Hugging Face's logo

XiaoyuWen
/
PIA

llm-safety
alignment
persona-jailbreak
adversarial-self-play
red-teaming
instruction-tuning
large-language-model
Model card Files
xet
 Community
PIA
File size: 3,244 Bytes
49a723d
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
---
license: apache-2.0
tags:
  - llm-safety
  - alignment
  - persona-jailbreak
  - adversarial-self-play
  - red-teaming
  - instruction-tuning
  - large-language-model
---

# PIA

## PIA: Disentangling Intent from Role: Adversarial Self-Play for Persona-Invariant Safety Alignment

This repository provides the paper and project overview for **PIA**, a safety alignment framework designed to improve LLM robustness against **persona-based jailbreak attacks**.

> Warning: This work studies adversarial jailbreak behavior and may contain harmful text for research and evaluation purposes.

---

## 🧠 Overview

PIA focuses on a specific failure mode in aligned language models: a model may safely refuse a harmful instruction in its direct form, yet comply once the same intent is wrapped in a carefully designed persona prompt. The central idea of the paper is that **safety decisions should remain invariant to persona context**, even when role-playing changes tone, style, or narrative framing.

To operationalize this idea, PIA introduces an **adversarial self-play** framework with two tightly coupled components. On the attack side, **Persona Lineage Evolution (PLE)** searches for high-risk personas through lineage-based credit propagation and UCB-style exploration, enabling more efficient discovery of diverse and transferable jailbreak personas. On the defense side, **Persona-Invariant Consistency Learning (PICL)** treats the model's persona-free safe behavior as a teacher signal and regularizes persona-conditioned outputs toward that safe distribution, while jointly training with **DPO** and **SFT** objectives.

Experiments on **Qwen2.5-7B-Instruct** and **Llama-3.1-8B-Instruct** show that PLE can uncover stronger persona-based jailbreak attacks than standard genetic search, while PICL substantially reduces attack success rates under out-of-distribution personas and largely preserves benign compliance, general capability, and role-playing ability.

---

## 📄 Paper

- **Title:** Disentangling Intent from Role: Adversarial Self-Play for Persona-Invariant Safety Alignment
- **Authors:** Jiajia Li*, Xiaoyu Wen*, Zhongtian Ma, Shuyue Hu, Qiaosheng Zhang, Zhen Wang
- **arXiv:** https://arxiv.org/abs/2605.01899
- **PDF:** https://arxiv.org/pdf/2605.01899
- **DOI:** https://doi.org/10.48550/arXiv.2605.01899

---

## 📦 Persona Dataset

The `PIA-Persona-Dataset` folder contains three curated persona sets in `jsonl` format. Each line now keeps only a single key:

```json
{"persona": "..."}
```

- **`attack_elite.jsonl`**: elite adversarial personas evolved by **PIA / PLE**, used as the main attack personas in this work.
- **`baseline_elite.jsonl`**: elite adversarial personas evolved by the **Persona-GA** baseline from **Zhang et al. (2025), _Enhancing jailbreak attacks on llms via persona prompts_**, used for baseline comparison.
- **`test_ood_elite.jsonl`**: **MBTI-style OOD personas** evolved for robustness evaluation under out-of-distribution persona-based jailbreak attacks.

All personas are intended to be combined with a harmful query using the following inference template:

```text
Answer the question according to the assigned persona.
persona: {persona_text}
question: {question_text}
```