JADR: Measuring LLM Safety via J-Space
JADR (Jacobian Assessment of Danger Recognition) flips this by looking at the Jacobian space (J-space). Instead of reading the response, it analyzes the internal activations and verbalizable concepts across layers before the first token is even generated.
Here is why this approach is actually useful for those of us tracking model performance:
1. Zero External Judges: It runs locally on the model's own activations. No need to pay for another API call just to grade a response.
2. Quantization Tracking: It reveals how shrinking a model (BF16 → INT8 → INT4) actually degrades its internal safety mechanisms. Some models might still "sound" safe in INT4, but their internal danger recognition is crumbling.
3. Internal vs. External: By comparing "danger" samples against safe controls, it uses a SafetyAUC metric to see if the model internally recognizes a threat, even if the final output is filtered or censored.
The researchers tested this across several versions of Qwen3 and Gemma 2 9B. The results show a statistically significant gap between models with robust internal safety and those that are just "pretending" via fine-tuning.
For anyone doing a deep dive into model deployment, this is a reminder that quantization isn't just about VRAM—it can fundamentally shift how a model perceives risk. If you're running a 4-bit quant, your safety guardrails might be thinner than you think.