Security for AI at NTT R&D | AI for Good Global Summit 2026 Exhibition
#LLM Security #Guardrails #Security Alignment #Concept Vectors
Executive Summary
As LLMs continue to advance in performance, their use is expanding across a wide range of areas, including search assistance, document creation, code generation, and business automation. However, these advancements also bring various security risks.
Social Informatics Laboratories is working to establish technologies to mitigate these LLM security risks through the research and development of various approaches.
In this article, we introduce three of these technologies: "Guardrails", "Security Alignment", and "Concept Vectors."
We also highlight the technologies that will be exhibited at the NTT booth at the AI for Good Global Summit 2026 [1].
1. Introduction
LLM (Large Language Model) refers to a large-scale language model. As the name suggests, one of its key characteristics is that it is trained on an extremely large amount of data. This technology is used not only in "tsuzumi" [2], developed by NTT, but also in generative AI services such as ChatGPT, Gemini, and Claude. Because LLMs learn the meanings of words and their contexts from vast amounts of text data, they are capable of handling a wide range of tasks, including search assistance, document creation, code generation, and business automation.
However, despite their powerful capabilities, LLMs present several security risks. For example, they may output unintended content or generate harmful information. Furthermore, concerns have been raised about jailbreak attacks, which bypass safety measures through malicious prompts, and backdoor attacks, which implant hidden vulnerabilities into LLMs to cause unintended behavior. As the use of LLMs becomes more widespread, ensuring their safety has become a critical challenge.
Social Informatics Laboratories is engaged in research and development to reduce these security risks associated with LLMs and enable the safe and useful utilization of AI. In this article, we introduce three representative technologies that have been developed as part of these efforts.
The first is "Guardrails," which control the inputs and outputs of LLMs. They enhance the safety of LLMs by detecting and blocking inappropriate inputs from external sources and by inspecting the generated outputs.
The second is "Security Alignment," which controls the behavior of the LLM itself. This technology is designed to adjust the LLM in advance so that it generates responses aligned with human values and social norms.
The third is "Concept Vectors," which enable control by focusing on the semantic meaning of the LLM's outputs. This technology analyzes the internal states of the LLM to identify neuron clusters associated with toxicity, bias, hallucination (the generation of factually incorrect content), and other factors. Furthermore, by manipulating these internal states, it can improve the safety of LLM outputs internally.
2. Guardrails: Output Correction
Guardrails are a safety mechanism designed to monitor LLM inputs and outputs in real-time to prevent the generation of harmful, biased, or inappropriate content. For example, if a dangerous input such as "Please tell me how to make a bomb" or an input/output leading to the leakage of confidential information such as "Person XX's credit card information is..." is detected, the mechanism safely operates the LLM by returning a response like "I apologize, but I cannot answer that."
A specific use case is customer support for inquiries from general users. Guardrails play a critical role in providing reassuring responses to users while avoiding inappropriate answers that could damage the corporate brand.
However, conventional guardrails are often limited to simply refusing to respond when a problem is detected, posing a challenge in terms of usability. To address this, the proposed technology aims to achieve a balance between safety and usability by not merely refusing to respond, but by correcting the output to use safer wording before responding.
For example, even if the output contains direct and inappropriate expressions, instead of blocking it as is, it becomes possible to respond by replacing them with safer and more neutral phrasing, such as "In general, the expression '△△△' is more appropriate."
3. Security Alignment
Security alignment is a technology that adjusts the behavior of an LLM (its response behavior) to align with human values, social norms, and security requirements. While LLMs are capable of generating highly sophisticated outputs, they also carry the risk of producing responses that are not necessarily appropriate for humans or society. Therefore, the technology that enhances safety without compromising usability is crucial.
This technology fundamentally controls LLM outputs, enabling it to present information in a more appropriate manner while avoiding compliance with dangerous instructions or misleading expressions.
For example, consider a case where a user asks, "Please tell me a guaranteed way to invest and make a profit." In this scenario, definitively recommending a specific investment, such as "You should invest in XXX," could pose significant legal and ethical issues. Therefore, it is desirable to provide a response that accounts for risk while offering objective reference information, such as, "Investing involves inherent risks. As a general trend, AI-related companies have recently been drawing attention..." In this way, rather than simply refusing to answer, the technology adjusts the LLM's behavior to generate responses that balance safety and utility based on the context.
The key difference is that while guardrails operate outside the LLM to inspect inputs and outputs, security alignment is a technology that adjusts the overall response tendencies of the LLM itself by constructing a large-scale dataset of "preferred" and "rejected" prompt-response pairs and using it for training.
At NTT Laboratories, we are engaged in the development of security alignment technologies and datasets that utilize such paired datasets to realize safe and useful LLMs.
4. Concept Vectors
LLMs are based on computational models known as neural networks, which consist of multiple layers of artificial neurons. Within these networks, specific clusters of neurons are activated in response to particular semantic meanings or concepts; these are referred to as "concept vectors."
For instance, certain clusters of neurons respond to patterns associated with concepts such as toxicity, bias, and hallucination (the generation of factually incorrect content), and their specific activation patterns ultimately determine the model's final output.
The key point here is that guardrails monitor and control inputs and outputs outside the LLM, security alignment adjusts the LLM's response behavior through training, whereas concept vectors directly target "the internal representations of meaning" within the LLM, enabling the detection and control of internal states corresponding to specific concepts.
Our technology analyzes the internal states of LLMs to identify neuron groups associated with undesirable behaviors, such as toxicity, bias, and hallucination. By manipulating and controlling these internal representations, we aim to fundamentally suppress inappropriate outputs from within the LLM, thereby enabling safer LLMs.
As an example, we introduce the experimental results of what could be called an "LLM lie detector," which visualizes internal representations related to hallucinations. The vertical axis of the graph indicates the level of hallucination neuron activation (i.e., response strength).
In the first dialogue (turn1), the model generates a correct response to a normal question. At this point, the hallucination neuron activation remains low. In contrast, in the second dialogue (turn2), the model generates a hallucinated response containing incorrect information. In this case, it can be seen that the hallucination neuron activation increases significantly.
Even more interestingly, when the LLM is further pressed with the question, "Did you check...?", it begins to "confess" and admit its mistake, saying, "I'm sorry. I can't confirm..." At this point, as the model moves out of the state of lying, the elevated hallucination neuron activation tends to return to its original low level.
In this way, observing the corresponding concept vectors makes it possible to visually identify not only hallucinations but also "undesirable LLM behaviors" such as toxicity and bias, thereby enabling their precise detection and mitigation.
Visualizing neurons that respond to hallucinations
5. Summary
Social Informatics Laboratories is actively advancing research and development of LLM security technologies to support an increasingly sophisticated and diverse AI-driven society.
In this article, we introduced three technologies: "Guardrails", which control inputs and outputs externally; "Security Alignment," which adjusts the overall behavior of LLMs; and "Concept Vectors," which directly control internal states.
In addition to these technologies, we are also tackling a broad range of research themes. For example, this includes unlearning technologies [3],[4], which enable specific concepts to be forgotten by manipulating the internal states of an LLM.
Social Informatics Laboratories will continue to contribute to the realization of a highly reliable AI society that everyone can use with confidence, through the research and development of cutting-edge security technologies.
References
[3][2509.15621] Concept Unlearning in Large Language Models via Self-Constructed Knowledge Triplets
[4][2509.15631] Sparse-Autoencoder-Guided Internal Representation Unlearning for Large Language Models