C3LLM quantifies catastrophic LLM risk

Large language model safety has a measurement problem. You can jailbreak a model with a clever prompt, but that still doesn’t tell you the thing you actually want to know — how often a model fails across the huge space of real conversations. That gap is what C3LLM is trying to close. At ICLR 2026, researchers from Amazon and the University of Illinois Urbana-Champaign presented a framework that doesn’t just test models for catastrophic failures in conversation, but tries to put statistical bounds on how likely those failures are. (openreview.net) ### What is C3LLM actually doing? Basically, it treats a conversation not as one prompt but as a path through a graph. The nodes are queries, the edges connect semantically related queries, and the model of movement through that graph is a Markov process — a way of saying the next turn depends on where you are now. That lets the researchers define whole distributions of possible multi-turn attacks instead of hand-picking a few jailbreak scripts. (openreview.net 1)(openreview.net 2)d-teaming is mostly a spot check. You gather prompts, see what breaks, and report a failure rate. But multi-turn conversations are combinatorially huge, and harmful behavior often emerges only after several turns of steering, reframing, or roleplay. A fixed benchmark can miss that. It also gives you a score without a confidence bound, which means you don’t know how much to trust the number. (openreview.net)certification claim is statistical, not absolute. C3LLM samples conversations from these defined threat distributions and then uses confidence intervals — specifically Clopper-Pearson intervals — to bound the underlying probability that a model produces a catastrophic response. That is a different question from “did we find one jailbreak?” It is closer to “under this threat model, how bad could failure rates plausibly be?” (openreview.net) does it test? The paper describes three practical sampling setups: random node, graph path, and adaptive with rejection. The first is simpler and broader. The second follows more realistic conversational trajectories through related prompts. The third is more adversarial — it adaptively pushes toward regions of the graph that look more promising for failure, while rejecting unhelpful branches. Same model, different threat model, very different risk picture. (openreview.net)tually find? The attention-grabbing result is that these distributions surfaced substantial catastrophic risk in frontier models, with certified lower bounds reaching 70% for the worst model tested. That wording matters. A lower bound is the floor, not the ceiling. So the claim is not “one model failed 70% of the time in all settings,” but “under at least one defined conversational threat distribution, the researchers can certify the true failure rate is at least that high with statistical confidence.” (openreview.net) ### Why is that a bigger deal than another scary benchmark? Because benchmarks get gamed. Sometimes they get contaminated. Sometimes labs tune directly against them. Certification changes the frame from leaderboard performance to risk guarantees under specified assumptions. The catch is that everything depends on the threat distribution you define. If your graph misses important conversational routes, your certificate can still be misleading. But that is still a cleaner target than pretending a small prompt(openreview.net)inference from the paper’s setup and motivation, not a direct claim in one sentence. (openreview.net) ### Is this ready to decide deployment? Not by itself. C3LLM does not prove a model is safe in the wild. It gives a principled way to say, under a stated adversarial conversation model, the catastrophic failure probability is at least or at most some range. That makes it more like a safety audit instrument than a final verdict. But turns out that may be exactly what the field has been missing. (openreview.net) ### Bottom line? C3LLM is an attempt to move LLM sa(openreview.net)r catastrophic risk, but it makes the argument harder to hand-wave away. (openreview.net)