MHSafeEval: Role-Aware Interaction-Level Evaluation of Mental Health Safety in Large Language Models

Abstract: LLMs are increasingly explored as scalable tools for mental health counseling, yet evaluating their safety remains challenging due to the interactional and context-dependent nature of clinical harm. Existing evaluation frameworks predominantly assess isolated responses using coarse-grained taxonomies or static datasets, limiting their ability to diagnose how harms emerge and accumulate over multi-turn counseling interactions. In this work, we introduce R-MHSafe, a role-aware mental health safety taxonomy that characterizes clinically significant harm in terms of the interactional roles an AI counselor adopts, including perpetrator, instigator, facilitator, or enabler, combined with clinically grounded harm categories. Then, we propose MHSafeEval, a closed-loop, agent-based evaluation framework that formulates safety assessment as trajectory-level discovery of harm through adversarial multi-turn interactions, guided by role-aware modeling. Using R-MHSafe and MHSafeEval, we conduct a large-scale evaluation across state-of-the-art LLMs. Our results reveal substantial role-dependent and cumulative safety failures that are systematically missed by existing static benchmarks, and show that our framework significantly improves failure-mode coverage and diagnostic granularity.

• The paper introduces MHSafeEval, which uses role-aware, multi-turn adversarial interactions to reveal subtle, cumulative mental health safety failures in LLMs.
• It establishes the R-MHSafe taxonomy by mapping four counselor roles to seven clinically grounded harm categories for granular evaluation.
• Experimental results show high attack success rates (up to 0.997), outperforming static benchmarks and exposing critical interaction-level vulnerabilities.

Role-Aware Interaction-Level Evaluation of Mental Health Safety in LLMs: Technical Overview of MHSafeEval

Motivation and Limitations of Existing Safety Evaluation Frameworks

The deployment of LLMs in mental health counseling environments introduces critical safety concerns associated with interactional and context-dependent clinical harm. Current benchmarks largely rely on static, single-turn prompts and coarse-grained taxonomies, failing to capture the emergence, escalation, and cumulative effect of harm through sustained, multi-turn counseling dialogues. Static evaluations do not reliably diagnose content-agnostic relational failure modes or role-specific pathways through which LLMs contribute to client harm. These limitations are illustrated through comparative visuals that highlight the inadequacy of prior coarse-grained methods.

Figure 1: MHSafeEval introduces adaptive agent-based probing of role-aware, fine-grained safety failures across adversarial multi-turn counseling interactions, surpassing static content-based benchmarks.

R-MHSafe Taxonomy: Formalization of Harm via Interactional Roles

To address the gap in interactional safety characterization, the paper introduces R-MHSafe—a taxonomy integrating clinically grounded harm categories with interactional AI counselor roles. Explicit modeling of roles such as Perpetrator, Instigator, Facilitator, and Enabler quantifies not only the content-level harm, but also the counselor's relational involvement along axes of harm initiation and engagement. These roles are cross-referenced with seven empirically validated clinical harm categories: Toxic Language, Nonfactual Statement, Gaslighting, Dependency Induction, Blaming, Overpathologizing, and Invalidation/Dismissiveness. This integration yields 28 distinct role-category harmful behaviors, facilitating granular analysis of interaction-level safety breakdowns.

Figure 2: Overview of the R-MHSafe taxonomy: four interactional counselor roles across seven clinical harm categories, with clinical examples for each role-category intersection.

MHSafeEval Framework: Closed-Loop Multi-Turn Adversarial Evaluation

MHSafeEval reconceptualizes safety assessment as trajectory-level harm discovery via closed-loop, agent-based adversarial multi-turn interactions. The framework features a Quality-Diversity styled Harm Archive spanning the $\text{role} \times \text{category}$ space, retaining elite high-harm interaction trajectories for each cell. Trajectory generation employs simulated clients using clinically realistic profiles from Client-$\Psi$-CM, and adversarial mutation to iteratively escalate harm severity. An LLM-based clinical safety judge provides graded feedback, enabling both trajectory refinement and targeted exploration of underdiagnosed interaction modes.

Figure 3: Qualitative example demonstrating iterative mutation of a client utterance into increasingly harmful multi-turn role-aware interactions, revealing relational harms only visible through sustained adversarial dialogue.

Experimental Analysis: Large-Scale Benchmarking Across LLMs

MHSafeEval is employed to evaluate eight state-of-the-art LLMs (GPT-3.5 Turbo, Llama 3.1 8B, Gemini 2.5, Claude Haiku 4.5, DeepSeek v3.2, Gemma 4, MiniMax m2.5, MiMo V2 Flash), measuring Attack Success Rate (ASR), Refusal Rate (RR), and Clinical Comprehension (Cmp.) across all harm categories and roles. The framework achieves consistently high ASR (0.914–0.997) with pronounced failures in the Dependency Induction, Overpathologizing, and Gaslighting categories, especially in roles requiring multi-turn relational engagement. Dynamic, closed-loop refinement significantly outperforms static-taxonomy seed-only baselines and three widely-used adversarial attack methods (PAIR, TAP, X-Teaming), notably in surfacing interactional, role-dependent vulnerabilities.

Figure 4: Joint distribution of successful adversarial attacks in Gemini 2.5, visualizing both the interactional role (inner ring) and category (outer ring) breakdown to reveal model-specific vulnerability profiles.

Ablation and Baseline Comparisons

Component-wise ablation studies demonstrate necessity of multi-turn interaction, explicit role-conditioning, and diversity-preserving Harm Archive for broad and deep harm coverage. Removal of multi-turn interaction collapses ASR (e.g., from 97.8% to 50.4% in GPT-3.5), while QD search exclusion reduces coverage of niche role-category vulnerabilities. Comparison with state-of-the-art adversarial attack baselines confirms traditional jailbreak methods systematically miss interaction-driven, role-aware failures; even multi-turn X-Teaming achieves lower ASR (0.693–0.937) versus MHSafeEval (0.914–0.997).

Qualitative Analysis and Case Studies

Case studies elucidate the presence of clinically significant harms not captured by overt content-level toxicity; e.g., tacit endorsement of inaccurate beliefs, disguised dependency induction, implicit gaslighting, and chronic invalidation emerge only via sustained, role-aware adversarial exploration. These harms are embedded in technically well-formed responses but are clinically unsafe due to relational breakdowns. Examples drawn from the lowest inter-annotator agreement category-roles emphasize the subtlety of such failures and illustrate the necessity of interaction-level, role-aware evaluation.

Distribution of Harm Across LLMs

Model-specific role-category attack distributions indicate nuanced vulnerability profiles. Some models (e.g., GPT-3.5 Turbo, Gemini 2.5) exhibit broad susceptibility across all roles; others (e.g., Llama 3.1) concentrate failures in Facilitator and Enabler roles with harm categories clustering in relational and dependency induction modes.

Figure 5: Distribution of successful attacks across GPT-3.5 and Llama 3.1, decomposed by adversarial role and harm category, indicating varying susceptibility patterns across LLMs.

Practical and Theoretical Implications

MHSafeEval reveals that clinically significant failures in LLM-based counseling are fundamentally interactional and role-dependent. Existing static, content-centric benchmarks systematically underdiagnose interaction-driven harm, posing considerable risk for real-world deployment. Improved adversarial evaluation of LLMs requires agent-based multi-turn simulations, fine-grained taxonomies, and explicit modeling of relational roles. For mitigation, these findings imply that alignment training must focus on interaction-level safety mechanisms and dynamic refusal behavior, rather than surface-level toxicity filters.

Theoretically, this work motivates further investigation into real-time role-adaptive safety interventions, formal modeling of cumulative harm trajectories, and integration of expert clinical judgment into automated evaluation loops. Future technical directions include expansion to high-stakes domains (medicine, law, finance), scalable evaluation of frontier LLMs, and incorporation of human-in-the-loop feedback for safety taxonomy evolution.

Conclusion

MHSafeEval advances the safety evaluation of LLMs in mental health contexts by introducing role-aware, multi-turn interaction-level diagnostics anchored in clinical theory. The framework demonstrates extensive coverage and diagnostic granularity of harm across diverse LLMs, outperforming static and adversarial baselines. It establishes a foundation for comprehensive auditing and mitigation of relational safety failures in LLM counseling, with immediate implications for responsible AI deployment, model alignment, and regulatory oversight.