Search papers, labs, and topics across Lattice.
HaloGuard 1.0 is an open-weights constitutional classifier designed for input safety, achieving state-of-the-art performance on multilingual prompt-safety benchmarks while being significantly smaller than existing models. By utilizing a comprehensive natural-language constitution of 46 policies and 2,940 subcategories, it generates synthetic data through paired counterfactuals that maintain topic and vocabulary while altering intent. The model demonstrates superior performance with an average F1 score of 90.9, outperforming larger models up to 27B parameters, while maintaining low false-positive and false-negative rates.
Achieving top-tier multilingual safety performance with a model one-tenth the size of its largest competitors, HaloGuard 1.0 challenges the notion that bigger is always better in AI safety.
We present HaloGuard 1.0, an open-weights implementation of the constitutional-classifier paradigm for input safety. It achieves state-of-the-art performance on English and multilingual prompt-safety benchmarks at roughly one-tenth the model size of current leading open guard models. The safety constitution is the organising structure of the corpus: a natural-language constitution of 46 policies and 2,940 subcategories drives synthetic data generation, with exhaustive one-to-one paired counterfactuals that hold topic and vocabulary fixed while flipping intent, a two-tier harmless design that separately targets boundary and baseline false positives (FPs), and balanced multilingual materialisation across 46 languages that treats language as a surface form appearing on both sides of the boundary rather than as an adversarial signal. Across seven prompt-safety benchmarks, HaloGuard 1.0-0.8B attains the best average F1 (90.9) of any open guard we evaluate, outperforming baselines up to 27B parameters (over 30 times larger) while holding false-positive rate (FPR) to 4.3 and false-negative rate (FNR) to 9.5. The HaloGuard 1.0-4B variant reaches average F1 of 92.1 and FPR of 3.5, spending its extra capacity on precision rather than recall. A structured adjudication of the remaining failures indicates that most apparent missed-harm cases are benchmark mislabels rather than genuine model misses. An always-on adversarial red-teaming protocol continuously hardens the guard against both content-level and agentic attacks. We release the models as open weights.