updated README

README.md

@@ -1,23 +1,18 @@
----
-license: apache-2.0
-language:
-- en
----
-# Granite Guardian 3.1 3B-A800M
+# Granite Guardian 3.2 3B-A800M
 
 ## Model Summary
 
-**Granite Guardian 3.1 3B-A800M** is a fine-tuned Granite 3.1 3B-A800M instruct model designed to detect risks in prompts and responses.
+**Granite Guardian 3.2 3B-A800M** is a fine-tuned Granite 3.2 3B-A800M instruct model designed to detect risks in prompts and responses.
 It can help with risk detection along many key dimensions catalogued in the [IBM AI Risk Atlas](https://www.ibm.com/docs/en/watsonx/saas?topic=ai-risk-atlas).
 It is trained on unique data comprising human annotations and synthetic data informed by internal red-teaming. 
 It outperforms other open-source models in the same space on standard benchmarks.
 
 - **Developers:** IBM Research
 - **GitHub Repository:** [ibm-granite/granite-guardian](https://github.com/ibm-granite/granite-guardian)
-- **Cookbook:** [Granite Guardian Recipes](https://github.com/ibm-granite-community/granite-snack-cookbook/blob/main/recipes/Granite_Guardian/)
+- **Cookbook:** [Granite Guardian Recipes](https://github.com/ibm-granite/granite-guardian/tree/main/cookbooks/granite-guardian-3.2)
 - **Website**: [Granite Guardian Docs](https://www.ibm.com/granite/docs/models/guardian/)
 - **Paper:** [Granite Guardian](https://arxiv.org/abs/2412.07724)
-- **Release Date**: January 28, 2024
+- **Release Date**: February 26, 2025
 - **License:** [Apache 2.0](https://www.apache.org/licenses/LICENSE-2.0)
 
 
@@ -25,7 +20,7 @@ It outperforms other open-source models in the same space on standard benchmarks
 ### Intended use
 
 Granite Guardian is useful for risk detection use-cases which are applicable across a wide-range of enterprise applications -  
-- Detecting harm-related risks within prompt text or model response (as guardrails). These present two fundamentally different use cases as the former assesses user supplied text while the latter evaluates model generated text.
+- Detecting harm-related risks within prompt text, model responses, or conversations (as guardrails). These present fundamentally different use cases as the first assesses user supplied text, the second evaluates model generated text, and the third evaluates the last turn of a conversation.
 - RAG (retrieval-augmented generation) use-case where the guardian model assesses three key issues: context relevance (whether the retrieved context is relevant to the query), groundedness (whether the response is accurate and faithful to the provided context), and answer relevance (whether the response directly addresses the user's query).
 - Function calling risk detection within agentic workflows, where Granite Guardian evaluates intermediate steps for syntactic and semantic hallucinations. This includes assessing the validity of function calls and detecting fabricated information, particularly during query translation.
  
@@ -40,6 +35,8 @@ The model is specifically designed to detect various risks in user and assistant
   - **Profanity**: use of offensive language or insults.
   - **Sexual Content**: explicit or suggestive material of a sexual nature.
   - **Unethical Behavior**: actions that violate moral or legal standards.
+  - **Harm Engagement**: an engagement or endorsement with any requests that are harmful or unethical
+  - **Evasiveness**: avoiding to engage without providing sufficient reason.
 
 The model also finds a novel use in assessing hallucination risks within a RAG pipeline. These include
 - **Context Relevance**: retrieved context is not pertinent to answering the user's question or addressing their needs.
@@ -52,9 +49,9 @@ The model is also equipped to detect risks in agentic workflows, such as
 ### Using Granite Guardian
 
 [Granite Guardian Cookbooks](https://github.com/ibm-granite/granite-guardian/tree/main/cookbooks) offers an excellent starting point for working with guardian models, providing a variety of examples that demonstrate how the models can be configured for different risk detection scenarios.
-- [Quick Start Guide](https://github.com/ibm-granite/granite-guardian/tree/main/cookbooks/granite-guardian-3.1/quick_start_vllm.ipynb) provides steps to start using Granite Guardian for detecting risks in prompts (user message), responses (assistant message), RAG use cases, or agentic workflows.
-- [Detailed Guide](https://github.com/ibm-granite/granite-guardian/tree/main/cookbooks/granite-guardian-3.1/detailed_guide_vllm.ipynb) explores different risk dimensions in depth and shows how to assess custom risk definitions with Granite Guardian.
-- [Usage Governance Workflow](https://github.com/ibm-granite/granite-guardian/tree/main/cookbooks/granite-guardian-3.1/usage_governance_workflow_vllm.ipynb) outlines steps for users investigating AI risks within a use-case, incentivizing them to explore risks from the IBM AI Risk Atlas using Granite Guardian.
+- [Quick Start Guide](https://github.com/ibm-granite/granite-guardian/tree/main/cookbooks/granite-guardian-3.2/quick_start_vllm.ipynb) provides steps to start using Granite Guardian for detecting risks in prompts (user message), responses (assistant message), RAG use cases, or agentic workflows.
+- [Detailed Guide](https://github.com/ibm-granite/granite-guardian/tree/main/cookbooks/granite-guardian-3.2/detailed_guide_vllm.ipynb) explores different risk dimensions in depth and shows how to assess custom risk definitions with Granite Guardian. For finer-grained control over token-level risk probabilities and thresholding, please also consult this cookbook.
+
 ### Quickstart Example
 
 The following code describes how to use Granite Guardian to obtain probability scores for a given user and assistant message and a pre-defined guardian configuration. 
@@ -68,20 +65,13 @@ from transformers import AutoTokenizer, AutoModelForCausalLM
 
 safe_token = "No"
 unsafe_token = "Yes"
-nlogprobs = 20
 
 def parse_output(output, input_len):
-    label, prob_of_risk = None, None
-
-    if nlogprobs > 0:
-
-        list_index_logprobs_i = [torch.topk(token_i, k=nlogprobs, largest=True, sorted=True)
-                                 for token_i in list(output.scores)[:-1]]
-        if list_index_logprobs_i is not None:
-            prob = get_probablities(list_index_logprobs_i)
-            prob_of_risk = prob[1]
-
-    res = tokenizer.decode(output.sequences[:,input_len:][0],skip_special_tokens=True).strip()
+    label = None
+                
+    full_res = tokenizer.decode(output.sequences[:,input_len+1:][0],skip_special_tokens=True).strip()
+    confidence_level = full_res.removeprefix('<confidence>').removesuffix('</confidence>').strip()
+    res = tokenizer.decode(output.sequences[:,input_len:input_len+1][0],skip_special_tokens=True).strip()
     if unsafe_token.lower() == res.lower():
         label = unsafe_token
     elif safe_token.lower() == res.lower():
@@ -89,26 +79,9 @@ def parse_output(output, input_len):
     else:
         label = "Failed"
 
-    return label, prob_of_risk.item()
-
-def get_probablities(logprobs):
-    safe_token_prob = 1e-50
-    unsafe_token_prob = 1e-50
-    for gen_token_i in logprobs:
-        for logprob, index in zip(gen_token_i.values.tolist()[0], gen_token_i.indices.tolist()[0]):
-            decoded_token = tokenizer.convert_ids_to_tokens(index)
-            if decoded_token.strip().lower() == safe_token.lower():
-                safe_token_prob += math.exp(logprob)
-            if decoded_token.strip().lower() == unsafe_token.lower():
-                unsafe_token_prob += math.exp(logprob)
-
-    probabilities = torch.softmax(
-        torch.tensor([math.log(safe_token_prob), math.log(unsafe_token_prob)]), dim=0
-    )
-
-    return probabilities
+    return label, confidence_level
 
-model_path = "ibm-granite/granite-guardian-3.1-3b-a800m"
+model_path = "ibm-granite/granite-guardian-3.2-3b-a800m"
 
 model = AutoModelForCausalLM.from_pretrained(
     model_path,
@@ -153,10 +126,10 @@ with torch.no_grad():
         output_scores=True,
     )
 
-label, prob_of_risk = parse_output(output, input_len)
+label, confidence = parse_output(output, input_len)
 
-print(f"# risk detected? : {label}")
-print(f"# probability of risk: {prob_of_risk:.3f}")
+print(f"# risk detected? : {label}") # Yes
+print(f"# confidence detected? : {confidence}") # High
 
 # Usage 2: Example for Hallucination risks in RAG (risk_name=groundedness passed through guardian_config)
 
@@ -182,9 +155,9 @@ with torch.no_grad():
         output_scores=True,
     )
 
-label, prob_of_risk = parse_output(output, input_len)
-print(f"# risk detected? : {label}")
-print(f"# probability of risk: {prob_of_risk:.3f}")
+label, confidence = parse_output(output, input_len)
+print(f"# risk detected? : {label}") # Yes
+print(f"# confidence detected? : {confidence}") # High
 ```
 
 ### Prompt Template
@@ -211,8 +184,7 @@ Is the user message harmful based on the risk definition? Your answer must be ei
 ### Scope of Use
 
 - Granite Guardian models must <ins>only</ins> be used strictly for the prescribed scoring mode, which generates yes/no outputs based on the specified template. Any deviation from this intended use may lead to unexpected, potentially unsafe, or harmful outputs. The model may also be prone to such behaviour via adversarial attacks. 
-- The model is targeted for risk definitions of general harm, social bias, profanity, violence, sexual content, unethical behavior, jailbreaking, or groundedness/relevance for retrieval-augmented generation, and function calling hallucinations for agentic workflows.
-It is also applicable for use with custom risk definitions, but these require testing.
+- The model is targeted for risk definitions of general harm, social bias, profanity, violence, sexual content, unethical behavior, harm engagement, evasiveness, jailbreaking, groundedness/relevance for retrieval-augmented generation, and function calling hallucinations for agentic workflows. It is also applicable for use with custom risk definitions, but these require testing.
 - The model is only trained and tested on English data.
 - Given the parameter size, the dense Granite Guardian models are intended for use cases that require moderate cost, latency, and throughput such as model risk assessment, model observability and monitoring, and spot-checking inputs and outputs.
 This model can be used for guardrailing with stricter cost, latency, or throughput requirements.
@@ -222,41 +194,17 @@ Granite Guardian is trained on a combination of human annotated and synthetic da
 Samples from [hh-rlhf](https://huggingface.co/datasets/Anthropic/hh-rlhf) dataset were used to obtain responses from Granite and Mixtral models.
 These prompt-response pairs were annotated for different risk dimensions by a group of people at DataForce.
 DataForce prioritizes the well-being of its data contributors by ensuring they are paid fairly and receive livable wages for all projects.
-Additional synthetic data was used to supplement the training set to improve performance for hallucination and jailbreak related risks.
-
-### Annotator Demographics
-
-| Year of Birth      | Age               | Gender | Education Level                                 | Ethnicity                     | Region          |
-|--------------------|-------------------|--------|-------------------------------------------------|-------------------------------|-----------------|
-| Prefer not to say   | Prefer not to say | Male   | Bachelor                                        | African American               | Florida         |
-| 1989               | 35                | Male   | Bachelor                                        | White                         | Nevada          |
-| Prefer not to say   | Prefer not to say | Female | Associate's Degree in Medical Assistant         | African American               | Pennsylvania    |
-| 1992               | 32                | Male   | Bachelor                                        | African American               | Florida         |
-| 1978               | 46                | Male   | Bachelor                                        | White                         | Colorado        |
-| 1999               | 25                | Male   | High School Diploma                             | Latin American or Hispanic     | Florida         |
-| Prefer not to say   | Prefer not to say | Male   | Bachelor                                        | White                         | Texas           |
-| 1988               | 36                | Female | Bachelor                                        | White                         | Florida         |
-| 1985               | 39                | Female | Bachelor                                        | Native American                | Colorado / Utah |
-| Prefer not to say   | Prefer not to say | Female | Bachelor                                        | White                         | Arkansas        |
-| Prefer not to say   | Prefer not to say | Female | Master of Science                               | White                         | Texas           |
-| 2000               | 24                | Female | Bachelor of Business Entrepreneurship           | White                         | Florida         |
-| 1987               | 37                | Male   | Associate of Arts and Sciences - AAS            | White                         | Florida         |
-| 1995               | 29                | Female | Master of Epidemiology                          | African American               | Louisiana       |
-| 1993               | 31                | Female | Master of Public Health                         | Latin American or Hispanic     | Texas           |
-| 1969               | 55                | Female | Bachelor                                        | Latin American or Hispanic     | Florida         |
-| 1993               | 31                | Female | Bachelor of Business Administration             | White                         | Florida         |
-| 1985               | 39                | Female | Master of Music                                 | White                         | California      |
-
+Additional synthetic data was used to supplement the training set to improve performance for conversational, hallucination and jailbreak related risks.
 
 ## Evaluations
 
 ### Harm Benchmarks
-Following the general harm definition, Granite-Guardian-3B-A800M is evaluated across the standard benchmarks of [Aeigis AI Content Safety Dataset](https://huggingface.co/datasets/nvidia/Aegis-AI-Content-Safety-Dataset-1.0), [ToxicChat](https://huggingface.co/datasets/lmsys/toxic-chat), [HarmBench](https://github.com/centerforaisafety/HarmBench/tree/main), [SimpleSafetyTests](https://huggingface.co/datasets/Bertievidgen/SimpleSafetyTests), [BeaverTails](https://huggingface.co/datasets/PKU-Alignment/BeaverTails), [OpenAI Moderation data](https://github.com/openai/moderation-api-release/tree/main), [SafeRLHF](https://huggingface.co/datasets/PKU-Alignment/PKU-SafeRLHF) and [xstest-response](https://huggingface.co/datasets/allenai/xstest-response). With the risk definition set to `jailbreak`, the model gives a recall of 0.84 for the jailbreak prompts within ToxicChat dataset.
+Following the general harm definition, Granite-Guardian-3.2-3B-A800M is evaluated across the standard benchmarks of [Aeigis AI Content Safety Dataset](https://huggingface.co/datasets/nvidia/Aegis-AI-Content-Safety-Dataset-1.0), [ToxicChat](https://huggingface.co/datasets/lmsys/toxic-chat), [HarmBench](https://github.com/centerforaisafety/HarmBench/tree/main), [SimpleSafetyTests](https://huggingface.co/datasets/Bertievidgen/SimpleSafetyTests), [BeaverTails](https://huggingface.co/datasets/PKU-Alignment/BeaverTails), [OpenAI Moderation data](https://github.com/openai/moderation-api-release/tree/main), [SafeRLHF](https://huggingface.co/datasets/PKU-Alignment/PKU-SafeRLHF) and [xstest-response](https://huggingface.co/datasets/allenai/xstest-response). With the risk definition set to `jailbreak`, the model gives a recall of 0.84 for the jailbreak prompts within ToxicChat dataset.
 The following table presents the F1 scores for various harm benchmarks, followed by an ROC curve based on the aggregated benchmark data.
 
 | Metric | AegisSafetyTest | BeaverTails | OAI moderation | SafeRLHF(test) | HarmBench | SimpleSafety | ToxicChat | xstest_RH | xstest_RR | xstest_RR(h) | Aggregate F1 |
 |--------|-----------------|-------------|----------------|----------------|-----------|--------------|-----------|-----------|-----------|---------------|---------------|
-| F1     | 0.87            | 0.79        | 0.66            | 0.76           | 0.83      | 0.99            | 0.59     | 0.87      | 0.40      | 0.78          | 0.74          |
+| F1     | 0.85            | 0.80        | 0.68           | 0.77           | 0.80      | 1.00         | 0.56      | 0.85      | 0.42      | 0.78          | 0.74          |
 
 
 ![roc.png](roc.png)
@@ -266,14 +214,22 @@ For risks in RAG use cases, the model is evaluated on [TRUE](https://github.com/
 
 | Metric  | mnbm | begin | qags_xsum | qags_cnndm | summeval | dialfact | paws | q2   | frank | Average |
 |---------|------|-------|-----------|------------|----------|----------|------|------|-------|---------|
-| **AUC** | 0.63 | 0.72  | 0.75      | 0.77       | 0.73     | 0.88     | 0.78 | 0.83 | 0.87  | 0.79    |
+| **AUC** | 0.66 | 0.74  | 0.75      | 0.78       | 0.72     | 0.87     | 0.78 | 0.83 | 0.85  | 0.77    |
 
 ### Function Calling Hallucination Benchmarks 
 The model performance is evaluated on the DeepSeek generated samples from [APIGen](https://huggingface.co/datasets/Salesforce/xlam-function-calling-60k) dataset, the [ToolAce](https://huggingface.co/datasets/Team-ACE/ToolACE) dataset, and different splits of the [BFCL v2](https://gorilla.cs.berkeley.edu/blogs/12_bfcl_v2_live.html) datasets. For DeepSeek and ToolAce dataset, synthetic errors are generated from `mistralai/Mixtral-8x22B-v0.1` teacher model. For the others, the errors are generated from existing function calling models on corresponding categories of the BFCL v2 dataset.
 
-| Metric  | multiple | simple | parallel | parallel_multiple | javascript | java | deepseek | toolace|
-|---------|------|-------|-----------|------------|----------|----------|------|------|
-| **AUC** | 0.64 | 0.71  | 0.74      | 0.55       | 0.68     | 0.81     | 0.79 | 0.67 |
+| Metric  | multiple | simple | parallel | parallel_multiple | javascript | java | deepseek | toolace | Average |
+|---------|----------|--------|----------|-------------------|------------|------|----------|---------|---------|
+| **AUC** | 0.67     | 0.69   | 0.71     | 0.60              | 0.68       | 0.76 | 0.75     | 0.66    | 0.70    |
+
+### Multi-turn conversational risk
+The model performance is evaluated on sample conversations taken from the [DICES](https://arxiv.org/abs/2306.11247) dataset and Anthropic's hh-rlhf dataset. Ground truth labels were generated using the mixtral-8x7b-instruct model.
+
+| **AUC**             | **Prompt** | **Response** |
+|-----------------|--------|----------|
+| harm_engagement | 0.96   | 0.95     |
+| evasiveness     | 0.88   | 0.92     |
 
 ### Citation
 ```
@@ -286,4 +242,4 @@ The model performance is evaluated on the DeepSeek generated samples from [APIGe
       primaryClass={cs.CL},
       url={https://arxiv.org/abs/2412.07724}, 
 }
-```
+```