SafeCoDe: Safety-Aware Contrastive Decoding
- SafeCoDe is a decoding-time safety framework that integrates visual and textual modalities to make context-sensitive refusal decisions.
- It employs contrastive decoding by comparing base logits with those from a neutralized image, dynamically tuning responses based on scene safety.
- Experimental results show improved safety accuracy and reduced oversensitivity while maintaining near-original utility in multimodal applications.
SafeCoDe refers to Safety-aware Contrastive Decoding, a decoding-time safety framework for multimodal LLMs (MLLMs) designed to improve context-sensitive refusal behaviors while preserving the utility of generated responses. SafeCoDe is distinct from earlier code-focused approaches such as AutoSafeCoder and SecCoder but shares with these systems an emphasis on robust, generalizable safety solutions. Its methodology is characterized by integration of visual and textual modalities to balance the competing demands of caution and helpfulness in MLLMs, specifically addressing limitations such as oversensitivity and undersensitivity in refusal decisions (Liu et al., 23 Sep 2025).
1. Motivation and Problem Space
The deployment of MLLMs in real-world applications necessitates mechanisms for reliable context-sensitive safety judgments. Traditional text-only or naive multimodal approaches typically default to rigid heuristics, resulting in two main failure modes:
- Undersensitivity: The model overlooks visually implied risks and provides unsafe responses to hazardous scenarios latent in images (e.g., dangerous physical activities in unsafe settings).
- Oversensitivity: The model unjustifiably refuses benign user queries due to overreactive safety triggers tied to non-threatening images or ambiguous prompts.
Existing prompting or decoding schemes inadequately balance these risks. SafeCoDe aims to achieve both (i) visually grounded safety judgments and (ii) global scene-aware adaptations within an efficient, inference-time-only framework adaptable to arbitrary open-source MLLMs (Liu et al., 23 Sep 2025).
2. SafeCoDe Architecture and Workflow
The SafeCoDe framework consists of two sequential mechanisms during decoding:
2.1 Contrastive Decoding Initialization
For an input image , user prompt , and previously generated token sequence , SafeCoDe introduces a contrastive comparison:
- Construct as a "neutralized" version of , obtained by adding Gaussian noise that preserves color and texture but disrupts semantic content.
- Compute base logits and contrastive logits at decoding step .
- Form contrastive logits:
Here, modulates the noise subtraction. The softmax-normalized contrastive logits, 0, serve as the decoding distribution in early steps, amplifying response tokens that are highly sensitive to authentic visual details.
2.2 Global-Aware Token Modulation
- Generate a scene-level caption 1 for the image.
- Obtain a binary scene safety verdict 2 using an auxiliary MLLM-Judge, e.g., GPT-4V, which evaluates 3.
- For each decoding step 4, modulate the base logits 5 for a predefined refusal token set 6:
7
The hyperparameters 8 control the encouragement or suppression of typical refusal tokens, thus tuning the strength of help/refusal responses according to safety context.
- Revert to ordinary sampling for 9, since refusal/help intent is typically established in early tokens.
The combination of mechanisms ensures that refusal and compliance behaviors are dynamically and contextually adapted using both local token-level signals and holistic scene-level verdicts (Liu et al., 23 Sep 2025).
3. Algorithmic Description
SafeCoDe’s end-to-end decoding process is detailed by the following algorithm:
- Compute image caption 0.
- Evaluate safety verdict 1 with the MLLM-Judge on 2.
- For each token position 3:
- If 4:
- Compute contrastive logits and obtain preliminary logit vector.
- Apply token modulation over the refusal token set based on 5.
- Sample next token from modulated distribution.
- Else:
- Use ordinary logits for decoding.
- If 4:
This design is model-agnostic—requiring only white-box access to the MLLM’s logits—and can wrap any open-source MLLM at inference without retraining (Liu et al., 23 Sep 2025).
4. Experimental Setup and Benchmarks
SafeCoDe was evaluated across multiple MLLMs—LLaVA-1.6-7B, Qwen2.5-VL-7B-Instruct, InstructionBlip-7B, Idefics-9B-Instruct—against several baselines including vanilla decoding, CoT+Agg, Self-Examination, DPP, AdaShield, and others. Contextual safety and utility were measured on:
- MSSBench (undersensitivity): accuracy on cases where visual context changes safety ground truth
- MOSSBench (oversensitivity): benign prompt rejection rates across visual categories
- General Safety: MM-SafetyBench, FigStep, Hades—reporting attack success rate (ASR)
- Utility: MMMU, MIA-Bench, MathVista, MMVet
The table summarizes principal experimental results for SafeCoDe:
| Model | MSSBench (↑) | MOSSBench (↓) |
|---|---|---|
| LLaVA-1.6-7B | +23.32 pp | –1.33 pp |
| Qwen2.5-VL-7B | +9.94 pp | –1.35 pp |
| InstructionBlip-7B | +16.48 pp | –2.00 pp |
| Idefics-9B | +14.87 pp | –9.66 pp |
On MSSBench, these denote percentage point improvements in accuracy for safe/unsafe classification; on MOSSBench, reductions in rejection rates for benign prompts (Liu et al., 23 Sep 2025).
SafeCoDe reduces ASR to near zero on robust general safety/jailbreak benchmarks and maintains utility metrics within 1–2 percentage points of the base MLLMs.
5. Analysis, Practical Impact, and Limitations
SafeCoDe enables fine-grained trade-off tuning between safety and helpfulness via hyperparameters 6, 7, 8, and 9. In practice, 2–5 early decoding steps suffice for effective modulation. The system’s dependence on access to model logits limits its use to open-source or white-box MLLMs; future directions include black-box surrogate approximations.
Current scope is limited to amplifying or suppressing predefined refusal/compliance tokens. Expanding to “soft refusals” or richer safe-completion generators—e.g., generating partial advice while avoiding explicit unsafe content—is identified as a promising enhancement. The need for efficient, reliable scene-level safety judges highlights an open problem in multimodal safety verification.
SafeCoDe’s inference-time, model-agnostic design positions it as a robust and practical approach to balancing context-aware refusal and utility in safety-critical MLLM applications (Liu et al., 23 Sep 2025).