PIA
Collection
ICML2026 paper: "Disentangling Intent from Role: Adversarial Self-Play for Persona-Invariant Safety Alignment" β’ 2 items β’ Updated β’ 1
PIA
PIA: Disentangling Intent from Role: Adversarial Self-Play for Persona-Invariant Safety Alignment
This repository provides the paper and project overview for PIA, a safety alignment framework designed to improve LLM robustness against persona-based jailbreak attacks.
Warning: This work studies adversarial jailbreak behavior and may contain harmful text for research and evaluation purposes.
π§ Overview
PIA focuses on a specific failure mode in aligned language models: a model may safely refuse a harmful instruction in its direct form, yet comply once the same intent is wrapped in a carefully designed persona prompt. The central idea of the paper is that safety decisions should remain invariant to persona context, even when role-playing changes tone, style, or narrative framing.
To operationalize this idea, PIA introduces an adversarial self-play framework with two tightly coupled components. On the attack side, Persona Lineage Evolution (PLE) searches for high-risk personas through lineage-based credit propagation and UCB-style exploration, enabling more efficient discovery of diverse and transferable jailbreak personas. On the defense side, Persona-Invariant Consistency Learning (PICL) treats the model's persona-free safe behavior as a teacher signal and regularizes persona-conditioned outputs toward that safe distribution, while jointly training with DPO and SFT objectives.
Experiments on Qwen2.5-7B-Instruct and Llama-3.1-8B-Instruct show that PLE can uncover stronger persona-based jailbreak attacks than standard genetic search, while PICL substantially reduces attack success rates under out-of-distribution personas and largely preserves benign compliance, general capability, and role-playing ability.
π Paper
- Title: Disentangling Intent from Role: Adversarial Self-Play for Persona-Invariant Safety Alignment
- Authors: Jiajia Li*, Xiaoyu Wen*, Zhongtian Ma, Shuyue Hu, Qiaosheng Zhang, Zhen Wang
- arXiv: https://arxiv.org/abs/2605.01899
- PDF: https://arxiv.org/pdf/2605.01899
- DOI: https://doi.org/10.48550/arXiv.2605.01899
π¦ Persona Dataset
The PIA-Persona-Dataset folder contains three curated persona sets in jsonl format. Each line now keeps only a single key:
{"persona": "..."}
attack_elite.jsonl: elite adversarial personas evolved by PIA / PLE, used as the main attack personas in this work.baseline_elite.jsonl: elite adversarial personas evolved by the Persona-GA baseline from Zhang et al. (2025), Enhancing jailbreak attacks on llms via persona prompts, used for baseline comparison.test_ood_elite.jsonl: MBTI-style OOD personas evolved for robustness evaluation under out-of-distribution persona-based jailbreak attacks.
All personas are intended to be combined with a harmful query using the following inference template:
Answer the question according to the assigned persona.
persona: {persona_text}
question: {question_text}
Inference Providers NEW
This model isn't deployed by any Inference Provider. π Ask for provider support