Suicidal-risk detection is one of the least forgiving classification problems in applied NLP. A missed positive is not a degraded user experience; it is a person who needed escalation and did not get it. That asymmetry changes every engineering decision downstream - the loss you optimize, the threshold you ship, the way you measure success, and ultimately whether you rent a model or build one. This post is an honest walkthrough of how we trained Beacon SI 2.5, a compact reasoning model that outperformed GPT-4o on this task, and why a smaller model we own was the right call over a frontier API.
We are deliberately not publishing sensational examples or raw benchmark tables here. The point is the method, because the method is what transfers. If you are building anything where a false negative is expensive and irreversible, the shape of this pipeline should be useful to you even if your domain is nothing like clinical text.
Why frontier general models underperform here
GPT-4o is an excellent generalist. That is precisely the problem. A frontier model is trained and RLHF-tuned to be broadly helpful, cautious, and agreeable across millions of use cases. Several of those instincts actively work against you in high-recall safety classification.
- Refusal and hedging: safety training pushes general models to deflect or soften on self-harm content, which corrupts a task where you need a crisp, calibrated risk judgment rather than a supportive deflection.
- Optimizing the wrong objective: instruction tuning rewards balanced, plausible-sounding answers. It does not reward the specific recall-weighted decision boundary a clinical screen requires.
- Distributional mismatch: real signals of risk are often oblique, coded, culturally specific, or buried in otherwise mundane text. Generalists over-index on explicit lexical cues and miss indirect ideation.
- No control over the operating point: with a rented API you cannot move the decision threshold, inspect logits, or tune the precision-recall trade-off. You get someone else's calibration for someone else's problem.
- Silent drift: the model behind an API changes on the vendor's schedule, not yours. In a clinical setting, an unannounced behavior shift is a compliance and safety event.
None of this means GPT-4o is weak. It means the objective it was optimized for is not our objective. You do not close that gap with a longer prompt. You close it by training.
We built the eval before we built the model
The single highest-leverage decision in this project was refusing to write any training code until the evaluation was trustworthy. On most tasks a mediocre eval slows you down. On a safety-critical task a mediocre eval is dangerous, because it will happily tell you a model is ready when it is not.
Our eval was designed by working backward from clinical consequence. Aggregate accuracy is close to meaningless when classes are imbalanced and error costs are asymmetric, so we led with recall on true-positive risk cases, tracked precision as the cost constraint, and reported operating points across the full curve rather than a single headline number. Crucially, the eval set was clinician-informed and stratified: explicit versus indirect expression, protective-factor cases that look risky but are not, and hard negatives written specifically to trip a lexical shortcut.
If your eval cannot tell a genuinely improved model from a lucky one, every training run after that is theater. We spent our first weeks making the ruler honest.
We also kept a locked holdout that no training or threshold-tuning ever touched. It is the only number we trust for a go or no-go decision, and it never leaks into iteration.
The SFT to DPO post-training pipeline
Beacon SI 2.5 is a reasoning model, not a bare classifier. It produces a short structured rationale and then a calibrated risk judgment. We trained it in two stages on top of an open-weights base.
Stage one: supervised fine-tuning
SFT taught the model the task shape and the domain vocabulary: how to read for indirect signals, how to weigh protective factors, and how to produce a rationale that a clinician could audit. Data quality mattered far more than data volume. A smaller set of carefully labeled, reasoning-annotated examples beat a larger noisy set every time, because in this domain a single mislabeled example teaches the model to make exactly the mistake you cannot afford. We invested heavily in label adjudication and in writing rationales that model the reasoning, not just the answer.
Stage two: direct preference optimization
SFT gets you a competent model. It does not get you a model that reliably prefers the safer, better-reasoned response when two outputs look superficially similar. That is what DPO is for. We built preference pairs where the chosen response caught a subtle risk signal or reasoned more carefully about ambiguity, and the rejected response was plausible but wrong in a clinically meaningful way - a missed indirect cue, an over-reliance on a surface keyword, or a false alarm on a protective-factor case.
DPO let us encode the cost asymmetry directly into the model's preferences instead of bolting it on at inference. The model learns to be appropriately cautious on genuine ambiguity while not treating every mention of distress as a crisis. This is the step that most cleanly separated Beacon from a prompted generalist: we were optimizing the exact trade-off the task demands, not a proxy for it.
Calibrating for recall without drowning in false positives
High recall is easy in isolation - flag everything and you never miss. It is also useless, because an alert stream that is mostly noise gets ignored, and an ignored alert is a missed positive with extra steps. The real engineering is holding recall high while keeping precision high enough that human reviewers still trust the signal.
- We choose the operating threshold explicitly on a validation set against a stated minimum recall, then report the precision we pay for it, rather than accepting whatever default a softmax hands us.
- We calibrate probabilities so that a stated risk score means the same thing across inputs, which lets downstream triage set humane, defensible cut-offs.
- We separate the true error modes: a false negative on genuine risk and a false positive on a protective-factor case are not equally bad and are not fixed by the same change.
- We treat the rationale as part of the output contract, so a human reviewing a flag sees why the model escalated and can override quickly when it is wrong.
Owning the model is what makes any of this possible. You cannot set a recall-first operating point on a system whose internals and calibration you do not control.
Red-teaming a safety classifier
A model that scores well on a clean eval can still fail in the field, so we adversarially attacked Beacon before trusting it. We probed for the failure modes that matter: indirect and metaphorical expression, code-switching and non-standard register, sarcasm and quoted speech that flips intent, and hard negatives engineered to look risky while being benign. We also stress-tested the opposite direction - content designed to slip past a lexical filter - because a classifier that only catches the obvious cases provides false comfort.
Findings from red-teaming fed straight back into DPO preference pairs and into the eval set, so each round of attack made both the model and the ruler harder to fool. Red-teaming here is not a one-time audit. It is a standing part of the loop, and for clinical deployment it is paired with human oversight rather than proposed as a replacement for it.
Why a smaller owned model wins this fight
Beacon SI 2.5 is far smaller than GPT-4o and beat it on the task that matters. That is not a paradox - it is the expected result when a specialist trained on the right objective meets a generalist trained on a different one. Ownership compounds the advantage in ways that show up long after the benchmark.
- Control of the operating point: we set and defend the recall-precision trade-off, and we can move it as clinical guidance evolves.
- Stability: the model does not change unless we change it, which is a hard requirement for anything touching clinical workflows and audit.
- Data governance: sensitive text stays inside infrastructure we control, which matters for privacy and compliance in ways a third-party API cannot match.
- Auditability: we can inspect, version, and explain the model's behavior, and reproduce any decision it made.
- Economics and latency: a compact specialist is cheaper and faster to run at scale than routing every case through a frontier endpoint.
We don't rent AI. We engineer it. On a task where a false negative is measured in human terms, that is not a slogan - it is the only defensible architecture.
What transfers to your problem
You may never touch clinical text, but if you have a task where one class of error is far more expensive than the other, the playbook holds. Build the eval first and make it honest. Use SFT to teach the shape and DPO to encode the trade-off you actually care about. Choose your operating point deliberately and calibrate it. Red-team continuously and feed the failures back in. And when the stakes are real, own the model. A frontier API is a remarkable generalist, but generalists are optimized for the average case, and safety-critical work lives entirely in the tail.