A new pre-processing layer may make it harder to trick AI models into saying things they shouldn't.
Researchers have published a defense method called Context Filtering that intercepts prompts before they reach a large language model, strips out adversarial framing, and hands off only the inferred core intent. The system works as a wrapper — no fine-tuning required — which means it can sit in front of white-box models like open-source LLMs and black-box APIs alike. Tested against six jailbreak attack types, the authors report attack success rates fell by up to 92% compared to baseline, while the model's helpfulness on ordinary queries stayed largely intact.
The safety-versus-helpfulness tradeoff is the central problem every alignment team is fighting. Most defenses that raise the floor on harmful outputs also raise the false-positive rate, frustrating legitimate users. If the plug-and-play framing holds up under independent scrutiny, it would give deployment teams a meaningful lever that doesn't require access to model weights — a significant constraint when most production systems run on closed APIs.
The 92% figure comes from the authors' own comparative analysis, so treat it as a ceiling until outside teams replicate it. The broader jailbreak arms race has a reliable pattern: a defense ships, red teams find the new edge, and the cycle repeats. Context Filtering is a credible-sounding step forward, but "state-of-the-art" in academic safety benchmarks has a short shelf life.