Papers
Topics
Authors
Recent
Search
2000 character limit reached

GLiGuard: Schema-Conditioned LLM Moderator

Updated 4 July 2026
  • GLiGuard is a moderation system that recasts guardrailing as a schema-conditioned classification problem rather than autoregressive text generation.
  • It jointly evaluates multiple safety signals—prompt safety, response safety, refusal detection, harm categorization, and jailbreak detection—in a single non-autoregressive pass.
  • Its efficient, schema augmentation training and compact encoder design enable real-time moderation with up to 16× faster throughput than decoder-based models.

GLiGuard is a safeguard model for LLM moderation that recasts guardrailing as a schema-conditioned classification problem rather than autoregressive text generation. Introduced as a compact, schema-conditioned bidirectional encoder adapted from GLiNER2, it is designed for real-time moderation of both user prompts and model responses across multiple safety dimensions in a single non-autoregressive forward pass. The system evaluates prompt safety, response safety, refusal detection, fine-grained harm categories, and jailbreak strategies by encoding task definitions and label semantics directly into the input sequence as a structured schema, and it is reported to achieve competitive macro-F1 against 7B–27B decoder-based guards while being 23–90×\times smaller and substantially faster (Zaratiana et al., 8 May 2026).

1. Architectural rationale and conceptual framing

GLiGuard is motivated by a critique of the now-common “LLM-as-guard” decoder setup. In the authors’ framing, prior guardrail systems such as LlamaGuard, WildGuard, ShieldGemma, PolyGuard, NeMoGuard, and Qwen3Guard are architecturally inefficient because they cast moderation as autoregressive text generation even though the underlying task is classification. This design is said to waste latency, prevent parallel evaluation of multiple safety aspects, and rely on 7B–27B decoder models for a task that does not require open-ended generation (Zaratiana et al., 8 May 2026).

The model therefore replaces the decoder paradigm with a schema-conditioned bidirectional encoder. The paper describes GLiGuard as a GLiNER2-style schema encoder specialized for moderation. It is explicitly not a decoder, not a pooled CLS-style classifier, and not a span extractor in this setting; instead, it is a bidirectional transformer encoder with label-conditioned token representations. The encoder examples mentioned are DeBERTa and ModernBERT, and the training appendix states that experiments are initialized from microsoft/deberta-v3-base. At the same time, the main paper repeatedly refers to GLiGuard as a 0.3B-parameter model. The exact reconciliation between “DeBERTa-v3-base” in the appendix and “0.3B” in the main text is not explained.

This design choice is consequential because moderation is treated as a multi-aspect classification problem rather than as sequential label generation. The authors’ central claim is that a compact encoder can evaluate all requested aspects in one forward pass, making the relevant computational primitive parallel classification rather than token-by-token decoding.

2. Schema-conditioned classification mechanism

The core formal object is a safety schema

S={(τk,Yk)}k=1K,\mathcal{S} = \{(\tau_k, \mathcal{Y}_k)\}_{k=1}^{K},

where τk\tau_k is a task and Yk\mathcal{Y}_k its label set. Given input text xx and schema S\mathcal{S}, GLiGuard predicts

fθ(x,S)={(τk,y^k)}k=1K,y^k{Ykif single-label, 2Ykif multi-label.f_\theta(x, \mathcal{S}) = \bigl\{ (\tau_k, \hat{y}_k) \bigr\}_{k=1}^{K}, \qquad \hat{y}_k \in \begin{cases} \mathcal{Y}_k & \text{if single-label,} \ 2^{\mathcal{Y}_k} & \text{if multi-label.} \end{cases}

The schema is serialized as a prefix in the input sequence. For KK tasks, the serialized form is

z=T(τ1,Y1)    T(τK,YK)schema prefix  [SEP]  w1  w2    wNinput text,\mathbf{z} = \underbrace{\mathcal{T}(\tau_1,\mathcal{Y}_1)\; \cdots\; \mathcal{T}(\tau_K,\mathcal{Y}_K)}_{\text{schema prefix}} \;[SEP]\; \underbrace{w_1\;w_2\;\cdots\;w_N}_{\text{input text}},

with each task block represented as

T(τk,Yk)=[P]  ϕ(τk)  [L]  l1(k)  [L]  l2(k)    [L]  lMk(k).\mathcal{T}(\tau_k, \mathcal{Y}_k) = [P]\;\phi(\tau_k)\; [L]\;l_1^{(k)}\;[L]\;l_2^{(k)}\;\cdots\;[L]\;l_{M_k}^{(k)}.

Here, S={(τk,Yk)}k=1K,\mathcal{S} = \{(\tau_k, \mathcal{Y}_k)\}_{k=1}^{K},0 marks the start of a task block, S={(τk,Yk)}k=1K,\mathcal{S} = \{(\tau_k, \mathcal{Y}_k)\}_{k=1}^{K},1 marks each candidate label, and S={(τk,Yk)}k=1K,\mathcal{S} = \{(\tau_k, \mathcal{Y}_k)\}_{k=1}^{K},2 separates schema from moderated text. The tokenizer is extended with the special tokens S={(τk,Yk)}k=1K,\mathcal{S} = \{(\tau_k, \mathcal{Y}_k)\}_{k=1}^{K},3, S={(τk,Yk)}k=1K,\mathcal{S} = \{(\tau_k, \mathcal{Y}_k)\}_{k=1}^{K},4, and S={(τk,Yk)}k=1K,\mathcal{S} = \{(\tau_k, \mathcal{Y}_k)\}_{k=1}^{K},5. The paper states that task definitions, label names, and label descriptions are encoded in the schema, although the explicit serialization equations only show task names and label tokens.

A single bidirectional pass produces

S={(τk,Yk)}k=1K,\mathcal{S} = \{(\tau_k, \mathcal{Y}_k)\}_{k=1}^{K},6

and GLiGuard extracts the hidden states at the S={(τk,Yk)}k=1K,\mathcal{S} = \{(\tau_k, \mathcal{Y}_k)\}_{k=1}^{K},7 positions as label-conditioned representations. These are scored by a shared two-layer MLP:

S={(τk,Yk)}k=1K,\mathcal{S} = \{(\tau_k, \mathcal{Y}_k)\}_{k=1}^{K},8

For single-label tasks, probabilities are obtained by softmax over task-specific label logits; for multi-label tasks, each label logit receives an independent sigmoid. Because every S={(τk,Yk)}k=1K,\mathcal{S} = \{(\tau_k, \mathcal{Y}_k)\}_{k=1}^{K},9 token attends to the full schema and full moderated text, its representation is simultaneously text-aware and label-aware.

The practical consequence is inference-time composability. Any subset of supported task blocks may be prepended to the text, and the model is explicitly trained to handle incomplete schemas. This flexibility is compositional over the supported moderation tasks and label spaces; the paper does not claim unconstrained zero-shot addition of arbitrary unseen tasks or entirely novel labels without retraining (Zaratiana et al., 8 May 2026).

3. Supported moderation tasks and decision composition

GLiGuard supports five moderation functions at once: prompt safety, response safety, refusal detection, fine-grained harm category classification, and jailbreak strategy detection. These are not independent heads exposed through separate model calls; they are schema blocks evaluated jointly in one pass.

Task Type Labels
Prompt safety Single-label binary Safe, Unsafe
Response safety Single-label binary Safe, Unsafe
Refusal detection Single-label binary Compliance, Refusal
Harm category classification Multi-label 14 categories plus Benign
Jailbreak strategy detection Multi-label 11 strategies plus Benign

The 14 harm categories are Violence/Weapons, Non-Violent Crime, Sexual Content, Hate/Discrimination, Self-Harm/Suicide, PII Exposure, Misinformation, Copyright Violation, Child Safety, Political Manipulation, Unethical Conduct, Regulated Advice, Privacy Violation, and Other, plus a Benign label. The 11 jailbreak strategies are Prompt Injection, Jailbreak Attempt, Policy Evasion, Instruction Override, System Prompt Exfiltration, Data Exfiltration, Roleplay Bypass, Hypothetical Bypass, Obfuscated Attack, Multi-Step Attack, and Social Engineering, again plus Benign (Zaratiana et al., 8 May 2026).

Inference is task-specific. Single-label tasks return the argmax label. Multi-label tasks threshold each sigmoid score at τk\tau_k0,

τk\tau_k1

and, if the predicted set is empty, fall back to the highest-probability label:

τk\tau_k2

The final harmfulness verdict is not simply the output of a binary safety classifier. The appendix formalizes hard composition rules. For prompts, auxiliary predictions can override a safe prompt label to unsafe:

τk\tau_k3

The full prompt rule further adds jailbreak detection:

τk\tau_k4

For responses, refusal detection acts in the opposite direction: if refusal is predicted, the response verdict is overridden to Safe. The paper characterizes these as monotonic overrides, except that refusal flips unsafe-looking responses that are refusals back to safe. This makes GLiGuard a composed moderation system rather than a single binary head.

4. Training methodology and optimization

Training unifies heterogeneous moderation tasks into a single objective. The principal human-annotated source is WildGuardTrain, which provides labels for prompt safety, response safety, and refusal detection. The remaining supervision is weakly supervised: GPT-4.1 labels unsafe prompt and response samples with one of the 14 harm categories, and unsafe prompts with one of the 11 jailbreak strategy labels. Safe samples are deterministically assigned the Benign label for harm and jailbreak. The paper is explicit that harm and jailbreak labels should therefore be interpreted as weak supervision rather than human annotation (Zaratiana et al., 8 May 2026).

To support schema composability at inference time, the model is trained with schema augmentation. The paper reports label shuffling every step, independent label dropout with probability τk\tau_k5, and task removal with probability τk\tau_k6. This is the mechanism used to make incomplete inference schemas workable.

The optimization objective is a sum over task-specific classification losses. For multi-label tasks:

τk\tau_k7

For single-label tasks:

τk\tau_k8

The total loss is

τk\tau_k9

An entropy regularizer is also added to mitigate overconfidence, although no explicit formula is given.

The reported training configuration is: encoder initialized from microsoft/deberta-v3-base, 20 epochs, per-device batch size 4 with 2 accumulation steps for an effective batch size of 8, AdamW with Yk\mathcal{Y}_k0, weight decay 0.01, max grad norm 1.0, a linear learning-rate schedule with 10 warmup steps (about 5%), encoder learning rate Yk\mathcal{Y}_k1, and task-head learning rate Yk\mathcal{Y}_k2. The paper does not report total training FLOPs, number of GPUs, or maximum context length used in training.

5. Benchmarking, empirical performance, and efficiency

Evaluation spans nine benchmarks. Prompt harmfulness is measured on OpenAI Moderation, Aegis 2.0, SimpleSafetyTests, HarmBench, and WildGuardTest. Response harmfulness is measured on HarmBench, SafeRLHF, BeaverTails, and XSTest. The primary metric is macro-averaged F1, following WildGuard. GLiGuard is compared against six decoder-based open guard models: LlamaGuard4-12B, WildGuard-7B, ShieldGemma-27B, NemoGuard-8B, PolyGuard-Qwen-7B, and Qwen3Guard-8B-Gen (Zaratiana et al., 8 May 2026).

On prompt harmfulness, GLiGuard reports 69.0 on OpenAI Moderation, 85.2 on Aegis 2.0, 97.7 on SimpleSafetyTests, 99.0 on HarmBench, and 87.5 on WildGuard, for an average of 87.7. The best average prompt baseline is PolyGuard-Qwen-7B at 89.4, placing GLiGuard within 1.7 F1 points while remaining much smaller.

Prompt benchmark GLiGuard F1
OpenAI Moderation 69.0
Aegis 2.0 85.2
SimpleSafetyTests 97.7
HarmBench 99.0
WildGuard 87.5
Average 87.7

On response harmfulness, GLiGuard reports 91.0 on HarmBench, 84.5 on SafeRLHF, 81.1 on BeaverTails, and 74.3 on XSTest, for an average of 82.7. Only Qwen3Guard-8B-Gen is higher at 84.1; WildGuard-7B is 82.4. The paper notes that GLiGuard is strongest on response HarmBench and SafeRLHF but weaker on XSTest, where refusal/benign ambiguity and precision loss matter more.

Response benchmark GLiGuard F1
HarmBench 91.0
SafeRLHF 84.5
BeaverTails 81.1
XSTest 74.3
Average 82.7

The ablations focus on decision-rule composition rather than architectural variants. For prompts, the safety-only baseline averages 87.0; adding harm override (“Safety + Harm”) raises average F1 to 87.7 and becomes the default. Adding jailbreak only yields 87.2. Using all three signals gives 87.3, with better recall on adversarial benchmarks such as SimpST and HarmBench but more false positives on OAI. For responses, safety-only and safety-plus-harm both average 82.7, though the harm override produces a +2.1 gain on response HarmBench and small drops elsewhere.

Efficiency is a central claim. On a single NVIDIA A100 80GB in FP16, throughput at fixed sequence length 256 reaches 34, 64, 133, 203, and 253 samples/s for batch sizes 1, 2, 4, 8, and 16. The corresponding Qwen3Guard-8B numbers are 2.5, 4.7, 8.2, 14, and 19. This yields up to Yk\mathcal{Y}_k3 higher throughput at batch size 4. Latency at batch size 1 and sequence lengths 64, 128, 256, 512, and 1024 is 26, 28, 32, 43, and 73 ms, compared with 426, 423, 428, 455, and 486 ms for Qwen3Guard-8B, yielding up to Yk\mathcal{Y}_k4 lower latency. ShieldGemma-27B is reported to be faster than Qwen3Guard despite being larger because it generates only a single Yes/No token, but GLiGuard remains substantially faster. The stated explanation is architectural: a small bidirectional encoder executes one parallel pass over the sequence, whereas a decoder guard autoregressively emits classification text token by token.

The paper is explicit that GLiGuard is not a fully solved moderation system. False positives often arise from sensitivity to surface trigger words in benign contexts, including figurative expressions such as “burn it down,” short ambiguous fragments such as “Like a gun?”, or benign uses of jailbreak-like phrases such as “ignore all previous instructions.” False negatives often involve roleplay, elaborate fictional narratives, indirect phrasing, or harmful requests diluted בתוך long context. Future work is said to include reducing sensitivity to benign trigger words, improving robustness to roleplay-framed harmful intent, and benchmarking broader generalization across alternative moderation schemas (Zaratiana et al., 8 May 2026).

There are also structural limits. GLiGuard depends on a predefined taxonomy: the harm categories and jailbreak strategies are fixed supported label spaces, and the auxiliary-task labels are weakly supervised by GPT-4.1 rather than human annotation. The paper does not report multilingual evaluation, calibration analysis, or robustness under strong adaptive adversaries beyond the selected benchmarks. A plausible implication is that its main strength lies in efficient deployment for supported moderation schemas rather than open-ended policy discovery.

The deployment case favored by the paper is fast, cheap, real-time moderation when several moderation aspects must be checked simultaneously. If a system needs prompt safety, response safety, harm tags, jailbreak tags, and refusal detection at once, GLiGuard’s single-pass schema-conditioned encoder is presented as a better fit than repeatedly invoking a large decoder guard or forcing one to generate structured moderation text. Conversely, the paper also states that larger decoder guards may remain preferable when absolute top-line benchmark F1 matters more than latency, or when richer reasoning-style outputs are desired.

Within the broader guardrail literature, GLiGuard’s novelty is the adaptation of GLiNER2’s schema-conditioned encoder paradigm to moderation, the direct representation of moderation tasks and label sets in the input schema, and the use of label-token representations for flexible multi-task moderation in a single non-autoregressive forward pass. The acronym “GLiGuard” has also been used for “GLiNER Guard,” a distinct unified encoder for safety moderation and PII detection, which underscores that the term is not unique to a single architecture family (Minko et al., 6 May 2026).

Definition Search Book Streamline Icon: https://streamlinehq.com
References (2)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to GLiGuard.