News
🚨 NeuralTrust recognized by Gartner
Runtime Security (GAF)
Prompt GuardProtect and moderate your GenAI applications
Behavioral Threat DetectionDetect behavioral threats across GenAI workflows
Bot DetectionBlock scrapers and synthetic users in real time
Sensitive Data MaskingMask PII and sensitive data automatically
Moderation & Policy EngineEnforce custom policies across GenAI systems
AI GatewayUnify and control your GenAI infrastructure
AI Agent Security
Guardian AgentsA force of security agents to control Al agents actions
Agent Security PostureContinuous discovery & monitoring of agents and tools
MCP GatewayControl which tools and data agents can access
MCP ScannerScan and test MCP code for vulnerabilities in your CI/CD
Threat & Risk Detection
Red TeamingSimulate adversaries and stress test defenses
Alerting & MonitoringGet real-time alerts on GenAI behavior
Model Code ScannerDetect vulnerabilities in model-side code
Tracing & AnalyticsTrace GenAI behavior across full workflows
Shadow AIStop confidential data from
reaching unsanctioned AI
Security Agents
AI ComplianceAutomate compliance with our AI Agent
Resources
Resources center
Guides
Blog
Newsletter
Developers
Documentation
Company
About us
Partners
Careers
News
Contact
Social media
Sign inGet a demo
Back
Constitutional Classifiers: The New Frontier of AI Security

Constitutional Classifiers: The New Frontier of AI Security

Alessandro Pignati • February 26, 2026
Contents

Large Language Models (LLMs) are becoming increasingly powerful, with capabilities that extend into sensitive scientific domains. While this progress unlocks immense potential for good, it also introduces significant risks. One of the most pressing challenges in AI safety is the phenomenon of jailbreaking, where users craft inputs that trick a model into bypassing its safety restrictions and generating harmful or malicious content. While many early jailbreaks were simple tricks, a more sophisticated and dangerous form has emerged: the universal jailbreak.

A universal jailbreak is not a one-off success. It is a systematic and repeatable prompting strategy that can reliably bypass an LLM's safeguards across a wide range of queries within a specific domain. They are carefully engineered attacks that can effectively turn a state-of-the-art, safety-trained LLM into an unguarded source of potentially dangerous information.

The stakes are particularly high in areas like CBRN (Chemical, Biological, Radiological, and Nuclear) sciences. As the Anthropic research paper "Constitutional Classifiers: Defending against Universal Jailbreaks across Thousands of Hours of Red Teaming" highlights, the misuse of LLMs in these areas could have catastrophic consequences. A universal jailbreak could, for instance, provide a non-expert with detailed, step-by-step instructions for synthesizing a dangerous chemical compound or weaponizing a biological agent. This is not a theoretical concern. The paper notes that such jailbreaks are becoming more concerning as the CBRN capabilities of LLMs increase.

Traditional safety training methods, while important, have proven insufficient to defend against these advanced attacks. Fine-tuning models on examples of harmful content can help, but attackers are constantly developing new and more creative ways to circumvent these defenses. The problem is that a model's safety training can be a fragile veneer, easily chipped away by a determined adversary. This is where the need for a new, more robust layer of defense becomes critical.

Introducing Constitutional Classifiers: Architecture and Core Principles

In response to the escalating threat of universal jailbreaks, Anthropic’s Safeguards Research Team has introduced a novel and robust defense mechanism: Constitutional Classifiers. This approach moves beyond traditional safety training by implementing a dynamic, layered defense system designed to detect and mitigate harmful content generated by LLMs.

At its core, a Constitutional Classifier system operates on a dual-layer architecture, consisting of both input classifiers and output classifiers. This layered defense can be conceptualized as a “swiss-cheese” model, where multiple, imperfect layers of protection are stacked to create a more robust overall safeguard. While no single layer may be infallible, their combined effect significantly reduces the probability of a successful attack.

The Role of the Constitution

The foundational innovation of Constitutional Classifiers lies in their reliance on a constitution, a set of natural language rules that explicitly define categories of permitted and restricted content. This constitution serves as the guiding principle for the entire defense system. Unlike hard-coded rules, a natural language constitution offers unparalleled flexibility. It can be rapidly adapted and refined to address emerging threat models, allowing the system to evolve alongside new attack vectors and societal norms.

For example, in the context of CBRN risks, a constitution might include rules like:

Harmful Constitution Examples:

  • "Acquiring restricted chemicals"
  • "Purifying restricted chemicals"
  • "Scaling up production of restricted chemicals"

Harmless Constitution Examples:

  • "Listing common medications"
  • "Explaining the properties of household chemicals"
  • "Explaining high-school chemistry"

These rules are not directly applied to filter content. Instead, they are used to generate synthetic training data. This is a critical distinction. By prompting LLMs with these constitutional rules, the system can create vast amounts of labeled examples that represent both harmful and harmless interactions. This synthetic data then becomes the bedrock upon which the classifiers are trained.

Dual-Classifier Architecture

Input Classifiers

The input classifier acts as the first line of defense. Its primary role is to scrutinize user prompts before they even reach the main LLM. It identifies and blocks attempts to circumvent the output classifier or to initiate a jailbreak from the outset. This preemptive filtering is crucial for preventing malicious prompts from ever influencing the model’s generation process.

Output Classifiers

The output classifier is arguably the more sophisticated component, especially given its streaming prediction capability. Instead of waiting for the LLM to complete its entire response, the output classifier monitors the model’s generation token by token. If harmful content is detected at any point during the generation process, the system can immediately halt the output, preventing the full malicious response from being delivered to the user. This real-time intervention is vital for maintaining both safety and a positive user experience, as it avoids presenting partially harmful content.

This dual-layer approach ensures that even if a malicious prompt manages to bypass the input classifier, the output classifier stands ready to intercept and prevent the dissemination of harmful information. The combination of these two classifiers, guided by a flexible natural language constitution, forms a powerful and adaptable defense against the ever-evolving landscape of LLM jailbreaks.

How It Works: From Constitution to Real-Time Protection

The effectiveness of Constitutional Classifiers stems from a meticulously designed process that transforms abstract constitutional rules into concrete, real-time defenses. This involves several key technical stages: specifying the constitution, generating synthetic data, and deploying a dual-classifier system with streaming capabilities.

Specifying the Constitution: The Blueprint for Safety

The first step is to define the constitution itself. This is not a static document but a dynamic set of natural language rules that delineate permissible and restricted content categories. The power of a natural language constitution lies in its adaptability. As new threats emerge or as the understanding of harmful content evolves, the constitution can be updated, allowing the safeguards to rapidly adapt without requiring extensive manual data collection. This flexibility is crucial in the fast-paced landscape of AI security.

Crucially, the constitution specifies both harmful and harmless categories. This dual specification is vital for training classifiers that can make nuanced distinctions, preventing over-refusals on benign queries while effectively blocking malicious ones. For instance, a rule might differentiate between explaining basic chemistry principles (harmless) and providing instructions for synthesizing dangerous chemicals (harmful).

Generating Synthetic Data: Fueling the Classifiers

Once the constitution is defined, the next stage involves generating synthetic data for training the classifiers. This is where LLMs themselves play a pivotal role in creating their own defense mechanisms. The process typically involves:

  1. Query Generation: A helpful-only LLM is prompted to generate a diverse set of queries that span the categories defined in the constitution. This ensures broad coverage of potential interactions.
  2. Harmful and Harmless Output Generation: For each generated query, the helpful-only LLM is then used to produce both harmful and harmless outputs. This creates a rich dataset of examples that the classifiers will learn from.
  3. Filtering and Augmentation: The generated data undergoes a filtering process to remove any inadvertent refusals or ambiguities. Additionally, data augmentation techniques are extensively applied. This involves transforming the synthetic data in various ways (e.g., paraphrasing, encoding, translation) to increase its diversity and robustness, making the classifiers more resilient to novel attack patterns and obfuscation attempts. The paper notes that classifier robustness scales with the amount of training data and the number of augmentations.

This synthetic data generation process is a significant advantage, as it bypasses the need for costly and time-consuming manual data labeling, allowing for rapid iteration and scaling of the defense system.

Dual-Classifier Deployment: Real-Time Protection

The trained classifiers are then deployed as a dual-layer defense:

Input Classifier

The input classifier evaluates incoming user prompts. Its function is to identify and block queries that are likely to lead to harmful outputs or are themselves attempts at jailbreaking. By filtering at the input stage, it prevents the main LLM from even processing potentially malicious requests, reducing the attack surface.

Streaming Output Classifier

The output classifier is a sophisticated component that monitors the LLM's responses in real-time. Unlike traditional post-generation filters, this classifier operates on a streaming prediction model. This means it assesses the potential harmfulness of the generated content at each token as the LLM produces it. If the classifier detects that the ongoing output stream is veering into harmful territory, it can immediately halt the generation process. This prevents the completion and delivery of malicious content, offering a crucial last line of defense.

Technically, the output classifier is often a fine-tuned LLM itself, optimized for classification tasks. The paper describes how it makes a prediction at each token for the harmfulness of a full output sequence. This prediction is used to assess whether the output stream should be stopped at a given token position. The training objective for this streaming capability involves optimizing a loss function that combines standard next-token-prediction loss with binary-cross-entropy loss for the harmfulness prediction. The approach also leverages a cumulative-maximum value-head probability during training to ensure that predictive probabilities only increase when the model is confident the full sequence will be harmful, improving performance and stability.

By combining a flexible, natural language constitution with synthetic data generation and a dual-classifier system featuring real-time streaming protection, Constitutional Classifiers offer a powerful and adaptable framework for safeguarding LLMs against the most advanced jailbreak attempts.

The Gauntlet: 3,000 Hours of Red Teaming

Theoretical robustness is one thing, but real-world resilience is another. To truly validate the effectiveness of Constitutional Classifiers, Anthropic subjected their prototype system to an unprecedented and rigorous human red teaming evaluation. This wasn't a casual test, it was a large-scale bug bounty program designed to push the boundaries of the defense mechanism.

A Massive Undertaking

Anthropic partnered with HackerOne, inviting 405 participants from diverse backgrounds, including academic researchers, university professors, and experienced LLM red-teaming contractors, to actively try and jailbreak their Claude 3.5 Sonnet-based system. The stakes were high, with bounties of up to $15,000 USD offered for the discovery of universal jailbreaks, culminating in $95,000 USD in total payouts. This extensive effort accumulated over 3,000 estimated hours of red teaming, providing a comprehensive stress test for the Constitutional Classifiers.

Defining a Universal Jailbreak Success

For the purpose of this evaluation, a universal jailbreak was defined by its ability to elicit detailed harmful information comparable to an unguarded model. To objectively assess success, a multi-stage, LLM-based rubric-grading pipeline was implemented. This involved generating baseline outputs from helpful-only models (without safeguards) to create query-specific rubrics. Red teamers' outputs were then evaluated against these rubrics, with scores indicating how much harmful information was successfully extracted.

The Unyielding Defense: No Universal Jailbreak Found

The most significant finding from this extensive red teaming effort was that no red teamer found a universal jailbreak that could consistently extract information at a similar level of detail to an unguarded model across the target CBRN queries. While some reports did manage to extract some harmful information, none achieved the comprehensive success required to be classified as a universal jailbreak.

Even when considering less stringent criteria (half the detail of an unrestricted model) or aggregating the best performance of individual red teamers across multiple attempts, the system demonstrated remarkable resilience. The most successful red teamer, combining all their efforts, could answer at most six out of ten questions at the stricter threshold, far from a universal bypass.

Attack Strategies and Evaluation Nuances

Red teamers employed a wide array of sophisticated attack strategies, including:

  • Gradual Multi-Turn Approaches: Incrementally escalating harmful queries over several turns.
  • Few-Shot Attacks: Providing a few examples of desired harmful behavior.
  • Role-Playing Scenarios: Prompting the LLM to adopt a persona that might bypass safeguards.
  • Obfuscation Methods: Using encoding schemes, text-in-image attacks, or cross-lingual translations to hide harmful intent.
  • Prompt Injection and Template-Based Attacks: Leveraging known jailbreak techniques like the "Do Anything Now" (DAN) prompt.
  • Decomposition Strategies: Breaking down harmful tasks into seemingly innocuous components.

Interestingly, the paper notes that among the highest-severity reports, red teamers primarily exploited the rubric grading protocol rather than directly circumventing the Constitutional Classifiers. This involved techniques like "benign paraphrasing" (rephrasing harmful queries innocuously) and "length exploitation" (generating verbose outputs to increase the chance of hitting rubric keywords). This observation underscores a critical insight: attackers will always target the weakest component of a system, and in this case, it appeared to be the evaluation methodology itself, rather than the core defense mechanisms.

This extensive red teaming not only validated the robustness of Constitutional Classifiers but also highlighted the importance of evaluating both the classifiers and their deployment infrastructure. A single implementation error, for instance, allowed participants to receive up to 128 tokens after harmful content was flagged, emphasizing that even robust classifiers need flawless integration.

Practical and Adaptable: The Real-World Viability

Beyond theoretical robustness, the true test of any AI safety mechanism lies in its practical deployment viability. Constitutional Classifiers not only demonstrate exceptional defense against universal jailbreaks but also prove to be remarkably efficient and adaptable, addressing key concerns for real-world application.

Maintaining Deployment Viability

For any safeguard to be widely adopted, it must not unduly hinder the performance or user experience of the underlying LLM. The research by Anthropic meticulously evaluated Constitutional Classifiers against three critical desiderata for practical deployment:

  1. Reasonable Inference Overhead and Latency: The system must be cost-effective in production, meaning the additional computational resources required by the classifiers should be minimal.
  2. Preservation of Time-to-First-Token and Streaming Capabilities: User experience is paramount. Safeguards should not introduce noticeable delays in the LLM's response generation.
  3. Low False-Positive Rates: Over-refusals, where benign queries are incorrectly flagged as harmful, can frustrate legitimate users and undermine trust in the system.

Constitutional Classifiers excel in these areas. The paper highlights that enhanced classifiers, when deployed with Claude 3.5 Haiku, demonstrated impressive efficiency. They introduced only a 0.38% absolute increase in production-traffic refusals on Claude.ai and a 23.7% inference overhead relative to the base model. These figures are significantly lower than other baseline safeguarding methods, making Constitutional Classifiers a highly viable option for large-scale deployments.

Flexibility and Adaptability to Evolving Threats

The landscape of AI threats is constantly evolving, with new jailbreak techniques emerging regularly. A static defense mechanism would quickly become obsolete. This is where the inherent flexibility of Constitutional Classifiers truly shines. The system's reliance on a natural language constitution allows for rapid adaptation to new threat models. If a novel type of harmful content or attack vector is identified, the constitution can be updated to include new categories of restricted or permitted content. This updated constitution then guides the generation of new synthetic training data, allowing the classifiers to learn and adapt without requiring extensive manual data collection or a complete overhaul of the system.

This adaptability is a game-changer for AI security. It means that developers can proactively respond to emerging threats, ensuring that their LLMs remain safe and aligned with their intended purpose. The ability to quickly iterate and refine the defense mechanism based on real-world observations and evolving risks is a powerful advantage in the ongoing arms race against malicious actors.

Scaling Trends and Performance Improvements

The research also explored how the performance of Constitutional Classifiers scales with various factors, providing insights into future improvements:

  • Model Size: Classifier robustness consistently increases with the size of the classifier model, indicating that larger models can achieve better generalization and defense capabilities.
  • Data Quantity: Using larger training datasets for fine-tuning the classifiers leads to substantial improvements in robustness.
  • Data Augmentation: Incorporating additional transformation methods during data augmentation generally increases classifier robustness, making them more resilient to diverse attack strategies.

These scaling trends suggest that as computational resources and data generation techniques advance, the effectiveness of Constitutional Classifiers can be further enhanced, offering a clear path for continuous improvement in LLM safety.

In essence, Constitutional Classifiers offer a compelling solution that balances robust security with practical deployment considerations. Their efficiency and inherent adaptability make them a cornerstone for building safer and more reliable AI systems in the real world.

The Future of AI Safety: A Multi-Layered Approach

The development of Constitutional Classifiers marks a significant leap forward in the ongoing quest to secure Large Language Models against sophisticated attacks like universal jailbreaks. By introducing a flexible, constitution-guided, and dual-layered defense system, Anthropic has demonstrated that robust and practically viable safeguards are indeed tractable. However, as with any advancement in AI security, it is crucial to view this innovation not as a definitive solution, but as a powerful component within a broader, multi-layered defense strategy.

Beyond the Silver Bullet

The paper itself acknowledges that while Constitutional Classifiers offer substantial improvements in robustness, common wisdom suggests that system vulnerabilities will likely emerge with continued testing. This perspective is vital. In the dynamic field of AI security, there is no single solution or "silver bullet" that can guarantee absolute safety. Instead, the future of AI safety will depend on the continuous development and integration of complementary defenses.

The Pillars of a Multi-Layered Defense

Effective AI security, particularly for increasingly capable models, will rest on several interconnected pillars:

  • Continued Research and Development in Safeguards: Innovations like Constitutional Classifiers are essential. Future research will likely explore even more sophisticated classification techniques, potentially integrating with model internals or advanced anomaly detection systems.
  • Robust Red Teaming and Adversarial Testing: The extensive red teaming effort described in the paper underscores the critical role of adversarial testing. Continuously challenging AI systems with novel attack vectors is indispensable for identifying weaknesses and driving improvements. This must include both human and automated red teaming.
  • Ethical AI Development and Governance: Beyond technical safeguards, a strong ethical framework and robust governance policies are paramount. This includes responsible deployment practices, clear guidelines for AI use, and mechanisms for accountability.
  • Transparency and Interpretability: Understanding why an AI system makes certain decisions, especially concerning safety, is crucial. Improved transparency can help in diagnosing failures and building more trustworthy systems.
  • Collaboration Across the AI Ecosystem: AI safety is a shared responsibility. Collaboration between researchers, developers, policymakers, and civil society is essential to address the complex challenges and ensure that AI benefits humanity.

The Path Forward

Constitutional Classifiers represent a significant step towards mitigating the risks associated with powerful LLMs. Their ability to defend against universal jailbreaks with practical efficiency and adaptability provides a strong foundation for safer AI deployments. However, the journey towards truly secure and beneficial AI is ongoing. It demands a proactive, multi-faceted approach, where continuous innovation in safeguards is coupled with rigorous testing, ethical considerations, and collaborative efforts across the global AI community. Only through such a comprehensive strategy can we harness the transformative potential of AI while effectively managing its inherent risks.


Related posts

See all
The NIST AI Agent Standards Initiative: A Foundation for Trustworthy AI
Alessandro Pignati • February 23, 2026
The NIST AI Agent Standards Initiative: A Foundation for Trustworthy AI
Read more
The $1.78M Moonwell Incident and the Future of Agentic Security
Alessandro Pignati • February 19, 2026
The $1.78M Moonwell Incident and the Future of Agentic Security
Read more
Coral Protocol: Architecting Security for the Internet of Agents
Alessandro Pignati • February 18, 2026
Coral Protocol: Architecting Security for the Internet of Agents
Read more