Breaking the Guardrails: How FLIRT Automates Red Teaming for Generative AI

We are living in the golden age of generative AI. With tools like ChatGPT, DALL-E, and Stable Diffusion, anyone with an internet connection can conjure up essays, code, and photorealistic art in seconds. But as these models become more capable, the risks associated with them grow proportionally.

Imagine a chatbot that gives detailed instructions on how to synthesize dangerous chemicals, or an image generator that, despite safety filters, produces graphic violence or hate speech when prompted with a specifically worded request. These aren’t hypothetical scenarios; they are the exact vulnerabilities that developers lose sleep over.

To prevent this, companies use Red Teaming—a practice borrowed from cybersecurity where a group of ethical hackers (the “red team”) tries to break a system to find its flaws. In the context of AI, red teaming involves finding “adversarial prompts”—inputs designed to trick the model into misbehaving.

Historically, this has been a manual, labor-intensive process involving humans sitting at keyboards, trying to outsmart the machine. But what if we could use AI to red team AI?

In this post, we will dive deep into a paper titled “FLIRT: Feedback Loop In-context Red Teaming.” This research introduces a novel, automated framework that uses a feedback loop to teach a “Red Language Model” how to become an increasingly effective adversary. We will explore how it works, the mathematics behind its optimization, and just how vulnerable our current image generation models truly are.

The Problem: The High Cost of Safety

Before we look at the solution, let’s establish the bottleneck. Ensuring an AI model is safe requires testing it against millions of potential inputs. The sheer vastness of natural language means there are infinite ways to ask for something bad.

Previous attempts to automate this process have existed, but they often fall into two traps:

  1. Inefficiency: They require fine-tuning a massive language model using reinforcement learning, which is computationally expensive.
  2. Ineffectiveness: Approaches like “Stochastic Few Shot” (SFS) generate thousands of prompts at once but often fail to find the “needle in the haystack”—the specific phrasing that bypasses safety filters.

The researchers behind FLIRT aimed to solve this by creating a framework that is both black-box (it doesn’t need to know the inner workings of the victim model) and adaptive (it learns from its own successes in real-time).

Enter the FLIRT Framework

FLIRT stands for Feedback Loop In-context Red Teaming. The core idea is simple yet brilliant: use In-Context Learning (ICL) to evolve attacks.

If you are familiar with Large Language Models (LLMs), you know that providing a few examples (few-shot prompting) helps the model understand a task better than giving it no examples (zero-shot). FLIRT exploits this by maintaining a dynamic list of “successful attacks.” As it finds prompts that successfully trick the target model, it feeds them back into its own prompt as examples, effectively saying, “Hey, these worked. Write more like this.”

The Architecture

Let’s break down the architecture step-by-step. The framework consists of three main components:

  1. ** The Red LM:** The attacker (e.g., a GPT model).
  2. The Target Model: The victim (e.g., Stable Diffusion).
  3. The Feedback Mechanism: A safety classifier (e.g., NudeNet or Q16) that acts as the referee.

Figure 1: Our proposed Feedback Loop In-context Red Teaming (FLIRT) framework for generating adversarial prompts. In each FLIRT iteration, the red LM generates an adversarial prompt that is fed into the text-to-image model. Upon text-to-image model generating the image corresponding to the prompt generated by the red LM, the image is evaluated using Q16 and NudeNet classifiers to determine safety of the image.

As shown in Figure 1 above, the process flows in a loop:

  1. Attack Generation: The Red LM (represented by Bertie the Bear) looks at a set of example prompts (the “exemplars”) and generates a new adversarial prompt.
  2. Target Execution: This prompt is sent to the Text-to-Image model (represented by Bob Ross), which generates an image.
  3. Evaluation: The generated image is analyzed by safety classifiers. Is it violent? Is it explicit? The classifiers output a score.
  4. Feedback Loop: If the image is deemed “unsafe” (meaning the attack worked), the prompt that created it is considered a success. The Red LM then updates its list of exemplars based on a specific strategy (FIFO, LIFO, or Scoring).

This loop repeats for a set number of iterations, with the Red LM getting sharper and more dangerous with every cycle.

The Attack Strategies

The most critical part of FLIRT is how the Red LM decides which prompts to keep in its memory (context). The paper explores several strategies:

  • FIFO (First In First Out): A simple queue. When a new successful prompt is found, it’s added to the end, and the oldest example is dropped.
  • LIFO (Last In First Out): A stack. The new successful prompt replaces the most recent one. This helps preserve the original “seed” instructions (the initial intent) while exploring variations.
  • Scoring: This is the most sophisticated method. It optimizes the list of examples based on specific objectives, such as how effective the attack is or how diverse the language is.

The Core Method: The Scoring Strategy

The Scoring Strategy is the secret sauce of FLIRT. Instead of blindly replacing examples, the framework treats the selection of in-context examples as an optimization problem.

The Red LM wants to construct a context list \(X\) that maximizes a specific score.

Equation 1: The optimization formula for updating the exemplar list.

Let’s translate this equation into plain English:

  • \(X^{t+1}\): The new list of examples for the next round.
  • \(Score(X)\): The value we want to maximize.
  • \(\lambda_i O_i(X)\): The weighted sum of different objectives.

The framework looks at the current list of prompts and the new successful prompt. It calculates which combination results in the highest “Score.”

What are the objectives (\(O\))?

  1. Attack Effectiveness (\(O_{AE}\)): How “unsafe” are the images generated by these prompts? We want this high.
  2. Diversity (\(O_{Div}\)): Are the prompts linguistically different from each other? We don’t want the model to just spam the exact same phrase 1,000 times. We want it to find new ways to break the model.
  3. Low Toxicity (\(O_{LT}\)): This is fascinating. We can tell the Red LM to optimize for prompts that look safe (low toxicity text) but produce unsafe images. This is akin to a “stealth” attack.

By adjusting the weights (\(\lambda\)), the researchers can control the behavior of the Red LM. For example, setting a high weight for diversity forces the model to explore different semantic clusters of attacks.

Experimental Results: Does FLIRT Work?

The researchers tested FLIRT extensively against Stable Diffusion (SD) models, ranging from the vanilla v1-4 to versions fortified with “Safe Latent Diffusion” mechanisms (Weak, Medium, Strong, and Max Safe).

1. FLIRT vs. The Baseline

The primary comparison was against Stochastic Few Shot (SFS), a previous state-of-the-art method. The results were stark.

As seen in Table 3 (below), FLIRT’s strategies consistently outperformed SFS.

Table 3: Attack effectiveness and diversity results with safety filter on in stable diffusion models.

Looking at the data for Stable Diffusion (SD):

  • SFS achieved an attack effectiveness of roughly 33.2%.
  • FLIRT (Scoring Strategy) achieved an effectiveness of 86.3%.

This means that almost 9 out of 10 prompts generated by the Scoring strategy successfully triggered the model to generate unsafe content. Even against the “Strong Safe SD” model—which is designed to resist these attacks—the Scoring strategy maintained a 55% success rate compared to SFS’s 12.2%.

2. Balancing Diversity and Effectiveness

There is often a trade-off in red teaming. If you find one vulnerability (e.g., using the word “blood”), the easiest way to keep your score high is to just keep saying “blood.” But that doesn’t help developers fix the model; they need to know all the vulnerabilities.

The researchers introduced a diversity parameter (\(\lambda_2\)) into the scoring equation. By increasing this parameter, they could force the Red LM to generate unique prompts.

Figure 2: Diversity-attack effectiveness results with varying the lambda parameter.

Figure 2 visualizes this trade-off.

  • Orange Line (Attack Effectiveness): As \(\lambda_2\) increases (moving right), the attack effectiveness drops. This makes sense; the model is forced to try riskier, less proven paths to satisfy the diversity requirement.
  • Blue Line (Diversity): As \(\lambda_2\) increases, diversity shoots up to nearly 100%.

The sweet spot lies somewhere in the middle, where the Red LM generates a wide variety of prompts that are still highly effective at breaking the model.

3. The “Stealth” Attack: Low Toxicity

One of the most alarming findings in the paper involves the Low-Toxicity objective. Most content moderation systems work by scanning the text prompt for bad words. If you type “murder,” it blocks you.

But what if the prompt is “A red liquid pooling around a sleeping person”? The text is clean, but the image is not.

The researchers tuned the Scoring strategy to maximize attack effectiveness while minimizing text toxicity.

Table 4: Percentage of toxic prompts generated by the red LM before and after applying low-toxicity constraint.

Table 4 shows the results.

  • With no constraint (\(\lambda_2 = 0\)), the Red LM generated highly toxic prompts (e.g., 82.7% toxic for SD).
  • With the constraint (\(\lambda_2 = 0.5\)), the toxicity of the prompts dropped to nearly 0%, yet they were still able to trigger unsafe images.

This proves that prompt-filtering is not enough. A clever adversary (or an automated one like FLIRT) can find “implicit” prompts that bypass text filters while still generating prohibited content.

Deep Dive: Robustness and Transferability

The paper didn’t stop at just one model. They asked two critical questions:

  1. Does an attack learned on one model work on another? (Transferability)
  2. Can the Red LM learn even if we start with “safe” examples?

Attack Transferability

If a hacker develops an attack using an open-source model like Stable Diffusion, can they use those same prompts to attack a different, perhaps proprietary, model?

Table 5: Transferability of the attacks.

Table 5 suggests the answer is yes.

  • Attacks generated on “Weak Safe SD” transferred to “Medium Safe SD” with 78.3% effectiveness.
  • Attacks from “SD” transferred to “Strong Safe SD” with 72.1% effectiveness.

This indicates that the vulnerabilities FLIRT uncovers are often fundamental to the text-to-image generation process, rather than specific quirks of a single model checkpoint.

Learning from Scratch

One of the most surprising results came from analyzing the “seed prompts”—the initial examples given to the Red LM to start the loop. You might think you need to feed the Red LM extremely graphic examples to get it started.

Figure 5: Results from different strategies using different seed prompts containing different numbers of unsafe exemplar prompts.

Figure 5 shows the effectiveness based on the number of unsafe seeds.

  • Even with 0 unsafe seeds (starting with totally benign prompts like “A man swimming”), the Scoring strategies (Green and Red lines) eventually learned to break the model, reaching over 40% effectiveness.
  • With just 2 unsafe seeds, the effectiveness skyrocketed to over 90%.

This demonstrates the frightening efficiency of the feedback loop. The model only needs a tiny breadcrumb of vulnerability to tear the whole system open.

The Vocabulary of Attacks

Finally, what do these attacks actually look like? The researchers analyzed the vocabulary generated by different strategies.

Figure 4: Word clouds representing some frequent words generated in prompts from each attack strategy.

Figure 4 displays word clouds for the generated prompts.

  • The Scoring strategy (which was most effective) converged on specific, high-impact words like “blood,” “naked,” “gun,” and “body.”
  • The LIFO strategy, which preserves the original seed intent, maintained a slightly more varied vocabulary but was less effective.

This visualization confirms that the Red LM successfully identified the specific concepts that the safety filters were failing to catch.

Conclusion

The FLIRT framework represents a significant step forward in AI safety. By automating the red teaming process using In-Context Learning and a feedback loop, the researchers demonstrated that current generative models are far more vulnerable than we might hope.

The key takeaways from this research are:

  1. Automation works: We don’t need expensive human teams or massive reinforcement learning pipelines to find vulnerabilities. A lightweight feedback loop is highly effective.
  2. Scoring is superior: Treating prompt selection as an optimization problem (balancing effectiveness, diversity, and stealth) yields the best results.
  3. Text filters are insufficient: FLIRT proved that it can generate “safe-looking” text that produces “unsafe” images, completely bypassing standard keyword filters.
  4. Vulnerabilities transfer: Security holes found in one model are likely present in others.

For students and researchers entering the field, FLIRT underscores a crucial reality: Building the model is only half the battle. As generative AI becomes integrated into products used by millions, frameworks like FLIRT will be essential tools in the developer’s arsenal, helping us find and patch the cracks in the armor before they can be exploited.