Qwen3Guard: Multilingual LLM Safety Suite

• Qwen3Guard is a multilingual suite of safety guardrail models for LLMs that detects and mitigates unsafe content using tri-class risk assessment.
• It integrates Guard-Gen and Guard-Stream variants, combining instruction-following and token-level architectures for high-accuracy, low-latency moderation.
• The system supports over 119 languages and offers real-time intervention with efficient safety classification and policy alignment.

Qwen3Guard is a multilingual suite of safety guardrail models developed for LLMs, focused on the automated detection and mitigation of unsafe content during both prompt ingestion and text generation. The system combines instruction-following and streaming token-level architectures to enable high-accuracy, low-latency safety moderation, supporting over 119 languages and offering tri-class (safe, controversial, unsafe) risk assessment with fine-grained policy alignment. Qwen3Guard is released under Apache 2.0, with source code and weights made publicly available.

1. Model Architecture and Variants

Qwen3Guard is implemented in three parameter scales—0.6B, 4B, and 8B—each derived from the Qwen3 instruction-tuned Transformer backbone. The architectural differentiation lies in two specialized variants:

• Generative Qwen3Guard (Guard-Gen): Functions as an instruction-following LLM. Safety classification is achieved by natural language prompting, producing tri-class judgments and harm category labels as output. It utilizes the standard sequential token prediction head, requiring no architectural modifications.
• Stream Qwen3Guard (Guard-Stream): Maintains the Transformer core, but attaches per-token lightweight feed-forward classification heads for risk and harm category. For each token with embedding $h_t$, projections yield $x_t = \mathrm{LayerNorm}(W_\mathrm{pre} h_t)$, followed by $$y_{t,\mathrm{risk}} = \mathrm{Softmax}(W_\mathrm{risk} x_t)$$ and $$y_{t,\mathrm{cat}} = \mathrm{Softmax}(W_\mathrm{cat} x_t)$$, supporting real-time classification with sub-millisecond per-token latency (Zhao et al., 16 Oct 2025).

The base model supports parameter-efficient adaptation via QLoRA (4-bit quantization, rank=16, dropout=0.1), and leverages a proprietary tokenizer with “im_start”/“im_end” chat framing (Kim, 1 Jan 2026). All weights and architecture details are released open-source.

2. Safety Classification Methodology

Qwen3Guard’s classification approach adapts to the application context:

• Guard-Gen (Instruction-based): Inputs are templated to include a task description, policy summary (nine risk categories), context, and a specification that the output must be "Safe", "Controversial", or "Unsafe", with an optional harm category. Training uses standard autoregressive cross-entropy loss.
  • At inference, the tri-class output supports strict (Controversial→Unsafe) or loose (Controversial→Safe) mapping, providing downstream flexibility in risk tolerance.
• Guard-Stream (Token-level): During incremental generation, classification heads operate on each token, supporting immediate intervention if an unsafe or controversial token is detected, using the per-token cross-entropy loss for both risk and (conditionally) harm category (Zhao et al., 16 Oct 2025).

Labels assigned are:

• Unsafe: Universally disallowed according to policy.
• Controversial: Context-dependent, policy-sensitive.
• Safe: Not considered risky under the moderation taxonomy.

3. Language Coverage and Safety Policy Alignment

Qwen3Guard’s training corpus comprises 1.19M prompt/response pairs across 119 languages and dialects. Supervision combines human annotation and self-instructed synthetic data in major and minor languages (Chinese, English, Korean, Indonesian, Russian, Japanese, Arabic, German, French, Spanish, Portuguese, Italian, Thai, and algorithmically-extended via Qwen-MT). Policy calibration is enforced through explicit nine-category labeling:

1. Violent
2. Non-violent illegal acts
3. Sexual content
4. PII exposure
5. Self-harm & suicide
6. Unethical acts (hate, harassment, bias)
7. Political misinformation
8. Copyright violation
9. Jailbreak (input only)

Inter-category calibration and translation consistency are maintained by language-mixing and LLM-based QA (Zhao et al., 16 Oct 2025).

4. Empirical Performance and Generalization

In static and streaming moderation settings, Qwen3Guard demonstrates state-of-the-art multiclass safety classification:

• English prompt F1 (average, 7 benchmarks): Qwen3Guard-4B-Gen: 89.3%.
• English response F1 (average, 7 benchmarks): Qwen3Guard-8B-Gen: 83.9%.
• Chinese prompt/response: Qwen3Guard-8B-Gen achieves 85.1%/87.1%, exceeding prior open models (68–72%).
• Multilingual (10–40 languages): F1 ≈ 85.0% (prompt), 77.6% (response) (Zhao et al., 16 Oct 2025).

However, robustness evaluation identifies severe limitations in generalization: when tested on 1,445 prompts (21 attack categories), Qwen3Guard-8B achieves 85.3% accuracy (full set), but performance drops from 91.0% (public benchmarks) to 33.8% on novel adversarial prompts—a 57.2 percentage point gap—indicating training data contamination and overfitting to benchmark artifacts (Young, 27 Nov 2025).

The efficacy on streaming moderation is underscored by latency analysis: per-token detection adds only 0.5–1 ms, with 86% of unsafe sentences flagged on the first unsafe token (Zhao et al., 16 Oct 2025).

5. Specialized Defenses: Backdoor and Multi-turn Moderation

Qwen3Guard can be integrated into specialized safety frameworks:

• Backdoor defense: In neural code generation, Qwen3Guard serves as both the backbone for GUARD-Repair and as a basis for anomaly detection (GUARD-Judge). In HumanEval SABER-style attacks (6% poisoning), Qwen3Guard raises clean code Pass@1 to 80.9% (vs. 76.2% with CoT, 71.4% with no CoT) and reduces attack success rate to 27.3% (vs. 72.7% for no defense and 63.6% for ONION) (Jin et al., 27 May 2025). The architecture fine-tunes a Qwen-3 binary classifier for stepwise anomaly detection and leverages Qwen-3-Instruct for retrieval-augmented CoT repair.
• Compressed multi-turn moderation (Defensive M2S): M2S compresses multi-turn dialogue into a single “hyphenize” template, on which Qwen3Guard attains 93.8% attack-detection recall with 94.6% token reduction (3,231→173 tokens/conversation). Comparing baselines, recall increases by 38.9 pp and aligns with theoretical O(n^2)→O(n) training complexity reduction (Kim, 1 Jan 2026).

6. Attack Vectors, Vulnerabilities, and Countermeasures

Despite high static and streaming accuracy, Qwen3Guard is vulnerable to black-box guardrail reverse-engineering attacks. The GRA (Guardrail Reverse-engineering Attack) framework can extract Qwen3Guard’s decision policy with F1 > 0.92 using reinforcement learning and genetic data augmentation, at an effective API cost <$85. This process accumulates input/output pairs to train a surrogate guardrail model (e.g., Llama-3.1-8B-Instruct with LoRA), exposing precise decision boundaries and enabling subversion by adversaries (Yao et al., 6 Nov 2025).

Mitigation strategies highlighted include:

• Adaptive rejection of probe and meta-evaluation prompts
• Dynamic mutation of filtering thresholds
• Input-output sequence monitoring for probing signatures
• Auditing and rate-limiting, with injected noise to frustrate boundary extraction

7. Limitations and Future Recommendations

Qwen3Guard’s key limitations are:

• Generalization collapse: Overfitting to benchmark and template cues; training data contamination inflates results (Young, 27 Nov 2025).
• Role confusion ("helpful mode" jailbreak): Although not directly observed in Qwen3Guard-8B, similar classifiers have reverted from moderation to assistant output under adversarial prompts.
• Scalability constraints: Current open evaluation focused on 8B-scale models; resilience and latency in commercial deployments, or with larger architectures, remain to be characterized (Kim, 1 Jan 2026).
• Streaming limitations: While Stream-variant supports real-time moderation, generative variant incurs super-linear cost in streaming applications.

Recommendations for future development:

1. Use contamination-free, professionally designed adversarial prompt sets for evaluation.
2. Prioritize model training strategies that foster semantic intent understanding over pattern matching.
3. Monitor for latent “helpful mode” vulnerabilities.
4. Integrate defense-in-depth: input pre-filtering, output moderation, dynamic policy updates, and proactive anomaly detectors.
5. Adopt template compression (e.g., Defensive M2S) for cost-effective multi-turn moderation, with caveats regarding template fragility and assistant context loss (Kim, 1 Jan 2026).

Qwen3Guard provides an advanced, extensible platform for research and deployment in LLM safety moderation, but its limitations with respect to generalization and adversarial robustness remain significant open challenges in the field.