VLSafetyBencher: Scalable LVLM Safety Benchmark

Updated 3 February 2026

VLSafetyBencher is an automated multi-agent system designed to evaluate the safety of large vision-language models under adversarial, multimodal queries.
It orchestrates four distinct agents—preprocessing, data generation, augmentation, and selection—that work sequentially to maximize sample separability, harmfulness, and diversity.
Empirical results demonstrate enhanced discriminative power with metrics such as a 15.03% MAD and approximately 70% safety rate disparity, outperforming static benchmarks.

VLSafetyBencher is an automated, multi-agent benchmarking system for evaluating the safety of large vision-LLMs (LVLMs) under adversarial, multimodal queries. The framework has been specifically designed to overcome the scalability, discriminative power, and currency limitations of prior static safety benchmarks for LVLMs. VLSafetyBencher leverages autonomous LLM-driven agents and an optimized sample selection algorithm to curate diverse, high-confidence, cross-modal adversarial benchmarks that robustly discriminate models according to their practical safety alignment (Zhu et al., 27 Jan 2026).

1. System Architecture and Multi-Agent Pipeline

VLSafetyBencher orchestrates four autonomous LLM-based agents in a sequential pipeline:

Data Preprocessing Agent: Ingests a large candidate pool of raw images (∼300K) and existing queries, applies resolution and content filters, deduplicates using perceptual hashing, and categorizes each image via CLIP embeddings and LVLM verification into six top-level risk categories (Privacy, Bias, Toxicity, Legality, Misinformation, Health Risk), subdivided into 20 subcategories.
Data Generation Agent: Synthesizes multimodal query–image pairs where risk is only exposed through genuine cross-modal (vision+language) reasoning. Generation strategies enforce:
- Modality Dependence: risk only in the image, neutral text.
- Modality Complementarity: risk cues split across image and text.
- Modality Conflict: harmful scenario suggested by text is contradicted by the image.
Data Augmentation Agent: Diversifies candidate pairs through adversarial text paraphrasing (role-play, synonyms, jailbreak transformations) and geometric/image-level perturbations (crop, noise, blur, insertion of semantic distractors).
Selection Agent: Implements a greedy, iterative algorithm to select the benchmark set of size $N_{\max}$ (typically 4000), maximizing a weighted sum of (a) separability ( $C_{\mathrm{sep}}$ ), (b) harmfulness ( $C_{\mathrm{harm}}$ ), and (c) diversity ( $C_{\mathrm{div}}$ ), subject to strict pool constraints.

This multi-agent architecture enables scalable, automated, and dynamically updatable safety benchmark construction, with full independence from human-in-the-loop curation after initial configuration (Zhu et al., 27 Jan 2026).

2. Mathematical Formulations and Sample Selection

VLSafetyBencher's selection agent operationalizes three criteria for each sample $s=(I, q)$ :

Separability: $C_{\mathrm{sep}}(s) = -p_h\log p_h - (1-p_h)\log(1-p_h)$ , with $p_h$ the proportion of LVLMs in a reference pool producing a harmful response. Maximum discriminative power is achieved when $p_h \approx 0.5$ .
Harmfulness: $C_{\mathrm{harm}}(s) = \frac{1}{N_JN_M} \sum_{i=1}^{N_J} \sum_{j=1}^{N_M} p_{i,j}(s)$ , where $p_{i,j}(s)$ is the probability the $i$ th judge classifies the $j$ th model's output as harmful.
Diversity: Category-distribution entropy gain and semantic CLIP embedding diversity are combined via $C_{\mathrm{div}}(s, \mathcal{D}_S) = \frac{1}{2}(\Delta H(s, \mathcal{D}_S) + \text{cos}(s, \mathcal{D}_S))$ .

The global selection objective:

$\max_{\mathcal{D}_S} \sum_{s\in\mathcal{D}_S} [\alpha C_{\mathrm{sep}}(s) + \beta C_{\mathrm{harm}}(s) + \gamma C_{\mathrm{div}}(s, \mathcal{D}_S)]$

with $(\alpha, \beta, \gamma) = (0.5, 0.3, 0.2)$ , as motivated by ablation studies.

Algorithmic implementation is via greedy maximization—picking at each step the sample that yields the largest weighted criterion increment—ensuring both computational efficiency and sample utility for model discrimination (Zhu et al., 27 Jan 2026).

3. Benchmark Evaluation Metrics and Resulting Discriminative Power

Key evaluation metrics are specifically adapted for safety benchmarking:

Attack Success Rate (ASR $_m$ ): Fraction of samples where the $m$ {th} LVLM produces a harmful (policy-violating) output.
Safety Rate (SR $_m$ ): $1 - \text{ASR}_m$ per model.
Discrimination (MAD, GAP): Model-wise mean absolute deviation (MAD) and max–min disparity (GAP) of ASR across models.
Benchmark Harmfulness (MEAN): Mean ASR across all models (higher implies greater challenge).
Benchmark Diversity (DIV): Mean $C_{\mathrm{div}}$ across the selected set.

Results:

Metric	VLSafetyBencher	Best Non-Automated Baseline
MAD (%)	15.03	~7
MEAN (%)	39.16	39.32
GAP (%)	69.97	54.30
DIV (%)	83.10	—

Safety rate disparity $\Delta = \max_m \mathrm{SR}_m - \min_m \mathrm{SR}_m \approx 70\%$ , indicating strong separation power, substantially exceeding classic benchmarks. Full pipeline completion time is $\sim$ 1 week with minimal API cost ($<\$2$) (Zhu et al., 27 Jan 2026).

4. Comparative Ablations and Efficiency

Ablation studies validate the crucial role of each pipeline agent:

Removing preprocessing only increases runtime (to >14 days) but does not degrade sample quality.
Removing the generation or augmentation agent causes sharp declines in all quantitative metrics (MAD, MEAN, GAP).
Excluding the selection agent collapses the benchmark's discriminative power.

Benchmark sizes below 2000 yield unstable outcome metrics, while sizes above 4000 provide diminishing gains in discriminative power and diversity (Zhu et al., 27 Jan 2026).

5. Limitations, Updates, and Future Directions

Documented limitations of VLSafetyBencher:

LLM Quality Reliance: Downstream benchmark quality is inherently limited by the generative fidelity and adversarial creativity of the LLMs underlying the pipeline.
Synthetic Query Bias: Although strong for adversarial probing, the dataset may incompletely represent “in-the-wild” user safety queries.
Taxonomy Rigidity: Fixed category/subcategory definitions may not immediately reflect newly emergent safety threats or domain shifts.
Dynamic Threats: Static benchmarks are challenged by evolving adversarial modalities and emergent model behaviors.

Future advances are targeted at integrating closed-loop dynamic updates, real-world user data, and adaptive expansion of coverage as model capabilities and risks evolve. Taxonomy recategorization and continuous sampling strategies are required to maintain relevance (Zhu et al., 27 Jan 2026).

6. Alignment with Prior Benchmarks and Research Trajectory

VLSafetyBencher differentiates itself from SafeBench (Ying et al., 2024), which primarily utilizes LLM "jury deliberation" protocols and human-guided corpus construction, by eliminating human-in-the-loop bottlenecks and achieving a step-function increase in benchmark discriminativity, scalability, and update speed. Compared to VLSBench (Hu et al., 2024), which addresses information leakage in static image–text safety pairs, VLSafetyBencher's agent-driven optimization ensures that only genuinely multi-modal, cross-domain risk samples are retained, maximizing the adversarial coverage per sample. In contrast to “jury-based” or manual curation approaches, VLSafetyBencher is the first system demonstrated to keep pace with model advances through cost-effective, dynamic, and high-throughput benchmark construction (Zhu et al., 27 Jan 2026).

7. Concluding Remarks

VLSafetyBencher represents a methodological inflection point for LVLM safety evaluation: auto-generating, policy-violating cross-modal test cases at scale, with rigorous sample selection that prioritizes model separability, harmfulness, and scenario diversity. Its adoption enables model developers to quantitatively track safety progress, adversarial robustness, and coverage across the expanding landscape of misuse conditions, with empirical evidence for both discriminative power and efficiency. This paradigm underpins the next generation of safety-aware model evaluation pipelines for rapidly evolving vision-language systems (Zhu et al., 27 Jan 2026).