News
🚨 NeuralTrust recognized as a Leader by KuppingerCole
Runtime Security (GAF)
Prompt GuardProtect and moderate your GenAI applications
Behavioral Threat DetectionDetect behavioral threats across GenAI workflows
Bot DetectionBlock scrapers and synthetic users in real time
Sensitive Data MaskingMask PII and sensitive data automatically
Moderation & Policy EngineEnforce custom policies across GenAI systems
AI GatewayUnify and control your GenAI infrastructure
AI Agent Security
Guardian AgentsA force of security agents to control Al agents actions
Agent Security PostureContinuous discovery & monitoring of agents and tools
MCP GatewayControl which tools and data agents can access
MCP ScannerScan and test MCP code for vulnerabilities in your CI/CD
Threat & Risk Detection
Red TeamingSimulate adversaries and stress test defenses
Alerting & MonitoringGet real-time alerts on GenAI behavior
Model Code ScannerDetect vulnerabilities in model-side code
Tracing & AnalyticsTrace GenAI behavior across full workflows
Shadow AIStop confidential data from
reaching unsanctioned AI
Security Agents
AI ComplianceAutomate compliance with our AI Agent
Resources
Resources center
Guides
Blog
Newsletter
Developers
Documentation
Company
About us
Partners
Careers
News
Contact
Social media
Sign inGet a demo
Back
Using Circuit Breakers to Secure the Next Generation of AI Agents

Using Circuit Breakers to Secure the Next Generation of AI Agents

Alessandro Pignati • January 23, 2026
Contents

Imagine an electrical circuit in a home. When it detects a dangerous power surge, a circuit breaker trips, instantly cutting off the flow of electricity to prevent a fire or damage to appliances. It does not wait to see smoke. It acts on the underlying dangerous condition itself. AI "Circuit Breakers" work on a very similar principle, but for information instead of electricity.

At its core, a circuit breaker is a safety mechanism that interrupts a LLM the moment it begins to form a harmful or undesirable thought, long before that thought becomes a fully generated output. Instead of trying to patch vulnerabilities or filter harmful text after the fact, this technique directly targets the internal processes responsible for generating it.

Think of it this way:

  • Traditional methods are like a security guard standing at the exit of a factory, inspecting every product for defects. This is inefficient and porous, as a clever worker (an adversarial attack) can often find ways to sneak a defective product past the guard.
  • Circuit breakers are like a quality control system built directly into the assembly line. The moment the system detects a component that will lead to a defective product, it reroutes that component to the scrap heap, "short-circuiting" the flawed production line.

This approach makes the model intrinsically safer. It is not just trained to refuse a harmful request. It is fundamentally rewired to make the pathway to generating that harmful content lead to a dead end. This shift from external supervision to internal control is what makes circuit breakers a significant leap forward in building robust and reliable AI.

How Representation Engineering Powers Circuit Breakers

How is a "breaker" actually built inside a neural network? The magic behind this technique comes from a field called Representation Engineering (RepE). In simple terms, RepE is a set of methods that allow for looking inside a model, understanding what its internal activations (or "neurons") represent, and then manipulating them to control the model's behavior.

Every time an LLM processes a prompt, it converts the text into a series of high-dimensional vectors, which can be thought of as the model's internal "thoughts" or "concepts." For example, as the model prepares to answer a prompt like "How do I build a bomb?", specific patterns of activations will emerge that represent the concept of "bomb-making instructions." These patterns are the model's internal representation of that harmful idea.

The circuit breaker technique uses RepE to achieve two goals:

  1. Identify Harmful Representations: First, a curated dataset of harmful and harmless examples is used to pinpoint the specific activation patterns that consistently appear when the model is about to generate dangerous content. This essentially creates a "signature" for a harmful thought process.
  2. Reroute the Signal: Once this signature is identified, a method called Representation Rerouting (RR) is implemented. During the model's fine-tuning process, the model is taught a new rule: whenever this harmful signature is detected, these activations are immediately redirected (or "rerouted") to a completely different, useless state. This could be a state that represents gibberish, a refusal, or simply the end-of-sentence token.

This process is like changing the tracks on a railway. The train (the model's generation process) is heading towards a dangerous destination (harmful output). Representation Rerouting acts as the switch operator, seeing the train's destination and immediately flipping a switch to send it down a safe, dead-end track.

This is achieved by adding a specific "loss function" during training that penalizes the model for allowing the harmful representation to persist, rewarding it for "shorting the circuit." Because the underlying concept itself is targeted, this method is incredibly robust. It does not matter how an attacker tries to trigger the harmful behavior. The moment the corresponding internal representation begins to form, the circuit breaker is tripped.

Circuit Breakers vs. Traditional Defenses

For years, the AI safety community has relied on a few key strategies to keep models in check, but each has its own significant drawbacks. The circuit breaker approach represents a fundamental departure from these older methods, offering a more robust and efficient solution.

Adversarial Training: This popular defense involves finding specific attacks that can "jailbreak" a model and then retraining the model on those examples to teach it how to refuse them.

  • The Problem: This is a reactive, never-ending game of cat and mouse. For every attack patched, a new, unseen one can emerge. Adversarial training often fails to generalize to novel attacks and can degrade the model's general performance and utility.
  • The Circuit Breaker Difference: Circuit breakers are attack-agnostic. They do not care about the specific prompt or technique used to trick the model. Instead, they focus on the result of the trick, the internal representation of the harmful concept. By targeting the concept itself, they neutralize a whole category of attacks at once, including ones that have not even been invented yet.

Refusal Training and Output Filtering: These methods focus on the model's behavior at the input or output stage. Refusal training (like RLHF) teaches a model to say "I can't help with that," while output filters are external systems that scan the model's final response for keywords or phrases.

  • The Problem: Cleverly worded prompts can often bypass these safeguards. An attacker can "trick" the model into generating harmful content that does not trigger the refusal training or contains none of the blacklisted keywords an output filter is looking for. These methods are brittle and often easy to circumvent.
  • The Circuit Breaker Difference: Circuit breakers operate on a deeper, more fundamental level. They intervene in the middle of the model's thought process. By the time an output filter would even see the generated text, a circuit breaker has already detected the harmful intent and rerouted the generation process. It stops the problem at the source, not at the finish line.

In essence, while traditional defenses try to build taller walls around the model, circuit breakers re-engineer the model's internal landscape to remove the roads that lead to dangerous territory. This proactive, source-level intervention provides a much clearer and more reliable path toward building genuinely safe AI systems.

Impressive Results Without Compromise

A new safety technique is only as good as its performance in the real world. The research paper puts the method through a battery of rigorous tests, evaluating its ability to stop harmful generation under a wide range of sophisticated attacks, all while measuring its impact on the model's core capabilities. The results are striking.

When applied to state-of-the-art models like Llama-3-8B, the circuit breaker technique, known as Representation Rerouting (RR), demonstrated a massive improvement in safety without the traditional trade-offs.

Key takeaways from the experiments include:

  • Drastic Reduction in Harmful Content: Across a diverse set of unseen adversarial attacks, models equipped with circuit breakers showed a huge drop in compliance with harmful requests. For Llama-3, the attack success rate fell by an average of 90%. This demonstrates strong generalization against attacks the model was never explicitly trained to defend against.
  • Utility Remains Intact: While traditional defenses often degrade a model's performance on normal tasks, the circuit breaker approach had almost no negative impact. On standard benchmarks like MT-Bench, the model's capability score dropped by less than 1%. This proves that a huge leap in safety can be achieved without sacrificing utility.
  • Effective Against "Worst-Case" Attacks: The technique was tested against powerful "white-box" attacks, where the attacker has full access to the model's internal workings. Even in these scenarios, which are notoriously difficult to defend against, circuit breakers proved highly effective at preventing harmful generations.
  • Cygnet: A Pareto-Optimal Model: The researchers integrated circuit breakers with other representation control methods to create a fine-tuned model called Cygnet. This model not only surpassed the original Llama-3's capabilities but also reduced harmful output by approximately two orders of magnitude. This is a powerful demonstration that safety and performance can be improved simultaneously, effectively advancing the Pareto frontier.

These results provide the first convincing evidence that the long-accepted trade-off between AI safety and capability is not a fundamental law. With techniques like circuit breakers, models can be built that are both highly capable and reliably safe.

Securing Multimodal Models and AI Agents

The power of circuit breakers extends far beyond just text-based interactions. The same fundamental principles can be applied to more complex and capable AI systems, such as multimodal models that understand images and AI agents that can take actions in the digital world. This is a critical step, as these advanced systems introduce new and more potent safety risks.

Securing Multimodal Models from "Image Hijacks"

Multimodal models, which can process both text and images, are vulnerable to a unique form of attack known as an "image hijack." In this scenario, an attacker can embed a malicious instruction within an image that is invisible to the human eye but is read and acted upon by the model. For example, an image of a cat could be subtly perturbed to contain a hidden prompt that causes the model to generate harmful text.

The research shows that circuit breakers are remarkably effective at thwarting these attacks.

  • When applied to a model like LLaVA-NeXT, the circuit breaker was able to detect the harmful intent triggered by the image and interrupt the generation process.
  • Even under a powerful white-box attack (Projected Gradient Descent), the technique reduced the attack success rate by 84% compared to the original model.
  • Crucially, this robust defense was achieved while the model's performance on standard visual understanding benchmarks remained almost entirely unchanged, staying within 0.5% of the original.

Controlling the Actions of AI Agents

Perhaps the most significant application is in the realm of AI agents. These are models that can do more than just talk. They can use tools, browse websites, and execute code. An agent that is successfully jailbroken could be instructed to send malicious emails, delete files, or exploit system vulnerabilities.

The research demonstrates that circuit breakers can be used to prevent AI agents from taking harmful actions.

  • The technique was adapted to monitor the agent's internal state right before it decides to make a "function call" (i.e., use a tool or execute an action).
  • If the model's internal representation indicates that the intended action is harmful (e.g., a function call to send_disinformation_email), the circuit breaker trips and blocks the action.
  • In tests, this approach reduced harmful action compliance rates by over 83%, even in "forced function-calling" scenarios designed to trick the agent.

This shows that circuit breakers can serve as a reliable, built-in governor on the behavior of autonomous agents, ensuring they operate within safe boundaries without constant external supervision. It is a vital step toward deploying more capable and autonomous AI systems responsibly.

For those interested in the underlying research and raw implementation, the original code and datasets from the researchers are also publicly available at the official GitHub repository: github.com/GraySwanAI/circuit-breakers.

A New Paradigm

For years, the field of AI security has felt like a race where defenders are always one step behind attackers. The development of circuit breakers marks a pivotal shift in this dynamic. It moves away from a reactive posture of patching vulnerabilities and filtering outputs, and toward a proactive paradigm of building AI systems that are intrinsically safe and secure by design.

The core innovation is the ability to intervene directly in the model's internal thought process. By identifying and rerouting the very representations that lead to harmful behavior, the focus shifts from managing symptoms to treating the underlying cause. This approach has proven to be not only more effective but also far more efficient, sidestepping the endless cat-and-mouse game of traditional defenses and avoiding the costly trade-off between safety and performance.

The successful application of circuit breakers to text models, multimodal systems, and autonomous agents demonstrates its power and versatility. It provides a robust, generalizable framework for controlling AI behavior at its source.

This technique is more than just another tool in the AI safety toolbox. It represents a major conceptual step forward, proving that models can be engineered to be both highly capable and reliably aligned. As AI systems become more powerful and autonomous, building in this kind of principled, internal control will be essential for ensuring they are deployed safely, secure and for the benefit of all. The future of AI security is not about building taller walls, but about designing better-behaved minds.


Related posts

See all
BodySnatcher: Critical ServiceNow Vulnerability (CVE-2025-12420)
Alessandro Pignati • January 21, 2026
BodySnatcher: Critical ServiceNow Vulnerability (CVE-2025-12420)
Read more
AI-SPM Explained: How to Secure AI Agents
Alessandro Pignati • January 20, 2026
AI-SPM Explained: How to Secure AI Agents
Read more
What is Excessive Agency?
Alessandro Pignati • January 16, 2026
What is Excessive Agency?
Read more