This work addresses the challenge of securing large reasoning models in deployment, where inconsistencies between internal reasoning processes and final outputs render them vulnerable to semantic obfuscation and long-context attacks in black-box settings. To mitigate these risks, the authors propose the Safety Context Injection (SCI) framework, which decouples safety assessment from task generation and steers model outputs toward safety by injecting structured external risk reports. SCI uniquely integrates Static Model Filtering (SMF) for low-latency, single-pass detection with Dynamic Agent Filtering (DAF) for iterative evidence gathering and holistic risk analysis. Empirical evaluations on AdvBench and GPTFuzz demonstrate that SCI substantially reduces both the success rates of five types of jailbreaking attacks and output toxicity, with SMF excelling in time-sensitive scenarios and DAF offering superior robustness against complex adversarial strategies.

Large Reasoning Models (LRMs) improve performance on complex tasks, but they also make safety control harder at deployment time. In black-box settings, defenders cannot modify model weights and must instead intervene at inference time. This setting creates three practical challenges: harmful intent may be hidden by educational or role-play framing, deep safety analysis can introduce non-trivial latency, and long adversarial contexts can dilute the local cues that simpler filters rely on. These challenges can expose an apparent thinking--output gap, where the model appears cautious during reasoning but still produces an unsafe final answer. To address this problem, we propose Safety Context Injection (SCI), an inference-time framework that separates safety assessment from task generation and prepends a structured external risk report as injected safety context for the protected model. The framework is instantiated in two complementary variants: Static Model Filtering (SMF), a lightweight one-pass guard for fast deployment, and Dynamic Agents Filtering (DAF), an agentic-loop-based analyzer that iteratively gathers and synthesizes evidence for ambiguous or long-context attacks. Across AdvBench and GPTFuzz, spanning base and reasoning models under five jailbreak families, both variants reduce attack success rate and toxicity in the evaluated settings. SMF offers an efficient low-latency option, while DAF is more effective when harmful intent is semantically disguised or dispersed across long contexts.