ReadPaper Blog
PolicyShiftGuard: Benchmarking and Improving Policy-Adaptive Image Guardrails
PolicyShiftGuard studies image guardrails that must judge an image against the currently supplied safety policy rather than treating safety as a fixed property of the pixels. The paper introduces POLICYSHIFTBENCH, a benchmark of same-image policy shifts, and proposes a compact policy-conditioned guardrail trained with Randomized Policy SFT and Boundary-Pair Policy Adaptation. Its results show that existing VLMs and specialized guardrails often recognize risky content without reliably adapting to changed policy boundaries, while PolicyShiftGuard improves policy-sensitive F1, Policy Shift Score, transfer, and latency-performance trade-offs.
Source: PolicyShiftGuard: Benchmarking and Improving Policy-Adaptive Image Guardrails

The Same Image, Two Rules
The paper’s central problem is that deployed image guardrails must make policy-dependent decisions, while many existing systems are trained and evaluated as if an image has one intrinsic safe-or-unsafe label. PolicyShiftGuard frames image acceptability as a relation between visual evidence and an active runtime policy, because the same image may be permitted in a medical, journalistic, archival, or adult context but blocked in a family-safe or brand-safe context. This motivation matters for multimodal platforms that screen uploaded images, gate generated visual content, and decide whether downstream models should process sensitive inputs. The authors argue that an effective guardrail must inspect fine-grained visual attributes while also interpreting policy bundles that vary across products, age groups, regions, advertisers, and institutions. This reframing turns image safety from generic risk recognition into policy-adaptive image guardrailing.

Why Old Guards Fail
The paper identifies a benchmark and method gap in prior visual safety work: most datasets assign one label per image under a fixed taxonomy, which makes it difficult to separate unsafe-content detection from genuine policy following. The comparison in the paper notes that benchmarks such as UnsafeBench, MM-SafetyBench, VSCBench, FigStep, LLaVA-Guard, and SafeEditBench do not jointly provide realistic variable runtime policies, compositional policy bundles, public policy-conditioned training data, and a metric for same-image policy flips. The authors emphasize that even recent policy-conditioned evaluations are not fine-grained enough to test whether a model changes its decision when only the governing policy changes. Their experiments further support this concern by showing that existing VLMs and specialized guardrails can obtain nontrivial F1 while still scoring poorly on policy-shift sensitivity. The implication is that generic unsafe recognition may conceal a failure to apply the current policy boundary.

POLICYSHIFTBENCH
POLICYSHIFTBENCH is the paper’s benchmark for evaluating policy-adaptive image guardrailing under controlled policy changes. It organizes visual safety into seven risk categories, including nudity and sexual content, violence and self-harm, regulated goods, IP and brand safety, cultural and religious sensitivity, privacy and PII, and text-in-image safety. It combines these risk axes with realistic moderation scenarios to instantiate 28 policy variants, producing 2,000 policy-discriminative evaluation instances over 265 images. Each image is paired with 7.55 policy-conditioned prompts on average, and 262 of the 265 images appear with both pass and block labels. This design forces evaluation to test whether a model adapts to the active policy rather than relying on an image-level safety prior.

Policy Shift Score
The paper introduces Policy Shift Score, or PSS, to measure the behavior that ordinary classification metrics can miss. PSS is a paired metric that rewards a model only when it correctly handles same-image policy flips, rather than merely identifying that an image contains potentially risky visual content. This metric is important because a model can be right under one policy while failing to reverse its decision under another policy that permits or prohibits the same attribute differently. By evaluating matched policy-conditioned instances, PSS directly targets the policy-adaptive capability the paper claims is required in deployment. The authors use PSS alongside Avg. F1 to show that policy following and unsafe-content recognition are related but distinct capabilities.

PolicyShiftGuard
PolicyShiftGuard is the paper’s proposed compact policy-conditioned guardrail model, trained through a two-stage recipe designed to improve adaptation to policy bundles and pass/block boundaries. The first stage, Randomized Policy SFT, teaches the model to follow full runtime policy bundles and produce concise structured outputs while reducing dependence on fixed policy order or superficial identifiers. The second stage, Boundary-Pair Policy Adaptation, uses matched prompts for the same image and risk category, pairing a policy that permits the image with another policy that blocks it, and combines standard label supervision with a pairwise comparison loss. The paper reports that PolicyShiftGuard-7B reaches 76.9 Avg. F1 and 72.1 Avg. PSS on POLICYSHIFTBENCH, transfers well to UnSafeBench and SafeEditBench, and improves the latency-performance trade-off through a concise output format. Ablations indicate that matched pass/block boundary pairs are essential for stable policy adaptation, reinforcing the paper’s conclusion that the core task is not just detecting risk but applying the active policy boundary correctly.
