Unfair Alignment: Examining Safety Alignment Across Vision Encoder Layers in Vision-Language Models

📅 2024-11-06
🏛️ arXiv.org
📈 Citations: 0
Influential: 0
🤖 AI Summary
Visual language models (VLMs) exhibit significant cross-layer imbalance in safety capabilities within their image encoders—early and middle layers are markedly more vulnerable to adversarial inputs than the final layer, revealing a fundamental limitation of single-layer alignment strategies. Method: We introduce the novel concept of “unfair alignment” to characterize the non-uniform internal distribution of toxicity across vision encoder layers. We propose an activation-projection-based cross-layer toxicity analysis framework, jointly evaluating multi-layer attack success rates and toxicity scores. Contribution/Results: Empirical evaluation on LLaVA-1.5 and Llama 3.2 demonstrates up to a 3.2× disparity in layer-wise attack success rates and >40% fluctuation in toxicity scores. Critically, bypassing vulnerable layers—exploiting the ICET vulnerability—substantially increases the probability of harmful outputs. Consequently, safety fine-tuning applied to a single layer fails to ensure end-to-end robustness of the visual encoder, underscoring the necessity of holistic, multi-layer safety alignment.

📝 Abstract
Vision-language models (VLMs) have improved significantly in multi-modal tasks, but their more complex architecture makes their safety alignment more challenging than the alignment of large language models (LLMs). In this paper, we reveal an unfair distribution of safety across the layers of VLM's vision encoder, with earlier and middle layers being disproportionately vulnerable to malicious inputs compared to the more robust final layers. This 'cross-layer' vulnerability stems from the model's inability to generalize its safety training from the default architectural settings used during training to unseen or out-of-distribution scenarios, leaving certain layers exposed. We conduct a comprehensive analysis by projecting activations from various intermediate layers and demonstrate that these layers are more likely to generate harmful outputs when exposed to malicious inputs. Our experiments with LLaVA-1.5 and Llama 3.2 show discrepancies in attack success rates and toxicity scores across layers, indicating that current safety alignment strategies focused on a single default layer are insufficient.

Problem

Research questions and friction points this paper is trying to address.

Uneven harmful information distribution in VLM image encoder layers
Early layer skipping increases harmful response generation risk
Need for layer-wise safety alignment in vision-language models

Innovation

Methods, ideas, or system contributions that make the work stand out.

Early-exit vulnerability analysis in VLMs
Layer-wise multi-modal RLHF modification
Clip-PPO adapted for layer-wise alignment