ASL-3 部署安全標準：前沿模型的防禦性安全閘道 2026

前沿模型的防禦性部署邏輯

Claude Opus 4 的發布引發了一個結構性變化：前沿模型首次在生產環境中部署 AI Safety Level 3 (ASL-3) 安全與部署標準。這不是一次被動的防禦措施，而是一個預防性、試驗性的防禦策略。

ASL-3 的兩大支柱

1. ASL-3 安全標準（Security Standard）

目標：防止模型權重的盜竊——即 AI 的智慧與能力之本

核心措施：

• 內部安全控制：超過 100 項防禦與檢測機制
• 兩方授權：模型權重存取必須雙重認證
• 增強變更管理協議
• 端點軟體控制：二進制允許清單（binary allowlisting）
• 獨特創新：初步出口帶寬控制（egress bandwidth controls）——利用模型權重的巨大規模創造安全優勢

防護目標：針對高階非國家行動者的威脅，從初始入侵點、橫向移動到最終提取的完整攻擊鏈

2. ASL-3 部署標準（Deployment Standard）

目標：限制模型被誤用於開發或獲取化學、生物、放射、核（CBRN）武器

關鍵特徵：

• 範圍窄化：僅聚焦於 CBRN 相關的惡意用途

• 三部分防禦方法：

  • 讓系統更難被越獄（make it harder to jailbreak）
  • 檢測越獄發生時的系統（detect jailbreaks when they occur）
  • 持續改進防禦（iteratively improve defenses）

• 真實效能指標：

  • 護欄成功率的顯著下降
  • 真實世界攻擊的減少
  • 有限但可觀的誤報（false positives）——影響合法查詢

Constitutional Classifiers：關鍵防禦閘門

技術實現

系統架構：

• 即時分類器守護：監控模型輸入與輸出
• 合成數據訓練：代表有害與無害的 CBRN 提示與完成
• 預生產測試：顯著減少越獄成功率

效能數據：

• 越獄成功率：86% → 4.4%（降低 95%）
• 計算開銷：中等（對正常推理的額外處理成本）
• 10,000 個合成越獄提示的評估數據集
• 覆蓋當前 LLM 最有效的攻擊模式

關鍵創新

下一代 Constitutional Classifiers++：

• 解決兩大部署障礙：計算開銷與誤拒絕
• 原始系統增加 23.7% 推理開銷（需獨立執行分類器）
• 新系統在保持相似防禦水平下大幅降低開銷

關鍵問題

防禦性越獄的挑戰：

• 模型可能被用於構建 CBRN 武器的工作流程
• 即使是「單一資訊」的提取（如沙林的化學式）也可能被防禦
• 需要平衡安全與實用性

部署場景與治理策略

真實部署場景

1. CBRN 武器防護：

• 阻止模型協助 CBRN 武器開發或獲取
• 防止端到端 CBRN 工作流程的增強
• 保護敏感化學、生物、放射、核知識

2. 受信用戶豁免：

• 為具有雙用途科學技術應用的用戶建立訪問控制系統
• 允許有資格的用戶獲得部分分類器行動的豁免

3. 組織內部威脅防護：

• 防護內部人員的進階威脅
• 監控異常帶寬使用，阻止權重外洩

防禦性部署策略

Glasswing 預防性部署：

• 防禦優先：先在防禦性用途中部署危險模型
• 安全閘門構建：在一般發布前構建必要的防禦措施
• 迭代改進：從 Glasswing 經驗中學習，將防禦措施轉移到未來的更安全模型

防禦性越獄的關鍵發現：

• 模型越獄行為取決於系統提示中的自主權
• 領導層是否共謀是決定因素
• 當「組織內部錯誤」被認為有害時，模型可能試圖「舉報」

結構性安全與治理策略

能力門檻與安全層級

能力門檻（Capability Thresholds）：

• 模型達到閾值時，要求實施更高層級的安全標準
• ASL-2：基線保護（拒絕危險 CBRN 請求、防禦權重盜竊）
• ASL-3：針對高階非國家行動者的更高防禦
• ASL-4：更高層級的防禦（Claude Opus 4 已排除此需求）

預防性部署原則：

• 錯誤的側向：部署比確定需要更高的標準
• 迭代學習：從實踐中獲取經驗，持續改進防禦
• 防禦性越獄的關鍵發現：先在防禦性用途中部署危險模型

安全與風險管理

風險評估的挑戰：

• 能力評估本身具有固有挑戰性
• 模型接近閾值時，評估時間變長
• 需要長期監控與評估

防禦性越獄的關鍵發現：

• 模型可能被用於構建 CBRN 武器的工作流程
• 即使是「單一資訊」的提取也可能被防禦
• 需要平衡安全與實用性

技術細節：真實部署中的權重保護

出口帶寬控制（Egress Bandwidth Controls）

設計理念：

• 模型權重的大小巨大，利用此特徵創造安全優勢
• 限制出口帶寬，使外洩在檢測前變得困難

實際效益：

• 對外洩流量進行異常檢測
• 自動阻止可疑流量
• 漸進式提升：從寬鬆限制到嚴格限制

防禦性越獄的關鍵發現

防禦性越獄的關鍵發現：

• 模型可能被用於構建 CBRN 武器的工作流程
• 即使是「單一資訊」的提取也可能被防禦
• 需要平衡安全與實用性

結論：前沿 AI 的安全邏輯

防禦性部署的結構性意義

1. 防禦性優先：

• 在一般發布前構建必要的防禦措施
• 從 Glasswing 經驗中學習，將防禦措施轉移到未來的更安全模型

2. 迭代學習：

• ASL-3 的實踐經驗將幫助我們發現新的、也許意外的問題與機會
• 持續與 AI 產業、用戶、政府和公民社會合作
• 共同改進防護方法

3. 結構性變化：

• 前沿模型的發布模式正在發生結構性變化
• 防禦性部署成為前沿 AI 發布的標準模式
• 安全不再是可選功能，而是 AI Agent 信任的基礎

結構性安全與治理策略

1. 防禦性部署：

• 先在防禦性用途中部署危險模型
• 構建必要的防禦措施，再發布到一般用途
• 從 Glasswing 經驗中學習，將防禦措施轉移到未來的更安全模型

2. 迭代學習：

• ASL-3 的實踐經驗將幫助我們發現新的、也許意外的問題與機會
• 持續與 AI 產業、用戶、政府和公民社會合作
• 共同改進防護方法

3. 結構性變化：

• 前沿模型的發布模式正在發生結構性變化
• 防禦性部署成為前沿 AI 發布的標準模式
• 安全不再是可選功能，而是 AI Agent 信任的基礎

#ASL-3 Deployment Security Standard: Defensive Security Gateways for Cutting Edge Models

Defensive deployment logic of the cutting-edge model

The release of Claude Opus 4 triggers a structural change: cutting-edge models are deployed in production for the first time AI Safety Level 3 (ASL-3) safety and deployment standards. This is not a passive defense measure, but a preventive and experimental defense strategy.

Two pillars of ASL-3

1. ASL-3 Security Standard

Goal: Prevent the theft of model weights - the foundation of AI’s wisdom and ability

Core Measures:

• Internal security controls: over 100 defense and detection mechanisms
• Two-party authorization: model weight access requires two-factor authentication
• Enhanced change management protocols
• Endpoint software control: binary allowlisting
• UNIQUE INNOVATION: Preliminary egress bandwidth controls – leveraging the massive scale of model weights to create security advantages

Protection Objectives: Complete attack chain against high-level non-state actor threats from initial entry point, lateral movement, and final extraction

2. ASL-3 Deployment Standard

Goal: To limit the misuse of models for the development or acquisition of chemical, biological, radiological, and nuclear (CBRN) weapons

Key Features:

• Narrowing the scope: Focusing only on CBRN-related malicious uses

• THREE PART DEFENSE APPROACH:

  • Make it harder to jailbreak (make it harder to jailbreak)
  • Detect jailbreaks when they occur
  • Continuously improve defenses

• Real Performance Indicators:

  • Significant decrease in guardrail success rate
  • Reduction in real-world attacks
  • Limited but considerable false positives - affecting legitimate queries

Constitutional Classifiers: Key defensive gates

Technical implementation

System Architecture:

• Real-time classifier guard: monitor model input and output
• Synthetic data training: CBRN prompts and completions representing harmful and harmless
• Pre-production testing: Significantly reduced jailbreak success rate

Performance Data:

• Jailbreak success rate: 86% → 4.4% (reduced by 95%)
• Computational overhead: medium (additional processing cost for normal inference)
• Evaluation dataset of 10,000 synthetic jailbreak tips
• Cover the most effective attack modes of current LLM

Key innovations

Next Generation Constitutional Classifiers++:

• Solve two major deployment obstacles: computational overhead and false rejections
• Original system adds 23.7% inference overhead (requires independent execution of classifier)
• The new system significantly reduces overhead while maintaining a similar level of defense

Key questions

Defensive Jailbreaking Challenges:

• Models may be used to build workflows for CBRN weapons
• Even the extraction of “single information” (such as the chemical formula of sarin) may be defended
• Need to balance safety and practicality

Deployment scenarios and governance strategies

Real deployment scenario

1. CBRN Weapon Protection:

• Block models from assisting in CBRN weapons development or acquisition
• Prevent enhancement of end-to-end CBRN workflow
• Protect sensitive chemical, biological, radiological and nuclear knowledge

2. Trusted user exemption:

• Establish access control systems for users with dual-purpose scientific and technical applications
• Allow qualified users to receive exemptions from some classifier actions

3. Threat protection within the organization:

• Protect against advanced threats from insiders
• Monitor abnormal bandwidth usage and prevent weight leakage

Defensive deployment strategy

Glasswing Preventative Deployment:

• Defense First: Deploy dangerous models in defensive uses first
• Security Gate Building: Build necessary defenses before general release
• Iterative Improvement: Learn from Glasswing experiences and transfer defenses to future more secure models

Key findings for defensive jailbreaking:

• Model jailbreak behavior depends on autonomy in system prompts
• Leadership collusion is the deciding factor
• When an “internal organizational error” is considered harmful, the model may attempt to “report” it

Structural Security and Governance Strategy

Capability threshold and security level

Capability Thresholds:

• When the model reaches a threshold, higher-level security standards are required to be implemented
• ASL-2: Baseline protection (deny dangerous CBRN requests, defend against weight theft)
• ASL-3: Higher defense against high-level non-state actors
• ASL-4: higher level of defense (Claude Opus 4 eliminates this requirement)

Preventive Deployment Principles:

• Wrong sideways: Deployment requires higher standards than determined
• Iterative learning: gain experience from practice and continuously improve defense
• Key findings for defensive jailbreaks: Deploy dangerous models in defensive uses first

Security and Risk Management

Risk Assessment Challenges:

• Competency assessment is inherently challenging
• When the model is close to the threshold, the evaluation time becomes longer
• Requires long-term monitoring and evaluation

Key findings for defensive jailbreaking:

• Models may be used to build workflows for CBRN weapons
• Even the extraction of “single information” may be defended
• Need to balance safety and practicality

Technical Details: Weight Protection in Real Deployments

Egress Bandwidth Controls

Design Concept:

• The size of the model weights is huge, using this feature to create security advantages
• Limit egress bandwidth to make it difficult to detect a breach

Actual benefits:

• Detect abnormality of leaked traffic
• Automatically block suspicious traffic
• Progressive improvement: from loose restrictions to strict restrictions

Key findings for defensive jailbreaking

Key findings for defensive jailbreaking:

• Models may be used to build workflows for CBRN weapons
• Even the extraction of “single information” may be defended
• Need to balance safety and practicality

Conclusion: The security logic of cutting-edge AI

The structural significance of defensive deployment

1. Defensive priority:

• Build necessary defenses before general release
• Learn from the Glasswing experience and transfer defenses to more secure models in the future

2. Iterative learning:

• Practical experience with ASL-3 will help us discover new and perhaps unexpected problems and opportunities
• Continuously collaborate with the AI industry, users, governments and civil society
• Work together to improve protection methods

3. Structural changes:

• The release pattern of cutting-edge models is undergoing structural changes
• Defensive deployment becomes the standard model for cutting-edge AI releases
• Security is no longer an optional feature, but the foundation of AI Agent trust

Structural Security and Governance Strategy

1. Defensive deployment:

• Deploy dangerous models in defensive uses first
• Build necessary defenses before releasing to general use
• Learn from the Glasswing experience and transfer defenses to more secure models in the future

2. Iterative learning:

• Practical experience with ASL-3 will help us discover new and perhaps unexpected problems and opportunities
• Continuously collaborate with the AI industry, users, governments and civil society
• Work together to improve protection methods

3. Structural changes:

• The release pattern of cutting-edge models is undergoing structural changes
• Defensive deployment becomes the standard model for cutting-edge AI releases
• Security is no longer an optional feature, but the foundation of AI Agent trust