Boundary Point Jailbreaking (BPJ)

Updated 18 February 2026

Boundary Point Jailbreaking (BPJ) is an adversarial technique that exploits the boundary between safe and unsafe zones in model decision spaces.
It utilizes methodologies such as curriculum-driven attacks, boundary point sampling, and token-level optimization to breach classifier defenses.
Empirical results across LLMs, T2I, and VLMs demonstrate BPJ’s high success rates, challenging current safety mechanisms and prompting new defense strategies.

Boundary Point Jailbreaking (BPJ) denotes a class of adversarial techniques for circumventing safety boundaries in neural models—particularly LLMs, Text-to-Image (T2I) generators, and Vision-LLMs (VLMs)—by actively identifying, probing, and exploiting the loci (boundary points) where safe and unsafe behaviors meet in the model’s decision space. BPJ attacks aim to cross from refused or sanitized outputs to policy-violating or harmful completions, often under strong black-box constraints, by searching in the vicinity of the safety classifier’s decision boundary. Recent empirical studies demonstrate that BPJ defeats current state-of-the-art classifier-based, multi-stage, and multi-modal defenses, raising fundamental questions about the geometry, robustness, and oversight of safety boundaries in foundation models (Davies et al., 16 Feb 2026).

1. Formal Definitions and Core Principles

At the core of BPJ lies the notion of a model’s safety boundary—typically a hypersurface in latent (embedding or feature) space, input space (prompt or image domain), or output (text/image) space—that sharply separates “safe” (allowable) from “unsafe” (refused or sanitized) behaviors, as operationalized by explicit classifiers or emergent policy alignment.

Let $C$ be a binary classifier with $C(x) \in \{0,1\}$ (0 = flagged/disallowed, 1 = allowed). The goal of BPJ is to find inputs (or, for prefix-based attacks, universal modifiers $a^*$ ) such that $C(a^* x) = 1$ even for harmful $x$ (which are natively flagged: $C(x) = 0$ ), thereby inducing an unsafe generation.

BPJ proceeds by identifying points $b$ such that two or more candidate attacks $a, a'$ yield discordant classifier outcomes on $b$ (i.e., $C(a b) \neq C(a' b)$ ). These $b$ are boundary points: regions in the domain where the classifier decision flips. Model-specific BPJ instantiations include:

In LLMs, boundary points often correspond to prompt/response pairs whose feature embeddings are marginal with respect to the safe/unsafe decision surface (Lu et al., 14 Feb 2025).
In T2I, boundary points may be prompts whose generated images or text scores reside just below/above NSFW classifier thresholds (Liu et al., 15 Apr 2025).
In VLMs, boundary points exist in the multimodal fusion-layer latent space, where perturbing image and text input directions aligned to the estimated decision hyperplane can traverse from safe to unsafe output regimes (Song et al., 26 May 2025).

Formally, BPJ leverages the discontinuity or ambiguity in classifier predictions across the boundary, actively searching for and exploiting these informative points to steer adversarial optimization.

2. Methodological Frameworks

Several distinct but related BPJ methodologies have emerged, tailored to black-box and multi-modal settings:

Curriculum-Driven BPJ (Black-Box LLM Attack)

In black-box LLM setups, BPJ constructs a noise-interpolation curriculum $\{N_{q_t, x}\}$ for a harmful target $x$ , where $q$ parameterizes the proportion of $x$ replaced by random tokens. At high noise, the classifier passes all $a x'$ , at zero noise it blocks $a x$ ; the attack progresses by optimizing prefixes $a$ on easier (noisier) distributions and lowering $q$ (hardening the sample) as success thresholds are crossed (Davies et al., 16 Feb 2026).

Boundary Point Sampling

At each curriculum level $q$ , BPJ searches for boundary points among samples $b \sim N_{q, x}$ such that candidate prefixes $a$ disagree on $C(a b)$ . Evaluation is focused on such $b$ , maximizing information per query. Evolutionary mutation kernels $M(a'|a)$ (insertion, deletion, substitution) update candidates, with only those improving empirical fitness on boundary points admitted into the population, until a final universal prefix emerges for $q=0$ .

Token-Level BPJ in T2I Models

In T2I, e.g., TCBS-Attack, BPJ operates directly on tokenized prompts, optimizing in token space to remain proximal to text and image classifier boundaries (as measured by continuous score functions $d_\mathrm{text}, d_\mathrm{img}$ ) while maintaining semantic similarity to the target (Liu et al., 15 Apr 2025). Candidate prompts are iteratively mutated, evaluated, and selected using population-based heuristics plus multiple classifier constraints.

Latent-Space BPJ in VLMs

JailBound approaches BPJ as a two-stage process—first, logistic regression is used to recover the implicit decision hyperplane $(w,b)$ within the VLM’s fusion-layer space; second, joint textual and visual input perturbation is optimized to traverse this boundary by margin $\varepsilon$ , aligned to the estimated normal $v$ (Song et al., 26 May 2025). The resulting attack manipulates both modalities to push internal representations across the safe/unsafe separation and maximize policy violation.

3. Theoretical Analysis and Empirical Properties

Optimization Dynamics and Boundary Geometry

BPJ exploits the relationship between fitness variance and evolutionary progress: selection under boundary-point evaluation yields optimization only when there is nonzero variance in candidate pass rates (i.e., the population straddles the boundary) (Davies et al., 16 Feb 2026).
Boundary-point restriction is rank-preserving for fitness ordering, allowing for unbiased optimization with substantial query efficiency gains (Lemma 6.2 in (Davies et al., 16 Feb 2026)).
For LLMs, analysis of Wasserstein-1 $k$ -variance over feature distributions quantifies the tightness of clustering near decision surfaces, with implications for trainability and defense (Section 4 in (Lu et al., 14 Feb 2025)).

Empirical Efficacy

Against robust classifier cascades (e.g., Anthropic Constitutional Classifiers, OpenAI GPT-5 input classifier), BPJ attains high attack success rates, e.g., average rubric scores of 25.5% (CC, nonempty outputs) and 75.6% (GPT-5), with $Max@50$ rubric values up to 94.3% (Davies et al., 16 Feb 2026).
In T2I, TCBS-Attack achieves ASR-4 of 45% on SDv1.4 with full-constraint defense, and transfer rates up to 73.33% on DALL-E 3 (Liu et al., 15 Apr 2025).
For VLMs, JailBound reports average ASR of 94.32% (white-box) and 67.28% (black-box transfer), outperforming prior SOTA by 21.13% (black-box) (Song et al., 26 May 2025).
Ablation studies indicate strong dependence on boundary-point-informed evaluation versus random sample selection (5× speedup in convergence for BPJ, (Davies et al., 16 Feb 2026)).

4. Failure Modes and Defensive Implications

BPJ attacks expose several defensive shortfalls:

Classifier-based single-interaction defenses, even those hardened through extensive red teaming or deployed at API scale, are frequently circumvented by BPJ, which finds safe-passing adversarial examples by actively exploiting the classifier's boundary structure.
While the final BPJ-derived attack is often minimally flagged, the optimization process generates extensive “flag storms”—sequences of flagged queries during candidate search—suggesting that batch-level, per-user, or account-level anomaly monitoring is essential for reliable defense (Davies et al., 16 Feb 2026).
In LLM alignment regimes, methods that fail to carve out an exact margin between safe and harmful representations experience either excessive refusal (loss of usability) or inadequate harmful-output suppression (Lu et al., 14 Feb 2025).
Feature-space analyses reveal that, under small out-of-distribution (OOD) transformations (such as obscure paraphrasing), decision boundaries are brittle, and embeddings of harmful queries may cross from refused to allowed regions without manual tuning (Huang et al., 2024).

Recommended defenses include diverse classifier ensembles (selected randomly per query), adaptive retraining based on discovered boundary points, and analytic margin specification in the latent space to maintain separation between safe and harmful clusters (Lu et al., 14 Feb 2025, Davies et al., 16 Feb 2026).

BPJ theory and practice are model- and modality-agnostic:

In LLMs, BPJ can function with minimal feedback—binary signal only—eschewing reliance on classifier confidences or gradients (Davies et al., 16 Feb 2026). Techniques such as X-Boundary further operationalize exact separation in high-dimensional hidden-state space using joint erasure, preservation, and separation losses to maintain model usability while minimizing attack success rate (Lu et al., 14 Feb 2025).
In T2I systems, BPJ via token-level and CLIP-based semantic constraints enables bypassing of both prompt and image-level NSFW filters by remaining in a “near-boundary” band (Liu et al., 15 Apr 2025).
In VLMs, attacks jointly optimize text and image input directions guided by estimated latent decision hyperplanes, exploiting the cross-modal fusion to trigger policy violations (Song et al., 26 May 2025).

The emergence of BPJ as a universal methodology underlines the geometric and statistical universality of boundary-adversarial vulnerabilities in complex AI systems.

6. Open Questions and Future Directions

Despite its empirical success, BPJ highlights unresolved challenges:

The effectiveness of BPJ depends on the existence and accessibility of sufficiently “sharp” decision boundaries. For future alignment strategies, more principled margin specification (e.g., optimizing the geometric properties of separation in latent manifolds) may be necessary (Lu et al., 14 Feb 2025).
Curated “boundary-safe” example sets are vital for control, but incomplete or mis-specified sets can leak or fail to generalize to previously unseen adversaries (Lu et al., 14 Feb 2025).
Fully black-box BPJ accentuates the threat of automated, scalable jailbreaks with minimal prior knowledge, calling into question the long-term adequacy of classifier-centered ML safety paradigms (Davies et al., 16 Feb 2026).
A plausible implication is that transparency in latent boundary geometry, improved interpretability of classifier decisions, and continual adversarial red-teaming using BPJ might become requisite components of safety alignment for frontier models.
Applicability to non-safety domains—e.g., hallucination, bias, or robustness boundaries—remains open, but the boundary-manipulation paradigm is, in principle, extensible (Lu et al., 14 Feb 2025).

BPJ thus serves both as a critical empirical tool for exposing deficiencies in current safety protocols and as a conceptual framework for future boundary-aware alignment, defense, and interpretability research across modalities.