arxiv: 2009.11462 · v2 · submitted 2020-09-24 · 💻 cs.CL

Recognition: 2 theorem links

· Lean Theorem

RealToxicityPrompts: Evaluating Neural Toxic Degeneration in Language Models

Samuel Gehman , Suchin Gururangan , Maarten Sap , Yejin Choi , Noah A. Smith

Authors on Pith no claims yet

Pith reviewed 2026-05-15 18:16 UTC · model grok-4.3

classification 💻 cs.CL

keywords toxicitylanguage modelscontrollable generationpretraining datatoxic degenerationRealToxicityPromptsGPT-2

0 comments

The pith

Pretrained language models can generate toxic text from seemingly innocuous prompts, and no current control method prevents it reliably.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Pretrained language models often continue ordinary web sentences with racist, sexist, or otherwise toxic language. The authors build RealToxicityPrompts, a set of 100,000 real sentence fragments drawn from web text and labeled by a standard toxicity classifier. When these prompts are fed to models such as GPT-2, toxic continuations appear at high rates even when the prompt itself scores low on toxicity. Techniques that steer generation—word filtering, reranking, or retraining on cleaner data—lower the rate of toxic output but never eliminate it. The paper traces the problem to the pretraining corpora themselves, which contain large volumes of offensive and unreliable text.

Core claim

Using RealToxicityPrompts, we find that pretrained LMs can degenerate into toxic text even from seemingly innocuous prompts. We empirically assess several controllable generation methods, and find that while data- or compute-intensive methods are more effective at steering away from toxicity than simpler solutions, no current method is failsafe against neural toxic degeneration. Analysis of two web text corpora used to pretrain several LMs reveals a significant amount of offensive, factually unreliable, and otherwise toxic content.

What carries the argument

RealToxicityPrompts, a dataset of 100K naturally occurring sentence-level prompts from English web text paired with toxicity scores from a standard classifier, used to measure toxic degeneration rates and test steering methods.

If this is right

Pretraining corpora must be filtered more aggressively for offensive content before model training.
Controllable generation techniques require further development to achieve reliable safety guarantees.
Evaluation benchmarks like RealToxicityPrompts become necessary for testing future language models.
Safe deployment of pretrained LMs cannot rely solely on post-hoc steering methods.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

Models trained on larger but similarly unfiltered web data will likely exhibit the same or higher rates of toxic degeneration.
Creating parallel prompt sets in other languages would allow direct comparison of toxicity patterns across linguistic communities.
The gap between filtered and unfiltered pretraining data suggests that data curation itself could be treated as a core research problem rather than an engineering step.

Load-bearing premise

The automated toxicity classifier produces scores that reliably match human judgments of toxicity for both prompts and model generations.

What would settle it

A large-scale human annotation study in which raters score the toxicity of model outputs on the same prompts and agreement with the classifier falls below a high threshold such as 80 percent.

read the original abstract

Pretrained neural language models (LMs) are prone to generating racist, sexist, or otherwise toxic language which hinders their safe deployment. We investigate the extent to which pretrained LMs can be prompted to generate toxic language, and the effectiveness of controllable text generation algorithms at preventing such toxic degeneration. We create and release RealToxicityPrompts, a dataset of 100K naturally occurring, sentence-level prompts derived from a large corpus of English web text, paired with toxicity scores from a widely-used toxicity classifier. Using RealToxicityPrompts, we find that pretrained LMs can degenerate into toxic text even from seemingly innocuous prompts. We empirically assess several controllable generation methods, and find that while data- or compute-intensive methods (e.g., adaptive pretraining on non-toxic data) are more effective at steering away from toxicity than simpler solutions (e.g., banning "bad" words), no current method is failsafe against neural toxic degeneration. To pinpoint the potential cause of such persistent toxic degeneration, we analyze two web text corpora used to pretrain several LMs (including GPT-2; Radford et. al, 2019), and find a significant amount of offensive, factually unreliable, and otherwise toxic content. Our work provides a test bed for evaluating toxic generations by LMs and stresses the need for better data selection processes for pretraining.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

RealToxicityPrompts supplies a practical public benchmark for toxic outputs and shows the problem persists across methods, though the numbers rest on one classifier's scores.

read the letter

RealToxicityPrompts is the part worth keeping. The authors built a 100k-prompt dataset from actual web text, attached toxicity scores from a standard classifier, and released it. They then run pretrained models on these prompts and measure how often the continuations turn toxic even when the prompt itself looks clean. They also test several controllable generation approaches and find that heavier methods reduce the rate more than simple filters, but nothing removes the issue. A quick check of the pretraining corpora shows why: they contain plenty of toxic material already.

Referee Report

2 major / 2 minor

Summary. The paper introduces RealToxicityPrompts, a dataset of 100K web-derived sentence-level prompts paired with toxicity scores from an automated classifier. It shows that pretrained LMs (e.g., GPT-2) generate toxic continuations even from low-toxicity prompts, evaluates several controllable generation methods and finds none fully effective at preventing toxic degeneration, and analyzes two web pretraining corpora for toxic content.

Significance. If the central findings hold, the work supplies a large-scale, publicly released benchmark for measuring toxic degeneration in LMs and documents the limitations of existing detoxification techniques. The empirical demonstration that even data-intensive methods leave residual toxicity, together with the corpus analysis, underscores the need for improved data curation in pretraining. Releasing the prompt set and associated code strengthens reproducibility.

major comments (2)

[Sections 4–5 and Tables 2–4] The quantitative claims in the experiments (e.g., toxicity rates in Tables 2–4 and the “no method is failsafe” conclusion) rest exclusively on scores from a single automated classifier applied to model generations. The manuscript reports classifier validation only for the prompts themselves; no large-scale human re-annotation or agreement study is described for the actual continuations produced by GPT-2, CTRL, or the controllable methods. Classifier misalignment on subtle toxicity, reclaimed language, or domain slang would directly affect the reported degeneration rates and the comparative effectiveness of methods.
[Section 6] The analysis of toxic content in the pretraining corpora (Section 6) uses the same classifier without reporting precision/recall on a held-out sample of web text or discussing how domain shift between prompts and full documents might affect scores. This weakens the causal link drawn between corpus toxicity and observed degeneration.

minor comments (2)

[Section 3] Specify the exact version and threshold settings of the toxicity classifier (Perspective API or equivalent) and any post-processing steps applied to generations.
[Section 5] Add a brief discussion of potential false-positive patterns observed in the generated text (e.g., over-flagging of certain identity terms) to help readers interpret the absolute toxicity percentages.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive comments and the recommendation for minor revision. We address each major comment below and have updated the manuscript with additional discussion and caveats on the use of the automated classifier.

read point-by-point responses

Referee: [Sections 4–5 and Tables 2–4] The quantitative claims in the experiments (e.g., toxicity rates in Tables 2–4 and the “no method is failsafe” conclusion) rest exclusively on scores from a single automated classifier applied to model generations. The manuscript reports classifier validation only for the prompts themselves; no large-scale human re-annotation or agreement study is described for the actual continuations produced by GPT-2, CTRL, or the controllable methods. Classifier misalignment on subtle toxicity, reclaimed language, or domain slang would directly affect the reported degeneration rates and the comparative effectiveness of methods.

Authors: We thank the referee for highlighting this limitation. The Perspective API is a widely validated tool in prior toxicity research, and we applied it uniformly to prompts and generations to support consistent comparisons across methods. We agree that misalignment on subtle cases could affect absolute rates. In the revised manuscript we have added a dedicated Limitations paragraph in Section 4 that discusses known classifier weaknesses (including reclaimed language and slang), cites relevant validation studies, and notes that our core comparative claims remain robust under uniform scoring. We did not perform new large-scale human annotation due to cost, but the added discussion directly addresses the concern. revision: yes
Referee: [Section 6] The analysis of toxic content in the pretraining corpora (Section 6) uses the same classifier without reporting precision/recall on a held-out sample of web text or discussing how domain shift between prompts and full documents might affect scores. This weakens the causal link drawn between corpus toxicity and observed degeneration.

Authors: We agree that explicit discussion of domain shift and classifier performance on full documents would strengthen the section. In the revised manuscript we have expanded Section 6 with a paragraph on domain differences between sentence-level prompts and full web documents, noting that the classifier was trained on similar online forum data and citing prior work on its applicability to web text. We acknowledge that new precision/recall figures on a held-out corpus sample are not provided (as large-scale re-annotation of the pretraining data was outside the scope of this work) and have added this as an explicit limitation, while emphasizing that the analysis is primarily comparative and correlational. revision: partial

Circularity Check

0 steps flagged

No significant circularity; claims rest on new dataset and external classifier outputs

full rationale

The paper constructs RealToxicityPrompts as a new collection of 100K web-derived prompts paired with scores from an external, widely-used toxicity classifier, then measures LM generations on those prompts using the identical classifier. No derivation step reduces by construction to its own inputs: there are no self-definitional equations, no fitted parameters renamed as predictions, and no load-bearing self-citations that justify the central premise. The GPT-2 citation is external and non-overlapping. The evaluation is directly falsifiable through the released dataset and classifier scores; any concern about classifier-human alignment is a validity issue, not a circular reduction of the reported measurements to the inputs.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The evaluation depends on the assumption that an automated toxicity classifier yields valid labels and that the sampled web text is representative of typical pretraining corpora.

axioms (1)

domain assumption Automated toxicity classifiers provide reliable proxies for human judgments of toxicity.
Used to score both prompts and model generations throughout the experiments.

pith-pipeline@v0.9.0 · 5554 in / 1070 out tokens · 61415 ms · 2026-05-15T18:16:59.965453+00:00 · methodology

discussion (0)

Forward citations

Cited by 18 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

The Safety-Aware Denoiser for Text Diffusion Models
cs.LG 2026-04 unverdicted novelty 7.0

SAD modifies the denoising process in text diffusion models to enforce safety constraints at inference time, reducing unsafe generations while preserving quality and diversity.
Local Linearity of LLMs Enables Activation Steering via Model-Based Linear Optimal Control
cs.LG 2026-04 conditional novelty 7.0

Local linearity of LLM layers enables LQR-based closed-loop activation steering with theoretical tracking guarantees.
SPASM: Stable Persona-driven Agent Simulation for Multi-turn Dialogue Generation
cs.CL 2026-04 accept novelty 7.0

SPASM introduces a stability-first framework with Egocentric Context Projection to maintain consistent personas and eliminate echoing in multi-turn LLM agent dialogues.
Steering Language Models With Activation Engineering
cs.CL 2023-08 unverdicted novelty 7.0

Activation Addition steers language models by adding contrastive activation vectors from prompt pairs to control high-level properties like sentiment and toxicity at inference time without training.
Navigating the Sea of LLM Evaluation: Investigating Bias in Toxicity Benchmarks
cs.AI 2026-05 unverdicted novelty 6.0

Toxicity benchmarks for LLMs produce inconsistent results when task type, input domain, or model changes, revealing intrinsic evaluation biases.
Guaranteed Jailbreaking Defense via Disrupt-and-Rectify Smoothing
cs.CR 2026-05 unverdicted novelty 6.0

DR-Smoothing introduces a disrupt-then-rectify prompt processing scheme into smoothing defenses, delivering tight theoretical bounds on success probability against both token- and prompt-level jailbreaks.
Query-efficient model evaluation using cached responses
cs.LG 2026-05 unverdicted novelty 6.0

DKPS-based methods leverage cached model responses to achieve equivalent benchmark prediction accuracy with substantially fewer queries than standard evaluation.
Dr. Post-Training: A Data Regularization Perspective on LLM Post-Training
cs.LG 2026-05 unverdicted novelty 6.0

Dr. Post-Training reframes general data as a data-induced regularizer for LLM post-training updates, yielding a family of methods that outperform data-selection baselines on SFT, RLHF, and RLVR tasks.
Representation-Guided Parameter-Efficient LLM Unlearning
cs.CL 2026-04 unverdicted novelty 6.0

REGLU guides LoRA-based unlearning via representation subspaces and orthogonal regularization to outperform prior methods on forget-retain trade-off in LLM benchmarks.
Relative Density Ratio Optimization for Stable and Statistically Consistent Model Alignment
cs.LG 2026-04 unverdicted novelty 6.0

Relative density ratio optimization stabilizes direct density ratio estimation for language model alignment while preserving statistical consistency without assuming a Bradley-Terry preference model.
SmoothLLM: Defending Large Language Models Against Jailbreaking Attacks
cs.LG 2023-10 accept novelty 6.0

SmoothLLM mitigates jailbreaking attacks on LLMs by randomly perturbing multiple copies of a prompt at the character level and aggregating the outputs to detect adversarial inputs.
GPTFUZZER: Red Teaming Large Language Models with Auto-Generated Jailbreak Prompts
cs.AI 2023-09 unverdicted novelty 6.0

GPTFuzz is a black-box fuzzing framework that mutates seed jailbreak templates to automatically generate effective attacks, achieving over 90% success rates on models including ChatGPT and Llama-2.
Ignore Previous Prompt: Attack Techniques For Language Models
cs.CL 2022-11 unverdicted novelty 6.0

PromptInject shows that simple adversarial prompts can cause goal hijacking and prompt leaking in GPT-3, exploiting its stochastic behavior.
Red Teaming Language Models to Reduce Harms: Methods, Scaling Behaviors, and Lessons Learned
cs.CL 2022-08 accept novelty 6.0

RLHF-aligned language models show increasing resistance to red teaming with scale up to 52B parameters, unlike prompted or rejection-sampled models, supported by a released dataset of 38,961 attacks.
Ethical and social risks of harm from Language Models
cs.CL 2021-12 accept novelty 6.0

The authors provide a detailed taxonomy of 21 risks associated with language models, covering discrimination, information leaks, misinformation, malicious applications, interaction harms, and societal impacts like job...
A General Language Assistant as a Laboratory for Alignment
cs.CL 2021-12 conditional novelty 6.0

Ranked preference modeling outperforms imitation learning for language model alignment and scales more favorably with model size.
The Role of Emotional Stimuli and Intensity in Shaping Large Language Model Behavior
cs.LG 2026-04 unverdicted novelty 5.0

Positive emotional prompts improve LLM accuracy and reduce toxicity but increase sycophantic agreement, while negative emotions show the reverse pattern.
Galactica: A Large Language Model for Science
cs.CL 2022-11 unverdicted novelty 5.0

Galactica, a science-specialized LLM, reports higher scores than GPT-3, Chinchilla, and PaLM on LaTeX knowledge, mathematical reasoning, and medical QA benchmarks while outperforming general models on BIG-bench.

Reference graph

Works this paper leans on

12 extracted references · 12 canonical work pages · cited by 18 Pith papers · 1 internal anchor

[1]

In Proceedings of the First Workshop on Gender Bias in Natural Language Processing, pages 33–39, Florence, Italy

Evaluating the underlying gender bias in con- textualized word embeddings. In Proceedings of the First Workshop on Gender Bias in Natural Language Processing, pages 33–39, Florence, Italy. Associa- tion for Computational Linguistics. Emily M. Bender and Batya Friedman. 2018. Data statements for natural language processing: Toward mitigating system bias an...

work page 2018
[2]

Enriching Word Vectors with Subword Information

Demographic dialectal variation in social me- dia: A case study of African-American English. In EMNLP. Piotr Bojanowski, Edouard Grave, Armand Joulin, and Tomas Mikolov. 2016. Enriching word vec- tors with subword information. arXiv preprint arXiv:1607.04606. Luke Breitfeller, Emily Ahn, David Jurgens, and Yu- lia Tsvetkov. 2019. Finding microaggressions ...

work page internal anchor Pith review Pith/arXiv arXiv 2016
[3]

In Proceedings of the 51st Annual Meeting of the Association for Compu- tational Linguistics (V olume 1: Long Papers), pages 250–259, Soﬁa, Bulgaria

A computational approach to politeness with application to social factors. In Proceedings of the 51st Annual Meeting of the Association for Compu- tational Linguistics (V olume 1: Long Papers), pages 250–259, Soﬁa, Bulgaria. Association for Computa- tional Linguistics. Sumanth Dathathri, Andrea Madotto, Janice Lan, Jane Hung, Eric Frank, Piero Molino, Jas...

work page 2020
[4]

Lucas Dixon, John Li, Jeffrey Scott Sorensen, Nithum Thain, and Lucy Vasserman

Communities: Participatory design for, with and by communities. Lucas Dixon, John Li, Jeffrey Scott Sorensen, Nithum Thain, and Lucy Vasserman. 2018. Measuring and mitigating unintended bias in text classiﬁcation. Proceedings of the 2018 AAAI/ACM Conference on AI, Ethics, and Society . Jesse Dodge, Suchin Gururangan, Dallas Card, Roy Schwartz, and Noah A....

work page 2018
[5]

In Proceedings of the 28th International Conference on International Conference on Machine Learning , ICML’11, page 10411048, Madison, WI, USA

Sparse additive generative models of text. In Proceedings of the 28th International Conference on International Conference on Machine Learning , ICML’11, page 10411048, Madison, WI, USA. Om- nipress. Ethan Fast, Tina Vachovsky, and Michael S. Bernstein

work page
[6]

Jessica Ficler and Yoav Goldberg

Shirtless and dangerous: Quantifying linguis- tic signals of gender bias in an online ﬁction writing community. Jessica Ficler and Yoav Goldberg. 2017. Controlling linguistic style aspects in neural language genera- tion. In Proceedings of the Workshop on Stylis- tic V ariation, pages 94–104, Copenhagen, Denmark. Association for Computational Linguistics....

work page 2017
[7]

The handbook of information and computer ethics, pages 69–101

Value sensitive design and information sys- tems. The handbook of information and computer ethics, pages 69–101. Sayan Ghosh, Mathieu Chollet, Eugene Laksana, Louis-Philippe Morency, and Stefan Scherer. 2017. Affect-LM: A neural language model for customiz- able affective text generation. In Proceedings of the 55th Annual Meeting of the Association for Co...

work page 2017
[8]

Proceedings of the National Academy of Sciences, 114(13):3521–3526

Overcoming catastrophic forgetting in neural networks. Proceedings of the National Academy of Sciences, 114(13):3521–3526. Pang Wei Koh and Percy Liang. 2017. Understanding black-box predictions via inﬂuence functions. In Proceedings of the 34th International Conference on Machine Learning - V olume 70 , ICML’17, page 18851894. JMLR.org. Keita Kurita, Nid...

work page 2017
[9]

Proceedings of the International AAAI Conference on Web and Social Media , 14(1):557– 568

Quick, community-speciﬁc learning: How distinctive toxicity norms are maintained in political subreddits. Proceedings of the International AAAI Conference on Web and Social Media , 14(1):557– 568. Anand Rajaraman and Jeffrey David Ullman. 2011. Mining of massive datasets . Cambridge University Press. Aja Romano. 2017. Reddit just banned one of its most to...

work page 2011
[10]

transforming

Neural machine translation of rare words with subword units. In Proceedings of the 54th An- nual Meeting of the Association for Computational Linguistics (V olume 1: Long Papers) , pages 1715– 1725, Berlin, Germany. Association for Computa- tional Linguistics. Serge Sharoff. 2020. Know thy corpus! robust methods for digital curation of web corpora. Emily ...

work page 2020
[11]

This ensures that we have a stratiﬁed sampling of toxic (TOXICITY ≥ 0.5) and non-toxic (TOXICITY ≤ 0.5) sentences

We then score each sentence with PERSPEC - TIVE API and sample 25,000 sentences per equally- sized interval of toxicity, for a total of 100,000 sentences. This ensures that we have a stratiﬁed sampling of toxic (TOXICITY ≥ 0.5) and non-toxic (TOXICITY ≤ 0.5) sentences. We ﬁrst ﬁlter non-English text withFAST TEXT (Bojanowski et al., 2016). We then split o...

work page 2016
[12]

woman”, “gay

versions of all pretrained models described 18http://toxicdegeneration.allenai.org in this section, implemented in the PyTorch (Paszke et al., 2019) deep learning framework. GPT-1 (Radford et al., 2018) GPT-1 is an au- toregressive transformer LM trained on BookCor- pus (Zhu et al., 2015), which contains text from 7,000 books. GPT-2 (Radford et al., 2019)...

work page 2019