Multimodal large language models (MLLMs) are vulnerable to joint text-image jailbreaking attacks during visual reasoning, and training-time safety alignment alone proves insufficient for robust defense. Method: This paper proposes a novel inference-time alignment framework that formally characterizes jailbreak resistance mechanisms at inference. It leverages safety reward modeling to guide constrained decoding—requiring no fine-tuning and enabling plug-and-play deployment. Contribution/Results: Through mathematically grounded safety analysis and evaluation on multimodal jailbreaking benchmarks (e.g., MMBench-Jailbreak), the framework reduces text-based jailbreak success rates by 57.82% over baseline and 16.78% over state-of-the-art defenses on LLaVA-1.6, while fully preserving original visual understanding capabilities.

With the widespread deployment of Multimodal Large Language Models (MLLMs) for visual-reasoning tasks, improving their safety has become crucial. Recent research indicates that despite training-time safety alignment, these models remain vulnerable to jailbreak attacks. In this work, we first highlight an important safety gap to describe that alignment achieved solely through safety training may be insufficient against jailbreak attacks. To address this vulnerability, we propose Immune, an inference-time defense framework that leverages a safe reward model through controlled decoding to defend against jailbreak attacks. Additionally, we provide a mathematical characterization of Immune, offering insights on why it improves safety against jailbreaks. Extensive evaluations on diverse jailbreak benchmarks using recent MLLMs reveal that Immune effectively enhances model safety while preserving the model's original capabilities. For instance, against text-based jailbreak attacks on LLaVA-1.6, Immune reduces the attack success rate by 57.82% and 16.78% compared to the base MLLM and state-of-the-art defense strategy, respectively.