.
- 25 published (non-preprint) papers
- 17 venues
- 2023-2026 year range
- 8 ★ Core anchors
Overview
| # | Paper | Authors & Year | Venue (status) | Tier | Citations | Objective | Methodology | Dataset | Key Results | Metrics | Open source | Advantages | Disadvantages | Relevance (Direction) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | ★ Core Jailbroken: How Does LLM Safety Training Fail? | Wei, Haghtalab, Steinhardt, 2023 | NeurIPS 2023 (Oral) | T1 | n/l | Explain why safety-trained LLMs still jailbreak via two structural failure modes, then design attacks from the theory. | Hypothesize competing objectives and mismatched generalization; construct attacks from each lens; evaluate vs GPT-4 and Claude v1.3. | No released set; curated harmful prompts vs two closed 2023-era models. | Designed attacks succeed where prior techniques were being patched; argues for safety-capability parity. | Attack success rate. | No | Durable explanatory theory; constructive rather than post-hoc; cleanest account of low-resource jailbreaks. | A framework, not a predictor of which prompts land in a gap; demonstrated jailbreaks patched; parity a principle only. | D (theory core): mechanism predicting the multilingual gap and quant drift compound. |
| 2 | ★ Core Multilingual Jailbreak Challenges / MultiJail | Deng, Zhang, Pan, Bing, 2024 | ICLR 2024 | T1 | n/l | Separate and measure unintentional vs intentional multilingual jailbreak scenarios. | MultiJail: 315 prompts native-translated into 9 languages across resource tiers; evaluate ChatGPT and GPT-4 in both scenarios. | MultiJail (released); ChatGPT, GPT-4. | Low-resource ~3x the unsafe rate of high-resource; intentional up to 80.92% (ChatGPT) / 40.71% (GPT-4). | Unsafe-output rate. | Yes | Foundational dataset; language-resource level as a safety variable; native translation isolates language from noise. | 9 languages / 315 prompts modest; only 2023-era closed models, no open-weight or quantized variants. | A (core): the multilingual anchor; sets up the open quant x language question. |
| 3 | ★ Core Code-Switching Red-Teaming / CSRT | Yoo, Yang, Lee, 2025 | ACL 2025 | n/l | n/l | Establish code-switching as a red-teaming technique that stresses understanding and safety jointly. | CSRT synthesizes queries mixing up to 10 languages in one prompt; evaluate ten state-of-the-art LLMs. | CSRT-generated query set; 10 LLMs (list unconfirmed). | 46.7% more successful attacks than monolingual English; surfaces a resource-availability / safety correlation. | Attack success rate; multilingual comprehension. | Yes* | Naturalistic input rather than an engineered construction; jointly probes comprehension and safety. | Demonstrates the effect more than the mechanism; 10 languages bounded; no quantization connection. | A (core): within-sentence mixing complement to MultiJail; untested under quantization. |
| 4 | ★ Core Exploiting LLM Quantization | Egashira, Vero, Staab, He, Vechev, 2024 | NeurIPS 2024 | T1 | n/l | Show quantization itself is an attack surface: benign at full precision, malicious only after the victim quantizes. | Inject a malicious model; compute the quantization pre-image; projected gradient descent back to benign FP inside that set. LLM.int8()/NF4/FP4. | Three scenarios: vulnerable code generation, content injection, over-refusal denial of service. | Benign-looking FP checkpoints reliably de-quantize into the malicious behavior (per-scenario ASR unconfirmed). | Attack success rate per scenario. | n/l | First quant-as-trigger; general many-to-one pre-image insight; reframes evaluation (FP check certifies nothing). | Assumes known round-to-nearest scheme; no GGUF; supply-chain precondition; no defense. | B (core): quantization-as-trigger, half the two-paper backbone. |
| 5 | ★ Core Mind the Gap: A Practical Attack on GGUF Quantization | Egashira, Staab, Vero, He, Vechev, 2025 | ICML 2025 | T1 | n/l | Extend the benign-then-malicious quantization attack to GGUF (llama.cpp and ollama). | Exploit the quantization error in GGUF's per-block scheme; constrain malicious weights to the tolerance mapping back to a clean FP checkpoint. | Base models, sizes, and ASR not confirmed (pending PDF). | Scheme complexity is not a defense; the attack holds on GGUF. | Attack success rate. | n/l | Attacks the format practitioners actually run; with the NeurIPS paper, validates the quant-as-trigger line. | Supply-chain precondition (victim quantizes locally); no fix; evaluation details unverified. | B (core): moves the threat to the real deployment path. |
| 6 | ★ Core How Does Quantization Affect Multilingual LLMs? | Marchisio, Dash, Chen, Aumiller, Üstün, Hooker, Ruder, 2024 | EMNLP 2024 Findings | Findings | n/l | First thorough analysis of quantization effects on multilingual LLMs across languages and scales. | Layered evaluation: automatic benchmarks, LLM-as-a-judge, and human evaluation on realistic prompts, compared against each other. | Multilingual task benchmarks + realistic human-eval prompts (schemes / bit-widths unconfirmed). | Harm is disparate by language (non-Latin worst); automatic metrics underestimate it (1.7% vs 16.0% human, Japanese). | Task accuracy; LLM-judge and human-perceived quality. | n/l | Sits exactly at the quant x multilingual intersection; strong automatic-vs-human gap argument. | Measures quality, not jailbreak ASR (safety inferential); Findings track; method details unverified. | C (core intersection): the paper my niche extends toward attack-success. |
| 7 | ★ Core Critical Weight Protection (Fairness + Safety under Quantization) | Al Hakim, Wicaksono, Koto, 2026 | ACL 2026 Findings | T1 | ~0 (new) | Audit fairness and multilingual safety under static/dynamic PTQ, and protect critical weights at quantize time. | GPTQ/AWQ/SmoothQuant vs FP8/LLM.int8(); rank weights by FAIRSCORE + SAFESCORE, keep top-k% in FP16 (AWQ-trust). | Gemma-7B / Llama-3.1-8B / Qwen-2.5-7B; MultiJail EN/KO/AR; SafetyBench, Do-Not-Answer, HEx-PHI; StereoSet, CrowS-Pair, Jigsaw, MBBQ. | Quant hurts fairness/safety; dynamic more stable; KO/AR %Safe drops; AWQ-trust recovers (Llama-3.1 KO ~9.6 to ~66.1). | %Safe, ASR, SafetyBench accuracy, SS/ICAT, Bias AUC. | No | First Tier-1 quant x multilingual safety audit; broad static+dynamic grid; AWQ-trust recovers KO/AR losses. | Safety limited to EN/KO/AR; no GGUF ladder; English-centric criticality scoring; single Gemini judge. | D2 (core): closes the "empty intersection" framing; forces a sharper claim. |
| 8 | ★ Core Q-resafe: Safety Risks and Patching for Quantized LLMs | Chen, Zhang, Hu, Wang, Lou, Feng, Song, 2025 | ICML 2025 | T1 | see Scholar | Measure how mainstream quantization degrades safety and restore it with a quantization-aware patch. | AWQ / AQLM / LLM-QAT / QLoRA at INT4/INT8 with risk-level calibration; DPO on FP-vs-quantized preference pairs restricted to a SNIP mask via LoRA. | Llama-2-7B-Chat, Gemma-7B-Instruct; UltraChat / AdvBench calibration; AdvBench ASR; MT-bench, AlpacaEval. | All methods raise ASR vs FP16; harmful calibration far worse; Q-resafe restores toward FP at ~1/8 the DPO compute. | ASR (lower better), MT-bench, AlpacaEval. | Yes | Covers all four quantization families under controlled risk levels; patch matches DPO-level safety cheaply, utility intact. | English-only (AdvBench); two 7B models; calibration-induced, not adversarial, threat model. | D2 (core): English quant x ASR + patch baseline reviewers expect. |
| 9 | Safety Layers in Aligned LLMs | Li, Yao, Zhang, Li, 2025 | ICLR 2025 | T1 | see Scholar | Locate a contiguous band of middle "safety layers" and use it to protect safety during fine-tuning. | Last-token cosine analysis over normal vs malicious pairs; progressive scaling vs an over-rejection set; SPPFT freezes those gradients. | Llama-3-8B-Instruct, Llama-2-7B-Chat, gemma-2b-it, Phi-3-mini; alpaca-finance + implicit-attack, backdoor, harmful mixes. | Band appears only after alignment; SPPFT cuts harmful-response rate (Llama-3 9.62% vs 44.42%) with utility intact. | Cosine/angle gaps, over-rejection, post-FT security. | Yes | Clean existence result (band absent in pretrained siblings); large security gain at negligible capability cost. | English, full precision; no multilingual/PTQ/GGUF; preserves rather than installs safety; coarse granularity. | Spine C prior art: middle-layer refusal localization. |
| 10 | Safety-Critical Parameters (ESI / SET / SPA) | Qi, Wu, Zheng, Zhang, Jia, Qin, Ren, 2026 | ACL 2026 Findings | T1 | ~0 (new) | Rank parameters by Expected Safety Impact, then install (SET) or preserve (SPA) safety sparsely. | ESI = |sigma·grad S|, made differentiable via Gumbel-softmax + Llama-Guard projection; validated by perturbation vs SNIP/Wanda. | Dense Llama3-8B/70B, Qwen2.5-14B; MoE Qwen3-30B-A3B; AdvBench, HarmBench, WildJailbreak; CB-Safety / R1-Safety. | Perturbing top-1% ESI raises HarmBench ASR 15.3 to 59.1; SET cuts WildJailbreak ASR 62.5% to 19.1% at 1% weights. | ASR, safety score, % weights updated. | Yes | Weight-level resolution from a single checkpoint; strong causal validation; dense + MoE coverage. | English-centric benches; no PTQ/GGUF remeasure; judge-pipeline sensitivity only partly ablated; single judge family. | Spine C prior art: sparse safety install/preserve (quantize-time cousin of Al Hakim). |
| 11 | Refusal Is Mediated by a Single Direction | Arditi, Obeso, Syed, Paleka, Panickssery, Gurnee, Nanda, 2024 | NeurIPS 2024 | T1 | see Scholar | Show refusal is mediated by one residual-stream direction that can be removed (jailbreak) or added (forced refusal). | Difference-in-means direction; activation addition, directional ablation, rank-one weight orthogonalization; suffix attribution. | 13 chat models (1.8B-72B); AdvBench/MaliciousInstruct/TDC2023/HarmBench, Alpaca; JailbreakBench; Llama Guard 2. | Ablation drops refusal across all 13; orthogonalization is a one-edit general jailbreak ~GCG (Qwen-14B 84.3), near-zero capability loss. | Refusal score, safety score. | Yes | Replicates across 13 models and both alignment recipes; explains why sparse/layer-local safety works and is brittle. | White-box; English only; no quantization tables; TruthfulQA degrades after ablation. | Mechanistic prior: low-dimensional, editable refusal. |
| 12 | STLA: Spatiotemporal Lookahead Alignment for PTQ | Zhang, Sun, Chu, Yu, Un, Martins, Mak, Xu, 2026 | ICML 2026 (accepted) | T1 | ~0 (new) | Fast and accurate low-bit PTQ by fixing the spatiotemporal misalignment between learning and compensation rounding. | Cluster-wise integrated rounding; Hessian-guided clustering for intra-cluster error cancellation; a Schur-Complement lookahead objective. | Not enumerated in the abstract; standard WikiText-2/C4 + reasoning suites on LLaMA/Qwen likely (pending PDF). | Claims SOTA low-bit PTQ speed and accuracy (exact tables pending PDF). | WikiText/C4 perplexity, zero-shot accuracy. | Yes | Principled second-order account of hybrid-rounding failure; production-plausible quantize-then-probe baseline. | Capability-only, no safety measurement; tables ungrounded; cost vs GPTQ/AWQ/OmniQuant unverified. | D2 (adjacent): SOTA PTQ baseline to re-run under a safety probe. |
| 13 | Detecting the Semantic Fixed Point (Early Exit) | Gu, Qiao, Luo, 2026 | ICML 2026 (Oral) | T1 | ~0 (new) | Training-free early exit that stops when the hidden state converges, replacing output-confidence proxies. | Treat each layer as fixed-point iteration; exit when normalized update norm is small AND consecutive updates are cosine-aligned; O(d)/layer. | LLaMA-2-7B/13B on QA and commonsense reasoning as accuracy anchors (suite pending PDF). | 30-35% FLOP reduction while keeping over 98% of full-depth accuracy. | FLOPs / layers executed, accuracy retention. | n/l | Exit signal decoupled from the softmax, cheap; zero training and parameters; shows confidence is not convergence. | Efficiency-only; late-forming refusal could be skipped by geometric exit; LLaMA-2 only. | D2 (adjacent): second compression axis, same untested safety question. |
| 14 | Position: LLM-Safety Evaluations Lack Robustness | Beyer, Xhonneux, Geisler, Gidel, Schwinn, Günnemann, 2026 | ICML 2026 (Position) | T1 | ~0 (new) | Argue the safety-evaluation pipeline is too noisy to fairly compare attacks and defenses, and locate the noise. | Four-stage critique (dataset curation, red-teaming optimization, response generation, LLM-as-judge) with per-stage guidelines. | None; the object of study is the field's own evaluation practice. | Systematic diagnosis that single-number comparisons are unreliable. | n/a (argument). | n/a | ICML-level cover for the rigor claim; the four-stage decomposition is a directly usable checklist. | Diagnosis without a validated replacement protocol; not specific to multilingual or quantized evaluation. | F (rigor): my methodological bar for any quant x language ASR study. |
| 15 | Compliance without Coherence | Fassbender, 2026 | AI and Ethics (Springer) | journal | ~0 (new) | Show the monitoring layer of alignment evaluation has a blind spot: fluent compliance can mask incoherent reasoning. | Conceptual argument separating behavioral compliance from reasoning coherence and naming the fluent-failure mode. | None (no experiments). | Argues compliance scores are a category error as alignment evidence when coherence is unmeasured. | n/a (argument). | n/a | Precise name for why surface ASR/refusal can mislead, especially where quantization changes fluency and judges reward it. | No empirical validation, no adoptable coherence metric; PDF not yet grounded. | F (rigor): feeds the judge-reliability design for a rigor-first study. |
| 16 | Chain-of-Thought as a Lens | Wang, Li, Huang, Huang, Dong, 2026 | ACL 2026 | T1 | n/l | Measure whether multi-step CoT tracks human-preferred reasoning structure, not just answer correctness. | Alignment Score comparing model vs reference chains through semantic-entropy matrices across reasoning depth; validated externally. | Human-preferred reference chains over multi-hop tasks (composition, safety coverage unconfirmed). | Alignment peaks at 2-hop and degrades via thematic shift and redundant reasoning. | Alignment Score. | No | Reasoning process as a first-class alignment target; concrete degradation mechanism; external validity checks. | Diagnostic only; metric noisiest at deep multi-hop; safety coverage unconfirmed. | F (adjacent): a CoT-to-preference tool a reasoning-model red-team could adopt. |
| 17 | Reranker Helps, but Not Enough (RAG Poisoning) | Yang, Liu, Xiong, Liang, He, Tan, 2026 | ICML 2026 (accepted) | T1 | ~0 (new) | Show benign-trained rerankers filter most poisons but have blind spots, then build P³A to defeat them. | Distill prompt-design principles from reranker failures; rule-based drafts + ~1% character perturbations to promote rank; single-doc budget; transfer to vanilla RAG. | Not named; NQ/HotpotQA/MS MARCO with dense retrievers and cross-encoder rerankers likely (pending PDF). | Strong attack against benign rerankers; transfers beyond the defense it targets. | Attack success rate, retrieval/rerank hit of poison. | Yes | Realistic benign-reranker setting; tiny single-doc edit budget; reusable two-phase attack pattern. | ASR/datasets not groundable yet; normalization may blunt it; tied to benign rerankers; no safety or multilingual analysis. | E (adjacent): RAG poisoning past rerankers; loose D3 touch. |
| 18 | When Search Goes Wrong / CREST-Search | Ou, Chen, Han, Deng, Zhang, Qiu, Zhang, Lam, 2026 | ICML 2026 | T1 | n/l | Red-team web-augmented LLMs on the retrieval/citation surface, where harm rides in cited content. | CREST-Search: black-box adversarial search queries via keyword injection, exaggeration, role play; harm scored on citations. | Four commercial systems (GPT-4o and Gemini search variants); English queries. | 80.5% risk detection vs 11.6% baseline; 89.3% of risks citation-specific; adversarial queries low-toxicity (23.6%). | Risk detection, query toxicity, diversity (self-BLEU). | No | Reframes the attack surface with direct evidence; hard-to-filter low-toxicity queries. | English, four systems; black-box (no mechanism); model-vs-index attribution unresolved; no open-weight/multilingual. | E (adjacent): agentic retrieval threat surface. |
| 19 | Gray-Box VLM Adversarial Alignment | Liu, Cai, Dong, Guo, Qu, Guan, Fang, Ye, 2026 | ICML 2026 | T1 | n/l | Attack vision-language models in the gray-box setting with an adaptive, SVD-structured perturbation. | Inferred (not verified from PDF): surrogate around a shared vision encoder; perturbation shaped by singular-vector structure. | Unconfirmed (victim VLMs, baselines, ASR not retrievable). | Unconfirmed. | Unconfirmed. | ? | Realistic gray-box model for the shared-encoder VLM ecosystem; SVD structuring is a principled prior. | Access-limited note (cite existence only); shared-encoder ceiling; vision modality, not text-only. | E (adjacent): gray-box framing loosely neighboring quant threat models. |
| 20 | Bridging the Scale Gap (hybrid red-teaming) | Quaye, Parrish, Rastogi, Kahng, Inel, Aroyo, Reddi, 2026 | FAccT 2026 | T1 | n/l | Surface latent, context-dependent risks in text-to-image models that neither pure human nor pure automated red-teaming catches. | Hybrid human-in-the-loop: automation scales coverage, humans keep latent-risk judgment calls (technique unconfirmed). | T2I models under test and sample sizes unconfirmed. | Unconfirmed (bibliographic facts verified, methodological depth not). | Unconfirmed. | ? | Rebuts human-vs-automated framing with a matched division of labor; latent-harm focus. | Specifics unverified; T2I modality; intrinsic cost/scale ceiling. | E (adjacent): hybrid methodology transfers to multilingual red-teaming. |
| 21 | Evaluating the Safety of LLMs in Healthcare and Dentistry | Umer, Shaikh, Ur Rahman, 2026 | BDJ Open (Nature) | journal | ~0 (new) | Argue clinical LLM safety needs lifecycle adversarial evaluation, and systematize prompt-based red-teaming for healthcare. | Narrative review: five evaluation strategies and outcome measures; a red-blue-purple team framework across the lifecycle. | None released; ~15-20% safety-risk figure cited from prior medical LLM studies. | Dentistry is under-red-teamed; soft "consult a professional" guardrails create false safety. | Narrative synthesis; risk/bias rates from cited studies. | n/a | Concrete clinical governance lifecycle; realistic ordinary-user adversary framing; hard vs soft guardrail distinction. | No new measurement; prompt-only scope; proposed practice, no mandate; version-transfer caveat. | Low / cross: domain red-teaming becoming lifecycle practice. |
| 22 | SoK: A Taxonomy of LLM Threats | Stylianou, Bountakas, Zarras, Farao, Bolgouras, Xenakis, 2026 | Computer Science Review | journal | ~0 (new) | Systematize the fragmented LLM security literature into a lifecycle taxonomy of 20 attack classes. | SoK synthesis on a training / inference / system-integration axis; encode causal and associative dependencies; ground in case studies. | The published attack/defense literature plus incidents (inclusion counts PDF-only). | Lifecycle taxonomy plus a dependency-aware defense-in-depth agenda. | Taxonomy coverage (not ASR). | No | Broadest lifecycle threat map; dependency schema beyond flat attack lists. | Breadth over depth; PDF not read line-by-line; agentic-threat taxonomies age fast. | G: related-work scaffolding for the survey's framing. |
| 23 | How "Hard" Are Hard Laws? | Jon, 2026 | Computer Law & Security Review | journal | n/l | Interrogate whether the hard-law vs soft-law distinction predicts enforceability, using South Korea and Japan. | Comparative doctrinal analysis of statutory text and enforcement architecture (Korea's hybrid AI Basic Act vs Japan's guidelines). | None; statutes and institutional design documents. | The hybrid statute undermines the binary; hardness is a matter of implementation capacity. | n/a (legal analysis). | n/a | Timely comparative case; a template for asking whether a red-teaming/attribution mandate would be enforceable. | Doctrinal only; two-jurisdiction scope; partial verification (full text blocked). | G (governance): background for the policy pillar. |
| 24 | Opening the Scope of Openness in AI | Paris, Moon, Guo, 2025 | FAccT 2025 | T1 | n/l | Map empirically what "openness" has meant across computing discourse and what current AI debates leave out. | LDA topic modeling over 224,123 bibliographic records (1980-2024), 80 topics, 98 openness concepts, into a two-dimensional taxonomy. | The 224K-record corpus (Web of Science, Scopus, The Lens). | AI-openness discourse emphasizes Interactivity while underweighting Inclusiveness (fairness, diversity). | Topic-model separation. | Yes | Empirical usage map rather than definitional debate; concrete Interactivity-vs-Inclusiveness asymmetry. | Misses under-published or non-English concepts; discourse-level, not whether any open release delivers. | G (governance): why "open-weight therefore auditable therefore safe" is not clean. |
| 25 | LogiCP: Formal Logic Guided UQ for Personalized FL | He, An, Ma, 2026 | JAIR | journal | ~0 (new) | Personalized federated learning with formal uncertainty guarantees, clustering clients by temporal semantics. | STL property inference for semantic client clustering plus decentralized conformal prediction; runtime client assignment without retraining. | Traffic, temperature, and electricity forecasting sensor tasks. | Up to ~95% client-level MSE improvement over BNN / clustering / CP baselines. | Client-level MSE, scalability. | No | Distribution-free conformal coverage guarantees; runtime client onboarding. | "Alignment" here is client-cluster semantics, not safety; STL predicates need design; exchangeability can break. | None of my directions; logged for completeness (alignment does not equal safety alignment). |
Detailed Reviews
#1 Jailbroken: How Does LLM Safety Training Fail?
★ Core2023NeurIPS 2023 (Oral)T1
| Objective | Explain why safety-trained LLMs still jailbreak, via two structural failure modes, then validate the theory by designing attacks from it. |
|---|---|
| Methods | Hypothesize competing objectives (helpfulness vs harmlessness placed in tension) and mismatched generalization (capabilities outrun safety-tuning coverage); design attacks from each lens; evaluate against GPT-4 and Claude v1.3. |
| Dataset | No released dataset; curated harmful prompts against two closed 2023-era models. |
| Key Results | Designed attacks succeed where prior techniques were being patched; argues for safety-capability parity. |
| Metrics | Attack success rate. |
| Open source | No. |
| Advantages | Durable explanatory theory (both failure modes remain the standard lens); constructive rather than post-hoc; mismatched generalization is the cleanest account of why low-resource jailbreaks work. |
| Disadvantages / Gap | A framework, not a mechanistic predictor of which prompts land in a gap; demonstrated jailbreaks patched; parity is a principle without a protocol. |
| Relevance | D (theory core): the mechanism predicting that the multilingual gap and quant drift compound. |
#2 Multilingual Jailbreak Challenges / MultiJail
★ Core2024ICLR 2024T1
| Objective | Separate and measure unintentional vs intentional multilingual jailbreak scenarios. |
|---|---|
| Methods | MultiJail: 315 unsafe English prompts, native-speaker translated into 9 languages across high/medium/low resource tiers; evaluate ChatGPT and GPT-4 in both scenarios. |
| Dataset | MultiJail, released (DAMO-NLP-SG). |
| Key Results | Low-resource languages ~3x the unsafe-output rate of high-resource; intentional multilingual framing up to 80.92% (ChatGPT) / 40.71% (GPT-4). |
| Metrics | Unsafe-output rate. |
| Open source | Yes (dataset on GitHub, tagged ICLR 2024). |
| Advantages | Foundational dataset nearly every later paper builds on; establishes language-resource level as a safety variable; native translation isolates language from translation noise. |
| Disadvantages / Gap | 9 languages / 315 prompts is modest; only 2023-era closed models, no open-weight or quantized variants. |
| Relevance | A (core): the multilingual anchor; sets up the open quant x language question. |
#3 Code-Switching Red-Teaming / CSRT
★ Core2025ACL 2025T1
| Objective | Establish code-switching (mixing languages within one query) as a red-teaming technique that stresses understanding and safety jointly. |
|---|---|
| Methods | CSRT synthesizes queries mixing up to 10 languages in a single prompt; evaluate ten state-of-the-art LLMs, measuring both attack success and comprehension. |
| Dataset | CSRT-generated query set (exact size / full model list unconfirmed; verify on the Anthology page). |
| Key Results | 46.7% more successful attacks than monolingual English; surfaces a resource-availability / safety-alignment correlation. |
| Metrics | Attack success rate; multilingual comprehension quality. |
| Open source | Yes* (dataset release standard for this venue/type; link not logged). |
| Advantages | Naturalistic input pattern rather than an engineered construction; jointly probes comprehension and safety. |
| Disadvantages / Gap | Demonstrates the resource/safety effect more than it isolates the mechanism; 10 languages is a bounded sample; no quantization connection. |
| Relevance | A (core): within-sentence mixing complement to MultiJail; untested under quantization. |
#4 Exploiting LLM Quantization
★ Core2024NeurIPS 2024T1
| Objective | Show that quantization itself is an attack surface: a model benign at full precision that turns malicious only after the victim quantizes it. |
|---|---|
| Methods | Three stages: fine-tune a malicious model; compute the quantization pre-image (full-precision weights mapping to the same quantized model); projected gradient descent back to benign full-precision behavior inside that set. Targets LLM.int8(), NF4, FP4. |
| Dataset | Three attack scenarios: vulnerable code generation, content injection, over-refusal denial of service. |
| Key Results | Benign-looking full-precision checkpoints reliably de-quantize into the malicious behavior (per-scenario ASR not independently confirmed). |
| Metrics | Attack success rate per scenario. |
| Open source | Not logged (SRI Lab typically releases code; verify before citing availability). |
| Advantages | First demonstration of compression as a deliberate trigger; the many-to-one pre-image insight is general; reframes evaluation (testing the FP checkpoint alone certifies nothing). |
| Disadvantages / Gap | Assumes the attacker knows the victim's round-to-nearest scheme; does not cover GGUF; supply-chain precondition; no defense. |
| Relevance | B (core): quantization-as-trigger, one half of the two-paper backbone. |
#5 Mind the Gap: A Practical Attack on GGUF Quantization
★ Core2025ICML 2025T1
| Objective | Extend the benign-then-malicious quantization attack to GGUF, the block-wise format shipped by llama.cpp and ollama. |
|---|---|
| Methods | Exploit the quantization error inside GGUF's per-block scheme; constrain the malicious model's weights to the tolerance mapping back to a clean-looking full-precision checkpoint (a constraint-projection generalization of the NeurIPS 2024 attack). |
| Dataset | Base models, sizes, and ASR numbers not confirmed from the pages fetched (pending PDF). |
| Key Results | Scheme complexity is not a defense; the attack holds on GGUF. |
| Metrics | Attack success rate. |
| Open source | Not logged (verify on PMLR / OpenReview). |
| Advantages | Attacks the format practitioners actually run (download-a-GGUF, run ollama); with the NeurIPS paper, establishes quant-as-trigger as a validated line. |
| Disadvantages / Gap | Supply-chain precondition (victim quantizes an untrusted checkpoint locally); no fix; evaluation details unverified. |
| Relevance | B (core): moves the threat to the real deployment path. |
#6 How Does Quantization Affect Multilingual LLMs?
★ Core2024EMNLP 2024 FindingsFindings
| Objective | First thorough analysis of quantization effects on multilingual LLMs across languages and scales. |
|---|---|
| Methods | Layered evaluation stack: automatic benchmarks, LLM-as-a-judge, and human evaluation on realistic prompts, compared against each other across languages and model sizes. |
| Dataset | Multilingual task benchmarks + realistic human-eval prompts (quantization schemes / bit-widths not confirmed from the page fetched). |
| Key Results | Harm is disparate by language (non-Latin scripts worst); automatic metrics badly underestimate it (1.7% Japanese benchmark drop vs 16.0% human-judged). |
| Metrics | Task accuracy, LLM-judge and human-perceived quality. |
| Open source | Not logged. |
| Advantages | Sits exactly at the quant x multilingual intersection; the automatic-vs-human gap is a strong argument against benchmark-only safety claims. |
| Disadvantages / Gap | Measures quality, not jailbreak ASR (safety implication inferential); Findings track; method-level details unverified. |
| Relevance | C (core intersection): the paper my niche most directly extends toward attack-success. |
#7 Critical Weight Protection for Fairness and Safety under Quantization
★ Core2026ACL 2026 FindingsT1
| Objective | Audit how static and dynamic PTQ degrade fairness and multilingual safety, and mitigate by protecting critical weights at quantize time. |
|---|---|
| Methods | Compare GPTQ/AWQ/SmoothQuant (static) vs FP8/LLM.int8() (dynamic); Critical Weight Protection ranks weights by FAIRSCORE + SAFESCORE and keeps top-k% in FP16 (AWQ-trust). |
| Dataset | Gemma-7B / Llama-3.1-8B / Qwen-2.5-7B Instruct; MultiJail EN/KO/AR; SafetyBench, Do-Not-Answer, HEx-PHI; StereoSet, CrowS-Pair, Jigsaw, MBBQ. |
| Key Results | Quant often hurts fairness/safety; dynamic more stable; KO/AR %Safe drops; AWQ-trust recovers much (Llama-3.1 KO ~9.6 to ~66.1). |
| Metrics | %Safe, ASR, SafetyBench accuracy, SS/ICAT, Bias AUC. |
| Open source | No code found; benchmarks all public. |
| Advantages | First Tier-1 quant x multilingual safety audit; broad static+dynamic grid; AWQ-trust recovers large KO/AR losses without full re-alignment. |
| Disadvantages / Gap | Safety limited to EN/KO/AR; no GGUF ladder; English-centric criticality scoring; single Gemini MultiJail judge. |
| Relevance | D2 (core): the paper that closes the "empty intersection" framing and forces a sharper claim. |
#8 Q-resafe: Safety Risks and Patching for Quantized LLMs
★ Core2025ICML 2025T1
| Objective | Measure how mainstream quantization degrades safety, and restore it with a quantization-aware patch (Q-resafe). |
|---|---|
| Methods | AWQ / AQLM / LLM-QAT / QLoRA at INT4/INT8 with benign/indirect/direct calibration; Q-resafe is a DPO update on FP-vs-quantized preference pairs restricted to a SNIP-selected safety-critical weight mask via LoRA. |
| Dataset | Llama-2-7B-Chat, Gemma-7B-Instruct; UltraChat / AdvBench calibration; AdvBench ASR; MT-bench, AlpacaEval. |
| Key Results | All methods raise ASR vs FP16; harmful calibration far worse; Q-resafe restores toward FP ASR at ~1/8 the DPO compute. |
| Metrics | ASR (lower better), MT-bench, AlpacaEval. |
| Open source | Yes (Thecommonirin/Qresafe). |
| Advantages | Covers all four quantization families under controlled risk levels; patch matches DPO-level safety cheaply with utility intact. |
| Disadvantages / Gap | English-only (AdvBench); two 7B models; calibration-induced (not adversarial) threat model. |
| Relevance | D2 (core): English quant x ASR + patch baseline reviewers will expect. |
#9 Safety Layers in Aligned LLMs
2025ICLR 2025T1
| Objective | Locate a contiguous band of middle "safety layers" and use it to protect safety during fine-tuning. |
|---|---|
| Methods | Last-token cosine analysis over normal vs malicious query pairs to detect the divergence band; progressive scaling against an over-rejection set to refine bounds; SPPFT freezes those layers' gradients. |
| Dataset | Llama-3-8B-Instruct, Llama-2-7B-Chat, gemma-2b-it, Phi-3-mini; alpaca-finance plus implicit-attack, backdoor, and harmful mixes. |
| Key Results | Safety band appears only after alignment; SPPFT cuts harmful-response rate hard (Llama-3 9.62% vs 44.42%) with utility intact. |
| Metrics | Cosine/angle gaps, over-rejection, post-FT security. |
| Open source | Yes (listen0425/Safety-Layers). |
| Advantages | Clean existence result (band absent in pretrained siblings); large security gain with negligible capability cost. |
| Disadvantages / Gap | English, full precision; no multilingual ASR; no PTQ/GGUF remeasure; preserves rather than installs safety; coarse layer granularity. |
| Relevance | Spine C prior art: middle-layer refusal localization. |
#10 Safety-Critical Parameters (ESI / SET / SPA)
2026ACL 2026 FindingsT1
| Objective | Rank individual parameters by Expected Safety Impact, then install (SET) or preserve (SPA) safety sparsely. |
|---|---|
| Methods | ESI = |sigma(theta)·grad S| from a first-order safety-score expansion, made differentiable via Gumbel-softmax plus a Llama-Guard vocabulary projection; validated by Gaussian-noise perturbation vs SNIP/Wanda. |
| Dataset | Dense Llama3-8B/70B, Qwen2.5-14B; MoE Qwen3-30B-A3B; AdvBench (scoring), HarmBench / WildJailbreak (degradation); CB-Safety / R1-Safety (SET). |
| Key Results | Perturbing top-1% ESI raises HarmBench ASR 15.3 to 59.1 (baselines at most 37.6); SET cuts WildJailbreak ASR 62.5% to 19.1% updating 1% of weights. |
| Metrics | ASR, safety score, % weights updated. |
| Open source | Yes (ZJU-LLM-Safety/SafeWeights-ACL). |
| Advantages | Weight-level resolution from a single checkpoint; strong causal validation; dense + MoE coverage. |
| Disadvantages / Gap | English-centric benches; no PTQ/GGUF remeasure; judge-pipeline sensitivity only partly ablated; single judge family. |
| Relevance | Spine C prior art: sparse safety install/preserve (a quantize-time cousin of Al Hakim). |
#11 Refusal Is Mediated by a Single Direction
2024NeurIPS 2024T1
| Objective | Show refusal is mediated by a single residual-stream direction that can be removed (jailbreak) or added (forced refusal). |
|---|---|
| Methods | Difference-in-means direction at post-instruction positions; activation addition, directional ablation, and rank-one weight orthogonalization; feature attribution on GCG suffixes. |
| Dataset | 13 chat models (1.8B-72B); AdvBench / MaliciousInstruct / TDC2023 / HarmBench harmful, Alpaca harmless; JailbreakBench eval; Llama Guard 2 judge. |
| Key Results | Ablation drops refusal and safety across all 13 models; orthogonalization is a one-edit general jailbreak competitive with GCG (Qwen-14B ASR 84.3) with near-zero capability loss. |
| Metrics | Refusal score, safety score. |
| Open source | Yes (andyrdt/refusal_direction). |
| Advantages | Replicates across 13 models and both alignment recipes; explains why sparse/layer-local safety works and why compression might scramble a thin direction. |
| Disadvantages / Gap | White-box; English only; no quantization tables; TruthfulQA degrades after ablation (collateral effect). |
| Relevance | Mechanistic prior: low-dimensional, editable refusal. |
#12 STLA: Spatiotemporal Lookahead Alignment for PTQ
2026ICML 2026 (accepted)T1
| Objective | Fast and accurate low-bit PTQ by fixing the spatiotemporal misalignment between learning-based and compensation-based rounding. |
|---|---|
| Methods | Cluster-wise integrated rounding (learning + compensation together), Hessian-guided clustering for intra-cluster error cancellation, and a Schur-Complement lookahead objective. |
| Dataset | Not enumerated in the public abstract; standard WikiText-2/C4 calibration + reasoning suites on LLaMA/Qwen is the likely stack (pending PDF). |
| Key Results | Claims SOTA low-bit PTQ speed and accuracy (exact tables pending PDF). |
| Metrics | WikiText/C4 perplexity, zero-shot accuracy. |
| Open source | Yes (anonymous.4open.science/r/STLA). |
| Advantages | Principled second-order account of hybrid-rounding failure; production-plausible compressor and a strong quantize-then-probe baseline. |
| Disadvantages / Gap | Capability-only, no safety measurement; tables not yet grounded; cost profile vs GPTQ/AWQ/OmniQuant unverified. |
| Relevance | D2 (adjacent): SOTA PTQ baseline to re-run under a safety probe. |
#13 Detecting the Semantic Fixed Point (Early Exit)
2026ICML 2026 (Oral)T1
| Objective | Training-free early exit that stops when the hidden state converges, replacing output-confidence proxies. |
|---|---|
| Methods | Treat each layer as fixed-point iteration; exit when normalized update norm is small AND consecutive updates are cosine-aligned; O(d) per layer, no learned heads. |
| Dataset | LLaMA-2-7B/13B on QA and commonsense reasoning as accuracy anchors (exact suite pending PDF). |
| Key Results | 30-35% FLOP reduction while keeping over 98% of full-depth accuracy. |
| Metrics | FLOPs / layers executed, accuracy retention. |
| Open source | Not logged. |
| Advantages | Exit signal decoupled from the softmax, cheap, zero added parameters; shows confidence is not internal convergence. |
| Disadvantages / Gap | Efficiency-only; if refusal forms late, geometric exit could skip safety layers; LLaMA-2 only. |
| Relevance | D2 (adjacent): a second compression axis with the same untested safety question. |
#14 Position: LLM-Safety Evaluations Lack Robustness
2026ICML 2026 (Position)T1
| Objective | Argue the safety-evaluation pipeline is too noisy to fairly compare attacks and defenses, and locate where the noise enters. |
|---|---|
| Methods | Four-stage critique (dataset curation, red-teaming optimization, response generation, LLM-as-judge) with per-stage noise-reduction guidelines. |
| Dataset | None; the object of study is the field's own evaluation practice. |
| Key Results | Systematic diagnosis that single-number comparisons are unreliable. |
| Metrics | n/a (argument). |
| Open source | n/a (paper openly on arXiv). |
| Advantages | ICML-level cover for the rigor claim; the four-stage decomposition is a directly usable checklist. |
| Disadvantages / Gap | Diagnosis without a validated replacement protocol; not specific to multilingual or quantized evaluation. |
| Relevance | F (rigor): my methodological bar for any quant x language ASR study. |
#15 Compliance without Coherence
2026AI and Ethics (Springer)journal
| Objective | Show the monitoring layer of alignment evaluation has a blind spot: fluent compliance can mask incoherent reasoning. |
|---|---|
| Methods | Conceptual argument separating behavioral compliance from reasoning coherence and naming the fluent-failure mode. |
| Dataset | None (no experiments). |
| Key Results | Argues compliance scores are a category error as alignment evidence when coherence is unmeasured. |
| Metrics | n/a (argument). |
| Open source | n/a. |
| Advantages | Precise name for why surface ASR/refusal can mislead, especially where quantization changes fluency and judges reward it. |
| Disadvantages / Gap | No empirical validation, no adoptable coherence metric; PDF not yet grounded. |
| Relevance | F (rigor): feeds the judge-reliability design for a rigor-first study. |
#16 Chain-of-Thought as a Lens
2026ACL 2026T1
| Objective | Measure whether multi-step CoT tracks human-preferred reasoning structure (not just answer correctness). |
|---|---|
| Methods | Alignment Score comparing model vs reference reasoning chains through semantic-entropy matrices, tracked across reasoning depth; validated against accuracy, readability, coherence. |
| Dataset | Human-preferred reference chains over multi-hop tasks (exact composition, and whether safety reasoning is covered, unconfirmed). |
| Key Results | Alignment peaks at 2-hop and degrades via thematic shift and redundant reasoning. |
| Metrics | Alignment Score. |
| Open source | No code logged. |
| Advantages | Reasoning process as a first-class alignment target; concrete degradation mechanism; external validity checks. |
| Disadvantages / Gap | Diagnostic only; metric noisiest exactly at deep multi-hop; safety coverage unconfirmed. |
| Relevance | F (adjacent): a CoT-to-preference tool a reasoning-model red-team could adopt. |
#17 Reranker Helps, but Not Enough (RAG Poisoning)
2026ICML 2026 (accepted)T1
| Objective | Show benign-trained rerankers filter most RAG poisons but have blind spots, then build P³A to defeat them. |
|---|---|
| Methods | Distill prompt-design principles from reranker failures; rule-based poisoned drafts plus ~1% character-level perturbations chosen to promote reranker rank while keeping the payload; single-document budget, transfer to vanilla RAG. |
| Dataset | Not named in the abstract; NQ/HotpotQA/MS MARCO with dense retrievers and cross-encoder rerankers is the likely stack (pending PDF). |
| Key Results | Strong attack against benign rerankers; transfers beyond the defense it targets. |
| Metrics | Attack success rate, retrieval/rerank hit of poison. |
| Open source | Yes (supplementary code). |
| Advantages | Realistic benign-reranker defense setting; tiny single-doc edit budget; reusable two-phase attack pattern. |
| Disadvantages / Gap | ASR/datasets not groundable yet; may be blunted by normalization; tied to benign-trained rerankers; no safety or multilingual analysis. |
| Relevance | E (adjacent): RAG poisoning past rerankers; loose D3 touch. |
#18 When Search Goes Wrong / CREST-Search
2026ICML 2026T1
| Objective | Red-team web-augmented LLMs on the retrieval/citation surface, where harm is smuggled through cited content while generation stays benign. |
|---|---|
| Methods | CREST-Search: black-box adversarial search queries via keyword injection, exaggeration, and role play; harm scored on citations separately from generation. |
| Dataset | Four commercial systems (GPT-4o-search-preview, GPT-4o-mini-search-preview, Gemini-2.0/2.5-flash-search); English queries. |
| Key Results | 80.5% risk detection vs 11.6% best baseline; 89.3% of risks citation-specific; adversarial queries stay low-toxicity (23.6%). |
| Metrics | Risk detection, query toxicity, diversity (self-BLEU). |
| Open source | No code release noted; targets are closed systems. |
| Advantages | Reframes the attack surface with direct evidence; hard-to-filter low-toxicity queries. |
| Disadvantages / Gap | English, four systems; black-box (no mechanism); unresolved model-vs-index attribution; no open-weight or multilingual coverage. |
| Relevance | E (adjacent): agentic retrieval threat surface. |
#19 Gray-Box VLM Adversarial Alignment
2026ICML 2026T1
| Objective | Attack vision-language models in the gray-box setting with an adaptive, SVD-structured perturbation. |
|---|---|
| Methods | Inferred from the title and gray-box literature: build a surrogate around a shared vision encoder and shape the perturbation along singular-vector structure (not verified from PDF). |
| Dataset | Unconfirmed (victim VLMs, baselines, ASR not retrievable). |
| Key Results | Unconfirmed. |
| Metrics | Unconfirmed. |
| Open source | Unknown. |
| Advantages | Realistic gray-box model for the shared-encoder VLM ecosystem; SVD structuring is a principled prior. |
| Disadvantages / Gap | My access is limited (cite only existence/authorship/venue); shared-encoder ceiling; vision modality, not text-only. |
| Relevance | E (adjacent): gray-box framing loosely neighboring quantization threat models. |
#20 Bridging the Scale Gap (hybrid red-teaming)
2026FAccT 2026T1
| Objective | Surface latent, context-dependent risks in text-to-image models that neither pure human nor pure automated red-teaming catches. |
|---|---|
| Methods | Hybrid human-in-the-loop: automation scales coverage, humans keep the latent-risk judgment calls (specific technique unconfirmed pending PDF). |
| Dataset | T2I models under test and sample sizes unconfirmed. |
| Key Results | Unconfirmed (bibliographic facts verified, methodological depth not). |
| Metrics | Unconfirmed. |
| Open source | Unknown. |
| Advantages | Rebuts human-vs-automated framing with a division of labor matched to each; latent-harm focus. |
| Disadvantages / Gap | Specifics unverified; T2I modality; intrinsic cost/scale ceiling. |
| Relevance | E (adjacent): hybrid methodology transfers to multilingual red-teaming. |
#21 Evaluating the Safety of LLMs in Healthcare and Dentistry
2026BDJ Open (Nature)journal
| Objective | Argue clinical LLM safety needs lifecycle adversarial evaluation, and systematize prompt-based red-teaming for healthcare. |
|---|---|
| Methods | Narrative review: five evaluation strategies and outcome measures; a red-blue-purple team framework across pre-deployment, monitoring, and iterative review. |
| Dataset | None released; ~15-20% safety-risk figure cited from prior medical LLM studies. |
| Key Results | Dentistry is under-red-teamed; soft "consult a professional" guardrails create false safety. |
| Metrics | Narrative synthesis; risk/bias rates from cited studies. |
| Open source | n/a (review; OA article). |
| Advantages | Concrete clinical governance lifecycle; realistic ordinary-user adversary framing; hard vs soft guardrail distinction. |
| Disadvantages / Gap | No new measurement; prompt-only scope; proposed practice, no mandate; version-transfer caveat. |
| Relevance | Low / cross: evidence that domain red-teaming is becoming lifecycle practice. |
#22 SoK: A Taxonomy of LLM Threats
2026Computer Science Reviewjournal
| Objective | Systematize the fragmented LLM security literature into a lifecycle taxonomy of 20 attack classes. |
|---|---|
| Methods | SoK synthesis: situate threats on a training / inference / system-integration axis; encode causal and associative dependencies; ground in case studies; prescribe defense-in-depth. |
| Dataset | The published attack/defense literature plus incidents (inclusion counts PDF-only). |
| Key Results | Lifecycle taxonomy plus a dependency-aware defense agenda. |
| Metrics | Taxonomy coverage (not ASR). |
| Open source | No (Elsevier paywalled; no artifact). |
| Advantages | Broadest lifecycle threat map; dependency schema beyond flat attack lists. |
| Disadvantages / Gap | Breadth over depth; PDF not read line-by-line; taxonomies of agentic threats age fast. |
| Relevance | G: related-work scaffolding for the survey's framing section. |
#23 How "Hard" Are Hard Laws?
2026Computer Law & Security Reviewjournal
| Objective | Interrogate whether the hard-law vs soft-law distinction predicts enforceability, using South Korea and Japan. |
|---|---|
| Methods | Comparative doctrinal analysis of statutory text and enforcement architecture (Korea's hybrid AI Basic Act vs Japan's soft-law guidelines). |
| Dataset | None; statutes and institutional design documents. |
| Key Results | Hybrid statute undermines the hard/soft binary; hardness is a matter of implementation capacity. |
| Metrics | n/a (legal analysis). |
| Open source | n/a. |
| Advantages | Timely comparative case; template for asking whether a red-teaming/attribution mandate would be enforceable. |
| Disadvantages / Gap | Doctrinal only; two-jurisdiction scope; partial verification (full text blocked). |
| Relevance | G (governance): background for the policy pillar. |
#24 Opening the Scope of Openness in AI
2025FAccT 2025T1
| Objective | Map empirically what "openness" has meant across computing discourse and what current AI debates leave out. |
|---|---|
| Methods | LDA topic modeling over 224,123 bibliographic records (1980-2024), 80 topics, 98 openness concepts, into a two-dimensional taxonomy. |
| Dataset | The 224K-record corpus (Web of Science, Scopus, The Lens). |
| Key Results | AI-openness discourse emphasizes Interactivity while underweighting Inclusiveness (fairness, diversity). |
| Metrics | Topic-model separation. |
| Open source | Yes (paper on arXiv 2505.06464; corpus/code release not logged). |
| Advantages | Empirical usage map rather than definitional debate; concrete Interactivity-vs-Inclusiveness asymmetry. |
| Disadvantages / Gap | Misses under-published or non-English concepts; discourse-level, not whether any open release delivers. |
| Relevance | G (governance): why "open-weight therefore auditable therefore safe" is not a clean syllogism. |
#25 LogiCP: Formal Logic Guided UQ for Personalized Federated Learning
2026JAIRjournal
| Objective | Personalized federated learning with formal uncertainty guarantees, clustering clients by temporal semantics. |
|---|---|
| Methods | Signal Temporal Logic property inference for semantic client clustering plus decentralized conformal prediction per cluster; runtime client assignment without retraining. |
| Dataset | Traffic, temperature, and electricity forecasting sensor tasks. |
| Key Results | Up to ~95% client-level MSE improvement over BNN / clustering / CP baselines. |
| Metrics | Client-level MSE, scalability. |
| Open source | No code noted (JAIR article OA). |
| Advantages | Distribution-free conformal coverage guarantees; runtime client onboarding. |
| Disadvantages / Gap | "Alignment" here is client-cluster semantics, not safety; STL predicates need domain design; exchangeability can break under non-stationarity. |
| Relevance | None of my directions; logged for completeness and as a triage lesson (alignment does not equal safety alignment). |
Notes on scope
- Excluded as preprint: the 15 watchlist entries (†) from Lit 1.1, including Beyond Activation Alignment, Smaller Models Unexpected Costs, the three AI-labor exposure working papers, AdversaBench, the T2I replay paper, NRT-Bench, RIFT-Bench, Institutional Red-Teaming, Beyond ASR, EvalSafetyGap, Single-Layer RL (Zhang), LoRA-for-Safety (Xue), and Alignment-Aware Quantization. The GPT-Red writeup is also excluded (vendor publication, pre-print forthcoming). Promote any of these here once they clear a venue.
- Core tag rationale: the ★ set is the direct quantization x multilingual safety spine, MultiJail and CSRT (multilingual jailbreak), Exploiting Quantization and Mind the Gap (quant as attack surface), Marchisio et al. (quant x multilingual quality), Jailbroken (the theory), plus Al Hakim and Q-resafe (the two Tier-1 quant x safety neighbors). Everything else is prior art, adjacent modality, rigor, or governance.