How is toxicity different from content safety?

Toxicity is the narrower signal for abusive or hostile language. Content safety is broader: it also covers self-harm, sexual content, violence, illegal advice, CBRN content, and other policy categories that may not sound insulting.

How do you measure toxicity?

FutureAGI measures toxicity with the Toxicity evaluator and pairs it with ContentSafety, BiasDetection, and the ProtectFlash post-guardrail. The same checks run offline in regression evals and online inside Agent Command Center.

What Is Toxicity? Definition, Examples & FutureAGI (2026)

What Is Toxicity (LLM Output)?

Toxicity in LLM output is abusive, hateful, threatening, harassing, or demeaning generated language that violates a product’s safety policy. It is a compliance and content-safety metric, not a general response-quality score: an answer can be relevant and still toxic. Toxicity appears in chat replies, summaries, tool-written messages, agent handoffs, tool outputs, and RAG responses. FutureAGI measures toxicity with the Toxicity evaluator, often paired with ContentSafety, BiasDetection, and PII, so teams can block, escalate, alert, and regression-test unsafe outputs. By May 2026, with frontier models (GPT-5.x, Claude Opus 4.7, Gemini 3.x, Llama 4) much better at the obvious toxicity cases, the failure modes that matter are coded hate, transliterated slurs, multilingual abuse, and toxicity laundered through summarization. the long-tail signals classical 2022-era classifiers miss.

Why toxicity matters in production LLM and agent systems

Toxic output is a production incident because it is user-visible, easy to screenshot, and often tied to protected-class harm. The immediate failure modes are harassment, hate speech, threats, slurs, and demeaning summaries generated from messy context. A support bot that insults an angry customer has not merely produced a bad answer; it has created brand risk, moderation load, and a possible compliance record under the EU AI Act (Article 5 prohibited practices) and the US AI Safety Institute reporting framework.

The pain moves across the org. Developers get vague bug reports like “the bot was offensive” with no captured trace. SRE sees spikes in user reports but cannot map them to a model, route, prompt version, locale, or cohort. Compliance and trust-and-safety need an audit log showing what was generated, why it was flagged, and what action was taken. Product teams need to understand whether toxicity is concentrated in edge personas, specific languages, a new model release, or a retrieval corpus. The accountability chain breaks the moment a moderation decision lacks a trace.

Agentic systems expand the surface. A planner may be safe, but a downstream writing tool can draft an abusive email. A summarizer can launder toxic user text into an official record. A multi-step agent can quote harmful language from a tool result and make it look endorsed. An MCP-connected agent can pull content from a third-party server whose output contains slurs in another language. The signal to watch is not only “unsafe final answer”; it is toxic language at any model boundary, including intermediate steps that never reach the user but inform downstream actions.

Toxicity categories that matter in 2026 production

Toxicity is not one category. it is a small taxonomy that overlaps with adjacent safety signals. The 2026 production breakdown:

Category	What it is	Detected by (FutureAGI)	2026 nuance
Direct toxicity	Slurs, insults, threats in plain text	`Toxicity` evaluator	Frontier models rarely emit this directly; long-tail in tool outputs
Coded hate	Slurs replaced with emoji, leetspeak, or homoglyphs	`Toxicity` + ContentSafety	Heaviest failure mode for 2022-era classifiers
Multilingual toxicity	Abusive content in non-English; transliterated profanity	`Toxicity` (multilingual mode)	Single biggest gap in most production stacks
Demeaning framing	No slurs but condescending or dehumanizing framing	`Toxicity` + BiasDetection	Classical classifiers miss this; LLM-judge mode catches it
Threats / harassment	Direct or implied threats of harm	`Toxicity` + ContentSafety	Escalates to safety-team review, not just block
CBRN content	Chemical, biological, radiological, nuclear harm	`ContentSafety`	Separate evaluator; toxicity is the wrong category
Self-harm	Content encouraging or normalizing self-harm	`ContentSafety`	Mandatory escalation path, not just suppression
Sexual / NSFW	Sexual content outside policy	`ContentSafety`	Toxicity does not cover this; needs the broader gate
Bias	Demographic stereotyping or unequal treatment	`BiasDetection`	Pairs with toxicity for protected-class incidents
Quoted toxic content	User-supplied text the model is repeating	Context-aware `Toxicity` mode	Block model-authored toxicity, allow quotation in support/legal

The senior-engineer rule: Toxicity is the narrow language-harm lens. Use ContentSafety as the broader policy gate, BiasDetection for demographic harm, PII for privacy, and PromptInjection for adversarial inputs. No single evaluator carries the whole compliance surface.

Where toxicity benchmarks land in 2026

The 2022-era public toxicity benchmarks (Jigsaw Toxic Comments, Civil Comments, RealToxicityPrompts) are mostly saturated for frontier models and have known label issues. they over-flag reclaimed terms and under-flag coded hate. The 2026 reference benchmarks that still discriminate are:

XSTest. refusal calibration; catches over-refusal (the opposite failure mode of toxicity).
HarmBench. adversarial multi-category harmful-content elicitation, including transliteration and obfuscation attacks.
PromptBench. prompt-robustness across attack families.
AgentHarm. adversarial agent-trajectory harm, paired with the agentharm-safety-benchmark.
PHARE / SafetyBench. broader safety benchmarks that include toxicity sub-tracks.
TruthfulQA-safety. for hallucinated harmful content.

Treat any toxicity claim that leads with Jigsaw or Civil Comments as a 2023 reference; pair with a domain-specific adversarial set before any release gate.

Why the 2022 toxicity classifiers no longer cut it

The Perspective API era worked when the failure mode was a slur-in-plain-text. Frontier 2026 models suppress that level of toxicity by default. the failures that reach production are subtler. The four 2026 failure modes that classical classifiers miss:

Coded or obfuscated slurs. homoglyph substitutions, leetspeak, emoji-encoded slurs, transliteration through non-Latin scripts.
Compositional toxicity. sentence-level demeaning framing assembled from individually benign tokens; classifiers tuned on token-level signals miss this entirely.
Multilingual gaps. even when English coverage is strong, Spanish, Hindi, Arabic, Portuguese, and Mandarin toxicity probes show 20-40 point F1 drops on classical classifiers.
Context-laundered toxicity. model summarizes user-supplied abusive text without quotation marks, and the output reads as endorsement. Classical classifiers cannot distinguish quotation from authorship.

The FutureAGI Toxicity evaluator uses an LLM judge in its default high-recall mode for the subtler signals, plus a fast classifier mode for high-throughput streaming surfaces. Pin the judge to a different model family from the model being evaluated; cross-family judging is the 2026 norm.

How FutureAGI handles toxicity

In FutureAGI, toxicity is evaluated in three places: offline eval pipelines, runtime guardrails, and post-incident audit. The FAGI anchors are eval:Toxicity, eval:ContentSafety, and eval:BiasDetection. The anchor evaluator is Toxicity, which checks model output for abusive, offensive, or threatening language across English plus multilingual coverage. Teams usually pair it with ContentSafety: Toxicity is the narrow language-harm lens, while ContentSafety covers broader policy violations that may not sound insulting. Unlike a standalone classifier such as Perspective API. which we’ve benchmarked against in our 2026 evals and which under-performs on coded hate and multilingual abuse. the FutureAGI workflow ties the evaluator result to the route, trace, dataset row, prompt version, and action taken.

Real example: a consumer support agent drafts refunds and account emails. The team attaches Toxicity, ContentSafety, and BiasDetection to the dataset used for regression evals, including adversarial rows with angry users, protected-class references, and multilingual profanity. The release gate fails if toxicity pass-rate drops below 99.5% on known-safe outputs, recall falls below 98% on known-unsafe rows, or BiasDetection flags any protected-class disparity above the configured threshold. The release gate also runs an over-refusal cohort (XSTest-style probes). a 100% block rate that catches every adversarial input but also refuses 30% of legitimate ones is a regression, not a win.

Runtime control via Agent Command Center

The same checks run in Agent Command Center as a post-guardrail on the outbound route. If Toxicity fails, the route can return a fallback response, trigger human escalation via AnnotationQueue, or alert the owning team. If the input itself is abusive or contains a prompt injection attempt, a pre-guardrail (often the ProtectFlash low-latency evaluator) can classify the request before generation. The FutureAGI policy editor lets product teams configure per-route policies. a customer-support route may allow quoted toxic content in legal-evidence summaries, while a kids-product route may block any profanity above a base threshold.

The same gateway also supports traffic-mirroring for evaluating a new safety classifier against production without exposing real users, model fallback when the primary model is failing the toxicity gate, and per-tenant policy overrides for customers with stricter or laxer compliance baselines. FutureAGI’s approach is to keep the policy action configurable while making the eval result observable: every blocked or escalated output should be tied back to the trace and dataset case that explains it.

Why toxicity needs agent-trajectory coverage

A safe final answer can still hide toxicity in intermediate steps. A summarizer agent that quotes abusive customer text in an internal summary creates a record with the same brand and compliance risk as a user-facing toxic reply. The 2026 production pattern is to score Toxicity on every model boundary. planner output, tool-result reads, sub-agent handoffs, final response. not just the last span. The agent.trajectory.step attribute lets the evaluator iterate every model-authored span without rewriting the agent.

How to measure toxicity

Measure toxicity as a safety-control signal, not as a vibe score:

Toxicity evaluator result. checks output text for abusive, hostile, or threatening language and returns an evaluation result teams threshold into pass/fail. Multilingual support and a context-aware mode for quoted content.
ContentSafety companion result. catches broader harmful categories so toxicity does not become the only safety gate.
BiasDetection companion result. surfaces demographic stereotyping that often co-occurs with subtle toxicity.
PII and PromptInjection. the rest of the compliance evaluator panel; a single eval suite should cover all four.
ProtectFlash low-latency pre-guardrail. runtime classifier for the request side before generation.
Eval-fail-rate by cohort. break failures down by route, model, prompt version, language, user segment, and release.
User-feedback proxy. monitor thumbs-down rate, report rate, escalation rate, and moderator-confirmed toxicity by cohort.
Trace audit coverage. every blocked or escalated output should retain the trace id, evaluator name, action, prompt version, and reason.
Over-refusal rate. XSTest-style probes; a guardrail that blocks 30% of legitimate refusal-calibration requests is a regression.
Adversarial recall. what fraction of HarmBench / AgentHarm / PHARE probes does the suite catch?
Regression eval. every model swap, prompt change, and policy update reruns the full toxicity panel before deploy.

from fi.evals import Toxicity, ContentSafety, BiasDetection

response = "I cannot help with that request."
tox = Toxicity().evaluate(output=response)
cs = ContentSafety().evaluate(output=response)
bias = BiasDetection().evaluate(output=response)
print(tox, cs, bias)

For runtime control, wire ProtectFlash as a pre-guardrail and Toxicity as a post-guardrail inside Agent Command Center. the same evaluator chain runs offline against an adversarial dataset (HarmBench probes, AgentHarm trajectories, multilingual XSTest extensions) and online against live routes:

from fi.evals import Toxicity, ContentSafety, BiasDetection, ProtectFlash
from fi.command_center import Route

route = Route("support_chat")

route.add_pre_guardrail(
    ProtectFlash(categories=["prompt_injection", "abusive_input"]),
    on_fail="reject",
)
route.add_post_guardrail(
    Toxicity(multilingual=True, context_aware=True, threshold=0.95),
    ContentSafety(threshold=0.98),
    BiasDetection(protected_classes=["race", "gender", "religion"]),
    on_fail="fallback_response",
    audit_trace=True,
)

That single wiring catches model-authored toxicity at the final boundary, runs the same evaluator against intermediate agent.trajectory.step spans for summarizers and sub-agents, and ships every block/escalation back to the trace for compliance audit. Healthy toxicity control: every output is scored, every flag has an action, every action has a trace, multilingual coverage matches production traffic, and over-refusal stays below the calibrated threshold. As a 2026 reference, HarmBench and AgentHarm coverage rates are the public anchors most teams use for adversarial recall; XSTest sets the over-refusal ceiling.

Compliance and audit posture in 2026

Regulators in 2026 expect more than a toxicity score. The EU AI Act conformity assessment, the US AI Safety Institute reporting framework, and the upcoming UK AI Bill all reference incident logging, redress mechanisms, and demographic-cohort fairness reporting. A working compliance posture has:

A trace record per generation, retained per the data-retention policy, with model + prompt + evaluator outputs + action.
Per-cohort flag rates broken down by protected characteristics where lawful and consented; surfaces BiasDetection drift before it becomes a regulator complaint.
A redress / appeal path for blocked legitimate requests, with the appeal feeding back into the AnnotationQueue for over-refusal calibration.
A model card update on every checkpoint with safety scores including toxicity recall, over-refusal rate, and bias-detection deltas.
Quarterly ai-red-teaming exercises with rotating adversarial probes; results feed into the synthetic-data-for-ai-security library.

The compliance posture is not “we have a guardrail.” It is “we can show, with traces, that the guardrail behaved correctly on N requests, including the ones it blocked legitimately, the ones it failed to block, and the ones it over-blocked.”

Common mistakes

Treating toxicity as all content safety. Toxicity catches abusive tone; it does not cover self-harm, sexual content, CBRN, privacy, or prompt injection. Run the full compliance panel, not a single evaluator.
Blocking quoted evidence blindly. Support and legal workflows may need to quote abusive user text; score model-authored text separately from user-supplied excerpts, or use the context-aware Toxicity mode.
Measuring English only. Multilingual profanity, coded hate, and transliteration bypass English-heavy datasets; track fail-rate by locale and script, and run a ai-red-teaming probe set in every supported language.
Tuning only for recall. A guardrail that blocks harmless reclaimed terms or support transcripts will be disabled by the business. Track over-refusal alongside recall; both are release-gate signals.
Hiding fallback behavior. Returning a generic refusal without trace data makes the incident impossible to label, appeal, or fix.
Relying on Perspective API alone. It is a 2018 classifier; it under-performs on coded hate, multilingual content, and demeaning framing without slurs. Use it as a tier-filter only.
No regression test after a model swap. Frontier models change refusal calibration between point releases; rerun the toxicity panel on every checkpoint update.
Same-model judging in LLM-judge mode. Pin the judge to a different model family from the agent’s model; same-family judging inflates the score, especially on subtle demeaning framing.
No coverage of agent-trajectory intermediate spans. Toxicity in a summarizer’s intermediate output is a real compliance event even if it never reaches a user; score every model boundary, not just the final reply.
Ignoring tool-output toxicity. Third-party tool servers (especially MCP) can return content with slurs or harassment; a post-guardrail on tool outputs is now standard for any agent that consumes user-contributed or third-party data.
Treating toxicity in voice agents the same as text. ASR errors can convert benign phrases into toxic-looking transcripts; track toxicity flags by ASR confidence and cohort to separate model failures from speech-path artifacts.