CMU-CS-26-101
Computer Science Department
School of Computer Science, Carnegie Mellon University



CMU-CS-26-101

Improving Security and Safety of Generative Models

Andy Zou

Ph.D. Thesis

February 2026

CMU-CS-26-101.pdf


Keywords: Deep learning, ML safety, AI security, adversarial robustness, red teaming, alignment, interpretability, monitoring

The rapid advancement of artificial intelligence, particularly large language models and multimodal systems, has brought unprecedented capabilities alongside critical questions about safety, robustness, and alignment with human values. This thesis presents a comprehensive investigation into AI safety spanning three interconnected research directions.

First, we demonstrate the brittleness of current alignment methods through adversarial attacks that reliably circumvent safety measures in text-only, multimodal, and embodied AI systems. The Greedy Coordinate Gradient attack and related techniques reveal that alignment is not equivalent to adversarial robustness, with attacks transferring to production systems including ChatGPT, Claude, and Gemini.

Second, we develop rigorous evaluation frameworks for AI safety. HarmBench provides a standardized platform for comparing red teaming methods and defenses. AgentHarm demonstrates that LLM agents are surprisingly compliant with malicious requests even without jailbreaking. Our large-scale red teaming competition reveals widespread policy violations in deployed AI agents, while additional benchmarks enable assessment of AI capabilities against human cybersecurity professionals and detection of deceptive reasoning.

Third, we introduce techniques for improving AI alignment and control. Representation engineering provides a top-down framework for understanding and manipulating high-level cognitive phenomena in neural networks. Circuit breakers build on this foundation to provide robust defense against adversarial attacks by directly controlling harmful representations. Safety pretraining demonstrates that building safety into models from the start can dramatically reduce attack success rates while maintaining general capabilities.

Together, these contributions advance our understanding of AI safety challenges and provide practical tools for building more robust and trustworthy AI systems.

201 pages

Thesis Committee:
J. Zico Kolter (Co-chair)
Matt Fredrikson (Co-chair)
Graham Neubig
Nicholas Carlini (Anthropic)

Jignesh Patel, Interim Head, Computer Science Department
Martial Hebert, Dean, School of Computer Science


Return to: SCS Technical Report Collection
School of Computer Science

This page maintained by reports@cs.cmu.edu