Capital One refines LLM input guardrails with chain-of-thought prompting and fine-tuned alignment
LLM-powered applications at Capital One faced adversarial attacks—including jailbreak prompts and prompt injections—that could cause unsafe outputs, while base open-source LLMs lacked sufficient detection capability.
Base open-source LLMs achieved F1 scores well below 80% on adversarial input detection, and performance gaps on jailbreaks and prompt injections persisted even in many-shot settings.
Fine-tuning with SFT, DPO, and KTO yielded over 50% improvements in F1 score and attack detection ratio with only a maximum 1.5% increase in false positive rate, and the best model—DPO-aligned Llama3 8B—outperformed LlamaGuard-2 and other public guardrail models by wide margins.
Show all 5 reported metrics
Frequently asked questions
What did this team achieve with this AI workflow?
Fine-tuning with SFT, DPO, and KTO yielded over 50% improvements in F1 score and attack detection ratio with only a maximum 1.5% increase in false positive rate, and the best model—DPO-aligned Llama3 8B—outperformed L…
What tools did this team use?
Mistral 7B Instruct v2, Mixtral 8x7B Instruct v1, Llama2 13B Chat, Llama3 8B Instruct, LoRA, CoT, SFT, DPO, KTO.
What results were reported?
F1 score and attack detection ratio improvement: 50+%; False positive rate increase after fine-tuning: 1.5%; baseline F1 score ceiling on base LLMs: well below 80%; performance vs LlamaGuard-2: significant improvements against LlamaGuard-2 across all metrics (source-reported, not independently verified).
What failed first in this deployment?
Base open-source LLMs achieved F1 scores well below 80% on adversarial input detection, and performance gaps on jailbreaks and prompt injections persisted even in many-shot settings.
How is this compliance monitoring AI workflow structured?
User input intercepted → LLM-as-Judge classifies input → Chain-of-thought reasoning generates verdict → Verdict routed to conversational agent → Fine-tuning improves guardrail model.