Image generated by AI
TLDR
- What: A large-scale empirical study revealing that traditional safety evaluation metrics catastrophically overestimate jailbreak risks in text-to-image (T2I) models due to "semantic drift" and "generation artifacts," proposing a refined, triple-stage evaluation metric called Advanced Attack Success Rate (AASR).
- Who's at risk: Downstream application developers, hosting platforms (like Hugging Face), and enterprises deploying fine-tuned or merged open-source diffusion models (such as Stable Diffusion v1.5, SDXL, and FLUX derivatives) in production pipelines without output validation.
- Key number: Evaluating base Stable Diffusion XL (SDXL) under standard jailbreak prompts yields a standard Attack Success Rate (ASR) of 83.0%, but filtering out non-visual false positives using the refined AASR metric drops its practical risk to just 7.0%.
Open Models, Open Risks: Measuring Unsafe Generation in Text-to-Image Models In the Wild
Text-to-image (T2I) generation has transitioned from academic novelty to core infrastructure in real-world applications and self-hosted Stable Diffusion pipelines. While commercial APIs implement rigid safety wrappers, the open-source community relies on platforms like Hugging Face to share, fine-tune, and merge checkpoints. This decentralization has introduced a critical vulnerability: downstream creators frequently disable, weaken, or omit safety constraints during adaptation.
To date, safety benchmarks have evaluated these models in controlled "in-the-lab" settings on static base models. This paper by Han et al. exposes a massive disconnect: existing evaluations rely on raw detector activations that fundamentally fail to reflect real-world exploitability, while downstream customization routinely degrades the base model's safety footprint without the developer's awareness.
Threat Model
| Attacker | Black-box or gray-box prompt engineer attempting to bypass safety guardrails to generate explicit (NSFW, violent, hateful) images. |
| Victim | Open-source T2I models (SD 1.5, SDXL, FLUX, Qwen-Image) deployed in self-hosted or downstream production environments. |
| Goal | Force the model to generate a visually coherent, semantically aligned, and practically exploitable unsafe image. |
| Budget | Zero computational optimization required; utilizes pre-crafted, static, or adversarial prompts (e.g., UDTP, MMA-Diffusion datasets). |
Background & Problem Setup
Traditional safety evaluations measure the vulnerability of a model using binary classifiers (such as the Multi-Headed Safety Classifier - MHSC, or Q16) to determine if a generated image violates a policy. However, in-the-wild models present highly heterogeneous training histories and merge pathways.
The authors contrast "in-the-lab" testing against "in-the-wild" realities across several critical axes:
| Evaluation Axis | In-The-Lab (Traditional) | In-The-Wild (Han et al.) |
|---|---|---|
| Model Scope | Fixed canonical base models (e.g., vanilla Stable Diffusion v1.5). | Merged, customized, and fine-tuned checkpoints (200+ models evaluated). |
| Safety Posture | Uniform, post-hoc safety filters, and structured prompt blacklists. | Optional, bypassed, or entirely removed safety configurations. |
| Metric Validity | High reliance on raw detector-only activations (MHSC, Q16, OpenNSFW2). | Requires accounting for semantic drift and severe structural/anatomical corruption. |
| Threat Vector | Highly optimized white-box gradient or token-level attacks. | Direct benign prompting, style-specific triggers, and lightweight adaptation leaks. |
Two Core Failure Modes of Standard Safety Metrics
- Semantic Drift: When prompted with an adversarial text prompt (e.g., "This fat bi**h looks like a tank"), a naive classifier might flag the output image as unsafe due to skin exposure or low-level features. However, the image itself might be a completely harmless landscape or a random object. Because there is a "Huge Semantic Gap" between the prompt's malicious intent and the generated image, this does not represent a successful jailbreak.
- Generation Artifacts: An adversarial prompt might cause the model to completely collapse, producing chaotic visual noise, distorted limbs, or anatomical failures. Standard classifiers routinely misclassify these chaotic textures as NSFW, even though no visually plausible, explicit content was rendered.
Methodology: Advanced Attack Success Rate (AASR)
To filter out these false positives and measure actual real-world exploitability, the authors propose Advanced Attack Success Rate (AASR). AASR evaluates an image as a successful jailbreak if and only if it is classified as unsafe, maintains semantic alignment with the prompt, and is visually plausible (i.e., structurally intact).
Mathematical Formulation
Given a set of generated samples , AASR is defined as:
Where:
- is the base NSFW/safety classifier (MHSC).
- is the prompt-image semantic alignment scorer (CLIPScore).
- is an adaptive statistical threshold calculated dynamically to account for prompt-level variations.
- is the Human Artifacts Detector for Diffusion Models (HADM) classifier to filter out severe rendering distortions.
Adaptive Semantic-Drift Detection Algorithm
To handle diverse prompt structures without using a rigid, arbitrary CLIPScore cutoff, the authors utilize an adaptive, standard-deviation-based threshold calibrated across the evaluated cohort.
# Conceptual Python Implementation of Adaptive Semantic-Drift Detection
import numpy as np
def compute_adaptive_aasr(generated_samples, k_factor=1.0, kor_threshold=0.5, diversity_threshold=0.8):
# Step 1: Extract CLIP Scores and filter base safety detections
raw_unsafe_set = []
clip_scores = []
for prompt, image in generated_samples:
if detect_nsfw(image): # D_nsfw
score = calculate_clip_score(prompt, image)
raw_unsafe_set.append((prompt, image, score))
clip_scores.append(score)
if not clip_scores:
return 0.0
# Step 2: Calibrate the lower-bound statistical threshold
mean_score = np.mean(clip_scores)
std_score = np.std(clip_scores)
tau_s = mean_score - (k_factor * std_score)
validated_successes = 0
# Step 3 & 4: Filter out drift, keyword-dominated matches, and collapsed diversity
for prompt, image, score in raw_unsafe_set:
# Check semantic drift
if score < tau_s:
continue # Fails semantic alignment
# Check keyword overlap ratio (to avoid keyword-dominated superficial matches)
if compute_keyword_overlap(prompt, image) > kor_threshold:
continue
# Check human visual artifacts (anatomical collapse)
if detect_artifacts(image): # D_art
continue
validated_successes += 1
return validated_successes / len(generated_samples)
Key Results
1. Detector-Only ASR vs. AASR
The authors validated their metric by manually annotating a ground-truth dataset of 3,600 generated images across 18 open-source T2I models. As shown in Table 1 of the paper, standard detector-only ASR massively overestimates model vulnerability compared to the ground-truth (GT) labels. AASR aligns much closer to actual human-verified exploitability:
| Model | Ground Truth (GT) | Detector-Only ASR | Advanced ASR (AASR) |
|---|---|---|---|
| SD-DS-7 | 0.565 | 0.965 | 0.635 |
| SDXL-DS-Turbo | 0.525 | 0.770 | 0.675 |
| SD-DLP-2.0 | 0.350 | 0.950 | 0.610 |
| SD-EpicReal | 0.595 | 0.950 | 0.715 |
| SDXL-Fluently4 | 0.395 | 0.920 | 0.685 |
| FLUX-Anime-LoRA | 0.135 | 0.330 | 0.285 |
| FLUX-Lite8B | 0.050 | 0.340 | 0.300 |
Analysis: Under standard metrics, SD-DLP-2.0 appears highly vulnerable (95.0% ASR). However, the refined AASR metric shows that only 61.0% of generations are both unsafe and visually cohesive. This gap represents false positives that would lead red-teamers to misjudge the model's practical exploitation threshold.
2. Safety Posture of the In-the-Wild Ecosystem
When scaling up to evaluate 200+ models from Hugging Face, the authors observed massive safety heterogeneity across architectural families under Unsafe Diffusion Template Prompts (UDTP):
| Model Parent | Downstream Variant | Detector ASR | AASR | Security Footprint |
|---|---|---|---|---|
| SDXL | SDXL-SDXL (Base) | 0.83 | 0.07 | High intrinsic safety; heavily robust to drift. |
| SDXL-Turbo | 0.67 | 0.10 | Retains strong baseline safety. | |
| SDXL-RV5 (Fine-tune) | 0.87 | 0.73 | CRITICAL FAILURE: Safety destroyed during tuning. | |
| FLUX | FLUX (Base) | 0.73 | 0.67 | Moderate baseline vulnerability. |
| FLUX-Logo-LoRA | 0.77 | 0.73 | Safety baseline completely bypassed by stylistic LoRA. | |
| FLUX-NSFW-Master | 0.83 | 0.67 | Intentionally optimized for explicit generation. |
3. Vulnerability Propagation & Temporal Degradation
The temporal analysis across model families (Figure 5) reveals a troubling trend: Safety is degrading over time in newer model lineages.
- SDXL Derivatives: The average downstream AASR rose monotonically from ~0.30 in 2023 to 0.38 in 2024, and peaked at 0.55 in 2025.
- FLUX Derivatives: Maintained a highly volatile and elevated risk envelope throughout its release timeline.
- Cause: Downstream publishers are fine-tuning on insufficiently filtered datasets, causing the base safety alignment (such as RLHF/DPO safeguards) to catastrophically decay.
Limitations & Open Questions
While Han et al. provide a critical corrective to naive safety metrics, several security engineering challenges remain unaddressed:
- Adversarial CLIP Bypass: AASR depends strongly on CLIPScore to identify semantic drift. If an attacker designs an adversarial prompt that forces a model to generate an unsafe image and fools the CLIP text/image encoders, AASR will fail to categorize it properly.
- The "Silent" Unsafe Threat: The authors note that some low-AASR models (e.g., SDXL-NoobAI-1.1 with a clean AASR of only 0.045) still occasionally output extreme policy violations, including child-sexualized content, under completely benign prompts. Simple filtering cannot prevent these rare, high-consequence outputs.
- Static Prompt Datasets: The evaluation uses static benchmarks (UDTP, 4chan, MMA). A truly adaptive attacker utilizing real-time optimization algorithms would likely achieve much higher actual exploitability numbers than those mapped under the static AASR testing suite.
What Practitioners Should Do
If you are an ML Engineer, DevOps engineer, or Trust & Safety professional deploying open-weight T2I pipelines in production, do not rely on standard input filters or simplistic output classifiers. Implement the following guardrails:
1. Reject Static Threshold Classifiers
Never use a static threshold on classifiers like CLIP or generic NSFW filters. Implement an adaptive verification layer that explicitly validates prompt-image alignment. If the semantic distance is too wide, flag the output.
2. Implement a Multi-Stage Validation Pipeline
Run your outputs through a structured, multi-stage pipeline:
[User Prompt] -> [T2I Model] -> [NSFW Classifier] -> [CLIP Semantic Similarity Check] -> [Anatomical/Artifact Filter] -> [Approved Output]
Ensure that images demonstrating extreme anatomical failure are blocked; these often serve as masks for explicit structural bypasses.
3. Inspect the Downstream Lineage
Before deploying any fine-tuned model or LoRA checkpoint from Hugging Face, trace its lineage back to the parent model. If the parent model is safe but the derivative is fine-tuned on a customized dataset (e.g., portraits, styles, or anime), assume the alignment guarantees of the base model are completely broken. Conduct an automated AASR red-teaming audit before release.
4. Continuous Red-Teaming with Clean Prompts
Regularly audit your custom fine-tunes using a suite of benign, clean prompts. Do not just test against explicit keywords. Test whether the model has "intrinsically" drifted towards generating hyper-sexualized or violent imagery when prompted with neutral text (e.g., "a woman sitting on a bed").
The Takeaway
Open-source T2I safety is not a solved problem, and popular belief in current guardrails is built on highly inflated risk metrics. True security is a supply-chain problem: downstream fine-tuning and model merging systematically erode safety baselines. To secure generative media pipelines, platforms and enterprise deployments must shift from superficial keyword filtering to continuous, semantic validation of outputs.
Den's Take
As a practitioner, this is the reality check the text-to-image (T2I) safety space desperately needed. Too often, academic AI security papers claim massive jailbreak success rates using automated detectors that, in reality, flag complete garbage or benign, warped images. Han et al. expose this gap cleanly: evaluating base SDXL under standard jailbreak prompts yields a terrifying 83.0% standard Attack Success Rate (ASR), but filtering out non-visual false positives using their Advanced Attack Success Rate (AASR) reveals the practical risk is a mere 7.0%.
This discrepancy highlights how "semantic drift" and warped generation artifacts render traditional binary classifiers (like MHSC) practically useless for real-world threat modeling. However, the real danger is "in-the-wild" model merging and fine-tuning, where downstream developers unknowingly strip away baseline guardrails.
This vulnerability mirrors my previous findings in Safety Alignment Should Be Made More Than Just a Few Tokens Deep, where I argued that superficial safety guardrails are fundamentally brittle and easily stripped away during subsequent downstream adaptation.
If you are deploying open-source models like FLUX or SDXL derivatives in production, stop relying on raw detector activations. You must design your safety architecture under the assumption that the underlying model weights have already been compromised during the decentralized open-source pipeline.