Prompt Attack Detection with LLM-as-a-Judge and Mixture-of-Models
Prompt attacks, including jailbreaks and prompt injections, pose a critical security risk to Large Language Model (LLM) systems. In production, guardrails must mitigate these attacks under strict low-latency constraints, resulting in a deployment gap in which lightweight classifiers and rule-based systems struggle to generalize under distribution shift, while high-capacity LLM-based judges remain too slow or costly for live enforcement. In this work, we examine whether lightweight, general-purpose LLMs can reliably serve as security judges under real-world production constraints. Through caref — Hieu Xuan Le, Benjamin Goh, Quy Anh Tang
View PDF HTML (experimental)
Abstract:Prompt attacks, including jailbreaks and prompt injections, pose a critical security risk to Large Language Model (LLM) systems. In production, guardrails must mitigate these attacks under strict low-latency constraints, resulting in a deployment gap in which lightweight classifiers and rule-based systems struggle to generalize under distribution shift, while high-capacity LLM-based judges remain too slow or costly for live enforcement. In this work, we examine whether lightweight, general-purpose LLMs can reliably serve as security judges under real-world production constraints. Through careful prompt and output design, lightweight LLMs are guided through a structured reasoning process involving explicit intent decomposition, safety-signal verification, harm assessment, and self-reflection. We evaluate our method on a curated dataset combining benign queries from real-world chatbots with adversarial prompts generated via automated red teaming (ART), covering diverse and evolving patterns. Our results show that general-purpose LLMs, such as gemini-2.0-flash-lite-001, can serve as effective low-latency judges for live guardrails. This configuration is currently deployed in production as a centralized guardrail service for public service chatbots in Singapore. We additionally evaluate a Mixture-of-Models (MoM) setting to assess whether aggregating multiple LLM judges improves prompt-attack detection performance relative to single-model judges, with only modest gains observed.
Comments: 16 pages, 3 figures
Subjects:
Computation and Language (cs.CL)
Cite as: arXiv:2603.25176 [cs.CL]
(or arXiv:2603.25176v1 [cs.CL] for this version)
https://doi.org/10.48550/arXiv.2603.25176
arXiv-issued DOI via DataCite (pending registration)
Submission history
From: Xuan Hieu Le [view email] [v1] Thu, 26 Mar 2026 08:47:53 UTC (143 KB)
Sign in to highlight and annotate this article
Conversation starters
Daily AI Digest
Get the top 5 AI stories delivered to your inbox every morning.
More about
researchpaperarxiv
Exclusive | Caltech Researchers Claim Radical Compression of High-Fidelity AI Models - WSJ
<a href="https://news.google.com/rss/articles/CBMiuANBVV95cUxOOGItWGdQMGlaeThwcnNieE40a05Ed19xRnlsYm9XdXdhTk9yc2NvWDU3Y3EwTDZNb2kzQ1Z1T0RIcEZlZDBNRTNTUG1LQ0I4cVZEQUZEcXhqREk5RllkS3EzTU10eHNrcWFDQ0lEdmYxaTBNMi1iMWMxS0t3bHpOSWt2bXhQcGxMOFFEWVNhN29HNVpmVkIwVXc2UmEtOFBpMnJvMi1rRkVxcWt2LWVvdnItNkllR1gyano3VEpPQVZNdTZWRkFvcWdWRm5QSmtTYmE2ajhnQ0picndQNE0xd21fdG1RWFpjcFFiRHh2OVRYMTVBclg2RTJvM1ZxZ0lmOWJrQV91S05kbjhXM3B6Z3BMeGJiY2tzMVNpNzZaNW91QjM4VFJIazVFOFRGSDJBdWg4ZXY3VUVvQnhkc3BIWjU2d0M3Uk1PdXZjOFR0QnplZmJQQkl6QVhNaEgzUG53RWwxdmRFNng5Q3pqc0hBaHNrTFVobk1iVV9PNnh2NEpGVEZ0TGZrUWNEZjlWMDNjWVZyV0UzZndPZ2I1dUtZWDN5TFJMUklkc1hoNWYwMEpRMkZJbEwxcQ?oc=5" target="_blank">Exclusive | Caltech Researchers Claim Radical Compression of High-Fidelity AI Models</a> <font color="#6f6f6f">WSJ</font>
Exclusive | Caltech Researchers Claim Radical Compression of High-Fidelity AI Models - wsj.com
<a href="https://news.google.com/rss/articles/CBMiuANBVV95cUxPV0Z4UERPZU5fUFY4QXBHeXRud2w2ZWN1WTRaUVFSQ081QnM0YXdKLVFtclZTb2l5SE5QNUxzQTE4eV9HMjhqYkE0RE1HN1hITFVOMFU1c1FSZjcxR3F0Y2w3NHVrVndjUERpS1FTX3JQS0Y2MjF6U1dpY1J0elBFUVN2VEZULXVqUUxGeHVjYUFNUERVVUdlb1F4cGxQQmRKY3poVVlVTVphbDV5SlU0X0ZZVHlUTmFlUWRFNHFfbm9nODVBV3pWZjVGOUZyOFlSZlBlLVNnS2o2eXJxWEtTUEJOaUlnTUlIN29tWTJoWXcwWGxXOXlzU1BLWkNQUzBURWxqRXk5RWVOQ0JDT1FoMVMtUVJfdk9LYlpLb3RSeGpRb2poUlYyZUZRNk54cFBKYTVqcXI1SkdKQlBGRGZKLWcwNDNjTHRaSGtVV1o0dHItTnpvNzJzZ3Qteks2NVFKSndoOVZhdFFHbXdCQXlkbFlSLUJfeFphTmlKN1FOcXVUQVNYcFBaMEk2WU5CSjM3M01lbUZROFlWbHZvaFpkR1I5ZGVlazdxSVJuNmVoN3hQai1GTDBkZw?oc=5" target="_blank">Exclusive | Caltech Researchers Claim Radical Compression of High-Fidelity AI Models</a> <font color="#6f6f6f">wsj.com</font>
AI Inspires New Research Topics In Materials Science - miragenews.com
<a href="https://news.google.com/rss/articles/CBMihwFBVV95cUxQRlVFdkRBaHRvYkJJdFRlMTZmajEzeFRPU0hGWWdfbi02V1FnTUdVQ2pmY2VZLUV2NlB4V3BFdEVlSVZkUlhRSTZaNWFKMmcyWXJYbnNqbUhMTmp0NnFtMEppOXlPZkJSNHJfck5VSEVYcmUtX1k2QkJlR1BvUEdTTkp3UmlYRkk?oc=5" target="_blank">AI Inspires New Research Topics In Materials Science</a> <font color="#6f6f6f">miragenews.com</font>
Knowledge Map
Connected Articles — Knowledge Graph
This article is connected to other articles through shared AI topics and tags.
More in Research Papers
AI Inspires New Research Topics In Materials Science - miragenews.com
<a href="https://news.google.com/rss/articles/CBMihwFBVV95cUxQRlVFdkRBaHRvYkJJdFRlMTZmajEzeFRPU0hGWWdfbi02V1FnTUdVQ2pmY2VZLUV2NlB4V3BFdEVlSVZkUlhRSTZaNWFKMmcyWXJYbnNqbUhMTmp0NnFtMEppOXlPZkJSNHJfck5VSEVYcmUtX1k2QkJlR1BvUEdTTkp3UmlYRkk?oc=5" target="_blank">AI Inspires New Research Topics In Materials Science</a> <font color="#6f6f6f">miragenews.com</font>
From brain scans to alloys: Teaching AI to make sense of complex research data - Penn State University
<a href="https://news.google.com/rss/articles/CBMiwAFBVV95cUxPZDFHdkptQ2VUM2hmWjhqQkxoRnBiTWoxMXRRR21MUG5TamdUMlFRWmhvYVNHaFVNREVKU3VmSnVOdDVZYnNLb2ppYXRVRTZmVFVMV1pLTlVhUm9ybTNZbGtvZTdIMnIyMHNpOEk5aU9TSmxxS2Y4V2MwazYwY3JlX1Axbk1nd3pfcWhFdUJaaDJWRXJaMFIyTTROcmFHeXI3ZzFudXJ2M1h6UHI1LW1Ca1dta2RkM3BiYndocGk3Yjg?oc=5" target="_blank">From brain scans to alloys: Teaching AI to make sense of complex research data</a> <font color="#6f6f6f">Penn State University</font>
Locating Risk: Task Designers and the Challenge of Risk Disclosure in RAI Content Work
arXiv:2505.24246v4 Announce Type: replace Abstract: As AI systems are increasingly tested and deployed in open-ended and high-stakes domains, crowdworkers are often tasked with responsible AI (RAI) content work. These tasks include labeling violent content, moderating disturbing text, or simulating harmful behavior for red teaming exercises to shape AI system behaviors. While prior research efforts have highlighted the risks to worker well-being associated with RAI content work, far less attention has been paid to how these risks are communicated to workers by task designers or individuals who design and post RAI tasks. Existing transparency frameworks and guidelines, such as model cards, datasheets, and crowdworksheets, focus on documenting model information and dataset collection process
Togedule: Scheduling Meetings with Large Language Models and Adaptive Representations of Group Availability
arXiv:2505.01000v5 Announce Type: replace Abstract: Scheduling is a perennial-and often challenging-problem for many groups. Existing tools are mostly static, showing an identical set of choices to everyone, regardless of the current status of attendees' inputs and preferences. In this paper, we propose Togedule, an adaptive scheduling tool that uses large language models to dynamically adjust the pool of choices and their presentation format. With the initial prototype, we conducted a formative study (N=10) and identified the potential benefits and risks of such an adaptive scheduling tool. Then, after enhancing the system, we conducted two controlled experiments, one each for attendees and organizers (total N=66). For each experiment, we compared scheduling with verbal messages, shared c
Discussion
Sign in to join the discussion
No comments yet — be the first to share your thoughts!