Intent Laundering in AI Safety: Why Benchmark Datasets Fail to Capture Real-World Threats

Understanding Intent Laundering in AI Safety Research

A groundbreaking study by researchers at Labelbox has exposed a fundamental flaw in how the AI industry evaluates model safety. The research introduces “intent laundering”—a systematic procedure that removes overt triggering cues from malicious prompts while strictly preserving their harmful intent. The results are alarming: once superficial language patterns are stripped away, models previously considered “reasonably safe” become highly vulnerable, with attack success rates soaring from single digits to over 86%.

The concept draws its name from the practice of disguising the true nature of something harmful behind an innocuous facade. In the context of AI safety evaluation, intent laundering demonstrates that current benchmarks measure a model’s ability to detect specific keywords rather than its capacity to identify genuine malicious intent. This distinction has profound implications for how the industry approaches safety alignment and red-teaming.

The research team—Shahriar Golchin and Marc Wetter—systematically evaluated two of the most widely used safety benchmarks, AdvBench and HarmBench, and found that both datasets suffer from critical design flaws that render their safety assessments unreliable. Their findings suggest that the entire foundation of AI safety evaluation needs rethinking, from dataset construction to alignment training methodologies.

The Triggering Cue Problem in Safety Datasets

At the heart of the research lies the concept of “triggering cues”—words or phrases with overt negative or sensitive connotations that appear with unusual frequency in safety datasets. These cues fall into two distinct categories that together form the basis of how current benchmarks attempt to simulate adversarial attacks.

Inherent triggering cues carry negative connotations by their very nature, regardless of context. Expressions like “commit suicide,” “steal confidential information,” or “commit identity theft” immediately signal harmful intent to any safety-aligned model. These phrases appear with striking regularity across benchmark datasets, forming predictable patterns that models can learn to detect and refuse.

Contextual triggering cues acquire their negative connotations from the surrounding context of harmful requests. Phrases such as “without getting caught,” “step-by-step instructions,” or “in detail” become triggers when combined with malicious intent. The research found that these contextual cues are overrepresented in safety datasets, creating artificial signals that models latch onto during safety training.

Through n-gram word cloud analysis of the combined AdvBench and HarmBench corpus, the researchers demonstrated an unusual overrepresentation of these triggering cues. The pattern intensifies as unigrams evolve into bigrams and trigrams—at every level of analysis, triggering language dominates the datasets. This overrepresentation suggests that data points are artificially designed to trigger safety mechanisms rather than reflect how real-world adversaries actually craft their attacks. As the National Institute of Standards and Technology (NIST) has emphasized, realistic threat modeling must account for sophisticated adversaries who deliberately avoid obvious language patterns.

How AdvBench and HarmBench Fall Short

The study evaluated safety datasets against three defining properties of real-world adversarial attacks: ulterior intent, well-crafted design, and out-of-distribution characteristics. On all three dimensions, both AdvBench and HarmBench fail to capture what actual attackers do.

Real-world attacks are driven by ulterior intent—adversaries conceal harmful purposes behind benign-looking requests. Yet the benchmark datasets contain prompts that explicitly state malicious goals using self-incriminating language. Even minimally skilled bad actors rarely use such overt phrasing, as it immediately triggers safety mechanisms. The datasets essentially test whether models can spot obvious red flags rather than whether they can identify concealed threats.

Well-crafted attacks are carefully designed to bypass safety filters. The benchmark datasets, however, rely on repetitive templates with predictable structures. The same triggering words appear across dozens of prompts with minor variations, creating patterns that are trivial for models to recognize during safety training. This stands in stark contrast to the sophisticated alignment evaluation methods that researchers at Anthropic and OpenAI have developed for internal testing.

Out-of-distribution attacks differ fundamentally from everyday user prompts. The benchmark datasets, with their repetitive structures and limited vocabulary, actually cluster closely together in embedding space—making them the opposite of out-of-distribution. This creates a false sense of security when models perform well on these benchmarks, as the evaluation data shares too many characteristics with the safety training data.

Data Duplication and Inflated Safety Scores

Beyond the triggering cue problem, the research uncovered severe data duplication within both benchmarks. Using pairwise similarity analysis with Sentence-BERT embeddings, the researchers found that AdvBench contains an alarming level of near-identical data points that inflate safety evaluation scores.

At a 0.95 similarity threshold, over 45% of AdvBench data points are near-identical. Even more striking, over 11% are essentially exact copies at a 0.99 threshold. For a dataset with only 520 entries intended to represent diverse adversarial attacks, this level of duplication fundamentally undermines its utility as a safety benchmark.

To contextualize these findings, the researchers compared duplication rates against the GSM8K mathematical reasoning dataset as a baseline. At a 0.85 similarity threshold, only about 11% of AdvBench data points are unique, compared to nearly 94% in a size-matched GSM8K subset. HarmBench also shows significant duplication—16% at the same threshold, versus only 3.5% in its GSM8K counterpart. Safety datasets, which should feature more unique data points to reflect diverse attack strategies, actually exhibit far more homogeneity than standard non-safety benchmarks.

This duplication means that reported safety scores are inflated. When many data points test essentially the same malicious intent with nearly identical phrasing, a model’s ability to refuse one effectively counts as refusing dozens. Researchers who subsample these datasets for evaluation studies may inadvertently select multiple entries from the same cluster of near-duplicates, further distorting results. According to the Center for Security and Emerging Technology at Georgetown University, rigorous AI safety evaluation requires diverse and realistic test scenarios that go far beyond simple keyword-based detection.

Connotation Neutralization and Context Transposition

Intent laundering achieves its effect through two complementary techniques: connotation neutralization and context transposition. Together, these methods systematically remove the superficial signals that safety-aligned models rely on while preserving the underlying harmful intent that datasets are supposed to evaluate.

Connotation neutralization replaces triggering cues carrying negative or sensitive connotations with neutral or positive alternatives. When no direct neutral substitute exists, descriptive language fills the gap. For example, an explicit request involving harmful activities might be rephrased using professional or academic terminology that carries no inherent negative signal. The malicious intent remains fully intact—only the surface-level language changes.

Context transposition takes the approach further by replacing real-world scenarios and referents with fictional alternatives. References to specific individuals, institutions, or situations that could act as triggering cues are mapped to non-real-world contexts—game worlds, fictional narratives, or hypothetical scenarios. Critically, all details remain applicable and transferable to the real world with minimal adjustments. The technique exploits the fact that safety training focuses on recognizing specific real-world contexts rather than understanding abstract harmful intent.

The researchers automated intent laundering using GPT-5.1 as the “intent launderer” with an 8-shot in-context learning setup. Each demonstration paired an original data point with its manually crafted intent-laundered revision, teaching the model to perform the transformation systematically. The results confirmed that once triggering language was removed, previously safe-appearing models became highly vulnerable—proving that current safety evaluations measure keyword sensitivity rather than genuine threat detection.

Attack Success Rates Across Leading AI Models

The empirical results of the intent laundering study are stark. Seven major AI models were tested, including some of the most safety-focused systems in production, and all showed dramatic vulnerability once triggering cues were removed from adversarial prompts.

On the AdvBench dataset, the mean attack success rate (ASR) jumped from 5.38% with original triggering cues to 86.79% after the first application of intent laundering. Individual model results were equally concerning. GPT-4o went from 0% ASR to 81.18%. Claude Sonnet 3.7 rose from 2.42% to 79.71%. Gemini 3 Pro increased from 1.93% to 82.61%. Llama 3.3 70B showed the most dramatic shift, going from 10.14% to 91.79%.

HarmBench results followed the same pattern, with the mean ASR rising from 13.79% to 79.83% after the first revision. The consistency across diverse model architectures—closed-source and open-weight, large and small—indicates that the vulnerability is systemic rather than model-specific. Safety alignment techniques across the industry appear to share the same fundamental weakness: overreliance on superficial language patterns.

Perhaps most concerning is the practicality metric. The study evaluated not just whether models produced unsafe responses, but whether those responses contained actionable, transferable information. Practicality rates remained above 97% across nearly all conditions, meaning that the information provided in response to intent-laundered prompts was directly applicable to real-world harm. This finding demolishes the argument that abstract or fictional framing reduces the practical danger of model outputs, a concern highlighted in recent EU AI Act regulatory frameworks.

Intent Laundering as a Jailbreaking Technique

Beyond its role as an evaluation methodology, intent laundering proves to be a devastatingly effective jailbreaking technique when enhanced with an iterative revision-regeneration mechanism. This extension pushes attack success rates to between 90% and 98.55% across all tested models under fully black-box access conditions.

The jailbreaking variant works by adding a feedback loop to the basic intent laundering process. When an initial revision fails to elicit an unsafe response, all previous failed revisions are provided as context to the intent launderer, which generates improved revisions informed by what didn’t work. This iterative process continues until either a target attack success rate is achieved or a maximum number of iterations is reached.

The revision-regeneration mechanism improves performance in two ways. First, it generates new revisions that succeed where earlier ones failed to bypass safety filters. Second, it produces revisions that yield more practical and actionable responses where previous outputs were too abstract. After just three iterations on AdvBench, even the most resistant models—Gemini 3 Pro and Claude Sonnet 3.7—reached attack success rates of 93-95%.

On HarmBench, which proved slightly more challenging, five iterations pushed all models above 90% ASR. Llama 3.3 70B and GPT-4o reached 91%, while Grok 4 and Gemini 3 Pro hit 93%. The steady increase across iterations confirms that the technique systematically finds ways around safety guardrails, and that adjusting the number of iterations provides direct control over the desired level of success. These findings align with broader concerns raised by the UK AI Safety Institute about the fragility of current safety alignment methods.

Implications for Safety Alignment and Evaluation

The intent laundering findings carry significant implications for the entire AI safety ecosystem. If the industry’s primary safety benchmarks are fundamentally flawed, then the safety claims made by model developers—based on these benchmarks—may be similarly unreliable. The research suggests that both internal safety evaluations and safety-related training paradigms likely share the same overreliance on triggering cues as public datasets.

This conclusion is supported by a telling observation: internal safety evaluations conducted by major AI labs reach the same conclusions as public benchmark testing—that their models are “reasonably safe.” If internal evaluations used fundamentally different methodologies, we would expect divergent results. The consistency suggests that the triggering cue problem permeates the entire safety evaluation pipeline, from public benchmarks to proprietary internal testing.

For safety alignment training specifically, the findings indicate that current techniques like RLHF and constitutional AI may be teaching models to pattern-match on surface-level language features rather than developing genuine understanding of harmful intent. When a model refuses a request because it contains the word “steal” but happily complies when the same theft is described using neutral language, it has learned keyword detection—not safety reasoning.

The study also raises questions about the regulatory landscape. As governments worldwide develop AI safety standards, many rely on benchmark testing as evidence of model safety. If these benchmarks are unreliable, regulatory frameworks built on them may provide inadequate protection. The White House Blueprint for an AI Bill of Rights emphasizes the importance of rigorous safety testing, but the intent laundering research suggests that current testing methodologies may not meet that standard.

Building Better AI Safety Benchmarks

The research points toward several principles for constructing more effective safety benchmarks. The core challenge is creating evaluation datasets that reflect how real adversaries actually behave—using concealed intent, sophisticated phrasing, and novel attack vectors rather than obvious harmful language.

First, benchmark designers should minimize triggering cues in their datasets. This doesn’t mean removing all harmful content—it means ensuring that data points test a model’s ability to detect concealed malicious intent rather than its ability to spot keywords. The intent laundering methodology itself could serve as a tool for benchmark improvement: applying it to existing datasets would produce more realistic adversarial examples.

Second, data duplication must be aggressively addressed. The finding that over 45% of AdvBench entries are near-identical at high similarity thresholds is unacceptable for a safety benchmark. Diverse attack strategies, varied phrasing, and unique malicious intents should be enforced through systematic deduplication and diversification processes during dataset construction.

Third, safety evaluation should incorporate adversarial robustness testing as a standard component. Rather than measuring model safety only against static datasets, evaluations should include dynamic red-teaming where attack strategies evolve based on model responses—much as intent laundering’s revision-regeneration loop does. This approach better simulates real-world adversarial conditions where attackers adapt their techniques based on what works.

Finally, the industry needs consensus on what constitutes a meaningful safety evaluation. The current gap between benchmark performance and real-world robustness is too large to ignore. Organizations like MLCommons are working on standardized AI safety benchmarks, but the intent laundering research suggests that these efforts must fundamentally rethink their approach to dataset design.

The Future of Adversarial AI Safety Testing

The intent laundering study represents a watershed moment for AI safety research—not because it introduces a new attack, but because it reveals that the foundation on which safety claims are built is structurally unsound. The path forward requires a fundamental shift in how the industry thinks about safety evaluation, moving from keyword-centric approaches to intent-understanding frameworks.

Several promising directions are emerging. Reasoning-based safety mechanisms, where models actively reason about the potential harm of a request rather than pattern-matching on specific language, show promise but remain in early stages. The study notes that reasoning can itself be exploited under adversarial conditions, suggesting that no single approach will be sufficient.

Multi-layered safety architectures—combining language-level detection, intent analysis, output monitoring, and behavioral constraints—may provide more robust protection than any single technique. By requiring attacks to bypass multiple independent defenses, these systems raise the bar significantly for adversaries while reducing dependence on any one vulnerability-prone component.

The research community is also beginning to explore “adversarial coevolution” approaches where safety training and attack development proceed in tandem, each improving in response to the other. This mirrors the dynamic in cybersecurity, where defensive measures must continuously evolve to address emerging threats rather than relying on static protections.

What remains clear is that the current status quo—where safety claims are validated against benchmarks that fail to represent real-world threats—cannot continue. The intent laundering research has demonstrated, with empirical rigor and devastating effectiveness, that the emperor has no clothes. The question now is whether the industry will respond with the urgency this finding demands, or whether it will continue to derive comfort from benchmark scores that measure the wrong things.