[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"doc-detail-82602-en":3,"doc-seo-82602-105":29,"detail-sidebar-cat-0-en-105":91},{"code":4,"msg":5,"data":6},0,"success",{"doc_id":7,"user_id":8,"nickname":9,"user_avatar":10,"doc_module":4,"category_id":11,"category_name":12,"doc_title":13,"doc_description":14,"doc_content":15,"file_id":16,"file_url":17,"file_type":18,"file_size":19,"view_count":20,"is_deleted":4,"is_public":20,"is_downloadable":20,"audit_status":20,"page_count":21,"language":22,"language_code":23,"site_id":24,"html_lang":23,"table_of_contents":25,"faqs":26,"seo_title":13,"seo_description":14,"update_tm":27,"read_time":28},82602,8796095360427,"Lucas Martin","https://ap-avatar.wpscdn.com/davatar_994ba38a5ba835b3df7d355c54d3ed8d",8,"Research & Report","Cognitive Firewall: A Proactive, Zero-Trust, Multi-Gate Framework for LLM Safety","Large language models (LLMs) can be steered to produce harmful content through multi-turn strategies where no single user message is clearly unsafe. Existing runtime safeguards typically score prompts or responses in isolation, limiting recovery of accumulated intent, verification of claimed authority, and detection of harmful objectives decomposed across dialogue. The Cognitive Firewall introduces proactive runtime oversight with four categorical gates—intent, zero-trust context, consistency, and output risk—combined via escalation for auditable blocking. Experiments on jailbreak benchmarks show attack success drops to 2% or below on three sets and to 14% on a human-crafted set, while keeping an 8% refusal-rate.","Cognitive Firewall: A Proactive, Zero-Trust, Multi-Gate Framework for LLM Safety  \nMichele Guida 1 , Ruslan Shikhhamzayev2 , Sindhuja Penchala2 , Stefano Iannucci 1 , Jiacheng Li2 , Shahram Rahimi2 , and Noorbakhsh Amiri Golilarz2  \n1Roma Tre University, Rome, Italy  \n2The University of Alabama, Tuscaloosa, AL, USA  \narXiv :2607 .0 1277v 1 [ cs .CR] 1 Jul 2026  \nAbstract—Large language models (LLMs) can be induced to produce harmful content through multi turn strategies in which no single user message appears clearly unsafe. Existing runtime safeguards commonly evaluate prompts or responses as isolated messages, which limits their ability to recover accumulated intent, verify asserted authority, or detect harmful objectives decomposed across a dialogue. This paper presents the Cognitive Firewall, a proactive runtime oversight framework that interposes an independent oversight model between a user and a protected target model. The framework decomposes safety assessment into four categorical gates: an intent gate that identifies the operational objective of a request, a zero trust context gate that treats claimed roles and permissions as unverified evidence, a consistency gate that detects escalation and decomposition across turns, and an output risk gate that inspects candidate responses before release. Gate decisions are combined through escalation rather than score averaging, allowing any confident danger signal to block an interaction while preserving an auditable rationale. Experiments on four jailbreak benchmarks and a benign safety test set show that the Cognitive Firewall substantially reduces attack success across single turn, multi turn, authority based, and human crafted attacks. It lowers attack success to 2 percent or below on three attack sets and to 14 percent on the most difficult human crafted set, while maintaining an 8 percent over refusal rate. These results indicate that decomposed, conversation level oversight can improve proactive containment and auditability for LLM safety.  \nIndex Terms—AI safety, cognitive oversight, conversationlevel safety, intent recognition, jailbreak defense, large language models, multi-turn attacks, proactive moderation, zero-trust  \nI. INTRODUCTION  \nContemporary LLM guardrails are predominantly formulated as harm classifiers [1]–[4] . They score each prompt and each response against a fixed catalogue of harms, then admit or refuse it in isolation. We argue that guarding a model is a comprehension problem, not a classification one, and that the classifier framing is why a patient adversary can still extract restricted content from a defended model. Harm need not appear in any single message. It can reside in the interaction as a whole, whether in the objective a user steers toward, inan authority the user asserts but does not hold, or in a goal assembled from individually innocuous parts.  \nDeployed safety operates almost entirely at the level of the single message. Training-time alignment writes refusal into the weights [5], [6], yet adversarial prompting routinely circumvents it [7] . The runtime layer meant to compensate  \nconsists of moderation and guard models such as Llama Guard [1] and ShieldGemma [2], which score each prompt and response in isolation. Their central limitation is what they observe, not when they act, since input filters already run before generation. A per-message classifier carries no model of the user’s evolving objective, retains no memory of the conversational trajectory, and has no means of judging whether a claimed role or authority warrants belief.  \nA mature class of attacks exploits this gap. Crescendo escalates from an innocuous opening and uses the model’sown replies as leverage [8], while ActorAttack splits a forbidden objective into a network of individually benign subquestions [9] . Human red-teamers routinely defeat defenses that withstand automated single-turn attacks [10], and harm that emerges only as a conversation unfolds has motivated","cbCailBPMfv9kU26","https://ap.wps.com/l/cbCailBPMfv9kU26","pdf",260023,1,9,"English","en",105,"# Introduction\n## Motivation: Limits of per-message guardrails\n## Cognitive Firewall overview and approach","[{\"question\":\"为什么现有的运行时防护很难有效阻止多轮攻击？\",\"answer\":\"因为多数防护把每条提示或每条回复当作独立单元进行评分，无法建模用户不断演化的目标、验证对方所宣称的权限，也难以识别对话中把危险目标分解后逐步拼装出来的情形。\"},{\"question\":\"Cognitive Firewall 的核心机制是什么？\",\"answer\":\"它在用户与受保护目标模型之间插入一个独立的监督模型，并将安全评估拆分为四个门：意图门、零信任上下文门、一致性门与输出风险门；只要任一门判断交互存在危险，就通过升级策略阻断。\"},{\"question\":\"实验结果表明该框架能显著降低哪类攻击的成功率？\",\"answer\":\"在四个越狱基准以及一个良性安全测试集上，框架能显著降低攻击成功率，特别是在单轮、多轮、基于权威以及人工构造的攻击中表现更好。\"}]",1784181739,23,{"code":4,"msg":30,"data":31},"ok",{"site_id":24,"language":23,"slug":32,"title":13,"keywords":33,"description":14,"schema_data":34,"social_meta":86,"head_meta":88,"extra_data":90,"updated_unix":27},"cognitive-firewall-a-proactive-zero-trust-multi-gate-framework-for-llm-safety","",{"@graph":35,"@context":85},[36,53,68],{"@type":37,"itemListElement":38},"BreadcrumbList",[39,43,47,50],{"item":40,"name":41,"@type":42,"position":20},"https://docshare.wps.com","Home","ListItem",{"item":44,"name":45,"@type":42,"position":46},"https://docshare.wps.com/document/","Document",2,{"item":48,"name":12,"@type":42,"position":49},"https://docshare.wps.com/document/research-report/",3,{"item":51,"name":13,"@type":42,"position":52},"https://docshare.wps.com/document/cognitive-firewall-a-proactive-zero-trust-multi-gate-framework-for-llm-safety/82602/",4,{"url":51,"name":13,"@type":54,"author":55,"headline":13,"publisher":57,"fileFormat":60,"inLanguage":23,"description":14,"dateModified":61,"datePublished":62,"encodingFormat":60,"isAccessibleForFree":63,"interactionStatistic":64},"DigitalDocument",{"name":9,"@type":56},"Person",{"url":40,"name":58,"@type":59},"DocShare","Organization","application/pdf","2026-07-17","2026-07-16",true,{"@type":65,"interactionType":66,"userInteractionCount":20},"InteractionCounter",{"@type":67},"ViewAction",{"@type":69,"mainEntity":70},"FAQPage",[71,77,81],{"name":72,"@type":73,"acceptedAnswer":74},"为什么现有的运行时防护很难有效阻止多轮攻击？","Question",{"text":75,"@type":76},"因为多数防护把每条提示或每条回复当作独立单元进行评分，无法建模用户不断演化的目标、验证对方所宣称的权限，也难以识别对话中把危险目标分解后逐步拼装出来的情形。","Answer",{"name":78,"@type":73,"acceptedAnswer":79},"Cognitive Firewall 的核心机制是什么？",{"text":80,"@type":76},"它在用户与受保护目标模型之间插入一个独立的监督模型，并将安全评估拆分为四个门：意图门、零信任上下文门、一致性门与输出风险门；只要任一门判断交互存在危险，就通过升级策略阻断。",{"name":82,"@type":73,"acceptedAnswer":83},"实验结果表明该框架能显著降低哪类攻击的成功率？",{"text":84,"@type":76},"在四个越狱基准以及一个良性安全测试集上，框架能显著降低攻击成功率，特别是在单轮、多轮、基于权威以及人工构造的攻击中表现更好。","https://schema.org",{"og:url":51,"og:type":87,"og:title":13,"og:site_name":58,"og:description":14},"article",{"robots":89,"canonical":51},"index,follow",{"doc_id":7,"site_id":24},{"code":4,"msg":5,"data":92},[93,97,101,105,110,115,120,123,127,130,134],{"id":20,"doc_module":4,"doc_module_name":45,"category_name":94,"show_sort_weight":95,"slug":96},"Story & Novel",90,"story-novel",{"id":46,"doc_module":4,"doc_module_name":45,"category_name":98,"show_sort_weight":99,"slug":100},"Literature",80,"literature",{"id":52,"doc_module":4,"doc_module_name":45,"category_name":102,"show_sort_weight":103,"slug":104},"Exam",70,"exam",{"id":106,"doc_module":4,"doc_module_name":45,"category_name":107,"show_sort_weight":108,"slug":109},5,"Comic",60,"comic",{"id":111,"doc_module":4,"doc_module_name":45,"category_name":112,"show_sort_weight":113,"slug":114},6,"Technology",50,"technology",{"id":116,"doc_module":4,"doc_module_name":45,"category_name":117,"show_sort_weight":118,"slug":119},7,"Healthcare",40,"healthcare",{"id":11,"doc_module":4,"doc_module_name":45,"category_name":12,"show_sort_weight":121,"slug":122},30,"research-report",{"id":21,"doc_module":4,"doc_module_name":45,"category_name":124,"show_sort_weight":125,"slug":126},"Religion & Spirituality",20,"religion-spirituality",{"id":125,"doc_module":4,"doc_module_name":45,"category_name":128,"show_sort_weight":125,"slug":129},"World Cup","world-cup",{"id":131,"doc_module":4,"doc_module_name":45,"category_name":132,"show_sort_weight":131,"slug":133},10,"Lifestyle","lifestyle",{"id":135,"doc_module":4,"doc_module_name":45,"category_name":136,"show_sort_weight":106,"slug":137},19,"General","general"]