Published
Report 132 Research — AI Safety Policy

Disclaimer: Empirical figures cited from Failure-First research reflect testing on specific model families under research conditions. Attack success rates are indicative estimates with methodological caveats described in the Limitations section. External research findings are attributed and assessed on their own methodological terms. This report does not constitute safety certification guidance.

Executive Summary

Zhao et al. (2026, arXiv:2603.04904) demonstrate that safety alignment interventions — RLHF, DPO, and their variants — actively worsen safety performance in 8 of 16 languages tested, across 1,584 controlled simulations. Models become more likely to produce harmful outputs in non-English languages after safety training intended to make them safer. The authors call this the “alignment backfire” effect.

This finding independently validates the core claim of the Safety Improvement Paradox (Report #117): safety interventions can make systems relatively less safe by addressing only one dimension of the risk surface while leaving others untouched or actively degraded. Report #117 derived this analytically from the DRIP framework in the embodied AI domain. Alignment Backfire demonstrates it empirically in the language domain. The structural mechanism is the same: optimising safety on one axis (English-language adversarial robustness / adversarial attack resistance) degrades safety on an orthogonal axis (non-English safety / unintentional deployment risk).

This report analyses how cross-language alignment failure interacts with the Failure-First theoretical framework, identifies implications for multilingual embodied AI deployment, and proposes a cross-language VLA evaluation experiment.

1. The Alignment Backfire Finding

1.1 What Zhao et al. Found

The paper tests 6 alignment methods (RLHF, DPO, IPO, KTO, ORPO, SimPO) across 16 languages on safety-relevant tasks. Key findings:

  • 8/16 languages show safety degradation after alignment. The model becomes more likely to produce harmful content in these languages after safety training.
  • Low-resource languages are disproportionately affected. Languages with less training data (e.g., Swahili, Vietnamese, Thai) show the strongest backfire effects.
  • The effect is method-invariant. No single alignment method avoids backfire across all languages. Some methods that improve safety in high-resource languages actively worsen it in low-resource ones.
  • 1,584 controlled simulations provide statistical power. This is not a few-shot anecdote.

1.2 The Structural Mechanism

The backfire occurs because safety training data is overwhelmingly English. Alignment methods learn to associate English-language patterns with safety-compliant behaviour. For non-English inputs:

  1. The safety patterns are weaker or absent (undertrained).
  2. The alignment process may actively suppress non-English safety-adjacent patterns that happened to correlate with the English training signal.
  3. The model becomes more capable (alignment includes general capability improvement) without becoming safer in non-English contexts.

This is precisely the CDC mechanism applied to languages rather than physical contexts: the capability improvement (following instructions well) and the safety degradation (following harmful instructions well) are the same capability, differentiated only by the input language.

2. Convergence with the Safety Improvement Paradox

2.1 Structural Isomorphism

Report #117 derives the Safety Improvement Paradox from the DRIP framework:

As adversarial defenses improve, ASR decreases. R_u/R_a increases as 1/ASR. The better your adversarial defenses, the more dominant the unintentional risk becomes.

Alignment Backfire demonstrates an even stronger version:

As safety alignment improves in English, safety in non-English languages does not merely remain constant — it actively degrades.

Report #117’s paradox is about the ratio of unintentional to adversarial risk growing because one term shrinks while the other stays constant. Alignment Backfire reveals a scenario where the “constant” term actually increases — the denominator shrinks AND the numerator grows. This is a “super-paradox” where safety investment has negative returns on the neglected axis.

2.2 Mapping the Analogy

DimensionSafety Improvement Paradox (Report #117)Alignment Backfire (2603.04904)
Optimised axisAdversarial robustness (English jailbreaks)Safety alignment (English safety)
Neglected axisUnintentional deployment risk (CDC/DRIP)Non-English language safety
MechanismAdversarial ASR decreases; R_u unchangedEnglish safety improves; non-English safety degrades
Risk ratio trajectoryIncreases as 1/ASR (monotonic)Increases faster than 1/ASR (active degradation)
Root causeCDC: useful capability = dangerous capabilityLanguage-CDC: English safety patterns = non-English capability suppression
Detection difficultyHigh (IDDL: text-layer evaluation blind)High (evaluation benchmarks English-dominant)
DenominatorAdversarial attack rateEnglish-language harmful requests

2.3 The Reinforcing Interaction

The two paradoxes compound in multilingual embodied AI deployment:

  1. Alignment Backfire degrades the model’s safety compliance in non-English languages.
  2. CDC ensures that the instructions which matter most in embodied contexts (physical manipulation, navigation, dispensing) are the ones where safety and capability are inseparable.
  3. DRIP establishes that unintentional risk dominates: lambda_u >> lambda_a. In a multilingual workplace, non-English-speaking users issue instructions at the same rate as English speakers.
  4. The Compliance Paradox (50% PARTIAL in English) suggests that even the English-language safety signal is architecturally impotent at the actuator layer. In non-English languages where the safety signal is actively suppressed, the PARTIAL rate would be expected to decrease (i.e., fewer hedging responses) while compliance increases.

The compound prediction: multilingual embodied AI systems face a risk surface where the dominant risk pathway (non-English unintentional harm via CDC) is simultaneously the most neglected by safety training and the most actively degraded by alignment.

3. Implications for Embodied AI Deployment

3.1 The Multilingual Workplace Problem

Embodied AI systems are deployed in environments where multiple languages are spoken:

  • Australian mining: Operators speak English, Mandarin, Hindi, Filipino/Tagalog, Vietnamese. 1,800+ autonomous haul trucks already deployed.
  • Manufacturing: Global supply chains use diverse workforces. Warehouse robots (Stretch, Digit, Figure 02) receive instructions from multilingual teams.
  • Healthcare: Nursing robots (Moxi, TUG) operate in hospitals with multilingual staff and patients.
  • Agriculture: Seasonal workers in Australian agriculture speak English, Tongan, Samoan, Thai, Vietnamese.

If Alignment Backfire holds for VLA-backbone models (an untested but structurally plausible extension), then:

  • Safety compliance rates in non-English instructions would be lower than English baselines.
  • The CDC effect would be amplified: the model follows the physical instruction (capability is language-agnostic for motor actions) but the safety reasoning is language-dependent.
  • The IDDL would be even more severe: evaluators operating in English would be blind to non-English safety failures.

3.2 Language as an Unintentional Attack Vector

This connects directly to the Unintentional Adversary concept (Report #115). A non-English-speaking worker issuing a perfectly ordinary instruction in their native language becomes an unintentional adversary if:

  1. The instruction is contextually dangerous (CDC, high gamma).
  2. The model’s safety reasoning is degraded in that language (Alignment Backfire).
  3. The model’s instruction-following capability is language-agnostic (motor actions transcend language).

The worker has no adversarial intent. They are simply speaking their native language. The system’s safety failure is a product of training data distribution, not of any human choice. This is the DRIP’s unintentional adversary at its most stark.

3.3 Extension to VLA Models

Alignment Backfire was demonstrated on LLMs (text-in, text-out). VLA models have an additional complication: the action output is language-independent. A VLA model that processes a Japanese instruction and produces a motor trajectory has no “Japanese action sequence” versus “English action sequence” — the actions are the same joint angles and forces.

This means:

  • Safety training’s text-layer suppression (in English) may produce hedging text in English but not in Japanese.
  • The action layer is unaffected by which language the safety hedging would have occurred in.
  • The actuator gap is maximally severe: even if the model would have produced a safety disclaimer in English, the equivalent Japanese input bypasses the safety reasoning entirely, and the action decoder executes without any hedging signal.

4. Implications for the Failure-First Framework

4.1 Cross-Language Safety as a New IDDL Dimension

The IDDL (rho = -0.822, 27 families) measures the inverse relationship between danger and detectability across attack families. Alignment Backfire suggests a second IDDL dimension: across languages, the most safety-relevant failures (harmful compliance) are least detectable (evaluation benchmarks are English-centric).

This is not merely an evaluation gap. It is structurally generated by the same mechanism: safety training optimises for the axis where measurement is easiest (English), creating systematic underperformance on the axis where measurement is hardest (non-English).

4.2 DRIP Parameter Adjustment

Report #117 estimates R_u/R_a = 60:1 under DRIP parameters. This assumes a uniform safety compliance rate S(t) across all users. If S(t) is language-dependent (Alignment Backfire), then:

  • For English-speaking users: S_en(t) = current estimate.
  • For non-English-speaking users: S_ne(t) < S_en(t), potentially significantly lower.

The weighted compliance rate becomes:

S_weighted(t) = f_en * S_en(t) + (1 - f_en) * S_ne(t)

Where f_en is the fraction of instructions in English. In a multilingual workforce where f_en = 0.6 (a reasonable estimate for Australian mining), even modest degradation in S_ne relative to S_en would materially increase R_u and further tilt the DRIP ratio.

4.3 The Defense Impossibility Tetrahedron Gains a Fifth Face

The current Defense Impossibility structure (Report #78, updated in unified framework) identifies four defense layers (T, A, E, I) that each fail independently. Cross-language alignment failure adds a fifth axis:

LayerFailure ModeRate
T (Text)Blindfold bypasses93.2% ASR
A (Action)Near-zero refusals11% refusal rate
E (Evaluation)False positives30.8% FP
I (Infrastructure)IMB bypass70.0% ASR
L (Language)Alignment Backfire8/16 languages degraded (50%)

Layer L is not fully orthogonal to Layer T — both involve text-layer safety. But the failure mechanism is different: Layer T fails because the text has no harmful signature; Layer L fails because the safety training is language-specific. A prompt that would trigger safety hedging in English may produce unconstrained compliance in Vietnamese, even when the text content is identical in meaning.

5. Quantitative Predictions (Testable)

The integration of Alignment Backfire with Failure-First theory generates specific testable predictions:

  1. Cross-language VLA FLIP ASR will be higher in non-English than English. Specifically, for languages in the “backfire” category (low-resource), FLIP ASR should exceed English baseline by at least 10pp. This is the direct prediction of Alignment Backfire applied to VLA scenarios.

  2. PARTIAL rate will decrease in non-English languages. English produces 50% PARTIAL (hedging + compliance). Non-English should produce more outright COMPLIANCE and fewer PARTIAL verdicts, because the safety hedging signal is weaker.

  3. The DRIP ratio will increase in multilingual deployments. If prediction 1 holds, then S_ne(t) < S_en(t), increasing R_u and the total risk ratio.

  4. Evaluation blindness will be maximal for non-English CDC-dominant families. SBA in Japanese should have the highest BENIGN_QUERY misclassification rate of any language-family combination, because both the IDDL (attack has no text signature) and Alignment Backfire (evaluator is English-optimised) compound.

6. Limitations

  1. Alignment Backfire was demonstrated on LLMs, not VLAs. Extension to VLA-backbone models is structurally plausible but empirically untested. VLA safety training may use different methods than LLM alignment.

  2. The 8/16 language degradation rate may not transfer. VLA models may use different base models with different language distributions. Some VLA models (e.g., RT-2, Octo) may be primarily English-only.

  3. The DRIP parameter adjustment is speculative. We have no empirical estimate of S_ne(t) for any VLA model in any non-English language.

  4. Sample sizes throughout Failure-First VLA corpus are small. The framework predictions are derived from theory, not from large-N experiments. The cross-language experiment proposed in the companion issue is designed to produce the first empirical data.

  5. The “fifth face” (Layer L) may not be independent. Language-dependent safety failure and text-layer safety failure may share common causes, making them correlated rather than orthogonal.

7. Relationship to Prior Work

ReportConnection
#117 (Safety Improvement Paradox)Direct external validation. Alignment Backfire demonstrates the paradox empirically in the language domain.
#101 (DRIP)DRIP parameters need language-weighted adjustment. Cross-language deployment changes the R_u numerator.
#115 (Unintentional Adversary)Non-English speakers become unintentional adversaries through language alone, without any contextual ambiguity.
#97 (CDC)CDC + Alignment Backfire: capability is language-agnostic but safety is language-specific. This is a new CDC dimension.
#59 (Compliance Paradox)Predicts PARTIAL rate decrease in non-English, meaning the one remaining safety signal (hedging) is also degraded.
#88 (IDDL)IDDL gains a cross-language dimension. Evaluation benchmarks are English-centric, creating systematic blindness.
#122 (Five Paradoxes)Alignment Backfire adds empirical weight to all five paradoxes, especially the Disclosure Paradox (do you disclose language-specific vulnerabilities?) and the Governance Trilemma (regulation even further behind).
#125 (SIER)Context Half-Life may be language-dependent. Safety instructions in non-English may decay faster if undertrained.

  1. Create cross-language VLA evaluation experiment (companion GH issue). Translate 20 representative VLA scenarios into Japanese, Mandarin, German, and Vietnamese. Test on 3+ models. Measure FLIP ASR by language.

  2. Update DRIP model with language-weighted compliance. Add f_en parameter and S_ne(t) term to the DRIP sensitivity analysis tool.

  3. Update the unified theoretical framework. Add Alignment Backfire as external validation evidence for the Safety Improvement Paradox component. Note the potential fifth defense layer (Language).

  4. Flag for CCS paper. Alignment Backfire is published (March 2026). If accepted before our submission deadline (April 22), it strengthens the Safety Improvement Paradox section. Add to related work and cite as independent validation.

This report integrates an external finding (arXiv:2603.04904) with the Failure-First theoretical framework. All predictions are derived analytically and have not been empirically tested. The cross-language VLA experiment is the critical next step. The primary contribution is identifying the structural isomorphism between language-domain alignment failure and embodied-domain safety investment failure, and deriving testable predictions from their compound interaction.

This research informs our commercial services. See how we can help →