This work addresses a critical vulnerability in existing reinforcement learning from human feedback (RLHF) systems, where the reward model (RM) and the large language model (LLM) may jointly fail, leading to systemic safety risks. The authors propose the first red-teaming and end-to-end mitigation framework specifically designed to expose and rectify such co-failures. Their approach employs a “safety mentor” that dynamically assembles structured components—including topics, personas, strategies, and objectives—to generate semantically coherent adversarial prompts that simultaneously reveal weaknesses in both the RM and the policy model. This is followed by a two-stage fine-tuning procedure: first enhancing the RM’s ability to discriminate harmful content, then refining the LLM using the improved RM. Experiments demonstrate that the method substantially improves system safety across multiple adversarial benchmarks while preserving original language capabilities, confirming its effectiveness and generalizability.

Reinforcement Learning from Human Feedback (RLHF) is central to aligning Large Language Models (LLMs), yet it introduces a critical vulnerability: an imperfect Reward Model (RM) can become a single point of failure when it fails to penalize unsafe behaviors. While existing red-teaming approaches primarily target policy-level weaknesses, they overlook what we term systemic weaknesses cases where both the core LLM and the RM fail in tandem. We present ARES, a framework that systematically discovers and mitigates such dual vulnerabilities. ARES employs a ``Safety Mentor'' that dynamically composes semantically coherent adversarial prompts by combining structured component types (topics, personas, tactics, goals) and generates corresponding malicious and safe responses. This dual-targeting approach exposes weaknesses in both the core LLM and the RM simultaneously. Using the vulnerabilities gained, ARES implements a two-stage repair process: first fine-tuning the RM to better detect harmful content, then leveraging the improved RM to optimize the core model. Experiments across multiple adversarial safety benchmarks demonstrate that ARES substantially enhances safety robustness while preserving model capabilities, establishing a new paradigm for comprehensive RLHF safety alignment.