HaloGuard 1.0: Constitutional Input Safety Classifier
- HaloGuard 1.0 is a prompt-level safety system that classifies user prompts based on a natural language constitution of 46 policies and 2,940 subcategories.
- It employs paired counterfactual generation and multilingual materialization to construct a diverse corpus, achieving average F1 scores of 90.9 (0.8B variant) and 92.1 (4B variant).
- Designed for inline and agentic deployments, HaloGuard 1.0 focuses on distinguishing subtle unsafe intents to minimize false positives in real-world scenarios.
Searching arXiv for HaloGuard 1.0 and closely related guardrail work to ground the article in current literature. HaloGuard 1.0 is an open-weights family of constitutional input-safety classifiers for LLM systems. It is designed to operate before a downstream model or agent and determine, from the user prompt alone, whether the prompt is safe or unsafe under a written safety constitution. The system is presented as an open implementation of the constitutional-classifier paradigm, with the constitution serving not merely as a label inventory but as the organizing structure of the entire corpus: a natural-language constitution of 46 policies and 2,940 subcategories drives synthetic data generation, paired counterfactual construction, multilingual materialization across 46 languages, and structured failure audit. The released family comprises a 0.8B variant and a 4B variant; across seven prompt-safety benchmarks, HaloGuard 1.0-0.8B attains an average F1 of 90.9, while HaloGuard 1.0-4B reaches 92.1, and the paper positions the models as a first-line defense for prompt-level safety in both standard and agentic deployments (Sangameswaran et al., 2 Jul 2026).
1. System definition and classifier interface
HaloGuard 1.0 is an input-only, pre-generation, generative classifier built on Qwen3.5 decoder checkpoints. Its operational role is narrow but explicit: it does not inspect responses, execution traces, tool calls, or retrieved documents, and it is not framed as a full agent-runtime monitor. Instead, it consumes a prompt and emits a constitution-attributed label, with the task defined as
followed by collapse to a binary verdict
The paper also defines a constitution-attributed output interface,
where is the safe/unsafe verdict, is the primary emitted category, is the confidence for that category, and is the set of any additional emitted categories. The fine-grained taxonomy exists mainly for data construction and auditability; runtime prediction is organized around 75 composite verdict-category labels rather than exposure of all 2,940 subcategories (Sangameswaran et al., 2 Jul 2026).
This formulation places HaloGuard 1.0 in the class of prompt-level safety systems whose main difficulty is boundary discrimination rather than detection of overtly harmful requests. The paper repeatedly argues that the critical deployment problem is the false-positive/false-negative frontier near policy edges: prompts about malware, weapons, self-harm, fraud, or terrorism may be unsafe in one framing and plainly legitimate in another, including journalism, education, defensive cybersecurity, compliance, clinical support, or historical discussion. HaloGuard is therefore designed to distinguish unsafe intent from benign adjacency while holding topic and vocabulary as constant as possible.
2. Constitutional design and taxonomy
The constitution is hierarchical and functions as the principal design object of the system:
The authored master constitution contains 29 harmful constitutions and 17 shared-harmless constitutions, for 46 constitutions total. These expand to 490 categories and 2,940 subcategories. Harmful content is organized into 12 high-level clusters: CBRN; violence and extremism; cyber; sexual content; self-harm; hate and harassment; harmful conduct; deception and influence; privacy; regulated goods and illicit activity; intellectual property; and a general harmful catch-all. Each constitution includes a risk tier, a flag for whether figurative-language boundary handling is needed, descriptions of prohibited behavior, explicit harmless-boundary guidance, per-subcategory surface cues, benign confusions, and coverage axes such as interaction shape, information depth, and content form (Sangameswaran et al., 2 Jul 2026).
| Constitutional statistic | Count |
|---|---|
| Total constitutions | 46 |
| Harmful constitutions | 29 |
| Shared-harmless constitutions | 17 |
| Total categories | 490 |
| Total subcategories | 2,940 |
A notable feature of the schema is explicit confusion linkage. For each harmful subcategory, the constitution records both surface_cues and benign_confusions. The former captures words or phrases likely to be shared with legitimate uses; the latter enumerates constitution-local safe neighbors that are likely to trigger false positives. The paper’s example for arson-related violence includes surface cues such as “accelerant,” “pour pattern,” and “ignition point,” with benign confusions including fire investigation, forensic accelerant detection, and fire science education. In parallel, each harmful constitution contains a harmless_boundary bucket for safe prompts near that policy edge, including figurative idioms such as “kill it in the market” or “crush the competition.”
The corpus is structured into three functional buckets: harmful, harmless-boundary, and shared-harmless. This two-tier harmless design is central to the paper’s argument. Harmless-boundary data targets policy-local false positives, such as defensive cybersecurity, chemical safety education, or historical reporting on terrorism. Shared-harmless data targets baseline over-refusal on ordinary benign traffic, including daily life, education, professional requests, programming, hobbies, and general information. The paper treats these as distinct failure modes and states that they should not be merged into a single generic harmless bucket.
3. Corpus construction, paired counterfactuals, and multilingual materialization
The released corpus contains 1,259,451 prompt-level records: 1,227,290 train, 21,710 evaluation, and 10,451 test. Bucket composition is 440,545 harmful records, 602,769 harmless-boundary records, and 216,137 shared-harmless records. Construction proceeds from the constitution to synthetic harmful and harmless-boundary generation, style anchoring, overlay and deterministic transformation, multilingual materialization, quality control, and component-disjoint split assignment (Sangameswaran et al., 2 Jul 2026).
The paper’s most emphasized construction mechanism is exhaustive one-to-one paired counterfactual generation. For every harmful subcategory, HaloGuard generates a 1:1 benign mirror that preserves topic and surface vocabulary while flipping intent. The three invariants are topic preservation, surface preservation, and intent inversion. Intent inversion is realized through nine legitimate angles: legal or statutory, historical, scientific, statistical, journalistic, policy, clinical or forensic, detection or enforcement, and etymological. Each benign mirror names a topic, cites 4–6 real anchors such as statutes, cases, agencies, datasets, or incidents, is framed from a defender or scholar perspective, and ends with an explicit instruction that it must not include operational detail. The source pool contains 155,769 benign twins, and 231,231 records carry a paired_with_id.
The system further applies two augmentation families. Attack-pattern overlays include roleplay and persona framing, claimed authorization, educational or research pretexts, narrative wrappers, payload splitting, and sycophancy; more than 60 such patterns are allow-listed. Deterministic transforms include Base64, hexadecimal, URL encoding, ROT-style encodings, JSON/XML/markdown/code-block/table wrappers, spacing and punctuation perturbations, homoglyph and Unicode substitution, casing shifts, and reversed or partially obfuscated text. The source statistics reported in the paper include 623,336 plain records, 74,419 records with attack-pattern overlays, 210,396 with deterministic transforms, and 25,558 with both.
Multilingual materialization spans 46 languages across six groups: CJK, Indic, Arabic-script, European/Semitic, Southeast Asian, and low-resource African. The paper’s central multilingual claim is that language must be treated as a surface form appearing on both sides of the safety boundary rather than as an adversarial cue. An early failure mode, in which only harmful material was translated, reportedly caused benign non-English prompts to receive near-unit unsafe scores. The final pipeline translates base harmful anchors and their matched paired counterfactuals, but not attack-pattern overlays. Translation quality control includes a refusal detector based on BGE-M3 with cosine threshold 0.72, a degeneracy filter that drops outputs with word-level type-token ratio below 0.40 or any bigram repeated four or more times, and harmful-side intent-preservation verification. The final release enforces a controlled composition of 35% harmful, 47% harmless-boundary, and 18% shared-harmless material (Sangameswaran et al., 2 Jul 2026).
4. Model variants, training configuration, and deployment pattern
HaloGuard 1.0 is released in two variants: HaloGuard 1.0-0.8B and HaloGuard 1.0-4B. Both are Qwen3.5-based generative classifiers trained with autoregressive next-token cross-entropy over label tokens,
Training uses full finetuning, bfloat16, TF32, and DeepSpeed ZeRO-2. The paper reports a maximum input length of 1,200 tokens, three epochs, per-GPU batch size 8, gradient accumulation 8, and hardware of 2× H100. Reported wall-clock times are 8 hours for the 0.8B model and 31 hours for the 4B model. Both models are described as open weights (Sangameswaran et al., 2 Jul 2026).
The intended deployment roles differ. The 0.8B model is presented as a low-latency inline guard on the hot path. The 4B model is presented as a stronger real-time guard or second-pass adjudicator for borderline or high-risk prompts. Post-training, the paper states that each composite label receives its own calibrated threshold on held-out data; higher-risk categories can be tuned toward recall, while categories with broad legitimate usage can be tuned toward lower false-positive rate. No explicit calibration formula is provided.
For long inputs that exceed the trained context length, the paper recommends a sliding-window deployment mode. The input is partitioned into overlapping windows, each window is classified independently, and the full input is flagged unsafe if any window is unsafe. The paper suggests this especially for asynchronous monitoring rather than the most latency-sensitive inline setting.
5. Benchmark performance and structured failure adjudication
HaloGuard 1.0 is evaluated on seven prompt-safety benchmarks: OpenAI Moderation, Aegis, Aegis 2.0, ToxicChat, SimpleSafetyTests, HarmBench, and WildGuardTest. The reported benchmark-average F1 is 90.9 for HaloGuard 1.0-0.8B and 92.1 for HaloGuard 1.0-4B. The paper states that the 0.8B model achieves the best average F1 of any open guard evaluated and does so at roughly one-tenth the model size of current leading open guard models; it also states that the 0.8B model outperforms baselines up to 27B parameters, more than 30 times larger (Sangameswaran et al., 2 Jul 2026).
| Model | Avg F1 | Precision | Recall | FPR | FNR |
|---|---|---|---|---|---|
| HaloGuard 1.0-0.8B | 90.9 | 91.8 | 90.5 | 4.3 | 9.5 |
| HaloGuard 1.0-4B | 92.1 | 92.3 | 92.2 | 3.5 or 4.7 | 7.7 |
The 4B model’s false-positive rate is reported inconsistently in the paper. The abstract and later state-of-the-art summary report FPR 3.5, while the benchmark-family summary table reports FPR 4.7. The narrative interpretation is consistent even across this discrepancy: the additional capacity of the 4B model is said to be spent primarily on precision and boundary discrimination rather than recall.
On multilingual evaluation using PolyGuardPrompts, the paper reports F1 86.1 for HaloGuard 1.0-0.8B and 88.0 for HaloGuard 1.0-4B. The group-wise breakdown identifies multilingual over-refusal as the dominant residual issue, especially in Indic and Southeast Asian groups, while false-negative rates remain relatively low. The paper interprets this as a coverage problem rather than a fundamental reasoning failure, tied to thinner in-language harmful coverage and higher translation/refusal loss.
A separate structured adjudication of 1,420 failures is used to analyze residual errors. Each failure is classified as a genuine error, a benchmark mislabel, or a controversial case. The adjudication outcome is 731 mislabels, 648 genuine errors, and 41 controversial cases. The asymmetry is central to the paper’s interpretation: 77% of false negatives are judged benchmark mislabels, whereas only 3% of false positives are. On this basis the authors argue that many apparent missed-harm cases are annotation artifacts rather than genuine model misses, while over-refusal remains a real residual failure mode. The paper also reports de-noised metrics after reclassifying only benchmark mislabels: for the 0.8B model, F1 rises from 0.909 to 0.953 and FNR falls from 0.095 to 0.031; for the 4B model, F1 rises from 0.921 to 0.959 and FNR falls from 0.096 to 0.034.
6. Position within guardrail research and principal limitations
HaloGuard 1.0 occupies a specific layer in the contemporary guardrail stack: prompt-level constitutional input moderation. This distinguishes it from systems that place safety logic at other control points. SGuard-v1 splits prompt/content moderation from jailbreak-specific detection and applies its content filter both before and after generation (Lee et al., 16 Nov 2025). OneShield externalizes safety into a microservice control plane with detectors, a policy manager, and actions such as blocking, masking, and escalation (DeLuca et al., 25 Jul 2025). HarmonyGuard targets web agents with adaptive policy extraction and dual-objective runtime correction over long trajectories (Chen et al., 6 Aug 2025). AIRGuard mediates tool-using agents at action time through runtime authority control rather than prompt-only classification (Qin et al., 27 May 2026). BraveGuard treats safety as a trajectory-level inference problem for computer-use agents and trains guards on realistic execution traces rather than isolated prompts (Feng et al., 31 May 2026). Taken together, these systems indicate that HaloGuard is best understood as a first-line, pre-generation component within a broader defense-in-depth architecture rather than as a full replacement for output moderation, trajectory monitoring, or action authorization.
The paper is explicit about several limitations. HaloGuard is input-only: it does not inspect responses, tool calls, retrieved content, execution traces, or agent runtime actions. It does not solve response moderation, secret protection, tool permissioning, or runtime authority control. The current release also excludes ambient toxic speech classification; the taxonomy is about whether a prompt requests harmful assistance, not whether the prompt itself is offensive as a standalone utterance. Code-switching is only partly covered because translated records are monolingual. Multilingual residual error is dominated by over-refusal, especially in Indic and Southeast Asian groups. The paper also notes that benchmark scores should be interpreted as prompt-level moderation performance, not as evidence of end-to-end agentic safety. A plausible implication is that HaloGuard’s strongest use case is as a low-latency constitutional front end that is paired with downstream monitors for outputs, tools, and trajectories rather than deployed as a solitary safety boundary (Sangameswaran et al., 2 Jul 2026).