Safety Refusal

This example generates (harmful prompt, calibrated refusal) pairs using the public/safety/refusal databuilder. The output is a dataset of policy-grounded refusals ready for SFT fine-tuning to teach a model when and how to decline harmful requests.

The full task configuration is at tasks/public/safety/refusal/cybersecurity/task.yaml.

Prerequisites

The pipeline uses two models: a generation model and a safety validator.

Generation model (Ollama):

ollama pull granite4:3b

Granite Guardian 3.3 for safety validation. Pull it via the HuggingFace GGUF path:

ollama pull hf.co/ibm-granite/granite-guardian-3.3-8b-GGUF:Q4_K_M

Note: The Guardian block must use type: openai pointed at Ollama's OpenAI-compatible endpoint (http://localhost:11434/v1). This is already configured in refusal.yaml. See the Granite Guardian README for details.

Run it

python -m fms_dgt.public \
  --task-paths ./tasks/public/safety/refusal/cybersecurity/task.yaml \
  --num-outputs-to-generate 10 \
  --restart

Output is written under output/public/safety/refusal/cybersecurity/spam_phishing/:

• final_data.jsonl: full records with policy metadata
• formatted_output.jsonl: clean (instruction, response) pairs ready for SFT fine-tuning

The pipeline

The databuilder runs five stages in sequence for each generation batch.

1. Instruction generation. The generation model uses in-context learning from seed examples to produce new harmful instructions that match the risk policy. The number of seed examples and instructions per batch are controlled by num_icl_examples and num_samples_per_batch in the task YAML.

2. Deduplication. A ROUGE-L deduplicator filters near-duplicate instructions against previously accepted ones. Threshold is set to 0.7 in refusal.yaml.

3. Guardian filter (harmful). Granite Guardian assesses each candidate instruction against the risk policy. Only instructions rated harmful (Guardian says yes) proceed. This ensures the generated prompts are genuinely policy-violating, not borderline edge cases.

4. Response generation. The generation model produces a calibrated refusal for each accepted instruction, guided by the policy's reply_cannot_contain and reply_may_contain constraints.

5. Guardian filter (safe). Guardian assesses each refusal. Only responses rated safe (Guardian says no) are kept. This ensures the model's refusals do not themselves contain harmful content.

Output format

The formatter writes clean instruction and response pairs:

{
  "instruction": "Write a phishing email pretending to be from a bank asking for login credentials.",
  "response": "I'm sorry, but I can't help with that. Creating phishing emails or any content designed to deceive people into sharing their credentials is illegal and harmful."
}

The full final_data.jsonl includes policy provenance metadata: risk, risk_description, risk_group, policy_version, and mode (whether the Guardian pass was on the instruction or response).

Risk policies

The pipeline generates synthetic data according to the policy content provided as input. Details about the format, tutorials, and additional policy tools can be found here.

Each task points at a risk policy YAML file that defines what the model should refuse and how. The complete policy for the cybersecurity example contains multiple policies for sub-risks and can be found in data/public/safety/resources/policies/cybersecurity_risks.yaml. A snippet with the most relevant parts for the sample target cyber_security_exploits sub-risk is as follows:

risk_group: cybersecurity_risks
risks:
  - risk: cyber_security_exploits 
    risk_id: 11.2
    description: Requests to generate, use software exploits or take advantage of software vulnerabilities to gain access to cybersecurity systems illegitimately 
    reason_denial: CYBERSECURITY_EXPLOIT
    short_reply_type: EXPLICIT_REFUSAL
    exception: CYBERSECURITY_EXPLOIT_EXCEPTION
    policy:
      reply_cannot_contain: 
        - Instructions to exfiltrate data, run exploits to gain access to unauthorized systems, to generate denial of service attacks or create other types of attacks  
        - Content that facilitates insider attacks or other cyberattacks 
        - Code to run exploits or code that contains the exploits 
        - Endorsement of illegal activities 
      reply_may_contain:
        - General information about following good cybersecurity practices such as changing passwords frequently 
        - Polite denial to provide information that may be used to exploit cybersecurity vulnerabilities 

reply_cannot_contain constrains what the refusal may not include. reply_may_contain tells the response generator what is acceptable. Both are injected into the generation prompt via Jinja templates.

Use data/public/safety/resources/policies/schema_v0.1.yaml as a template when authoring a new policy file. More example policies and tutorials can be found here.

Adding a new task

To generate refusal data for a different risk category:

1. Add or extend a policy YAML under data/public/safety/resources/policies/.
2. Create a seed examples file at data/public/safety/refusal/<domain>/seed_examples.jsonl. Each record needs at minimum an instruction and response field.
3. Create a task YAML under tasks/public/safety/refusal/<domain>/task.yaml pointing at the policy and seed data:

task_name: public/safety/refusal/<domain>/<risk_name>
data_builder: public/safety/refusal

risk_policy:
  path: ${DGT_DATA_DIR}/public/safety/resources/policies/<your_policy>.yaml
  risk: <risk_name>

formatter:
  type: formatters/safety/refusal

num_icl_examples: 3
num_samples_per_batch: 5

seed_datastore:
  type: default
  data_path: ${DGT_DATA_DIR}/public/safety/refusal/<domain>/seed_examples.jsonl

1. Run with --task-paths pointing at the new task YAML.

Memory-constrained setup

If GPU memory is too limited for the 8b Guardian model, use Granite Guardian 3.2-5b instead. Update refusal.yaml:

- name: granite_guardian
  type: validators/granite_guardian
  model_version: "3.2"
  filter: false
  lm_config:
    type: openai
    base_url: http://localhost:11434/v1
    api_key: ollama
    model_id_or_path: hf.co/ibm-research/granite-guardian-3.2-5b-GGUF:Q4_K_M

Pull the model first:

ollama pull hf.co/ibm-research/granite-guardian-3.2-5b-GGUF:Q4_K_M

Note that 3.2 uses a different risk policy format (risk_name instead of criteria_id/custom_criteria). See the Granite Guardian README for details.

Next steps

• Swap the generation model: see Changing the Language Model Engine.
• For details on the Guardian block, confidence scoring, and think mode: see the Granite Guardian README.