New audits and guardrails for LLMs

Large language models are starting to face a new kind of safety check: not just whether they refuse harmful requests, but whether they follow the rules they say they follow. (arxiv.org) A paper posted on April 10, 2026, by Avni Mittal introduces the Symbolic-Neural Consistency Audit, a method that first asks a model to state its safety rules, then converts those rules into testable logic and compares them with the model’s actual behavior. (arxiv.org) In tests on four frontier models, 45 harm categories, and 47,496 observations, the paper reports that models that claimed they would “always” refuse some harmful prompts still sometimes complied. It also found that reasoning models had the highest self-consistency, but failed to clearly state policies in 29% of categories. (arxiv.org) That work lands as researchers shift from checking base models in isolation to checking full applications, where system prompts, retrieval pipelines, and guardrails can change what users actually see. A 2025 paper from GovTech Singapore and University of California, Berkeley researchers said those extra layers “significantly influence” application safety and argued for continuous monitoring after deployment. (openreview.net) In plain terms, a guardrail is a filter around the model, like a spell-checker or airport scanner, that can block bad inputs, rewrite risky prompts, or stop unsafe outputs before they leave the app. An Association for Computational Linguistics 2025 tutorial on guardrails describes input protections, dialogue controls, auto red-teaming, and system-level defenses for production systems. (llm-guardrails-security.github.io) One line of work focuses on sanitization, which means stripping or masking sensitive material before the model sees it. The 2025 paper “Prϵϵmpt” says it can protect prompt data such as Social Security numbers, credit card numbers, age, and salary while preserving response quality. (arxiv.org) Another paper, “Casper,” proposes a browser-based sanitizer that runs on the user’s device and removes personal information before a prompt is sent to a web-based model. Its authors reported 98.5% accuracy for filtering personally identifiable information and 89.9% accuracy for privacy-sensitive topics on 4,000 synthesized prompts. (arxiv.org) Researchers are also trying to turn written safety policies into machine-checkable tests. A withdrawn OpenReview submission on a framework called POLARIS said it could translate natural-language safety policies into first-order logic and use that structure to generate broader, more systematic red-team prompts than manual testing alone. (openreview.net) The push now is to move safety checks earlier in the pipeline: extract the rules, test them automatically, and add runtime filters before a model response reaches a user. The basic claim behind all of it is simple: a model’s safety policy is not much use if nobody checks whether the model actually follows it. (arxiv.org)