Amazon's C3LLM certifies catastrophic risk

Large language models fail in a very specific way that normal benchmarks often miss. A model can look safe on one prompt, then get talked into something dangerous over several turns. That gap matters if you care about bio, cyber, or other high-stakes misuse. Amazon Science and University of Illinois Urbana-Champaign researchers are now arguing that the right question is not “did we find a jailbreak?” but “how likely is catastrophic failure across a whole space of conversations?” Their answer is C3LLM, released by Amazon Science on April 27 alongside an ICLR 2026 paper and open-source code. (amazon.science) ### What is C3LLM actually doing? Basically, it is a certification framework for conversational risk. Not certification in the legal sense — certification in the statistical sense. The system tries to bound the probability that an LLM will produce a catastrophic response under a defined distribution of multi-turn conversations. (amazon.science)cess rate on a fixed prompt set. C3LLM tries to say something stronger: under this conversation model, the model’s failure probability is at least or at most some value, with confidence bounds. (amazon.science) ### Why are multi-turn conversations the hard part? Beca(amazon.science)rame intent, and only later steer the model into harmful output. Single-turn tests miss a lot of that. (openreview.net) Think of it like testing a lock by jiggling it once versus watching someone try twenty slightl(amazon.science)actice. That is the problem C3LLM is aimed at. (amazon.science) ### How does it model conversations? The framework starts with a query set and builds a graph. Each node is a prompt. Edges connect prompts that are sem(openreview.net) over paths through that graph — effectively, ways a conversation might evolve over several turns. (amazon.science) The paper describes practical sampling set(amazon.science)der those distributions, C3LLM estimates attack success and wraps that estimate in confidence intervals using Clopper-Pearson bounds. (amazon.science) ### What did the researchers find? The headline result is stark. The paper says the framework sur(amazon.science)bounds as high as 70% for the worst model tested. That is not a worst-case anecdote. It is a lower bound under the paper’s specified conversation distributions. (amazon.science) true risk, under that setup, is at least that high with the stated confidence procedure. It is a stronger claim than “we found some bad examples.” (amazon.science) ### Why is this different from ordinary red-teaming? Ordinary red-teaming is still useful. But it is mostly em(amazon.science)ion space is huge, and fixed attack scripts do not generalize well. (amazon.science) C3LLM is trying to turn that into something more like a(amazon.science) formal distribution, confidence intervals, and a way to compare models under the same setup. (amazon.science) ### Does it need model internals? No — and that is part of the appeal. The paper says C3LLM only needs black-box access, so (amazon.science)auditing deployed systems where weights and training details are unavailable. (arxiv.org) ### What is the catch? Certification only means something relative to the distribution you certify ov(amazon.science) can still be misleading. So this is not a universal safety proof. It is a more principled way to ask a narrower question. (amazon.science) ### Bottom line C3LLM matters because i(arxiv.org) jailbreak hunting and one step toward auditable risk measurement. That does not solve catastrophic misuse. But it gives labs and outside evaluators a sharper tool for saying how unsafe a model may be in conversation — and for proving that claim statistically. (amazon.science)