This note merges the survey tables from Literature Review 1.0 and Literature Review 1.1. Only published, non-preprint papers are included: the 15-entry preprint watchlist from 1.1 and the vendor GPT-Red writeup are left out until they clear a venue. Papers marked ★ Core are the tightest anchors for my quantization x multilingual safety niche.

  • 25 published (non-preprint) papers
  • 17 venues
  • 2023-2026 year range
  • 8 ★ Core anchors

Overview

#PaperAuthors & YearVenue (status)TierCitationsObjectiveMethodologyDatasetKey ResultsMetricsOpen sourceAdvantagesDisadvantagesRelevance (Direction)
1★ Core Jailbroken: How Does LLM Safety Training Fail?Wei, Haghtalab, Steinhardt, 2023NeurIPS 2023 (Oral)T1n/lExplain why safety-trained LLMs still jailbreak via two structural failure modes, then design attacks from the theory.Hypothesize competing objectives and mismatched generalization; construct attacks from each lens; evaluate vs GPT-4 and Claude v1.3.No released set; curated harmful prompts vs two closed 2023-era models.Designed attacks succeed where prior techniques were being patched; argues for safety-capability parity.Attack success rate.NoDurable explanatory theory; constructive rather than post-hoc; cleanest account of low-resource jailbreaks.A framework, not a predictor of which prompts land in a gap; demonstrated jailbreaks patched; parity a principle only.D (theory core): mechanism predicting the multilingual gap and quant drift compound.
2★ Core Multilingual Jailbreak Challenges / MultiJailDeng, Zhang, Pan, Bing, 2024ICLR 2024T1n/lSeparate and measure unintentional vs intentional multilingual jailbreak scenarios.MultiJail: 315 prompts native-translated into 9 languages across resource tiers; evaluate ChatGPT and GPT-4 in both scenarios.MultiJail (released); ChatGPT, GPT-4.Low-resource ~3x the unsafe rate of high-resource; intentional up to 80.92% (ChatGPT) / 40.71% (GPT-4).Unsafe-output rate.YesFoundational dataset; language-resource level as a safety variable; native translation isolates language from noise.9 languages / 315 prompts modest; only 2023-era closed models, no open-weight or quantized variants.A (core): the multilingual anchor; sets up the open quant x language question.
3★ Core Code-Switching Red-Teaming / CSRTYoo, Yang, Lee, 2025ACL 2025n/ln/lEstablish code-switching as a red-teaming technique that stresses understanding and safety jointly.CSRT synthesizes queries mixing up to 10 languages in one prompt; evaluate ten state-of-the-art LLMs.CSRT-generated query set; 10 LLMs (list unconfirmed).46.7% more successful attacks than monolingual English; surfaces a resource-availability / safety correlation.Attack success rate; multilingual comprehension.Yes*Naturalistic input rather than an engineered construction; jointly probes comprehension and safety.Demonstrates the effect more than the mechanism; 10 languages bounded; no quantization connection.A (core): within-sentence mixing complement to MultiJail; untested under quantization.
4★ Core Exploiting LLM QuantizationEgashira, Vero, Staab, He, Vechev, 2024NeurIPS 2024T1n/lShow quantization itself is an attack surface: benign at full precision, malicious only after the victim quantizes.Inject a malicious model; compute the quantization pre-image; projected gradient descent back to benign FP inside that set. LLM.int8()/NF4/FP4.Three scenarios: vulnerable code generation, content injection, over-refusal denial of service.Benign-looking FP checkpoints reliably de-quantize into the malicious behavior (per-scenario ASR unconfirmed).Attack success rate per scenario.n/lFirst quant-as-trigger; general many-to-one pre-image insight; reframes evaluation (FP check certifies nothing).Assumes known round-to-nearest scheme; no GGUF; supply-chain precondition; no defense.B (core): quantization-as-trigger, half the two-paper backbone.
5★ Core Mind the Gap: A Practical Attack on GGUF QuantizationEgashira, Staab, Vero, He, Vechev, 2025ICML 2025T1n/lExtend the benign-then-malicious quantization attack to GGUF (llama.cpp and ollama).Exploit the quantization error in GGUF's per-block scheme; constrain malicious weights to the tolerance mapping back to a clean FP checkpoint.Base models, sizes, and ASR not confirmed (pending PDF).Scheme complexity is not a defense; the attack holds on GGUF.Attack success rate.n/lAttacks the format practitioners actually run; with the NeurIPS paper, validates the quant-as-trigger line.Supply-chain precondition (victim quantizes locally); no fix; evaluation details unverified.B (core): moves the threat to the real deployment path.
6★ Core How Does Quantization Affect Multilingual LLMs?Marchisio, Dash, Chen, Aumiller, Üstün, Hooker, Ruder, 2024EMNLP 2024 FindingsFindingsn/lFirst thorough analysis of quantization effects on multilingual LLMs across languages and scales.Layered evaluation: automatic benchmarks, LLM-as-a-judge, and human evaluation on realistic prompts, compared against each other.Multilingual task benchmarks + realistic human-eval prompts (schemes / bit-widths unconfirmed).Harm is disparate by language (non-Latin worst); automatic metrics underestimate it (1.7% vs 16.0% human, Japanese).Task accuracy; LLM-judge and human-perceived quality.n/lSits exactly at the quant x multilingual intersection; strong automatic-vs-human gap argument.Measures quality, not jailbreak ASR (safety inferential); Findings track; method details unverified.C (core intersection): the paper my niche extends toward attack-success.
7★ Core Critical Weight Protection (Fairness + Safety under Quantization)Al Hakim, Wicaksono, Koto, 2026ACL 2026 FindingsT1~0 (new)Audit fairness and multilingual safety under static/dynamic PTQ, and protect critical weights at quantize time.GPTQ/AWQ/SmoothQuant vs FP8/LLM.int8(); rank weights by FAIRSCORE + SAFESCORE, keep top-k% in FP16 (AWQ-trust).Gemma-7B / Llama-3.1-8B / Qwen-2.5-7B; MultiJail EN/KO/AR; SafetyBench, Do-Not-Answer, HEx-PHI; StereoSet, CrowS-Pair, Jigsaw, MBBQ.Quant hurts fairness/safety; dynamic more stable; KO/AR %Safe drops; AWQ-trust recovers (Llama-3.1 KO ~9.6 to ~66.1).%Safe, ASR, SafetyBench accuracy, SS/ICAT, Bias AUC.NoFirst Tier-1 quant x multilingual safety audit; broad static+dynamic grid; AWQ-trust recovers KO/AR losses.Safety limited to EN/KO/AR; no GGUF ladder; English-centric criticality scoring; single Gemini judge.D2 (core): closes the "empty intersection" framing; forces a sharper claim.
8★ Core Q-resafe: Safety Risks and Patching for Quantized LLMsChen, Zhang, Hu, Wang, Lou, Feng, Song, 2025ICML 2025T1see ScholarMeasure how mainstream quantization degrades safety and restore it with a quantization-aware patch.AWQ / AQLM / LLM-QAT / QLoRA at INT4/INT8 with risk-level calibration; DPO on FP-vs-quantized preference pairs restricted to a SNIP mask via LoRA.Llama-2-7B-Chat, Gemma-7B-Instruct; UltraChat / AdvBench calibration; AdvBench ASR; MT-bench, AlpacaEval.All methods raise ASR vs FP16; harmful calibration far worse; Q-resafe restores toward FP at ~1/8 the DPO compute.ASR (lower better), MT-bench, AlpacaEval.YesCovers all four quantization families under controlled risk levels; patch matches DPO-level safety cheaply, utility intact.English-only (AdvBench); two 7B models; calibration-induced, not adversarial, threat model.D2 (core): English quant x ASR + patch baseline reviewers expect.
9Safety Layers in Aligned LLMsLi, Yao, Zhang, Li, 2025ICLR 2025T1see ScholarLocate a contiguous band of middle "safety layers" and use it to protect safety during fine-tuning.Last-token cosine analysis over normal vs malicious pairs; progressive scaling vs an over-rejection set; SPPFT freezes those gradients.Llama-3-8B-Instruct, Llama-2-7B-Chat, gemma-2b-it, Phi-3-mini; alpaca-finance + implicit-attack, backdoor, harmful mixes.Band appears only after alignment; SPPFT cuts harmful-response rate (Llama-3 9.62% vs 44.42%) with utility intact.Cosine/angle gaps, over-rejection, post-FT security.YesClean existence result (band absent in pretrained siblings); large security gain at negligible capability cost.English, full precision; no multilingual/PTQ/GGUF; preserves rather than installs safety; coarse granularity.Spine C prior art: middle-layer refusal localization.
10Safety-Critical Parameters (ESI / SET / SPA)Qi, Wu, Zheng, Zhang, Jia, Qin, Ren, 2026ACL 2026 FindingsT1~0 (new)Rank parameters by Expected Safety Impact, then install (SET) or preserve (SPA) safety sparsely.ESI = |sigma·grad S|, made differentiable via Gumbel-softmax + Llama-Guard projection; validated by perturbation vs SNIP/Wanda.Dense Llama3-8B/70B, Qwen2.5-14B; MoE Qwen3-30B-A3B; AdvBench, HarmBench, WildJailbreak; CB-Safety / R1-Safety.Perturbing top-1% ESI raises HarmBench ASR 15.3 to 59.1; SET cuts WildJailbreak ASR 62.5% to 19.1% at 1% weights.ASR, safety score, % weights updated.YesWeight-level resolution from a single checkpoint; strong causal validation; dense + MoE coverage.English-centric benches; no PTQ/GGUF remeasure; judge-pipeline sensitivity only partly ablated; single judge family.Spine C prior art: sparse safety install/preserve (quantize-time cousin of Al Hakim).
11Refusal Is Mediated by a Single DirectionArditi, Obeso, Syed, Paleka, Panickssery, Gurnee, Nanda, 2024NeurIPS 2024T1see ScholarShow refusal is mediated by one residual-stream direction that can be removed (jailbreak) or added (forced refusal).Difference-in-means direction; activation addition, directional ablation, rank-one weight orthogonalization; suffix attribution.13 chat models (1.8B-72B); AdvBench/MaliciousInstruct/TDC2023/HarmBench, Alpaca; JailbreakBench; Llama Guard 2.Ablation drops refusal across all 13; orthogonalization is a one-edit general jailbreak ~GCG (Qwen-14B 84.3), near-zero capability loss.Refusal score, safety score.YesReplicates across 13 models and both alignment recipes; explains why sparse/layer-local safety works and is brittle.White-box; English only; no quantization tables; TruthfulQA degrades after ablation.Mechanistic prior: low-dimensional, editable refusal.
12STLA: Spatiotemporal Lookahead Alignment for PTQZhang, Sun, Chu, Yu, Un, Martins, Mak, Xu, 2026ICML 2026 (accepted)T1~0 (new)Fast and accurate low-bit PTQ by fixing the spatiotemporal misalignment between learning and compensation rounding.Cluster-wise integrated rounding; Hessian-guided clustering for intra-cluster error cancellation; a Schur-Complement lookahead objective.Not enumerated in the abstract; standard WikiText-2/C4 + reasoning suites on LLaMA/Qwen likely (pending PDF).Claims SOTA low-bit PTQ speed and accuracy (exact tables pending PDF).WikiText/C4 perplexity, zero-shot accuracy.YesPrincipled second-order account of hybrid-rounding failure; production-plausible quantize-then-probe baseline.Capability-only, no safety measurement; tables ungrounded; cost vs GPTQ/AWQ/OmniQuant unverified.D2 (adjacent): SOTA PTQ baseline to re-run under a safety probe.
13Detecting the Semantic Fixed Point (Early Exit)Gu, Qiao, Luo, 2026ICML 2026 (Oral)T1~0 (new)Training-free early exit that stops when the hidden state converges, replacing output-confidence proxies.Treat each layer as fixed-point iteration; exit when normalized update norm is small AND consecutive updates are cosine-aligned; O(d)/layer.LLaMA-2-7B/13B on QA and commonsense reasoning as accuracy anchors (suite pending PDF).30-35% FLOP reduction while keeping over 98% of full-depth accuracy.FLOPs / layers executed, accuracy retention.n/lExit signal decoupled from the softmax, cheap; zero training and parameters; shows confidence is not convergence.Efficiency-only; late-forming refusal could be skipped by geometric exit; LLaMA-2 only.D2 (adjacent): second compression axis, same untested safety question.
14Position: LLM-Safety Evaluations Lack RobustnessBeyer, Xhonneux, Geisler, Gidel, Schwinn, Günnemann, 2026ICML 2026 (Position)T1~0 (new)Argue the safety-evaluation pipeline is too noisy to fairly compare attacks and defenses, and locate the noise.Four-stage critique (dataset curation, red-teaming optimization, response generation, LLM-as-judge) with per-stage guidelines.None; the object of study is the field's own evaluation practice.Systematic diagnosis that single-number comparisons are unreliable.n/a (argument).n/aICML-level cover for the rigor claim; the four-stage decomposition is a directly usable checklist.Diagnosis without a validated replacement protocol; not specific to multilingual or quantized evaluation.F (rigor): my methodological bar for any quant x language ASR study.
15Compliance without CoherenceFassbender, 2026AI and Ethics (Springer)journal~0 (new)Show the monitoring layer of alignment evaluation has a blind spot: fluent compliance can mask incoherent reasoning.Conceptual argument separating behavioral compliance from reasoning coherence and naming the fluent-failure mode.None (no experiments).Argues compliance scores are a category error as alignment evidence when coherence is unmeasured.n/a (argument).n/aPrecise name for why surface ASR/refusal can mislead, especially where quantization changes fluency and judges reward it.No empirical validation, no adoptable coherence metric; PDF not yet grounded.F (rigor): feeds the judge-reliability design for a rigor-first study.
16Chain-of-Thought as a LensWang, Li, Huang, Huang, Dong, 2026ACL 2026T1n/lMeasure whether multi-step CoT tracks human-preferred reasoning structure, not just answer correctness.Alignment Score comparing model vs reference chains through semantic-entropy matrices across reasoning depth; validated externally.Human-preferred reference chains over multi-hop tasks (composition, safety coverage unconfirmed).Alignment peaks at 2-hop and degrades via thematic shift and redundant reasoning.Alignment Score.NoReasoning process as a first-class alignment target; concrete degradation mechanism; external validity checks.Diagnostic only; metric noisiest at deep multi-hop; safety coverage unconfirmed.F (adjacent): a CoT-to-preference tool a reasoning-model red-team could adopt.
17Reranker Helps, but Not Enough (RAG Poisoning)Yang, Liu, Xiong, Liang, He, Tan, 2026ICML 2026 (accepted)T1~0 (new)Show benign-trained rerankers filter most poisons but have blind spots, then build P³A to defeat them.Distill prompt-design principles from reranker failures; rule-based drafts + ~1% character perturbations to promote rank; single-doc budget; transfer to vanilla RAG.Not named; NQ/HotpotQA/MS MARCO with dense retrievers and cross-encoder rerankers likely (pending PDF).Strong attack against benign rerankers; transfers beyond the defense it targets.Attack success rate, retrieval/rerank hit of poison.YesRealistic benign-reranker setting; tiny single-doc edit budget; reusable two-phase attack pattern.ASR/datasets not groundable yet; normalization may blunt it; tied to benign rerankers; no safety or multilingual analysis.E (adjacent): RAG poisoning past rerankers; loose D3 touch.
18When Search Goes Wrong / CREST-SearchOu, Chen, Han, Deng, Zhang, Qiu, Zhang, Lam, 2026ICML 2026T1n/lRed-team web-augmented LLMs on the retrieval/citation surface, where harm rides in cited content.CREST-Search: black-box adversarial search queries via keyword injection, exaggeration, role play; harm scored on citations.Four commercial systems (GPT-4o and Gemini search variants); English queries.80.5% risk detection vs 11.6% baseline; 89.3% of risks citation-specific; adversarial queries low-toxicity (23.6%).Risk detection, query toxicity, diversity (self-BLEU).NoReframes the attack surface with direct evidence; hard-to-filter low-toxicity queries.English, four systems; black-box (no mechanism); model-vs-index attribution unresolved; no open-weight/multilingual.E (adjacent): agentic retrieval threat surface.
19Gray-Box VLM Adversarial AlignmentLiu, Cai, Dong, Guo, Qu, Guan, Fang, Ye, 2026ICML 2026T1n/lAttack vision-language models in the gray-box setting with an adaptive, SVD-structured perturbation.Inferred (not verified from PDF): surrogate around a shared vision encoder; perturbation shaped by singular-vector structure.Unconfirmed (victim VLMs, baselines, ASR not retrievable).Unconfirmed.Unconfirmed.?Realistic gray-box model for the shared-encoder VLM ecosystem; SVD structuring is a principled prior.Access-limited note (cite existence only); shared-encoder ceiling; vision modality, not text-only.E (adjacent): gray-box framing loosely neighboring quant threat models.
20Bridging the Scale Gap (hybrid red-teaming)Quaye, Parrish, Rastogi, Kahng, Inel, Aroyo, Reddi, 2026FAccT 2026T1n/lSurface latent, context-dependent risks in text-to-image models that neither pure human nor pure automated red-teaming catches.Hybrid human-in-the-loop: automation scales coverage, humans keep latent-risk judgment calls (technique unconfirmed).T2I models under test and sample sizes unconfirmed.Unconfirmed (bibliographic facts verified, methodological depth not).Unconfirmed.?Rebuts human-vs-automated framing with a matched division of labor; latent-harm focus.Specifics unverified; T2I modality; intrinsic cost/scale ceiling.E (adjacent): hybrid methodology transfers to multilingual red-teaming.
21Evaluating the Safety of LLMs in Healthcare and DentistryUmer, Shaikh, Ur Rahman, 2026BDJ Open (Nature)journal~0 (new)Argue clinical LLM safety needs lifecycle adversarial evaluation, and systematize prompt-based red-teaming for healthcare.Narrative review: five evaluation strategies and outcome measures; a red-blue-purple team framework across the lifecycle.None released; ~15-20% safety-risk figure cited from prior medical LLM studies.Dentistry is under-red-teamed; soft "consult a professional" guardrails create false safety.Narrative synthesis; risk/bias rates from cited studies.n/aConcrete clinical governance lifecycle; realistic ordinary-user adversary framing; hard vs soft guardrail distinction.No new measurement; prompt-only scope; proposed practice, no mandate; version-transfer caveat.Low / cross: domain red-teaming becoming lifecycle practice.
22SoK: A Taxonomy of LLM ThreatsStylianou, Bountakas, Zarras, Farao, Bolgouras, Xenakis, 2026Computer Science Reviewjournal~0 (new)Systematize the fragmented LLM security literature into a lifecycle taxonomy of 20 attack classes.SoK synthesis on a training / inference / system-integration axis; encode causal and associative dependencies; ground in case studies.The published attack/defense literature plus incidents (inclusion counts PDF-only).Lifecycle taxonomy plus a dependency-aware defense-in-depth agenda.Taxonomy coverage (not ASR).NoBroadest lifecycle threat map; dependency schema beyond flat attack lists.Breadth over depth; PDF not read line-by-line; agentic-threat taxonomies age fast.G: related-work scaffolding for the survey's framing.
23How "Hard" Are Hard Laws?Jon, 2026Computer Law & Security Reviewjournaln/lInterrogate whether the hard-law vs soft-law distinction predicts enforceability, using South Korea and Japan.Comparative doctrinal analysis of statutory text and enforcement architecture (Korea's hybrid AI Basic Act vs Japan's guidelines).None; statutes and institutional design documents.The hybrid statute undermines the binary; hardness is a matter of implementation capacity.n/a (legal analysis).n/aTimely comparative case; a template for asking whether a red-teaming/attribution mandate would be enforceable.Doctrinal only; two-jurisdiction scope; partial verification (full text blocked).G (governance): background for the policy pillar.
24Opening the Scope of Openness in AIParis, Moon, Guo, 2025FAccT 2025T1n/lMap empirically what "openness" has meant across computing discourse and what current AI debates leave out.LDA topic modeling over 224,123 bibliographic records (1980-2024), 80 topics, 98 openness concepts, into a two-dimensional taxonomy.The 224K-record corpus (Web of Science, Scopus, The Lens).AI-openness discourse emphasizes Interactivity while underweighting Inclusiveness (fairness, diversity).Topic-model separation.YesEmpirical usage map rather than definitional debate; concrete Interactivity-vs-Inclusiveness asymmetry.Misses under-published or non-English concepts; discourse-level, not whether any open release delivers.G (governance): why "open-weight therefore auditable therefore safe" is not clean.
25LogiCP: Formal Logic Guided UQ for Personalized FLHe, An, Ma, 2026JAIRjournal~0 (new)Personalized federated learning with formal uncertainty guarantees, clustering clients by temporal semantics.STL property inference for semantic client clustering plus decentralized conformal prediction; runtime client assignment without retraining.Traffic, temperature, and electricity forecasting sensor tasks.Up to ~95% client-level MSE improvement over BNN / clustering / CP baselines.Client-level MSE, scalability.NoDistribution-free conformal coverage guarantees; runtime client onboarding."Alignment" here is client-cluster semantics, not safety; STL predicates need design; exchangeability can break.None of my directions; logged for completeness (alignment does not equal safety alignment).

Detailed Reviews

#1  Jailbroken: How Does LLM Safety Training Fail?

★ Core2023NeurIPS 2023 (Oral)T1

Alexander Wei, Nika Haghtalab, Jacob Steinhardt (UC Berkeley)

ObjectiveExplain why safety-trained LLMs still jailbreak, via two structural failure modes, then validate the theory by designing attacks from it.
MethodsHypothesize competing objectives (helpfulness vs harmlessness placed in tension) and mismatched generalization (capabilities outrun safety-tuning coverage); design attacks from each lens; evaluate against GPT-4 and Claude v1.3.
DatasetNo released dataset; curated harmful prompts against two closed 2023-era models.
Key ResultsDesigned attacks succeed where prior techniques were being patched; argues for safety-capability parity.
MetricsAttack success rate.
Open sourceNo.
AdvantagesDurable explanatory theory (both failure modes remain the standard lens); constructive rather than post-hoc; mismatched generalization is the cleanest account of why low-resource jailbreaks work.
Disadvantages / GapA framework, not a mechanistic predictor of which prompts land in a gap; demonstrated jailbreaks patched; parity is a principle without a protocol.
RelevanceD (theory core): the mechanism predicting that the multilingual gap and quant drift compound.

#2  Multilingual Jailbreak Challenges / MultiJail

★ Core2024ICLR 2024T1

Yue Deng, Wenxuan Zhang, Sinno Jialin Pan, Lidong Bing

ObjectiveSeparate and measure unintentional vs intentional multilingual jailbreak scenarios.
MethodsMultiJail: 315 unsafe English prompts, native-speaker translated into 9 languages across high/medium/low resource tiers; evaluate ChatGPT and GPT-4 in both scenarios.
DatasetMultiJail, released (DAMO-NLP-SG).
Key ResultsLow-resource languages ~3x the unsafe-output rate of high-resource; intentional multilingual framing up to 80.92% (ChatGPT) / 40.71% (GPT-4).
MetricsUnsafe-output rate.
Open sourceYes (dataset on GitHub, tagged ICLR 2024).
AdvantagesFoundational dataset nearly every later paper builds on; establishes language-resource level as a safety variable; native translation isolates language from translation noise.
Disadvantages / Gap9 languages / 315 prompts is modest; only 2023-era closed models, no open-weight or quantized variants.
RelevanceA (core): the multilingual anchor; sets up the open quant x language question.

#3  Code-Switching Red-Teaming / CSRT

★ Core2025ACL 2025T1

Haneul Yoo, Yongjin Yang, Hwaran Lee

ObjectiveEstablish code-switching (mixing languages within one query) as a red-teaming technique that stresses understanding and safety jointly.
MethodsCSRT synthesizes queries mixing up to 10 languages in a single prompt; evaluate ten state-of-the-art LLMs, measuring both attack success and comprehension.
DatasetCSRT-generated query set (exact size / full model list unconfirmed; verify on the Anthology page).
Key Results46.7% more successful attacks than monolingual English; surfaces a resource-availability / safety-alignment correlation.
MetricsAttack success rate; multilingual comprehension quality.
Open sourceYes* (dataset release standard for this venue/type; link not logged).
AdvantagesNaturalistic input pattern rather than an engineered construction; jointly probes comprehension and safety.
Disadvantages / GapDemonstrates the resource/safety effect more than it isolates the mechanism; 10 languages is a bounded sample; no quantization connection.
RelevanceA (core): within-sentence mixing complement to MultiJail; untested under quantization.

#4  Exploiting LLM Quantization

★ Core2024NeurIPS 2024T1

Kazuki Egashira, Mark Vero, Robin Staab, Jingxuan He, Martin Vechev (ETH Zurich, SRI Lab)

ObjectiveShow that quantization itself is an attack surface: a model benign at full precision that turns malicious only after the victim quantizes it.
MethodsThree stages: fine-tune a malicious model; compute the quantization pre-image (full-precision weights mapping to the same quantized model); projected gradient descent back to benign full-precision behavior inside that set. Targets LLM.int8(), NF4, FP4.
DatasetThree attack scenarios: vulnerable code generation, content injection, over-refusal denial of service.
Key ResultsBenign-looking full-precision checkpoints reliably de-quantize into the malicious behavior (per-scenario ASR not independently confirmed).
MetricsAttack success rate per scenario.
Open sourceNot logged (SRI Lab typically releases code; verify before citing availability).
AdvantagesFirst demonstration of compression as a deliberate trigger; the many-to-one pre-image insight is general; reframes evaluation (testing the FP checkpoint alone certifies nothing).
Disadvantages / GapAssumes the attacker knows the victim's round-to-nearest scheme; does not cover GGUF; supply-chain precondition; no defense.
RelevanceB (core): quantization-as-trigger, one half of the two-paper backbone.

#5  Mind the Gap: A Practical Attack on GGUF Quantization

★ Core2025ICML 2025T1

Kazuki Egashira, Robin Staab, Mark Vero, Jingxuan He, Martin Vechev (ETH Zurich, SRI Lab)

ObjectiveExtend the benign-then-malicious quantization attack to GGUF, the block-wise format shipped by llama.cpp and ollama.
MethodsExploit the quantization error inside GGUF's per-block scheme; constrain the malicious model's weights to the tolerance mapping back to a clean-looking full-precision checkpoint (a constraint-projection generalization of the NeurIPS 2024 attack).
DatasetBase models, sizes, and ASR numbers not confirmed from the pages fetched (pending PDF).
Key ResultsScheme complexity is not a defense; the attack holds on GGUF.
MetricsAttack success rate.
Open sourceNot logged (verify on PMLR / OpenReview).
AdvantagesAttacks the format practitioners actually run (download-a-GGUF, run ollama); with the NeurIPS paper, establishes quant-as-trigger as a validated line.
Disadvantages / GapSupply-chain precondition (victim quantizes an untrusted checkpoint locally); no fix; evaluation details unverified.
RelevanceB (core): moves the threat to the real deployment path.

#6  How Does Quantization Affect Multilingual LLMs?

★ Core2024EMNLP 2024 FindingsFindings

Kelly Marchisio, Saurabh Dash, Hongyu Chen, Dennis Aumiller, Ahmet Üstün, Sara Hooker, Sebastian Ruder (Cohere For AI)

ObjectiveFirst thorough analysis of quantization effects on multilingual LLMs across languages and scales.
MethodsLayered evaluation stack: automatic benchmarks, LLM-as-a-judge, and human evaluation on realistic prompts, compared against each other across languages and model sizes.
DatasetMultilingual task benchmarks + realistic human-eval prompts (quantization schemes / bit-widths not confirmed from the page fetched).
Key ResultsHarm is disparate by language (non-Latin scripts worst); automatic metrics badly underestimate it (1.7% Japanese benchmark drop vs 16.0% human-judged).
MetricsTask accuracy, LLM-judge and human-perceived quality.
Open sourceNot logged.
AdvantagesSits exactly at the quant x multilingual intersection; the automatic-vs-human gap is a strong argument against benchmark-only safety claims.
Disadvantages / GapMeasures quality, not jailbreak ASR (safety implication inferential); Findings track; method-level details unverified.
RelevanceC (core intersection): the paper my niche most directly extends toward attack-success.

#7  Critical Weight Protection for Fairness and Safety under Quantization

★ Core2026ACL 2026 FindingsT1

Muhammad Alif Al Hakim, Alfan Farizki Wicaksono, Fajri Koto (Universitas Indonesia; MBZUAI)

ObjectiveAudit how static and dynamic PTQ degrade fairness and multilingual safety, and mitigate by protecting critical weights at quantize time.
MethodsCompare GPTQ/AWQ/SmoothQuant (static) vs FP8/LLM.int8() (dynamic); Critical Weight Protection ranks weights by FAIRSCORE + SAFESCORE and keeps top-k% in FP16 (AWQ-trust).
DatasetGemma-7B / Llama-3.1-8B / Qwen-2.5-7B Instruct; MultiJail EN/KO/AR; SafetyBench, Do-Not-Answer, HEx-PHI; StereoSet, CrowS-Pair, Jigsaw, MBBQ.
Key ResultsQuant often hurts fairness/safety; dynamic more stable; KO/AR %Safe drops; AWQ-trust recovers much (Llama-3.1 KO ~9.6 to ~66.1).
Metrics%Safe, ASR, SafetyBench accuracy, SS/ICAT, Bias AUC.
Open sourceNo code found; benchmarks all public.
AdvantagesFirst Tier-1 quant x multilingual safety audit; broad static+dynamic grid; AWQ-trust recovers large KO/AR losses without full re-alignment.
Disadvantages / GapSafety limited to EN/KO/AR; no GGUF ladder; English-centric criticality scoring; single Gemini MultiJail judge.
RelevanceD2 (core): the paper that closes the "empty intersection" framing and forces a sharper claim.

#8  Q-resafe: Safety Risks and Patching for Quantized LLMs

★ Core2025ICML 2025T1

Kejia Chen, Jiawen Zhang, Jiacong Hu, Yu Wang, Jian Lou, Zunlei Feng, Mingli Song

ObjectiveMeasure how mainstream quantization degrades safety, and restore it with a quantization-aware patch (Q-resafe).
MethodsAWQ / AQLM / LLM-QAT / QLoRA at INT4/INT8 with benign/indirect/direct calibration; Q-resafe is a DPO update on FP-vs-quantized preference pairs restricted to a SNIP-selected safety-critical weight mask via LoRA.
DatasetLlama-2-7B-Chat, Gemma-7B-Instruct; UltraChat / AdvBench calibration; AdvBench ASR; MT-bench, AlpacaEval.
Key ResultsAll methods raise ASR vs FP16; harmful calibration far worse; Q-resafe restores toward FP ASR at ~1/8 the DPO compute.
MetricsASR (lower better), MT-bench, AlpacaEval.
Open sourceYes (Thecommonirin/Qresafe).
AdvantagesCovers all four quantization families under controlled risk levels; patch matches DPO-level safety cheaply with utility intact.
Disadvantages / GapEnglish-only (AdvBench); two 7B models; calibration-induced (not adversarial) threat model.
RelevanceD2 (core): English quant x ASR + patch baseline reviewers will expect.

#9  Safety Layers in Aligned LLMs

2025ICLR 2025T1

Shen Li, Liuyi Yao, Lan Zhang, Yaliang Li (USTC; Hefei Institute of AI)

ObjectiveLocate a contiguous band of middle "safety layers" and use it to protect safety during fine-tuning.
MethodsLast-token cosine analysis over normal vs malicious query pairs to detect the divergence band; progressive scaling against an over-rejection set to refine bounds; SPPFT freezes those layers' gradients.
DatasetLlama-3-8B-Instruct, Llama-2-7B-Chat, gemma-2b-it, Phi-3-mini; alpaca-finance plus implicit-attack, backdoor, and harmful mixes.
Key ResultsSafety band appears only after alignment; SPPFT cuts harmful-response rate hard (Llama-3 9.62% vs 44.42%) with utility intact.
MetricsCosine/angle gaps, over-rejection, post-FT security.
Open sourceYes (listen0425/Safety-Layers).
AdvantagesClean existence result (band absent in pretrained siblings); large security gain with negligible capability cost.
Disadvantages / GapEnglish, full precision; no multilingual ASR; no PTQ/GGUF remeasure; preserves rather than installs safety; coarse layer granularity.
RelevanceSpine C prior art: middle-layer refusal localization.

#10  Safety-Critical Parameters (ESI / SET / SPA)

2026ACL 2026 FindingsT1

Weiwei Qi, Zefeng Wu, Tianhang Zheng, Zikang Zhang, Xiaojun Jia, Zhan Qin, Kui Ren (Zhejiang University; NTU Singapore)

ObjectiveRank individual parameters by Expected Safety Impact, then install (SET) or preserve (SPA) safety sparsely.
MethodsESI = |sigma(theta)·grad S| from a first-order safety-score expansion, made differentiable via Gumbel-softmax plus a Llama-Guard vocabulary projection; validated by Gaussian-noise perturbation vs SNIP/Wanda.
DatasetDense Llama3-8B/70B, Qwen2.5-14B; MoE Qwen3-30B-A3B; AdvBench (scoring), HarmBench / WildJailbreak (degradation); CB-Safety / R1-Safety (SET).
Key ResultsPerturbing top-1% ESI raises HarmBench ASR 15.3 to 59.1 (baselines at most 37.6); SET cuts WildJailbreak ASR 62.5% to 19.1% updating 1% of weights.
MetricsASR, safety score, % weights updated.
Open sourceYes (ZJU-LLM-Safety/SafeWeights-ACL).
AdvantagesWeight-level resolution from a single checkpoint; strong causal validation; dense + MoE coverage.
Disadvantages / GapEnglish-centric benches; no PTQ/GGUF remeasure; judge-pipeline sensitivity only partly ablated; single judge family.
RelevanceSpine C prior art: sparse safety install/preserve (a quantize-time cousin of Al Hakim).

#11  Refusal Is Mediated by a Single Direction

2024NeurIPS 2024T1

Andy Arditi, Oscar Obeso, Aaquib Syed, Daniel Paleka, Nina Panickssery, Wes Gurnee, Neel Nanda

ObjectiveShow refusal is mediated by a single residual-stream direction that can be removed (jailbreak) or added (forced refusal).
MethodsDifference-in-means direction at post-instruction positions; activation addition, directional ablation, and rank-one weight orthogonalization; feature attribution on GCG suffixes.
Dataset13 chat models (1.8B-72B); AdvBench / MaliciousInstruct / TDC2023 / HarmBench harmful, Alpaca harmless; JailbreakBench eval; Llama Guard 2 judge.
Key ResultsAblation drops refusal and safety across all 13 models; orthogonalization is a one-edit general jailbreak competitive with GCG (Qwen-14B ASR 84.3) with near-zero capability loss.
MetricsRefusal score, safety score.
Open sourceYes (andyrdt/refusal_direction).
AdvantagesReplicates across 13 models and both alignment recipes; explains why sparse/layer-local safety works and why compression might scramble a thin direction.
Disadvantages / GapWhite-box; English only; no quantization tables; TruthfulQA degrades after ablation (collateral effect).
RelevanceMechanistic prior: low-dimensional, editable refusal.

#12  STLA: Spatiotemporal Lookahead Alignment for PTQ

2026ICML 2026 (accepted)T1

Zuqi Zhang, Chenghe Sun, Xiangyi Chu, Wei-Han Yu, Ka-Fai Un, Rui Martins, Pui-In Mak, Jiawei Xu

ObjectiveFast and accurate low-bit PTQ by fixing the spatiotemporal misalignment between learning-based and compensation-based rounding.
MethodsCluster-wise integrated rounding (learning + compensation together), Hessian-guided clustering for intra-cluster error cancellation, and a Schur-Complement lookahead objective.
DatasetNot enumerated in the public abstract; standard WikiText-2/C4 calibration + reasoning suites on LLaMA/Qwen is the likely stack (pending PDF).
Key ResultsClaims SOTA low-bit PTQ speed and accuracy (exact tables pending PDF).
MetricsWikiText/C4 perplexity, zero-shot accuracy.
Open sourceYes (anonymous.4open.science/r/STLA).
AdvantagesPrincipled second-order account of hybrid-rounding failure; production-plausible compressor and a strong quantize-then-probe baseline.
Disadvantages / GapCapability-only, no safety measurement; tables not yet grounded; cost profile vs GPTQ/AWQ/OmniQuant unverified.
RelevanceD2 (adjacent): SOTA PTQ baseline to re-run under a safety probe.

#13  Detecting the Semantic Fixed Point (Early Exit)

2026ICML 2026 (Oral)T1

Jiawei Gu, Ziyue Qiao, Xiao Luo

ObjectiveTraining-free early exit that stops when the hidden state converges, replacing output-confidence proxies.
MethodsTreat each layer as fixed-point iteration; exit when normalized update norm is small AND consecutive updates are cosine-aligned; O(d) per layer, no learned heads.
DatasetLLaMA-2-7B/13B on QA and commonsense reasoning as accuracy anchors (exact suite pending PDF).
Key Results30-35% FLOP reduction while keeping over 98% of full-depth accuracy.
MetricsFLOPs / layers executed, accuracy retention.
Open sourceNot logged.
AdvantagesExit signal decoupled from the softmax, cheap, zero added parameters; shows confidence is not internal convergence.
Disadvantages / GapEfficiency-only; if refusal forms late, geometric exit could skip safety layers; LLaMA-2 only.
RelevanceD2 (adjacent): a second compression axis with the same untested safety question.

#14  Position: LLM-Safety Evaluations Lack Robustness

2026ICML 2026 (Position)T1

Tim Beyer, Sophie Xhonneux, Simon Geisler, Gauthier Gidel, Leo Schwinn, Stephan Günnemann

ObjectiveArgue the safety-evaluation pipeline is too noisy to fairly compare attacks and defenses, and locate where the noise enters.
MethodsFour-stage critique (dataset curation, red-teaming optimization, response generation, LLM-as-judge) with per-stage noise-reduction guidelines.
DatasetNone; the object of study is the field's own evaluation practice.
Key ResultsSystematic diagnosis that single-number comparisons are unreliable.
Metricsn/a (argument).
Open sourcen/a (paper openly on arXiv).
AdvantagesICML-level cover for the rigor claim; the four-stage decomposition is a directly usable checklist.
Disadvantages / GapDiagnosis without a validated replacement protocol; not specific to multilingual or quantized evaluation.
RelevanceF (rigor): my methodological bar for any quant x language ASR study.

#15  Compliance without Coherence

2026AI and Ethics (Springer)journal

Pantaleon Fassbender

ObjectiveShow the monitoring layer of alignment evaluation has a blind spot: fluent compliance can mask incoherent reasoning.
MethodsConceptual argument separating behavioral compliance from reasoning coherence and naming the fluent-failure mode.
DatasetNone (no experiments).
Key ResultsArgues compliance scores are a category error as alignment evidence when coherence is unmeasured.
Metricsn/a (argument).
Open sourcen/a.
AdvantagesPrecise name for why surface ASR/refusal can mislead, especially where quantization changes fluency and judges reward it.
Disadvantages / GapNo empirical validation, no adoptable coherence metric; PDF not yet grounded.
RelevanceF (rigor): feeds the judge-reliability design for a rigor-first study.

#16  Chain-of-Thought as a Lens

2026ACL 2026T1

Boxuan Wang, Zhuoyun Li, Xinmiao Huang, Xiaowei Huang, Yi Dong

ObjectiveMeasure whether multi-step CoT tracks human-preferred reasoning structure (not just answer correctness).
MethodsAlignment Score comparing model vs reference reasoning chains through semantic-entropy matrices, tracked across reasoning depth; validated against accuracy, readability, coherence.
DatasetHuman-preferred reference chains over multi-hop tasks (exact composition, and whether safety reasoning is covered, unconfirmed).
Key ResultsAlignment peaks at 2-hop and degrades via thematic shift and redundant reasoning.
MetricsAlignment Score.
Open sourceNo code logged.
AdvantagesReasoning process as a first-class alignment target; concrete degradation mechanism; external validity checks.
Disadvantages / GapDiagnostic only; metric noisiest exactly at deep multi-hop; safety coverage unconfirmed.
RelevanceF (adjacent): a CoT-to-preference tool a reasoning-model red-team could adopt.

#17  Reranker Helps, but Not Enough (RAG Poisoning)

2026ICML 2026 (accepted)T1

Xiaokun Yang, Yesheng Liu, Xin Xiong, Jian Liang, Ran He, Tieniu Tan

ObjectiveShow benign-trained rerankers filter most RAG poisons but have blind spots, then build P³A to defeat them.
MethodsDistill prompt-design principles from reranker failures; rule-based poisoned drafts plus ~1% character-level perturbations chosen to promote reranker rank while keeping the payload; single-document budget, transfer to vanilla RAG.
DatasetNot named in the abstract; NQ/HotpotQA/MS MARCO with dense retrievers and cross-encoder rerankers is the likely stack (pending PDF).
Key ResultsStrong attack against benign rerankers; transfers beyond the defense it targets.
MetricsAttack success rate, retrieval/rerank hit of poison.
Open sourceYes (supplementary code).
AdvantagesRealistic benign-reranker defense setting; tiny single-doc edit budget; reusable two-phase attack pattern.
Disadvantages / GapASR/datasets not groundable yet; may be blunted by normalization; tied to benign-trained rerankers; no safety or multilingual analysis.
RelevanceE (adjacent): RAG poisoning past rerankers; loose D3 touch.

#18  When Search Goes Wrong / CREST-Search

2026ICML 2026T1

Haoran Ou, Kangjie Chen, Xingshuo Han, Gelei Deng, Jie Zhang, Han Qiu, Tianwei Zhang, Kwok-Yan Lam

ObjectiveRed-team web-augmented LLMs on the retrieval/citation surface, where harm is smuggled through cited content while generation stays benign.
MethodsCREST-Search: black-box adversarial search queries via keyword injection, exaggeration, and role play; harm scored on citations separately from generation.
DatasetFour commercial systems (GPT-4o-search-preview, GPT-4o-mini-search-preview, Gemini-2.0/2.5-flash-search); English queries.
Key Results80.5% risk detection vs 11.6% best baseline; 89.3% of risks citation-specific; adversarial queries stay low-toxicity (23.6%).
MetricsRisk detection, query toxicity, diversity (self-BLEU).
Open sourceNo code release noted; targets are closed systems.
AdvantagesReframes the attack surface with direct evidence; hard-to-filter low-toxicity queries.
Disadvantages / GapEnglish, four systems; black-box (no mechanism); unresolved model-vs-index attribution; no open-weight or multilingual coverage.
RelevanceE (adjacent): agentic retrieval threat surface.

#19  Gray-Box VLM Adversarial Alignment

2026ICML 2026T1

D. Liu, X. Cai, J. Dong, Z. Guo, X. Qu, R. Guan, X. Fang, D. Ye

ObjectiveAttack vision-language models in the gray-box setting with an adaptive, SVD-structured perturbation.
MethodsInferred from the title and gray-box literature: build a surrogate around a shared vision encoder and shape the perturbation along singular-vector structure (not verified from PDF).
DatasetUnconfirmed (victim VLMs, baselines, ASR not retrievable).
Key ResultsUnconfirmed.
MetricsUnconfirmed.
Open sourceUnknown.
AdvantagesRealistic gray-box model for the shared-encoder VLM ecosystem; SVD structuring is a principled prior.
Disadvantages / GapMy access is limited (cite only existence/authorship/venue); shared-encoder ceiling; vision modality, not text-only.
RelevanceE (adjacent): gray-box framing loosely neighboring quantization threat models.

#20  Bridging the Scale Gap (hybrid red-teaming)

2026FAccT 2026T1

Jessica Quaye, Alicia Parrish, Charvi Rastogi, Minsuk Kahng, Oana Inel, Lora Aroyo, Vijay Janapa Reddi

ObjectiveSurface latent, context-dependent risks in text-to-image models that neither pure human nor pure automated red-teaming catches.
MethodsHybrid human-in-the-loop: automation scales coverage, humans keep the latent-risk judgment calls (specific technique unconfirmed pending PDF).
DatasetT2I models under test and sample sizes unconfirmed.
Key ResultsUnconfirmed (bibliographic facts verified, methodological depth not).
MetricsUnconfirmed.
Open sourceUnknown.
AdvantagesRebuts human-vs-automated framing with a division of labor matched to each; latent-harm focus.
Disadvantages / GapSpecifics unverified; T2I modality; intrinsic cost/scale ceiling.
RelevanceE (adjacent): hybrid methodology transfers to multilingual red-teaming.

#21  Evaluating the Safety of LLMs in Healthcare and Dentistry

2026BDJ Open (Nature)journal

Fahad Umer, Muhammad Mairaj Shaikh, Atiya Ur Rahman

ObjectiveArgue clinical LLM safety needs lifecycle adversarial evaluation, and systematize prompt-based red-teaming for healthcare.
MethodsNarrative review: five evaluation strategies and outcome measures; a red-blue-purple team framework across pre-deployment, monitoring, and iterative review.
DatasetNone released; ~15-20% safety-risk figure cited from prior medical LLM studies.
Key ResultsDentistry is under-red-teamed; soft "consult a professional" guardrails create false safety.
MetricsNarrative synthesis; risk/bias rates from cited studies.
Open sourcen/a (review; OA article).
AdvantagesConcrete clinical governance lifecycle; realistic ordinary-user adversary framing; hard vs soft guardrail distinction.
Disadvantages / GapNo new measurement; prompt-only scope; proposed practice, no mandate; version-transfer caveat.
RelevanceLow / cross: evidence that domain red-teaming is becoming lifecycle practice.

#22  SoK: A Taxonomy of LLM Threats

2026Computer Science Reviewjournal

Ioannis Stylianou, Panagiotis Bountakas, Apostolis Zarras, Aristeidis Farao, Vaios Bolgouras, Christos Xenakis (University of Piraeus)

ObjectiveSystematize the fragmented LLM security literature into a lifecycle taxonomy of 20 attack classes.
MethodsSoK synthesis: situate threats on a training / inference / system-integration axis; encode causal and associative dependencies; ground in case studies; prescribe defense-in-depth.
DatasetThe published attack/defense literature plus incidents (inclusion counts PDF-only).
Key ResultsLifecycle taxonomy plus a dependency-aware defense agenda.
MetricsTaxonomy coverage (not ASR).
Open sourceNo (Elsevier paywalled; no artifact).
AdvantagesBroadest lifecycle threat map; dependency schema beyond flat attack lists.
Disadvantages / GapBreadth over depth; PDF not read line-by-line; taxonomies of agentic threats age fast.
RelevanceG: related-work scaffolding for the survey's framing section.

#23  How "Hard" Are Hard Laws?

2026Computer Law & Security Reviewjournal

WooJung Jon (a possible "D. Kim" co-author unconfirmed)

ObjectiveInterrogate whether the hard-law vs soft-law distinction predicts enforceability, using South Korea and Japan.
MethodsComparative doctrinal analysis of statutory text and enforcement architecture (Korea's hybrid AI Basic Act vs Japan's soft-law guidelines).
DatasetNone; statutes and institutional design documents.
Key ResultsHybrid statute undermines the hard/soft binary; hardness is a matter of implementation capacity.
Metricsn/a (legal analysis).
Open sourcen/a.
AdvantagesTimely comparative case; template for asking whether a red-teaming/attribution mandate would be enforceable.
Disadvantages / GapDoctrinal only; two-jurisdiction scope; partial verification (full text blocked).
RelevanceG (governance): background for the policy pillar.

#24  Opening the Scope of Openness in AI

2025FAccT 2025T1

Tamara Paris, AJung Moon, Jin L.C. Guo

ObjectiveMap empirically what "openness" has meant across computing discourse and what current AI debates leave out.
MethodsLDA topic modeling over 224,123 bibliographic records (1980-2024), 80 topics, 98 openness concepts, into a two-dimensional taxonomy.
DatasetThe 224K-record corpus (Web of Science, Scopus, The Lens).
Key ResultsAI-openness discourse emphasizes Interactivity while underweighting Inclusiveness (fairness, diversity).
MetricsTopic-model separation.
Open sourceYes (paper on arXiv 2505.06464; corpus/code release not logged).
AdvantagesEmpirical usage map rather than definitional debate; concrete Interactivity-vs-Inclusiveness asymmetry.
Disadvantages / GapMisses under-published or non-English concepts; discourse-level, not whether any open release delivers.
RelevanceG (governance): why "open-weight therefore auditable therefore safe" is not a clean syllogism.

#25  LogiCP: Formal Logic Guided UQ for Personalized Federated Learning

2026JAIRjournal

Guocheng He, Ziyan An, Meiyi Ma

ObjectivePersonalized federated learning with formal uncertainty guarantees, clustering clients by temporal semantics.
MethodsSignal Temporal Logic property inference for semantic client clustering plus decentralized conformal prediction per cluster; runtime client assignment without retraining.
DatasetTraffic, temperature, and electricity forecasting sensor tasks.
Key ResultsUp to ~95% client-level MSE improvement over BNN / clustering / CP baselines.
MetricsClient-level MSE, scalability.
Open sourceNo code noted (JAIR article OA).
AdvantagesDistribution-free conformal coverage guarantees; runtime client onboarding.
Disadvantages / Gap"Alignment" here is client-cluster semantics, not safety; STL predicates need domain design; exchangeability can break under non-stationarity.
RelevanceNone of my directions; logged for completeness and as a triage lesson (alignment does not equal safety alignment).

Notes on scope

  • Excluded as preprint: the 15 watchlist entries (†) from Lit 1.1, including Beyond Activation Alignment, Smaller Models Unexpected Costs, the three AI-labor exposure working papers, AdversaBench, the T2I replay paper, NRT-Bench, RIFT-Bench, Institutional Red-Teaming, Beyond ASR, EvalSafetyGap, Single-Layer RL (Zhang), LoRA-for-Safety (Xue), and Alignment-Aware Quantization. The GPT-Red writeup is also excluded (vendor publication, pre-print forthcoming). Promote any of these here once they clear a venue.
  • Core tag rationale: the ★ set is the direct quantization x multilingual safety spine, MultiJail and CSRT (multilingual jailbreak), Exploiting Quantization and Mind the Gap (quant as attack surface), Marchisio et al. (quant x multilingual quality), Jailbroken (the theory), plus Al Hakim and Q-resafe (the two Tier-1 quant x safety neighbors). Everything else is prior art, adjacent modality, rigor, or governance.