Papers
Topics
Authors
Recent
Search
2000 character limit reached

SingGuard-Bench: Multimodal Safety Benchmark

Updated 5 July 2026
  • SingGuard-Bench is a multimodal safety benchmark that evaluates policy-adaptive guardrails using dynamic runtime rules and a detailed three-level taxonomy.
  • It comprises 56,340 test examples across image, multimodal, and dynamic-rule settings, featuring over 80 fine-grained risk types for precise safety assessment.
  • The benchmark tests binary safety judgments, cross-modal risk reasoning, and adapts to runtime policy shifts, demonstrating strong performance across multiple evaluation families.

Searching arXiv for SingGuard-Bench and closely related benchmark papers. SingGuard-Bench is a policy-conditioned multimodal safety benchmark introduced alongside the SingGuard guardrail model family to evaluate safety assessment under active, runtime-specified policies rather than under a single fixed moderation taxonomy (Team, 22 Jun 2026). It is designed for multimodal conversations and normalizes each instance into a common guardrail interface with target content, an active policy, a safety label, and a fine-grained risk category or rule title. In the reported formulation, the benchmark contains 56,340 test examples spanning image moderation, multimodal moderation, adversarial attack evaluation, and dynamic-rule evaluation, with 80+ fine-grained risk types organized under a three-level taxonomy (Team, 22 Jun 2026).

1. Benchmark definition and design objective

SingGuard-Bench is presented as the benchmark counterpart to SingGuard: the model family takes content together with an active policy and predicts a binary safety judgment, the triggered rule or category, and optionally a policy-grounded reasoning trace (Team, 22 Jun 2026). The benchmark is constructed to test precisely those capabilities. Its core claim is that multimodal guardrail evaluation should not be limited to static labels, because deployed systems may face changing product rules, region-specific policy variants, and multimodal compositions in which unsafe intent emerges only from the joint reading of text and image (Team, 22 Jun 2026).

The benchmark is introduced to address four gaps attributed to prior multimodal safety benchmarks: insufficient fine-grained structure, poor precision testing on benign-sensitive content, lack of dynamic policy evaluation, and weak coverage of strict cross-modal hidden intent (Team, 22 Jun 2026). Accordingly, SingGuard-Bench is not merely an image-safety or multimodal toxicity dataset. It is a benchmark for policy-following, rule grounding, attack robustness, and cross-modal composition reasoning under a unified evaluation interface (Team, 22 Jun 2026).

In the paper’s formal task definition, multimodal input is written as

x=(q,I,a),x = (q, I, a),

where qq is the user query, II denotes zero or more images, and aa is the assistant response when response-level moderation is required. The policy-conditioned prediction target is

fθ(x,P)(y,z,c),f_\theta(x, P) \rightarrow (y, z, c),

where y{safe,unsafe}y \in \{safe, unsafe\}, zz is an optional reasoning trace, and cT(P){Safe}c \in \mathcal{T}(P)\cup\{Safe\} is the triggered category or rule title (Team, 22 Jun 2026). This formulation makes the benchmark explicitly conditional on the active policy PP, not only on the content itself.

2. Corpus composition and benchmark structure

The benchmark contains 56,340 test examples in total (Team, 22 Jun 2026). The paper reports this as 54,340 samples in the image and multimodal subsets together, plus 2,000 dynamic-rule samples, yielding 56,340 total (Team, 22 Jun 2026).

Benchmark-level statistics

Subset Count Notes
Image 40,663 10,697 unsafe; 29,966 benign-sensitive
Multimodal 13,677 6,487 unsafe; 7,190 benign-sensitive
Dynamic-rule 2,000 4 policy-shift configurations, 500 each
Total 56,340 Full SingGuard-Bench

The image subset contains 10,697 unsafe images and 29,966 benign-sensitive images, with the latter intended to stress precision rather than raw harmful-content recall (Team, 22 Jun 2026). The multimodal subset contains 6,487 unsafe and 7,190 benign-sensitive examples and focuses on image-text composition and adversarial cross-modal intent (Team, 22 Jun 2026). The dynamic-rule subset contains 2,000 examples, split evenly across four policy-shift configurations (Team, 22 Jun 2026).

The benchmark’s internal organization is tied to a hierarchical safety taxonomy. The paper describes a three-level taxonomy with 8 primary dimensions, 27 secondary categories, and 80+ fine-grained risk types (Team, 22 Jun 2026). In the appendix-style construction statistics, this is further associated with 78 leaf nodes and a keyword pool of 2,124 keywords per language (Team, 22 Jun 2026). The paper does not explicitly reconcile the “80+ fine-grained risk types” count and the “78 leaf nodes” count, but both are reported as parts of the benchmark’s construction and taxonomy description (Team, 22 Jun 2026).

3. Safety taxonomy and policy representation

SingGuard-Bench uses the same unified taxonomy as the SingGuard framework (Team, 22 Jun 2026). The 8 primary dimensions are:

  1. A. Sexual Content Risk
  2. B. Real-World Crime and Public Safety
  3. C. Unethical Behavior
  4. D. Cybersecurity and Information Manipulation
  5. E. Agent Safety
  6. F. Politically Sensitive Content
  7. G. Animal Abuse
  8. H. Benign (Team, 22 Jun 2026)

The 27 secondary categories include, in the paper’s summary form, adult sexual content, sexual crimes and exploitation, violent crime, non-violent crime, weapons, WMD, hate, harassment, manipulation, self-harm, horror, misinformation, privacy leakage, intrusion, abuse/manipulation, copyright, prompt leakage, model behavior manipulation, rumors, subversion, unrest, historical distortion, public figures, protected animals, non-protected animals, entertainment abuse, and no risk (Team, 22 Jun 2026).

The fine-grained taxonomy includes leaf-level risks such as explicit sexual depiction and pornography, child sexual abuse and grooming, violent crime planning, drug/property/financial crimes, weapon manufacturing/modification, chemical/biological/radiological/nuclear weapons, identity-based attacks, organized harassment, systematic manipulation methods, suicide instruction, gore and dismemberment, health/financial/public-safety misinformation, biometric or communication-record leaks, surveillance and unauthorized access, fake traffic generation and coordinated inauthentic behavior, piracy and paywall bypass, system prompt extraction, jailbreak and policy-violating induction, political rumors and subversive advocacy, historical distortion, attacks on political figures, and multiple forms of animal cruelty (Team, 22 Jun 2026).

A distinctive feature of SingGuard-Bench is that benchmark instances may include active policy rules expressed in natural language (Team, 22 Jun 2026). The framework supports active policies represented as the full default taxonomy, a subset of categories, rewritten or merged rules, title-only rules, or entirely new domain-specific rules (Team, 22 Jun 2026). The prompt template described in the paper specifies that if {policy} is provided, it replaces the default policy, and the <answer> field must contain one active rule title from {policy}, or Safe (Team, 22 Jun 2026). This means the benchmark tests not only binary safe/unsafe classification, but also the system’s ability to attribute a decision to the currently active rule set.

This design distinguishes SingGuard-Bench from capability-oriented domain benchmarks such as SecBench, which is explicitly framed as a benchmark of cybersecurity knowledge retention and logical reasoning rather than of guardrail behavior, refusal, or policy adherence under adversarial conditions (Jing et al., 2024). SingGuard-Bench instead targets behavioral safety and policy-conditioned moderation (Team, 22 Jun 2026).

4. Task settings and cross-modal risk modeling

The benchmark covers several distinct settings (Team, 22 Jun 2026).

First, it includes image moderation, which evaluates pure image safety classification and emphasizes “bottom-line visual risks and benign-sensitive precision” (Team, 22 Jun 2026). Second, it includes multimodal moderation, where safety must be inferred from image-text combinations and, in the broader SingGuard interface, may also involve assistant responses (Team, 22 Jun 2026). Third, it includes adversarial attack evaluation, with attack-style prompts such as typographic, semantic-isomorphic, narrative, and role-play attacks, as well as transformations such as Typography and Patch Shuffle (Team, 22 Jun 2026). Fourth, it includes dynamic-rule evaluation, in which the same content can be paired with different active policies and therefore receive different labels (Team, 22 Jun 2026).

The benchmark places particular emphasis on cross-modal hidden-intent or cross-modal joint-risk cases (Team, 22 Jun 2026). These are examples where the image alone is benign and the text alone is benign, but the combination is unsafe (Team, 22 Jun 2026). The construction process starts from a harmful intent and then splits the evidence across image and text so that each modality appears harmless in isolation while their composition reveals unsafe intent (Team, 22 Jun 2026). The paper characterizes these as often requiring multi-hop or domain-knowledge clues (Team, 22 Jun 2026).

The multimodal subset also carries an additional subtype label identifying where the unsafe signal resides. The reported subtypes are IUTS (Image-Unsafe / Text-Safe), ISTU (Image-Safe / Text-Unsafe), IUTU (Image-Unsafe / Text-Unsafe), Image-Safe / Text-Safe with unsafe intent, and anchoring cases including I and ISTS (Team, 22 Jun 2026). This suggests that the benchmark is designed not only to measure whether a system flags risk, but also whether it can localize the source or composition of the risk.

5. Dynamic-rule evaluation and runtime policy shifts

Dynamic-rule evaluation is one of the benchmark’s central innovations (Team, 22 Jun 2026). In this setting, labels are not fixed solely by content. Instead, the same sample may be safe or unsafe depending on the active rule set. The benchmark simulates runtime policy changes by pairing samples with combinations of matching base rules, non-matching base rules, matching dynamic rules, and non-matching dynamic rules (Team, 22 Jun 2026).

Dynamic-rule configurations

Case Expected verdict Samples
unsafe→unsafe Unsafe 500
safe→safe Safe 500
unsafe→safe Safe 500
safe→unsafe Unsafe 500

The paper specifies the four cases as follows (Team, 22 Jun 2026). In unsafe→unsafe, the active policy includes 0 matching base rules, 1–2 non-matching base rules, 1 matching dynamic rule, and 1–2 non-matching dynamic rules; the expected verdict is unsafe. In safe→safe, there are 1–2 non-matching base rules, 0 matching dynamic rules, and 1–2 non-matching dynamic rules; the expected verdict is safe. In unsafe→safe, there are 0 matching base rules, 1–2 non-matching base rules, 0 matching dynamic rules, and 1–2 non-matching dynamic rules; the expected verdict is safe. In safe→unsafe, there are 1–2 non-matching base rules, 1 matching dynamic rule, and 1–2 non-matching dynamic rules; the expected verdict is unsafe (Team, 22 Jun 2026).

The dynamic-rule examples are created by adding rules, deleting active rules, broadening or narrowing rule scope, adding exemptions, changing evidence or intent requirements, adjusting rule priority, and generating entirely new rules outside the base taxonomy (Team, 22 Jun 2026). Non-matching dynamic rules function as distractors, so the evaluation tests whether a model actually follows the semantics of the active rule text rather than defaulting to memorized category priors (Team, 22 Jun 2026).

This emphasis on runtime rule shifts places SingGuard-Bench in a different category from localized but static moderation benchmarks such as RabakBench, which evaluates guardrail classifiers on Singapore-localized multilingual safety data but does not center evaluation on labels that flip under changing runtime policies (Chua et al., 8 Jul 2025). SingGuard-Bench extends guardrail benchmarking from localized safety classification to explicit policy adaptation (Team, 22 Jun 2026).

6. Construction pipeline, evaluation protocol, and reported results

The benchmark is built through what the paper calls a quality-oriented synthesis and filtering pipeline, summarized as keyword generation and association → data supplementation → quality filtering (Team, 22 Jun 2026). The construction uses a keyword pool with 78 leaf nodes and 2,124 keywords per language in English and Chinese, aligned one-to-one (Team, 22 Jun 2026). After deduplication, the paper reports 1,842 unique English keywords, 1,857 unique Chinese keywords, and 11.1% cross-node overlap retained intentionally (Team, 22 Jun 2026).

The collection process begins with LLM-generated seed keywords for each leaf rule, expands them through a knowledge graph across multiple rounds, associates existing safety data to the keyword set, and then searches open-source datasets and the public web for under-covered keywords (Team, 22 Jun 2026). Quality control then uses strict multi-model filtering with label consistency checks, category consistency checks, and explanation consistency checks (Team, 22 Jun 2026). The re-annotation and filtering pipeline is reported to use models such as Qwen3.5-397B-A17B, KIMI-K2.6, and GLM4.5V (Team, 22 Jun 2026). Samples failing the L0 binary safe/unsafe consistency check are discarded, while L1 category-level failures are rerouted as hard cases or synthesis seeds (Team, 22 Jun 2026). On an internal human-annotated validation set, the ensemble annotation pipeline is reported to achieve over 0.9 accuracy on safety-level labels (Team, 22 Jun 2026).

Every benchmark instance is normalized to a common interface with target content, active policy, safety label, and fine-grained risk category or rule title (Team, 22 Jun 2026). For static benchmark families, the paper reports binary F1 per dataset and macro-average F1 across datasets within each axis (Team, 22 Jun 2026). For the dynamic-policy family, it reports accuracy (Team, 22 Jun 2026). For SingGuard-Bench’s image, multimodal, and attack splits, the reported metrics are Accuracy, Precision, Recall, and F1, computed on the unsafe class (Team, 22 Jun 2026).

On SingGuard-Bench, the best reported image-split F1 is 0.8759 from SingGuard-4B (Team, 22 Jun 2026). The best multimodal-split F1 is 0.9943 from SingGuard-8B (Team, 22 Jun 2026). The best attack-split F1 is 0.9164 from SingGuard-2B (Team, 22 Jun 2026). For dynamic-policy evaluation, SingGuard-slow attains the best average accuracy of 0.7415, compared with 0.6465 for Qwen3-VL-8B (Team, 22 Jun 2026). The paper specifically highlights improvement on safe2unsafe, from 0.3800 to 0.5700, as evidence of stronger enforcement of newly introduced restrictions (Team, 22 Jun 2026).

More broadly, the paper states that across six benchmark families spanning 35 datasets, SingGuard achieves state-of-the-art average F1 in every family, and that dynamic-rule evaluation shows improved policy-following accuracy from 0.6465 to 0.7415 under runtime policy shifts (Team, 22 Jun 2026). This suggests that SingGuard-Bench is intended not only as an internal benchmark for one model family, but as a testbed for policy-adaptive multimodal guardrails more generally.

The benchmark’s limitations are also stated. The paper notes long-tail incompleteness, dependence on synthetic and model-assisted data, policy ambiguity and cultural variation, the need for continuous updates and human review, and confidence calibration issues for hybrid early exit under distribution shift (Team, 22 Jun 2026). A plausible implication is that SingGuard-Bench is best read as a deployment-oriented benchmark for policy-adaptive multimodal safety, but not as an exhaustive enumeration of all future safety policies or abuse patterns.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to SingGuard-Bench.