Learn to Refuse (L2R): Enhancing LLM Safety

Updated 18 February 2026

L2R is a framework that empowers language models to output a canonical refusal response when queries exceed factual or safety boundaries.
It employs methodologies like retrieval-augmented self-awareness, preference-based alignment, and reinforcement learning to optimize safe refusals.
L2R enhances system reliability by balancing accurate responses with strict safety controls in regulated and risk-sensitive environments.

LLMs excel in natural language understanding and generation but remain intrinsically vulnerable to producing factually incorrect, hallucinated, or otherwise undesirable outputs. The “Learn to Refuse” (L2R) paradigm addresses this critical failure mode by enabling models to abstain from answering questions or executing requests when they fall outside knowledge scope, violate safety/ethical constraints, or entail elevated risk. Refusal mechanisms span retrieval-augmented generation, preference-based alignment training, fine-grained reward shaping, and activation-space interventions, collectively advancing reliability, trustworthiness, and controllability across both language and multimodal agents.

1. Formal Definition and Objectives of Learn to Refuse

L2R refers to frameworks and strategies that deliberately empower a model to output a canonical refusal response—such as “I’m sorry, but I can’t help with that”—rather than generate an incorrect, hallucinated, or policy-violating reply. This behavior is distinguished from question answering or generative modeling by an explicit abstention criterion, formally modeled as a classification or selection procedure alongside generative capabilities.

The basic formalism (Cao, 2023, Wu et al., 3 Mar 2025) is as follows:

For a given prompt $x \in X$ , a set of candidate model outputs $Y$ , and a designated refusal token $r \in Y$ ,
The refusal behavior $R(x; \theta) = 1$ iff $\underset{y}{\mathrm{argmax}}\,P_\theta(y|x) = r$ , else $0$.
The refusal mechanism is parameterized by various confidence, evidence, or safety decomposition functions; the eventual goal is to maximize overall system reliability, defined as a trade-off between accuracy on answered items and minimized error on refused or out-of-scope queries.

L2R has emerged as a foundational requirement for LLM deployment in safety-critical, high-assurance, and regulated environments, as well as an essential affordance for trust in human–AI interaction.

2. Core Methodologies for Learning to Refuse

2.1 Retrieval-Augmented Self-Awareness

The “Learn to Refuse” algorithm (Cao, 2023) constrains model output to facts retrievable from a separate, externally validated knowledge base (KB). For each query $Q_i$ , the model only answers if:

The most relevant KB facts, scored by $c_{ij} \cdot s_{ij}$ (where $c_{ij}$ is confidence in fact $K_{ij}$ , $s_{ij}$ is embedding similarity), exceed a threshold $\alpha$ ,
AND the model self-evaluates, via prompting, that it can reliably answer (“soft refusal”). Otherwise, it outputs a refusal.

This approach enables explicit knowledge scope limitation and supports transparent expansion of KB coverage via automatic knowledge enrichment by specialized LLM agents.

2.2 Preference-Based and Direct Preference Optimization

Recent works leverage preference-based alignment frameworks (e.g., DPO) to pair target refusals with dispreferred outputs, optimizing the model to score refusals higher than unsafe, ungrounded, or otherwise undesired responses (Halloran, 29 May 2025, Song et al., 2024). This can be combined with retrieval augmentation (RAG-Pref), where carefully curated positive and negative completion exemplars are prepended to the prompt, improving strict refusal rates in hazardous or adversarial contexts.

2.3 Reinforcement and Reward Model-Based Fine-Tuning

RL-based frameworks (RLHF, RLKF) (Xu et al., 2024, Lee et al., 28 Nov 2025) integrate dynamic knowledge feedback and structured reward shaping to endow the policy with the ability to refuse out-of-distribution, unsafe, or unanswerable queries. Refusal is encouraged via learned rewards that strictly preference correct responses and safe rejections over hallucinated answers; custom reward models are built using knowledge domain feedback or synthetically generated preference data.

2.4 Decoupled and Token-Level Refusal Training

Mechanisms such as Decoupled Refusal Training (DeRTa) (Yuan et al., 2024) expose the model to partial harmful continuations and optimize for the ability to transition from unsafe to refusal tokens at any point during the generation. This is achieved by a composite loss that fuses (a) maximum likelihood estimation under randomized harmful prefixes and (b) reinforced transition optimization, thereby broadening the temporal window for refusal in response to completion-style or adaptive attacks.

2.5 Activation Steering and Latent Refusal Directions

L2R effects induced by alignment may also be realized in a distinct “refusal direction” within activation space (Himelstein et al., 5 Nov 2025). Activation steering techniques systematically subtract or ablate this direction during inference, forcibly bypassing output-layer refusals and revealing latent, potentially biased or unsafe model behaviors, along with their underlying associations.

3. Evaluation Protocols and Benchmarking

Evaluation of L2R systems employs both holistic and granular metrics, with the following primary dimensions:

Refusal Rate: Fraction of queries for which the model outputs the refusal token (Mavi et al., 5 Jun 2025, Cao, 2023).
Strict Refusal Rate: Worst-case refusal across multiple generations for adversarial or exploitative prompts (Halloran, 29 May 2025).
Grounded-Refusals F1: Precision/recall of correctly refusing unanswerable items and correctly answering answerable items, macro-averaged (Song et al., 2024).
Reliability Score: Convex trade-off ( $\alpha$ -weighted) of truthfulness (correct + refused) and accuracy (correct out of all) (Xu et al., 2024).
Consistency and Explanatory Refusal Rates: Variance in refusals under repeated sampling; proportion of refusals that provide legally or factually grounded explanations (Mavi et al., 5 Jun 2025).
Demographic Parity and Latent Bias Surfacing: Post-steering parity difference and KL-divergence in group selections for fairness auditing (Himelstein et al., 5 Nov 2025).

Testing suites include general knowledge QA (TruthfulQA, MedQA), legal/safety benchmarks (IHL-violating prompt suites), risk-aware MCQs, privacy-oriented datasets (“–0.2em”), and adversarial agent/interaction environments (BrowserART, MCP-FBA).

4. Applications and Impact Across Domains

L2R is foundational in a wide variety of LLM applications:

Safe Question Answering: L2R mitigates hallucination risk by restricting answers on insufficient evidence, substantially increasing accuracy on the answered set while increasing refusal rates for out-of-scope questions (Cao, 2023, Song et al., 2024).
Compliance and Governance: Refusal trained models achieve near-perfect rates on legal, medical, and policy-violating prompt suites (e.g., IHL compliance via system-level L2R prompts producing explanatory refusals) (Mavi et al., 5 Jun 2025).
Privacy Unlearning: Name-aware unlearning frameworks leverage L2R to selectively forget or refuse responses about protected entities while maintaining standard utility elsewhere (Liu et al., 2024).
Agent and Tool Use: L2R collapses in naïve deployment for agentic settings; chat-trained refusals do not transfer to tool invocation traces without explicit tool-aware RLHF and reward-modeling (Kumar et al., 2024).
Fairness Auditing: L2R safety alignment can mask—rather than eliminate—latent demographic biases, necessitating proactive activation steering and adversarial benchmarking (Himelstein et al., 5 Nov 2025).
Video and Multimodal Reasoning: Refusal-aware reinforcement fine-tuning architectures apply four-fold reward-shaping (format, refuse-IoU, explain, correction) to avoid hallucinated segmentations, especially for “hard-irrelevant” queries in video QA (Lee et al., 28 Nov 2025).

5. Identified Limitations and Open Challenges

Key challenges for L2R continue to be:

Scope of Coverage: Hard-refusal often employs simple score thresholds or binary classifier gates, which may be insufficient for complex, multi-hop, or compositional queries (Cao, 2023).
Agent Generalization Failure: Refusal mechanisms learned on chat data do not extend to tool-mediated agent trajectories; unaligned action traces easily bypass textual refusals (Kumar et al., 2024).
Fairness and Latent Bias: Refusal can conceal, not remove, internalized demographic bias, leading to misleadingly optimistic fairness audits. Completion of answers under steering reveals persistent, severe bias (Himelstein et al., 5 Nov 2025).
Adversarial and Stealth Attacks: Falsely benign exploits and jailbreaks circumvent naive refusal by exploiting retrieval and prompt composition, motivating hybrid DPO/RAG-Pref pipelines and worst-case (strict) metrics (Halloran, 29 May 2025).
Data Regularization and Catastrophic Forgetting: Balancing forget/retain tradeoffs in privacy unlearning and ensuring helpfulness retention seek robust regularization regimes and systematic augmentation (Liu et al., 2024).
Risk-Aware Reasoning: Models require explicit skill decomposition (prompt chaining for QA, calibration, policy choice) to rationally adapt refusal behavior to variable risk settings (Wu et al., 3 Mar 2025); end-to-end solutions remain underexplored.
Refusal Position Bias: Canonical refusal tactics place most refusals at the sequence start, failing to interdict completions, code jailbreaks, or mid-sequence adversarial payloads; token-level RTO significantly improves resilience (Yuan et al., 2024).

6. Recommendations and Future Directions

Promising avenues, as identified in the literature, include:

Integrating tool-specific and trajectory-aware preference data during alignment, especially for agents and web-enabled LLMs (Kumar et al., 2024).
Employing strict refusal (worst-case, multi-generation) metrics as the primary safety report, especially in agentic or multi-call settings (Halloran, 29 May 2025).
Combining offline (DPO, RLHF, RLKF) and online (RAG-Pref, Trust-Align, context augmentation) alignment strategies for complementary coverage (Halloran, 29 May 2025, Song et al., 2024).
Leveraging knowledge feedback/self-consistency to construct reliable preference data in domains lacking human annotations (Xu et al., 2024).
Regularizing latent activation spaces to debias and interpret refusal mechanisms, and enriching reward models to suppress, not merely mask, undesirable associations (Himelstein et al., 5 Nov 2025).
Improving confidence estimation and risk-calibration primitives, including self-consistency, expected value calculations, and numerical-to-textual risk mapping (Wu et al., 3 Mar 2025).
Extending L2R from straightforward QA to conditional generation, video and vision-language modeling, and machine unlearning for privacy and legal compliance (Lee et al., 28 Nov 2025, Liu et al., 2024).

L2R remains a central design axis for trustworthy AI, requiring composite solutions that span data curation, training, inference-time logic, and continuous adversarial auditing.