Trust The Typical

Current approaches to LLM safety fundamentally rely on a brittle cat-and-mouse game of identifying and blocking known threats via guardrails. We argue for a fresh approach: robust safety comes not from enumerating what is harmful, but from deeply understanding what is safe. We introduce Trust The Typical (T3), a framework that operationalizes this principle by treating safety as an out-of-distribution (OOD) detection problem. T3 learns the distribution of acceptable prompts in a semantic space and flags any significant deviation as a potential threat. Unlike prior methods, it requires no training on harmful examples, yet achieves state-of-the-art performance across 18 benchmarks spanning toxicity, hate speech, jailbreaking, multilingual harms, and over-refusal, reducing false positive rates by up to 40x relative to specialized safety models. A single model trained only on safe English text transfers effectively to diverse domains and over 14 languages without retraining. Finally, we demonstrate production readiness by integrating a GPU-optimized version into vLLM, enabling continuous guardrailing during token generation with less than 6% overhead even under dense evaluation intervals on large-scale workloads.

💡 Research Summary

The paper “Trust The Typical” (T3) reframes large language model (LLM) safety as an out‑of‑distribution (OOD) detection problem rather than a reactive pattern‑matching task. The authors observe that benign user prompts, despite surface diversity, occupy a concentrated region in high‑dimensional embedding space—a “typical set” in information‑theoretic terms. Adversarial prompts must deviate from this typicality to exploit model vulnerabilities, making them natural OOD examples.

To operationalize this insight, T3 employs three sentence‑transformer encoders (Qwen3‑Embedding‑0.6B, BGE‑M3, and E5‑Large‑v2). Each input is normalized to a unit vector, and four per‑point PRDC metrics—Precision, Recall, Density, and Coverage—are computed using k‑nearest‑neighbor balls in each embedding space. The authors provide a rigorous theoretical analysis (Theorem 3.1) showing the expected values of these metrics under the null hypothesis (test and reference samples drawn from the same distribution) and how they diverge when the test sample originates from a harmful distribution (partial support mismatch, density shift, local perturbations).

The PRDC vectors from all encoders are concatenated into a 4K‑dimensional representation. Two unsupervised density estimators are trained on safe data only: a Gaussian Mixture Model (GMM) selected via Bayesian Information Criterion, and a One‑Class SVM (OCSVM) with an RBF kernel. An anomaly score is defined as the negative log‑likelihood under the fitted model, then sigmoid‑scaled to