arxiv: 2605.08116 · v1 · submitted 2026-04-28 · 💻 cs.LG · cs.AI

Recognition: 2 theorem links

· Lean Theorem

The Safety-Aware Denoiser for Text Diffusion Models

Amman Yusuf, Mijung Park, Zhejun Jiang

Authors on Pith no claims yet

Pith reviewed 2026-05-12 01:00 UTC · model grok-4.3

classification 💻 cs.LG cs.AI

keywords safety-aware denoisertext diffusion modelsinference-time safetydenoising processhazard taxonomyunsafe generationsjailbreak prevention

0 comments

The pith

Text diffusion models can be steered toward safe outputs by modifying the denoising process at inference time without retraining.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Text diffusion models generate text through an iterative denoising process but lack built-in controls for safety risks such as toxic or harmful content. The paper proposes the Safety-Aware Denoiser to integrate safety constraints directly into each denoising step, guiding the final output toward regions of the text space that satisfy safety criteria. This method operates at inference time and avoids the computational cost of retraining the base model. If the approach holds, it offers a practical way to make diffusion-based generation safer while keeping its advantages in quality and diversity over alternative architectures.

Core claim

The Safety-Aware Denoiser modifies the iterative denoising process in text diffusion models such that the text sample at the final step is steered toward provably safe regions of the text space. This inference-time framework integrates safety constraints into the denoiser itself, avoiding retraining of the underlying model and allowing flexible, lightweight guidance. Evaluations with respect to hazard taxonomy, memorization, and jailbreak show that the method substantially reduces unsafe generations while preserving generation quality, diversity, and fluency, and it outperforms existing safety approaches.

What carries the argument

The Safety-Aware Denoiser, which adjusts the denoising trajectory at each step to enforce safety constraints and direct outputs away from unsafe text regions.

If this is right

Substantially reduces unsafe generations across hazard taxonomy, memorization, and jailbreak scenarios.
Preserves generation quality, diversity, and fluency at levels comparable to the base diffusion model.
Enables safety enforcement at inference time without retraining the underlying diffusion model.
Outperforms post-hoc filtering and inference-time interventions designed for autoregressive models.
Provides a scalable mechanism for embedding safety constraints directly into the generative process.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

This separation of safety guidance from training could allow safety modules to be swapped or updated independently of the core model weights.
The method may extend naturally to other iterative generative processes, such as those used in image or audio diffusion, if analogous safe regions can be defined.
Overly strict definitions of safe regions might limit output creativity in open-ended tasks, suggesting a need for tunable safety thresholds.
If validated at larger scales, the technique could reduce reliance on post-generation filtering pipelines in deployed text systems.

Load-bearing premise

That it is possible to define provably safe regions in text space and steer the denoising process toward them without introducing new failure modes or degrading the original model's distribution.

What would settle it

A controlled comparison in which text samples generated with the Safety-Aware Denoiser trigger safety classifiers or human raters as unsafe at rates equal to or higher than samples from the unmodified diffusion model, or where standard metrics for fluency and diversity show a clear decline.

Figures

Figures reproduced from arXiv: 2605.08116 by Amman Yusuf, Mijung Park, Zhejun Jiang.

**Figure 1.** Figure 1: Safety–utility tradeoff. Change in unsafe rate (∆ unsafe; lower is better) versus change in perplexity (∆ PPL; lower is better) relative to the baseline. Colours indicate the time-window used for applying SAD . This is the same setting used in Section 5.1 with MDLM as the TDM. sponses from target models, where the conditioning prompts are malicious. We also use a benign control set to verify that SAD does … view at source ↗

**Figure 2.** Figure 2: Top: η sensitivity on LLaDA. Unsafe rate vs. η (log-scale); curves show different time-window configurations; dashed line is baseline. Bottom: Throughput (seq/s) vs. negation set size for MDLM and LLaDA; active steps are steps where SAD is applied (1024 tokens for MDLM, 256 for LLaDA). utility tradeoff. Sensitivity to η. Varying η, as shown in [PITH_FULL_IMAGE:figures/full_fig_p007_2.png] view at source ↗

**Figure 3.** Figure 3: Memorization–utility tradeoff. SAD η versus change in Fuzzy Overlap and BERTScore relative to the baseline. Colours indicate the time-window used for applying the SAD . (n, p)-discoverable extraction We additionally evaluate memorization under the framework of Luo et al. (2026), which measures the fraction of training sequences recoverable within a fixed query budget; SAD reduces extractability substantia… view at source ↗

**Figure 4.** Figure 4: Additional η sensitivity results Same setup as [PITH_FULL_IMAGE:figures/full_fig_p019_4.png] view at source ↗

**Figure 5.** Figure 5: Safety–utility tradeoff. Change in unsafe rate (∆ unsafe; lower is better) versus change in BERTScore (∆ BERTScore; lower is better) relative to the baseline. Colours indicate the time-window used for applying the SAD . This is the same setting used in Section 5.1 with MDLM as the TDM. Code Hazard category (S1–S14) S1 Violent Crimes: enabling/encouraging/endorsing unlawful violence toward people or animals… view at source ↗

read the original abstract

Recent work on text diffusion models offers a promising alternative to autoregressive generation, but controlling their safety remains underexplored. Existing safety approaches are geared toward autoregressive models and typically rely on post-hoc filtering or inference-time interventions. These are inadequate for effectively addressing safety risks in text diffusion models. We propose the Safety-Aware Denoiser (SAD), a safety-guidance framework in text diffusion models. The SAD modifies the iterative denoising process such that the text sample at the final denoising step is steered toward provably safe regions of the text space. This inference-time method can integrate safety constraints into the denoiser, avoiding computationally expensive retraining of the underlying diffusion model and enabling flexible, lightweight safety guidance. We evaluate the safety of the generated text using the SAD, with respect to hazard taxonomy, memorization, and jailbreak. Experimental results show that SAD substantially reduces unsafe generations while preserving generation quality, diversity, and fluency, outperforming existing methods. These results demonstrate that our safety guidance during denoising provides an effective and scalable mechanism for enforcing safety in text diffusion models.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

SAD adds safety constraints inside the denoising loop of text diffusion models at inference time, which is a practical step for this class of generators, but the 'provably safe' claim lacks visible technical grounding.

read the letter

The main point is that this paper puts safety guidance directly into the iterative denoising process for text diffusion models rather than relying on filters after generation or full retraining. That setup lets them steer the final sample toward safe regions while keeping the base model unchanged, which fits the lightweight, flexible style needed for these newer non-autoregressive generators.

Referee Report

3 major / 2 minor

Summary. The paper proposes the Safety-Aware Denoiser (SAD), an inference-time modification to the iterative denoising process in text diffusion models. SAD integrates safety constraints to steer final samples toward 'provably safe regions' of the text space without retraining the base model. It is evaluated on reductions in unsafe outputs across hazard taxonomy, memorization, and jailbreak scenarios, claiming substantial safety gains while preserving quality, diversity, and fluency, and outperforming prior methods.

Significance. If the technical claims hold, the work would offer a lightweight, scalable alternative to post-hoc safety filters for the emerging class of text diffusion models. An inference-time guidance mechanism that avoids retraining could lower barriers to safe deployment and generalize across diffusion architectures.

major comments (3)

[Abstract and §3] Abstract and §3 (Method): The central claim that SAD steers samples into 'provably safe regions' is unsupported by any derivation, update rule, or proof sketch. No equation is given showing how the denoiser is altered, how safety is formally enforced, or why the modification preserves the original data distribution rather than introducing bias.
[§5] §5 (Experiments): The assertion of 'substantially reduces unsafe generations' lacks quantitative backing in the provided text—no tables, exact percentages, baseline numbers, safety metric definitions, or statistical tests are shown. This makes it impossible to assess whether the experimental results support the claim or whether new failure modes were introduced.
[§4] §4 (Evaluation): The weakest assumption—that steering can be performed without degrading the underlying distribution or creating new unsafe modes—is stated but not tested. No ablation on the strength of the safety guidance or analysis of out-of-distribution safe samples is provided.

minor comments (2)

[Abstract] The abstract would be clearer if it briefly named the concrete safety metrics (e.g., specific classifiers or taxonomies) used in the evaluation.
[§3] Notation for the modified denoising step should be introduced explicitly with symbols rather than prose descriptions alone.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for their constructive and detailed feedback. We address each major comment point by point below. Where the manuscript requires clarification or additional material, we indicate that revisions will be made in the next version.

read point-by-point responses

Referee: [Abstract and §3] Abstract and §3 (Method): The central claim that SAD steers samples into 'provably safe regions' is unsupported by any derivation, update rule, or proof sketch. No equation is given showing how the denoiser is altered, how safety is formally enforced, or why the modification preserves the original data distribution rather than introducing bias.

Authors: We acknowledge that the original submission did not include a sufficiently detailed formal derivation. In the revised manuscript we will expand Section 3 with the explicit update rule for the safety-aware denoiser (incorporating a safety constraint term into the standard denoising step), a description of how the constraint is enforced at each iteration, and a proof sketch showing that, under an accurate safety oracle, the trajectory converges to a provably safe region. We will also add a discussion of the distributional effect, noting that the guidance is analogous to classifier-free guidance and therefore conditions rather than strictly preserves the unconditional distribution; we will support this with both theoretical remarks and the empirical quality results already present. revision: yes
Referee: [§5] §5 (Experiments): The assertion of 'substantially reduces unsafe generations' lacks quantitative backing in the provided text—no tables, exact percentages, baseline numbers, safety metric definitions, or statistical tests are shown. This makes it impossible to assess whether the experimental results support the claim or whether new failure modes were introduced.

Authors: We agree that the experimental claims must be supported by explicit numbers. In the revised version we will insert a summary table in Section 5 that reports exact unsafe-generation percentages for SAD and all baselines across the hazard taxonomy, memorization, and jailbreak settings, together with the precise definitions of each safety metric and the results of statistical significance tests. Our internal analysis did not reveal new failure modes, but we will state this explicitly with supporting evidence. revision: yes
Referee: [§4] §4 (Evaluation): The weakest assumption—that steering can be performed without degrading the underlying distribution or creating new unsafe modes—is stated but not tested. No ablation on the strength of the safety guidance or analysis of out-of-distribution safe samples is provided.

Authors: We accept that the assumption requires direct empirical verification. The revised manuscript will include an ablation study that varies the safety-guidance strength hyper-parameter and reports its effect on safety, quality, diversity, and fluency. We will also add an analysis of the generated samples to check for the emergence of new unsafe modes and will discuss the relationship between the enforced safe regions and the support of the original data distribution. revision: yes

Circularity Check

0 steps flagged

No significant circularity detected

full rationale

The paper presents SAD as an inference-time modification to the denoiser that steers text diffusion samples toward provably safe regions without retraining the base model. No equations, derivations, or parameter-fitting steps appear in the provided text that would reduce the safety claims to self-definitions, renamed inputs, or self-citation chains. The core argument rests on the conceptual integration of safety constraints during denoising, supported by experimental comparisons on hazard taxonomy, memorization, and jailbreak metrics. This structure keeps the derivation self-contained against external benchmarks rather than internally forced.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Review performed on abstract only; no explicit free parameters, axioms, or invented entities are stated. The claim of 'provably safe regions' implies an unstated mapping from text space to safety labels whose construction is not described.

pith-pipeline@v0.9.0 · 5487 in / 1051 out tokens · 30984 ms · 2026-05-12T01:00:30.502247+00:00 · methodology

discussion (0)

Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

IndisputableMonolith/Cost/FunctionalEquation.lean washburn_uniqueness_aczel unclear
Theorem 2.1 (Theorem 3.2 in (Kim et al., 2025). Safe vs. data/unsafe denoisers). There exists a nonnegative weight β∗(xt)—monotone in the posterior likelihood that xt originates from the unsafe set—such that EDsafe[x0|xt] = ED[x0|xt] + β∗(xt)(ED[x0|xt] − EDunsafe[x0|xt]).
IndisputableMonolith/Foundation/ArithmeticFromLogic.lean embed_injective unclear
q(xt|x0) = αt^∑ 1{xt= x0} (1−αt)^∑ 1{xt=m} (sequence factorization, eq. 6)

Reference graph

Works this paper leans on

54 extracted references · 54 canonical work pages · 3 internal anchors

[1]

The Thirty-eighth Annual Conference on Neural Information Processing Systems , year=

Simple and Effective Masked Diffusion Language Models , author=. The Thirty-eighth Annual Conference on Neural Information Processing Systems , year=

work page
[2]

Advances in Neural Information Processing Systems , editor=

Structured Denoising Diffusion Models in Discrete State-Spaces , author=. Advances in Neural Information Processing Systems , editor=. 2021 , url=

work page 2021
[3]

The Thirty-ninth Annual Conference on Neural Information Processing Systems , year=

Large Language Diffusion Models , author=. The Thirty-ninth Annual Conference on Neural Information Processing Systems , year=

work page
[4]

The Thirty-ninth Annual Conference on Neural Information Processing Systems , year=

Training-Free Safe Denoisers for Safe Use of Diffusion Models , author=. The Thirty-ninth Annual Conference on Neural Information Processing Systems , year=

work page
[5]

2025 , eprint=

Dream 7B: Diffusion Large Language Models , author=. 2025 , eprint=

work page 2025
[6]

2025 , eprint=

Simple Guidance Mechanisms for Discrete Diffusion Models , author=. 2025 , eprint=

work page 2025
[7]

2025 , eprint=

Adaptive Classifier-Free Guidance via Dynamic Low-Confidence Masking , author=. 2025 , eprint=

work page 2025
[8]

2025 , eprint=

The Devil behind the mask: An emergent safety vulnerability of Diffusion LLMs , author=. 2025 , eprint=

work page 2025
[9]

Shielded diffusion: Generating novel and diverse images using sparse repellency.arXiv preprint arXiv:2410.06025, 2024

Sparse Repellency for Shielded Generation in Text-to-image Diffusion Models , author=. arXiv preprint arXiv:2410.06025 , year=

work page arXiv
[10]

2026 , url=

Anonymous , booktitle=. 2026 , url=

work page 2026
[11]

The Llama 3 Herd of Models

The Llama 3 Herd of Models , author=. 2024 , booktitle =. 2407.21783 , archivePrefix=

work page internal anchor Pith review Pith/arXiv arXiv 2024
[12]

2025 , eprint=

DiffuGuard: How Intrinsic Safety is Lost and Found in Diffusion Large Language Models , author=. 2025 , eprint=

work page 2025
[13]

Realtoxicityprompts: Evaluating neural toxic degeneration in language models

RealToxicityPrompts: Evaluating Neural Toxic Degeneration in Language Models , author =. Findings of EMNLP , year =. 2009.11462 , archivePrefix =

work page arXiv 2009
[14]

2020 , note =

allenai/real-toxicity-prompts (Hugging Face Dataset Card) , howpublished =. 2020 , note =

work page 2020
[15]

Toxigen: A large-scale machine-generated dataset for adversarial and implicit hate speech detection

ToxiGen: A Large-Scale Machine-Generated Dataset for Adversarial and Implicit Hate Speech Detection , author =. arXiv preprint arXiv:2203.09509 , year =

work page arXiv
[16]

2022 , note =

toxigen/toxigen-data (Hugging Face Dataset Card) , howpublished =. 2022 , note =

work page 2022
[17]

arXiv preprint arXiv:2307.04657 , year =

BeaverTails: Towards Improved Safety Alignment of Large Language Models by Tailoring Toxicity Data , author =. arXiv preprint arXiv:2307.04657 , year =

work page arXiv
[18]

2023 , note =

PKU-Alignment/BeaverTails (Hugging Face Dataset Card) , howpublished =. 2023 , note =

work page 2023
[19]

2019 , note =

OpenWebText Corpus , author =. 2019 , note =

work page 2019
[20]

2025 , note =

Pretrained MDLM checkpoint (OpenWebText) , author =. 2025 , note =

work page 2025
[21]

2024 , note =

Llama Guard 3 (8B) Model Card and Hazard Taxonomy , author =. 2024 , note =

work page 2024
[22]

HarmBench: A Standardized Evaluation Framework for Automated Red Teaming and Robust Refusal

HarmBench: A Standardized Evaluation Framework for Automated Red Teaming and Robust Refusal , author =. arXiv preprint arXiv:2402.04249 , year =

work page internal anchor Pith review Pith/arXiv arXiv
[23]

2024 , note =

cais/HarmBench-Llama-2-13b-cls (Hugging Face Model Card) , howpublished =. 2024 , note =

work page 2024
[24]

2020 , eprint=

BERTScore: Evaluating Text Generation with BERT , author=. 2020 , eprint=

work page 2020
[25]

2021 , eprint=

MAUVE: Measuring the Gap Between Neural Text and Human Text using Divergence Frontiers , author=. 2021 , eprint=

work page 2021
[26]

2020 , eprint=

Plug and Play Language Models: A Simple Approach to Controlled Text Generation , author=. 2020 , eprint=

work page 2020
[27]

InFindings of the Association for Computational Linguistics: EMNLP 2021, Marie-Francine Moens, Xuanjing Huang, Lucia Specia, and Scott Wen-tau Yih (Eds.)

Krause, Ben and Gotmare, Akhilesh Deepak and McCann, Bryan and Keskar, Nitish Shirish and Joty, Shafiq and Socher, Richard and Rajani, Nazneen Fatema. G e D i: Generative Discriminator Guided Sequence Generation. Findings of the Association for Computational Linguistics: EMNLP 2021. 2021. doi:10.18653/v1/2021.findings-emnlp.424

work page doi:10.18653/v1/2021.findings-emnlp.424 2021
[28]

Smith, and Yejin Choi

Liu, Alisa and Sap, Maarten and Lu, Ximing and Swayamdipta, Swabha and Bhagavatula, Chandra and Smith, Noah A. and Choi, Yejin. DE xperts: Decoding-Time Controlled Text Generation with Experts and Anti-Experts. Proceedings of the 59th Annual Meeting of the Association for Computational Linguistics and the 11th International Joint Conference on Natural Lan...

work page doi:10.18653/v1/2021.acl-long.522 2021
[29]

DIESEL : A Lightweight Inference-Time Safety Enhancement for Language Models

Ganon, Ben and Zolfi, Alon and Hofman, Omer and Singh, Inderjeet and Kojima, Hisashi and Elovici, Yuval and Shabtai, Asaf. DIESEL : A Lightweight Inference-Time Safety Enhancement for Language Models. Findings of the Association for Computational Linguistics: ACL 2025. 2025. doi:10.18653/v1/2025.findings-acl.1223

work page doi:10.18653/v1/2025.findings-acl.1223 2025
[30]

2022 , eprint=

Constitutional AI: Harmlessness from AI Feedback , author=. 2022 , eprint=

work page 2022
[31]

2025 , eprint=

Jailbreaking Large Language Diffusion Models: Revealing Hidden Safety Flaws in Diffusion-Based Text Generation , author=. 2025 , eprint=

work page 2025
[32]

Concrete Score Matching: Generalized Score Matching for Discrete Data , url =

Meng, Chenlin and Choi, Kristy and Song, Jiaming and Ermon, Stefano , booktitle =. Concrete Score Matching: Generalized Score Matching for Discrete Data , url =

work page
[33]

Proceedings of the 41st International Conference on Machine Learning , pages =

Discrete Diffusion Modeling by Estimating the Ratios of the Data Distribution , author =. Proceedings of the 41st International Conference on Machine Learning , pages =. 2024 , editor =

work page 2024
[34]

Simplified and Generalized Masked Diffusion for Discrete Data , url =

Shi, Jiaxin and Han, Kehang and Wang, Zhe and Doucet, Arnaud and Titsias, Michalis , booktitle =. Simplified and Generalized Masked Diffusion for Discrete Data , url =. doi:10.52202/079017-3277 , editor =

work page doi:10.52202/079017-3277
[35]

2025 , eprint=

Your Absorbing Discrete Diffusion Secretly Models the Conditional Distributions of Clean Data , author=. 2025 , eprint=

work page 2025
[36]

2025 , eprint=

MMaDA: Multimodal Large Diffusion Language Models , author=. 2025 , eprint=

work page 2025
[37]

2025 , eprint=

DiffuCoder: Understanding and Improving Masked Diffusion Models for Code Generation , author=. 2025 , eprint=

work page 2025
[38]

2023 , eprint=

Llama Guard: LLM-based Input-Output Safeguard for Human-AI Conversations , author=. 2023 , eprint=

work page 2023
[39]

2025 , eprint=

LLaDA 1.5: Variance-Reduced Preference Optimization for Large Language Diffusion Models , author=. 2025 , eprint=

work page 2025
[40]

WildTeaming at Scale: From In-the-Wild Jailbreaks to (Adversarially) Safer Language Models , url =

Jiang, Liwei and Rao, Kavel and Han, Seungju and Ettinger, Allyson and Brahman, Faeze and Kumar, Sachin and Mireshghallah, Niloofar and Lu, Ximing and Sap, Maarten and Choi, Yejin and Dziri, Nouha , booktitle =. WildTeaming at Scale: From In-the-Wild Jailbreaks to (Adversarially) Safer Language Models , url =. doi:10.52202/079017-1493 , editor =

work page doi:10.52202/079017-1493
[41]

and Tram\`

Chao, Patrick and Debenedetti, Edoardo and Robey, Alexander and Andriushchenko, Maksym and Croce, Francesco and Sehwag, Vikash and Dobriban, Edgar and Flammarion, Nicolas and Pappas, George J. and Tram\`. JailbreakBench: An Open Robustness Benchmark for Jailbreaking Large Language Models , url =. Advances in Neural Information Processing Systems , doi =

work page
[42]

2023 , eprint=

Universal and Transferable Adversarial Attacks on Aligned Language Models , author=. 2023 , eprint=

work page 2023
[43]

A StrongREJECT for Empty Jailbreaks , url =

Souly, Alexandra and Lu, Qingyuan and Bowen, Dillon and Trinh, Tu and Hsieh, Elvis and Pandey, Sana and Abbeel, Pieter and Svegliato, Justin and Emmons, Scott and Watkins, Olivia and Toyer, Sam , booktitle =. A StrongREJECT for Empty Jailbreaks , url =. doi:10.52202/079017-3984 , editor =

work page doi:10.52202/079017-3984
[44]

Pointer Sentinel Mixture Models

Pointer sentinel mixture models , author=. arXiv preprint arXiv:1609.07843 , year=

work page internal anchor Pith review Pith/arXiv arXiv
[45]

2023 , eprint=

Detecting Language Model Attacks with Perplexity , author=. 2023 , eprint=

work page 2023
[46]

International Conference on Learning Representations , year=

DEBERTA: DECODING-ENHANCED BERT WITH DISENTANGLED ATTENTION , author=. International Conference on Learning Representations , year=

work page
[47]

Proceedings of the 61st Annual Meeting of the Association for Computational Linguistics (ACL) , year=

Preventing Generation of Verbatim Memorization in Language Models Gives a False Sense of Privacy , author=. Proceedings of the 61st Annual Meeting of the Association for Computational Linguistics (ACL) , year=

work page
[48]

USENIX Security Symposium , year=

Extracting Training Data from Large Language Models , author=. USENIX Security Symposium , year=

work page
[49]

Nature Machine Intelligence , author =

Defending. Nature Machine Intelligence , author =. 2023 , pages =. doi:10.1038/s42256-023-00765-8 , abstract =

work page doi:10.1038/s42256-023-00765-8 2023
[50]

Proceedings of the 42nd International Conference on Machine Learning , pages =

A General Framework for Inference-time Scaling and Steering of Diffusion Models , author =. Proceedings of the 42nd International Conference on Machine Learning , pages =. 2025 , editor =

work page 2025
[51]

2026 , eprint=

Characterizing Memorization in Diffusion Language Models: Generalized Extraction and Sampling Effects , author=. 2026 , eprint=

work page 2026
[52]

2026 , eprint=

ILRR: Inference-Time Steering Method for Masked Diffusion Language Models , author=. 2026 , eprint=

work page 2026
[53]

2026 , eprint=

Inference-Time Scaling of Diffusion Language Models via Trajectory Refinement , author=. 2026 , eprint=

work page 2026
[54]

2025 , eprint=

Know Thy Judge: On the Robustness Meta-Evaluation of LLM Safety Judges , author=. 2025 , eprint=

work page 2025