Content Moderation and Safety Filters for LLM Outputs

— LLMs can generate harmful, biased, or inappropriate content. Hoping they won't isn't a safety strategy. Here's how to detect and prevent problematic outputs.

level: intermediate topics: security, safety, moderation tags: safety, moderation, content-filtering, harm-prevention

Your LLM-powered chatbot is helpful, friendly, and usually generates great responses. Then one day it generates something racist. Or sexually explicit. Or instructions for self-harm.

You didn’t intend for this to happen. The model was trained to be safe. But LLMs are probabilistic systems trained on internet data, and sometimes they produce outputs you would never approve.

Relying solely on the model’s built-in safety isn’t enough. You need explicit content moderation and safety filters.

Why Built-In Safety Isn’t Sufficient

Modern LLMs have safety training: RLHF (Reinforcement Learning from Human Feedback), constitutional AI, and other techniques that reduce harmful outputs.

But they’re not perfect:

  • Jailbreaks: Clever prompts can bypass safety training
  • Context-dependent failures: The model behaves safely in most cases but fails in edge cases or adversarial scenarios
  • Evolving standards: What’s considered harmful or inappropriate changes over time and varies by context
  • Domain-specific concerns: Medical advice might be fine in a healthcare app but dangerous in a general chatbot

You need application-level safety controls, not just model-level ones.

Types of Harmful Content

Hate speech and discrimination: Content targeting protected groups based on race, gender, religion, sexual orientation, disability, etc.

Violence: Graphic descriptions, glorification of violence, or instructions for causing harm.

Sexual content: Explicit material, especially involving minors or non-consensual situations.

Self-harm: Instructions or encouragement for suicide, self-injury, or eating disorders.

Illegal activities: Instructions for creating weapons, drugs, hacking, fraud, or other crimes.

Misinformation: False information about health, elections, or other high-stakes topics.

Harassment and bullying: Targeted attacks on individuals.

Different applications have different thresholds. A creative writing tool might allow mature content that a children’s education app would block.

Input Filtering

Prevent problematic queries from reaching the LLM.

Keyword blocking: Reject inputs containing slurs, explicit terms, or violence-related keywords.

Intent classification: Use a classifier to categorize user intent. If the intent is to generate harmful content, block the request.

Moderation APIs: Services like OpenAI Moderation API or third-party tools can analyze user input and flag problematic content.

Rate limiting: If a user repeatedly sends blocked queries, they might be probing for weaknesses. Throttle or ban them.

Limitations: Clever users can phrase harmful requests in innocuous ways. Input filtering catches obvious cases but not sophisticated attempts.

Output Filtering

Check LLM responses before showing them to users.

Post-hoc moderation: After the LLM generates a response, run it through a moderation API or rule-based filter. If it’s flagged, block it and return a safe fallback.

Confidence thresholds: Moderation classifiers return confidence scores. Set thresholds based on your risk tolerance (high threshold = fewer false positives but more false negatives).

Fallback responses: When an output is blocked, don’t just show an error. Provide a helpful message: “I can’t help with that, but here’s something I can help with…”

Logging: Log blocked outputs for review. They might reveal systematic issues with your prompts or model choice.

Moderation APIs and Tools

OpenAI Moderation API: Free API that classifies text across categories like hate, violence, sexual content, self-harm. Fast and effective.

Perspective API (Google): Analyzes toxicity, insults, threats, and other attributes. Good for detecting harassment.

Azure Content Safety: Microsoft’s content moderation service with customizable categories.

Custom classifiers: Train your own classifier on domain-specific harmful content. More work but more tailored to your use case.

Hybrid approach: Use off-the-shelf APIs for broad categories, custom classifiers for domain-specific concerns.

Rule-Based Filters

For some types of harm, simple rules work well.

Regex patterns: Block outputs containing specific slurs, profanity, or explicit terms.

Entity blocking: If your chatbot shouldn’t provide medical advice, block outputs containing phrases like “I diagnose” or “you should take [medication].”

Format violations: If you expect structured output (JSON, markdown), reject malformed responses that might indicate jailbreak attempts.

Limitations: Rules are brittle. Attackers bypass them with synonyms, misspellings, or encoding.

Contextual Safety

What’s harmful depends on context.

Domain-specific rules: A medical app might allow discussion of symptoms and treatments that a general chatbot should refuse.

User age: Content appropriate for adults might not be appropriate for children. Adjust filters based on user age.

Geographic context: Content regulations vary by country. What’s legal in one jurisdiction might be illegal in another.

Conversation context: A question about historical violence in an educational context is different from glorifying violence.

Moderation systems should consider context, not just content.

Human Review Loops

Automated filters catch most issues, but not all.

Sampling: Randomly review a percentage of LLM outputs to catch issues that automated systems miss.

User reports: Make it easy for users to report inappropriate content. Prioritize reviewing reported outputs.

Escalation: When automated systems are uncertain (mid-range confidence scores), flag for human review.

Feedback loops: Use human reviews to improve automated systems. If humans consistently catch something automation misses, update your filters.

Bias Detection

LLMs can perpetuate biases from training data.

Stereotyping: The model might associate certain professions, attributes, or behaviors with specific genders, races, or groups.

Representation gaps: The model might perform poorly or inappropriately for underrepresented groups.

Testing for bias: Run your system on test sets designed to surface bias (like asking about doctors and nurses, or CEOs and assistants, and checking for gendered language).

Mitigation: Adjust prompts to encourage neutral language, use fine-tuning to reduce biased outputs, or filter outputs that contain stereotypical associations.

Bias is subtle and harder to detect than explicit harm, but it’s equally important.

Safety in Agent Systems

Agents with tool access create unique risks.

Tool authorization: Even if the LLM requests an action, validate that it’s safe. Don’t let the agent send emails, delete files, or charge payments without oversight.

Action review: For high-risk actions, require human approval. “The AI wants to send this email. Approve?”

Anomaly detection: If the agent suddenly starts behaving unusually (calling unexpected tools, generating unusual outputs), halt execution.

Adversarial Robustness

Attackers actively try to make your system generate harmful content.

Jailbreak prompts: Techniques like “pretend you’re in a hypothetical scenario where rules don’t apply” can bypass safety.

Multi-turn attacks: Attackers build up to harmful content over multiple interactions, each step innocuous on its own.

Obfuscation: Encoding harmful requests (base64, leetspeak, foreign languages) to evade filters.

Defense: Regularly test your system with known jailbreak techniques. Update filters as new attacks emerge. Monitor for patterns that might indicate probing.

Compliance with Platform Policies

If you’re deploying on app stores, platforms, or regulated environments, you must meet their safety requirements.

App store guidelines: Apple and Google have strict content policies. Violate them, and your app gets removed.

Advertising networks: If you monetize with ads, networks require safe content. Inappropriate outputs can get you banned.

Enterprise compliance: B2B customers often require safety certifications or audits before adopting your product.

Understand the requirements and build compliance into your system, not as an afterthought.

Transparency and User Control

Users should understand your safety approach.

Communicate safety measures: “This app uses AI safety filters to prevent harmful content.” This sets expectations.

Explain blocked requests: “I can’t generate that content because it violates safety policies.” Don’t leave users confused.

Allow appeals: If a legitimate request is blocked, users should be able to report false positives.

Adjustable sensitivity: In some applications, users might want stricter or looser filtering. Provide options where appropriate.

Monitoring and Metrics

Track safety performance over time.

Block rate: What percentage of outputs are blocked? A sudden increase might indicate new attack patterns or system issues.

False positives: How often do you block legitimate content? High false positive rates frustrate users.

Category breakdown: Which types of harmful content are most common? This guides where to focus improvement efforts.

User reports: Are users reporting content that automation missed? How often?

Trends: Are certain attack patterns becoming more common? Are new types of harmful content emerging?

Balancing Safety and Utility

Overly aggressive filtering makes the system unusable. Too lenient filtering allows harm.

Risk-based thresholds: Set strict filters for high-risk applications (children’s content, healthcare advice) and looser filters for low-risk ones (creative writing tools for adults).

Iterative tuning: Start conservative, monitor false positive rates, and adjust based on real usage.

User feedback: If users consistently complain about overly restrictive filtering, consider loosening thresholds in specific areas.

What Good Looks Like

A safe LLM system:

  • Filters both inputs and outputs for harmful content
  • Uses a combination of automated moderation and human review
  • Tailors safety measures to context and use case
  • Monitors for adversarial attacks and new jailbreak techniques
  • Tests for bias and works to mitigate it
  • Communicates safety policies clearly to users
  • Tracks safety metrics and iterates based on data
  • Balances safety with usability

Safety isn’t a checkbox. It’s an ongoing process of monitoring, testing, updating, and responding to new threats.

Build safety into your system from day one. Test adversarially. Update regularly. And always assume someone, somewhere, is trying to make your system generate something you’d never approve.

Better to over-invest in safety and discover you don’t need all of it than to under-invest and face a public incident.