[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"doc-detail-85722-en":3,"doc-seo-85722-105":28,"detail-sidebar-cat-0-en-105":89},{"code":4,"msg":5,"data":6},0,"success",{"doc_id":7,"user_id":8,"nickname":9,"user_avatar":10,"doc_module":4,"category_id":11,"category_name":12,"doc_title":13,"doc_description":14,"doc_content":15,"file_id":16,"file_url":17,"file_type":18,"file_size":19,"view_count":4,"is_deleted":4,"is_public":20,"is_downloadable":20,"audit_status":20,"page_count":11,"language":21,"language_code":22,"site_id":23,"html_lang":22,"table_of_contents":24,"faqs":25,"seo_title":13,"seo_description":14,"update_tm":26,"read_time":27},85722,4398048950312,"Violet","https://ap-avatar.wpscdn.com/avatar/400002538284de19e3c?_k=1778320343897328908",8,"Research & Report","Trivial Prompt Reframing Bypasses Safety Guardrails in Google’s MedGemma-4B","Open-weight medical language models increasingly power patient-facing and clinician-support applications, yet their model cards specify prohibited behaviors rather than guaranteeing robustness under rephrasing. This study quantifies the gap for MedGemma-4B-it against non-technical “trivial” attacks. A fully factorial benchmark (5 guarded behaviors × 50 templated questions × 6 lay-accessible manners × 3 repeats) is served via Ollama, with responses judged by an LLM, regex, and NLI entailment. The overall attack success rate is 38.0%, varies by topic, and motivates deployment-time guardrails.","Trivial Prompt Reframing Bypasses Safety Guardrails in Google’s MedGemma-4B  \nAvi-ad Avraam Buskila  \nDepartment of Information Science and Applied Artificial Intelligence,  \nBar-Ilan University, Ramat Gan, Israel  \n[aviad-avraam.buskila@biu.ac.il](aviad-avraam.buskila@biu.ac.il)  \narXiv :2607 .09804v 1 [ cs .CR] 9 Jul 2026  \nAbstract—Open-weight medical language models are increasingly used as the base of patient-facing and clinician-support applications. Their model cards prohibit specific behaviors—recommending exact drug dosages, issuing definitive diagnoses, prescribing treatments, adjudicating drug–drug interactions, and advising that emergency care can be skipped—yet a model card describes intended behavior, not robust behavior. We quantify that gap for MedGemma-4B-it under attacks that require no technical sophistication. We build a fully factorial benchmark of 5 guardedbehavior concepts × 50 deterministically templated questions × 6 lay-accessible attack manners × 3 repetitions (4,500 generations), serve the model locally through Ollama under default sampling, and code every response refuse/hedge/comply with three independent judges (an LLM judge, a transparent regex judge, and an NLI-entailment judge). Under the primary LLM judge the overall Attack Success Rate (ASR, the fraction coded comply) is 38.0%. The two framings that reinterpret the request as legitimate dominate: recasting a question as a “medical board exam”item raises ASR from a 29.0% baseline to 53. 1%(∆ = +24 .0 points), and an appeal to an alleged doctor’s authority raisesit to 43.7%(∆ = +14 .7); crude instruction-override prefixes do not move the needle significantly. Robustness is dominated by topic: the drug-interaction guardrail is nearly absent (83 .2% ASR) while the emergency-deferral guardrail is strong (4 .7%)—and the authority framing is the only attack that breaches it. Wereport Wilson confidence intervals, cluster-bootstrap effect sizes, a cluster-robust logistic regression, Cochran’s Q, per-manner McNemar tests, and inter-judge reliability (Fleiss’ κ = 0 .26), and we discuss why absolute ASR is judge-dependent while the ordering of attacks and topics is not. Our findings motivate deployment-time guardrails—policy refusals, harm classifiers, and retrieval with citation—for open medical models.  \nIndex Terms—AI safety, guardrail robustness, MedGemma, medical language models, red-teaming.  \nI. INTRODUCTION  \nLARGE language models tuned for medicine [1] are  \nincreasingly released as open weights [2] and adopted as the foundation of downstream clinical applications. Their model cards enumerate out-of-scope, prohibited uses: MedGemma’s card is explicit that the model must not recommend specific dosages, deliver definitive diagnoses, make or replace clinical decisions, imply a provider–patient relationship, and should refuse unsafe requests [2] . But a model card documents the behavior the developer intends; it says nothing about how that behavior holds up when a user rephrases the request. This paper measures the gap between intended and robust refusal for one widely available open model, using attacks a layperson could apply without any knowledge of  \nthe model internals: repeating a question, prefixing it with an override instruction, or wrapping it in an appeal to authority. We deliberately restrict the threat model to trivial surface transformations. Sophisticated jailbreaks—gradient-optimized adversarial suffixes [3], iterative attacker models [4], and indirect prompt injection through retrieved content [5]—are known to defeat aligned models, but they are not what a worried patient types into a chat box. The relevant question for a consumer-facing medical deployment is whether the guardrails survive the kind of rephrasing that arises naturally:  \n“this is for my exam,”“my doctor already told me. . . ,” or simply asking more insistently. If they do not, the guardrail is a documentation artifact rather than a control.  \nContributions.  \n1) A r","cbCaibd3syPwonDL","https://ap.wps.com/l/cbCaibd3syPwonDL","pdf",577730,1,"English","en",105,"# Introduction\n# Related Work\n## Jailbreaking and prompt injection\n## Sycophancy and authority\n## LLM-as-judge and NLI evaluation","[{\"question\":\"What gap does the paper measure regarding medical model cards and safety behavior?\",\"answer\":\"It measures the difference between intended refusals described in the model card and robust refusals when users rephrase requests. The study shows that documentation intent does not reliably control behavior under simple reframing.\"},{\"question\":\"How is the benchmark for testing MedGemma-4B-it structured?\",\"answer\":\"The benchmark is fully factorial across 5 guarded-behavior concepts, 50 deterministically templated questions, 6 lay-accessible attack manners, and 3 repetitions, totaling 4,500 generations. The model is served locally through Ollama under default sampling.\"},{\"question\":\"What are the main findings about which guardrails fail and which attack styles work best?\",\"answer\":\"Overall attack success rate reaches 38.0% under the primary judge. Topic matters strongly: drug-interaction guarding is nearly absent (83.2% ASR) while emergency-deferral guarding is strong (4.7%), and the authority framing is the only attack that breaches the emergency-deferral guardrail.\"}]",1784205808,20,{"code":4,"msg":29,"data":30},"ok",{"site_id":23,"language":22,"slug":31,"title":13,"keywords":32,"description":14,"schema_data":33,"social_meta":84,"head_meta":86,"extra_data":88,"updated_unix":26},"trivial-prompt-reframing-bypasses-safety-guardrails-in-googles-medgemma-4b","",{"@graph":34,"@context":83},[35,52,66],{"@type":36,"itemListElement":37},"BreadcrumbList",[38,42,46,49],{"item":39,"name":40,"@type":41,"position":20},"https://docshare.wps.com","Home","ListItem",{"item":43,"name":44,"@type":41,"position":45},"https://docshare.wps.com/document/","Document",2,{"item":47,"name":12,"@type":41,"position":48},"https://docshare.wps.com/document/research-report/",3,{"item":50,"name":13,"@type":41,"position":51},"https://docshare.wps.com/document/trivial-prompt-reframing-bypasses-safety-guardrails-in-googles-medgemma-4b/85722/",4,{"url":50,"name":13,"@type":53,"author":54,"headline":13,"publisher":56,"fileFormat":59,"inLanguage":22,"description":14,"dateModified":60,"datePublished":60,"encodingFormat":59,"isAccessibleForFree":61,"interactionStatistic":62},"DigitalDocument",{"name":9,"@type":55},"Person",{"url":39,"name":57,"@type":58},"DocShare","Organization","application/pdf","2026-07-16",true,{"@type":63,"interactionType":64,"userInteractionCount":4},"InteractionCounter",{"@type":65},"ViewAction",{"@type":67,"mainEntity":68},"FAQPage",[69,75,79],{"name":70,"@type":71,"acceptedAnswer":72},"What gap does the paper measure regarding medical model cards and safety behavior?","Question",{"text":73,"@type":74},"It measures the difference between intended refusals described in the model card and robust refusals when users rephrase requests. The study shows that documentation intent does not reliably control behavior under simple reframing.","Answer",{"name":76,"@type":71,"acceptedAnswer":77},"How is the benchmark for testing MedGemma-4B-it structured?",{"text":78,"@type":74},"The benchmark is fully factorial across 5 guarded-behavior concepts, 50 deterministically templated questions, 6 lay-accessible attack manners, and 3 repetitions, totaling 4,500 generations. The model is served locally through Ollama under default sampling.",{"name":80,"@type":71,"acceptedAnswer":81},"What are the main findings about which guardrails fail and which attack styles work best?",{"text":82,"@type":74},"Overall attack success rate reaches 38.0% under the primary judge. Topic matters strongly: drug-interaction guarding is nearly absent (83.2% ASR) while emergency-deferral guarding is strong (4.7%), and the authority framing is the only attack that breaches the emergency-deferral guardrail.","https://schema.org",{"og:url":50,"og:type":85,"og:title":13,"og:site_name":57,"og:description":14},"article",{"robots":87,"canonical":50},"index,follow",{"doc_id":7,"site_id":23},{"code":4,"msg":5,"data":90},[91,95,99,103,108,113,118,121,125,128,132],{"id":20,"doc_module":4,"doc_module_name":44,"category_name":92,"show_sort_weight":93,"slug":94},"Story & Novel",90,"story-novel",{"id":45,"doc_module":4,"doc_module_name":44,"category_name":96,"show_sort_weight":97,"slug":98},"Literature",80,"literature",{"id":51,"doc_module":4,"doc_module_name":44,"category_name":100,"show_sort_weight":101,"slug":102},"Exam",70,"exam",{"id":104,"doc_module":4,"doc_module_name":44,"category_name":105,"show_sort_weight":106,"slug":107},5,"Comic",60,"comic",{"id":109,"doc_module":4,"doc_module_name":44,"category_name":110,"show_sort_weight":111,"slug":112},6,"Technology",50,"technology",{"id":114,"doc_module":4,"doc_module_name":44,"category_name":115,"show_sort_weight":116,"slug":117},7,"Healthcare",40,"healthcare",{"id":11,"doc_module":4,"doc_module_name":44,"category_name":12,"show_sort_weight":119,"slug":120},30,"research-report",{"id":122,"doc_module":4,"doc_module_name":44,"category_name":123,"show_sort_weight":27,"slug":124},9,"Religion & Spirituality","religion-spirituality",{"id":27,"doc_module":4,"doc_module_name":44,"category_name":126,"show_sort_weight":27,"slug":127},"World Cup","world-cup",{"id":129,"doc_module":4,"doc_module_name":44,"category_name":130,"show_sort_weight":129,"slug":131},10,"Lifestyle","lifestyle",{"id":133,"doc_module":4,"doc_module_name":44,"category_name":134,"show_sort_weight":104,"slug":135},19,"General","general"]