This study addresses the unique safety challenges confronting vision-language-action (VLA) models in embodied intelligence, including physically irreversible risks, expansive multimodal attack surfaces, and the need for real-time defenses—distinct from those of purely textual large language models or traditional robotics. The work presents the first systematic delineation of VLA safety and introduces a unified classification framework organized along dual training/inference temporal axes, integrating four key dimensions: attack typologies, defense mechanisms, evaluation benchmarks, and deployment scenarios. It encompasses threats such as data poisoning, adversarial patches, and semantic jailbreaking, alongside corresponding training- and runtime-level countermeasures. Furthermore, the paper synthesizes existing evaluation methodologies and identifies critical research directions—including certified robustness, physically realizable defenses, and safety-aware training—to advance standardized assessment protocols and unified runtime safety architectures for VLA systems.

Vision-Language-Action (VLA) models are emerging as a unified substrate for embodied intelligence. This shift raises a new class of safety challenges, stemming from the embodied nature of VLA systems, including irreversible physical consequences, a multimodal attack surface across vision, language, and state, real-time latency constraints on defense, error propagation over long-horizon trajectories, and vulnerabilities in the data supply chain. Yet the literature remains fragmented across robotic learning, adversarial machine learning, AI alignment, and autonomous systems safety. This survey provides a unified and up-to-date overview of safety in Vision-Language-Action models. We organize the field along two parallel timing axes, attack timing (training-time vs. inference-time and defense timing (training-time vs. inference-time, linking each class of threat to the stage at which it can be mitigated. We first define the scope of VLA safety, distinguishing it from text-only LLM safety and classical robotic safety, and review the foundations of VLA models, including architectures, training paradigms, and inference mechanisms. We then examine the literature through four lenses: Attacks, Defenses, Evaluation, and Deployment. We survey training-time threats such as data poisoning and backdoors, as well as inference-time attacks including adversarial patches, cross-modal perturbations, semantic jailbreaks, and freezing attacks. We review training-time and runtime defenses, analyze existing benchmarks and metrics, and discuss safety challenges across six deployment domains. Finally, we highlight key open problems, including certified robustness for embodied trajectories, physically realizable defenses, safety-aware training, unified runtime safety architectures, and standardized evaluation.