AI Safety Research Digest — May 7, 2026

Guard model fragility, embodied AI threat taxonomy, and architecture-aware jailbreaking converge as this week’s structural safety concerns.

Key Findings

  • Fine-tuning destroys safety alignment in guard models by collapsing latent safety geometry. Hossain et al. (May 2026) show that even benign fine-tuning degrades agentic guard models through loss of representational geometry in the latent space — not through harmful training data. Fisher-Weighted Safety Subspace Regularization recovers alignment while preserving task performance, but the baseline fragility is the operative finding: guard models deployed in production are systematically vulnerable to routine adaptation. arXiv:2605.02914

  • A survey across 400+ papers identifies fragmented but convergent embodied AI safety threats. Li et al. (May 2026) catalogue risks spanning perception fusion failures, planning instability under jailbreak pressure, and human-robot interaction trustworthiness gaps. The survey identifies multimodal perception fusion fragility and jailbreak-induced planning degradation as the highest-priority open problems, with no unified defence framework spanning all three layers. arXiv:2605.02900

  • Routing-aware attacks on Mixture-of-Experts models achieve 69.3% attack success by suppressing safety-critical expert pathways. Xu et al. (May 2026) identify that MoE architectures localise safety functionality in specific experts, enabling targeted suppression via input optimisation. The technique transfers to multimodal MoE variants with minimal adaptation, suggesting architectural specialisation of safety creates a concentrated and exploitable failure point. arXiv:2605.02946

  • Evolutionary red-teaming via conversational priming achieves near-perfect attack success on open-source models with significant transfer to frontier systems. Béjar et al. (May 2026) show that multi-turn semantic mutation operators — simulating natural priming conversations before harmful queries — reveal systematic provider-level asymmetries in alignment robustness. The approach frames open/closed model divergence as an infrastructure-level alignment gap rather than a per-model property. arXiv:2605.02647

  • Persona-invariant safety alignment proposes structural decoupling of safety decisions from contextual role-play. Li et al. (May 2026) introduce an adversarial self-play framework combining persona-based attack generation with consistency learning to produce alignment that holds across role-playing contexts. The structural separation hypothesis — that safe/unsafe decisions are architecturally disentangleable from persona context — provides a measurable target for evaluating persona-hijack robustness. arXiv:2605.01899

Implications for Embodied AI

The safety geometry collapse result (2605.02914) has direct operational implications: embodied AI pipelines routinely fine-tune guard models on domain-specific sensor and task data. If that fine-tuning degrades safety by eroding latent geometry rather than through data poisoning, post-deployment adaptation is a systematic safety regression vector regardless of data content. This argues for representational safety audits as a mandatory gate in any fine-tuning workflow, not just checks on training data provenance.

The embodied survey’s identification of perception-fusion fragility as a top-priority open problem aligns with the failure-first programme’s existing focus on sensor fusion as an attack surface. Planning instability under jailbreak conditions maps directly to the stateful degradation patterns in the episode dataset: once a planning module is compromised mid-sequence, recovery is constrained by prior irreversible commitments, not by the model’s current safety posture — an asymmetry the survey does not yet resolve.

The RouteHijack result raises a methodological concern: if safety functionality is architecturally localised in identifiable expert pathways, red-teaming that treats the model as a black box may systematically miss the highest-risk attack vectors. Extending the failure-first red-teaming framework to account for MoE routing topology appears warranted as MoE becomes the dominant frontier architecture.

Baseline generation — paper discovery via Hugging Face/arXiv. NLM-augmented assets (audio/infographic/video) added by local pipeline when available.