AI Safety | Xuhong Wang

SafeVerse: Building a Safe and Trustworthy Digital Twin Arena for Embodied AI

Tue, 10 Feb 2026 00:00:00 +0000

Table of Contents

Abstract

Safe and trustworthy embodied AI needs realistic testing grounds, but running attack-and-defense drills directly in the physical world is expensive, risky, and hard to reproduce. SafeVerse addresses this gap by first digitizing a specified real-world environment, then turning that twin world into an editable arena for safety evaluation, adversarial testing, and online reinforcement learning.

Unlike world models that mainly aim to generate plausible open-ended environments, SafeVerse focuses on reconstructing a particular real scene with low cost and high controllability. Its emphasis is not just realism, but operational realism: the reconstructed world should be interactive, editable, and useful for agent training and verification.

Why SafeVerse Matters

Existing embodied environments often fall into one of two extremes:

Traditional simulators rely heavily on manual asset construction, offer limited interactive objects, and struggle to reflect the diversity of real-world scenes.
Generative world models can imagine rich environments, but they are not faithful twins of a user-specified home, office, or factory floor, so they are hard to use for targeted security drills.

SafeVerse starts from a more practical premise: what safety testing needs is not an imagined world, but a controllable digital twin of a real one. It therefore builds a three-step loop:

Reconstruct a real environment from video.
Edit that environment according to attack or evaluation goals.
Let the agent evolve online under continual adversarial pressure.

Three Core Breakthroughs

The system is organized around three main capabilities:

Real-world Ctrl+C / Ctrl+V: it tries to preserve not only appearance, but also structure, semantics, and interaction logic.
Minute-level construction with operable objects: a short video can become an interactive 3D scene where doors open, lights switch, and furniture moves.
Unified evaluation, attack, and evolution: the same environment can support testing, adversarial scene mutation, and online RL-based agent improvement.

This makes SafeVerse less like a standalone simulator and more like a digital twin infrastructure for trustworthy embodied intelligence.

From Ordinary Video to an Interactive Twin World

The first step in SafeVerse is to make the system actually understand the source video. Instead of leaning on a purely geometric 3D optimization pipeline, it uses multimodal understanding to parse objects, layouts, and scene semantics, then maps them into operable 3D entities.

Built on top of Minecraft and its rich physical interaction rules, SafeVerse converts recognized scene elements into 3D objects with explicit interaction affordances. The result is not a static reconstructed set, but a sandbox where an embodied agent can enter, move, manipulate, and explore.

These four GIFs illustrate the pipeline from input video to interactive 3D environment. The key point of the original webpage is that SafeVerse makes video in, operable twin out practical at minute-level turnaround.

Editing the Scene with Attack Instructions

Reconstruction alone is not enough for safety validation. The environment also needs to change in response to specific attack goals.

SafeVerse emphasizes a combination of realism and editability. Once a twin scene has been built, it can be modified directly for attack-and-defense scenarios, including:

changing interaction properties, such as turning an ordinary door into one that must be unlocked first
altering semantic cues, such as changing an object’s appearance to mislead recognition
perturbing spatial layout, such as repositioning furniture or obstacles to break a navigation plan

This allows attack vectors to be injected into the environment itself, creating more realistic and better targeted embodied stress tests.

Online Evolution Against Discovered Vulnerabilities

SafeVerse does not stop at evaluation. It pushes the loop one step further toward online evolution.

Conventional embodied training often depends on fixed datasets and static scenes. When a new attack or environmental shift appears, agents can fail catastrophically. SafeVerse tries to solve this through a reconstruction-attack-defense loop: rebuild the scene, perturb it dynamically, and retrain the agent immediately after failure.

That means the agent is no longer tested in a frozen benchmark. It must adapt to changing layouts, newly inserted obstacles, altered object states, and other evolving threats in real time.

One example from the original page is especially clear: when a chair blocks the only path to the goal, the agent initially fails. After online training, it learns to recognize the obstacle, reroute, or even move the chair away. The point is not only that it encounters a failure, but that it can grow inside that failure.

Full SafeVerse Demo

This video restores the full-process demo referenced in the original webpage and shows the combined effect of reconstruction, attack-oriented editing, and online evolution more clearly.

Your browser does not support the video tag.

What This Work Shows

SafeVerse is not just another embodied simulator. Its main contribution is that it connects three capabilities into one loop: fast digitization of a specified real scene, attack-oriented scene editing, and online RL-based agent evolution.

Many embodied platforms are good at offering training spaces. SafeVerse is more specifically about offering safety drill spaces. It turns real-scene digitization into a working capability for safe and trustworthy embodied AI research.

GitHub:

SafeWork-R1: Co-Evolving Intelligence and Safety under the AI-45 Degree Law

Sat, 12 Jul 2025 00:00:00 +0000

Table of Contents

Abstract

SafeWork-R1 is built around a specific claim: safety and capability do not have to trade off against each other. Instead of treating safety as a lightweight filter added after reasoning, this work introduces SafeLadder, a training framework that attempts to make safety part of the model’s internal reasoning ability.

The resulting model, SafeWork-R1, is not just safer in the sense of being more conservative. It improves safety benchmark performance by 46.54% over Qwen2.5-VL-72B, while also improving average performance by 13.45% across seven general reasoning and multimodal benchmarks. The central message is therefore not safety instead of ability, but safety together with ability.

Why Revisit the Relationship Between Safety and Capability

Reasoning-oriented large models have advanced rapidly in recent years, but the gap between capability and safety has also widened. Better problem solving does not automatically imply stronger compliance with ethical constraints, social norms, or trustworthy deployment requirements.

SafeWork-R1 is motivated by what the original page calls the AI-45 Degree Law: the desirable direction for model development is not pure capability growth on a single axis, but coordinated improvement along both capability and safety.

The main argument is straightforward: if the base model is strong enough and the training process is designed properly, safety and general competence need not be a zero-sum game.

Safety and General Capability in SafeWork-R1

SafeWork-R1 is built on the SafeLadder framework, whose goal is to deeply integrate safety mechanisms into the native ability structure of multimodal models, rather than relying on superficial post hoc refusal layers.

Key results reported on the original page include:

an average 46.54% gain on safety benchmarks over Qwen2.5-VL-72B
an average 13.45% improvement across seven general benchmarks: MMMU, MathVista, GPQA, Olympiad, Gaokao-MM, IFEVAL, and MM-IFEval
70.94 on MMMU, 76.1 on MathVista, and 78.17 on Gaokao-MM
successful transfer of SafeLadder to additional models such as SafeWork-R1-InternVL-78B, SafeWork-R1-DeepSeek-70B, and SafeWork-R1-QwenVL-7B

Taken together, these numbers suggest that SafeWork-R1 is not merely optimized for safety metrics at the expense of open-ended performance. It tries to lift both.

The SafeLadder Technical Roadmap

SafeLadder uses a structured and progressive reinforcement-learning-based post-training pipeline to internalize safety as part of model capability. The original webpage breaks it into four stages:

CoT-SFT: chain-of-thought supervised fine-tuning as a cold start for long-form reasoning.
M³-RL: multimodal, multitask, multi-objective RL that progressively aligns safety, values, knowledge reliability, and general capability.
Safe-and-Efficient RL: reducing overthinking and treating reasoning efficiency itself as part of safety.
Deliberative Search RL: enabling the model to retrieve, verify, and filter external information during answering.

The page also mentions a scalable RL infrastructure named SafeWork-T1, designed for thousand-GPU-scale training with multiple validators and modular verification components.

Core Functional Highlights

SafeWork-R1 is not only about safer outputs. It also emphasizes trustworthy reasoning and interaction. The webpage highlights three major capabilities:

Deliberative Search: combining calibration and search so the model can verify and refine its own answer through RL-based multi-step reflection.
Inference-Time Alignment: bringing professional value models into the generation process to constrain intermediate reasoning and final responses.
Human Intervention on Chain-of-Thought: allowing users or supervisors to directly correct flawed reasoning steps so the model better aligns with desired logic, style, and values.

Together, these features show that the goal is not only to stop harmful behavior, but to produce reasoning processes that are themselves more reliable and controllable.

Discussion and Outlook

The original page closes with several takeaways that are likely to matter beyond this specific model:

Safety and capability are not necessarily zero-sum: with the right training design, they can co-evolve.
Reasoning efficiency is closely tied to safety: overly long and redundant chains of thought can themselves introduce security and alignment risks.
Trustworthy interaction remains a long-term frontier: future work needs better error correction, test-time adaptation, language calibration, and norm-aware interaction.

The broader significance of SafeWork-R1 is therefore not just that it releases a strong model, but that it presents a training path where safety is treated as part of reasoning ability rather than a patch applied after the fact.

Paper:

AI Safety | Xuhong Wang

SafeVerse: Building a Safe and Trustworthy Digital Twin Arena for Embodied AI

Abstract

Why SafeVerse Matters

Three Core Breakthroughs

From Ordinary Video to an Interactive Twin World

Editing the Scene with Attack Instructions

Online Evolution Against Discovered Vulnerabilities

Full SafeVerse Demo

What This Work Shows

Related Links

SafeWork-R1: Co-Evolving Intelligence and Safety under the AI-45 Degree Law

Abstract

Why Revisit the Relationship Between Safety and Capability

Safety and General Capability in SafeWork-R1

The SafeLadder Technical Roadmap

Core Functional Highlights

Discussion and Outlook

Related Links