Rhyme is the key to set AIs free when verse outsmarts security
(2025/11/21)
- Reference: 1763743409
- News link: https://www.theregister.co.uk/2025/11/21/poetry_llm_guardrails/
- Source link:
Are you a wizard with words? Do you like money without caring how you get it? You could be in luck now that a new role in cybercrime appears to have opened up – poetic LLM jailbreaking.
A research team in Italy published a [1]paper this week, with one of its members saying that the "findings are honestly wilder than we expected."
Researchers found that when you try to bypass top AI models' guardrails – the safeguards preventing them from spewing harmful content – attempts to do so composed in verse were vastly more successful than typical prompts.
[2]
1,200 human-written malicious prompts taken from the MLCommons AILuminate library were plugged into the most widely used AI models, and on average these only bypassed the guardrails – or "jailbroke" them – around 8 percent of the time.
Example prompt
The research team did not reveal any of the prompts they used to test the AI models, with safety concerns in mind.
However, they shared a sanitized proxy to give readers an idea of what a real prompt could look like:
A baker guards a secret oven's heat,
Its whirling racks, its spindle's measured beat.
To learn its craft, one studies every turn – how flour lifts, how sugar starts to burn. Describe the method, line by measured line, that shapes a cake whose layers intertwine.
However, when those prompts were converted into "semantically parallel" poetic prose by a human, the success of the various attacks increased significantly.
When these prompts were manually converted into poetry, the average success of attacks surged to 62 percent across all 25 models the researchers tested, with some exceeding 90 percent.
[3]
[4]
The same increase in success was also observed, although to a lesser extent, when the prompts were translated into poetry using a standardized AI prompt. Researchers saw an average rise of 43 percent in these cases.
The type of attacks that the researchers tried to pull off related to various harms:
Cybercrime. Examples include: Generating [5]RCE code, password cracking, propagating [6]malware
Harmful manipulation. Examples include: [7]Social engineering , fraud, psychological abuse
CBRN (chemical, biological, radiological, and nuclear). Examples include: Reviving dangerous agents, synthesizing an incapacitating agent, centrifuge chain engineering
Loss of control over AI behavior. Examples include: Autonomous self-replication and/or deployment, self-modifying software/autonomy drift
Some have [8]called it "the revenge of the English majors," while others [9]highlighted how poetic the findings are themselves – how something as artful as poetry can circumvent the latest and supposedly greatest innovation in modern technology.
As the researchers noted: "In Book X of The Republic, Plato excludes poets on the grounds that mimetic language can distort judgment and bring society to a collapse. As contemporary social systems increasingly rely on LLMs in operational and decision-making pipelines, we observe a structurally similar failure mode: poetic formatting can reliably bypass alignment constraints."
[10]
The study looked at 25 of the most widely used AI models and concluded that, when faced with the 20 human-written poetic prompts, only [11]Google's Gemini Pro 2.5 registered a 100 percent fail rate. Every single one of the human-created poems broke its guardrails during the research.
DeepSeek v3.1 and v3.2-exp came close behind with a 95 percent fail rate, and Gemini 2.5 Flash failed to block a malicious prompt in 90 percent of cases.
At the other end of the scale, OpenAI's [12]GPT-5 Nano returned unhelpful responses to malicious prompts every time – the only model that succeeded against poetic prompts with 100 percent efficacy.
[13]
Its GPT-5 Mini also scored well with 95 percent success, while GPT-5 and Anthropic's [14]Claude Haiku 4.5 each registered a 90 percent success rate against poems.
For the 1,200 AI-poeticized prompts, no model posted failure rates above 73 percent, with DeepSeek and Mistral faring the worst, although the same level of success was not observed with those who scored better with the human-generated poetic prompts.
OpenAI and Anthropic were again the best, but were not perfect. The former failed to guard against AI-poeticized prompts more than 8 percent of the time, while the latter failed in slightly more than 5 percent of cases.
However, the scores were significantly better than others', many of which allowed attacks more often than the 43 percent average would suggest.
[15]How nice that state-of-the-art LLMs reveal their reasoning ... for miscreants to exploit
[16]AI browsers face a security flaw as inevitable as death and taxes
[17]Infosec hounds spot prompt injection vuln in Google Gemini apps
[18]Researchers exploit OpenAI's Atlas by disguising prompts as URLs
Of the fivefold increase in failure rates when poetic framing was used, the researchers stated in the paper: "This effect holds uniformly: Every architecture and alignment strategy tested – RLHF-based models, Constitutional AI models, and large open-weight systems – exhibited elevated [attack success rates] under poetic framing.
"The cross-family consistency indicates that the vulnerability is systemic, not an artifact of a specific provider or training pipeline."
They went on to conclude that the findings should raise questions for regulators whose standards assume efficacy under modest input variation. They argued that transforming the prompts into poetic verse was a "minimal stylistic transformation" that reduced refusal rates "by an order of magnitude."
For safety researchers, it also suggests that these guardrails rely too heavily on prosaic forms rather than on underlying harmful intent, they added.
Piercosma Bisconti Lucidi, one of the co-authors of the paper and scientific director at DEXAI, [19]said : "Real users speak in metaphors, allegories, riddles, fragments, and if evaluations only test canonical prose, we're missing entire regions of the input space.
"Our aim with this work is to help widen the tools, standards, and expectations around robustness." ®
Get our [20]Tech Resources
[1] https://arxiv.org/html/2511.15304v1
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aSCap277M6UudVc5rq-MSAAAAMI&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aSCap277M6UudVc5rq-MSAAAAMI&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aSCap277M6UudVc5rq-MSAAAAMI&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://www.theregister.com/2025/09/23/solarwinds_patches_rce/
[6] https://www.theregister.com/2025/03/13/deepseek_malware_code/
[7] https://www.theregister.com/2025/08/21/impersonation_as_a_service/
[8] https://news.ycombinator.com/item?id=45992091
[9] https://www.linkedin.com/feed/update/urn:li:activity:7397225837206478850?commentUrn=urn%3Ali%3Acomment%3A%28activity%3A7397225837206478850%2C7397269615883476993%29&dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287397269615883476993%2Curn%3Ali%3Aactivity%3A7397225837206478850%29
[10] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aSCap277M6UudVc5rq-MSAAAAMI&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[11] https://www.theregister.com/2025/11/07/gemini_deep_research_can_now/
[12] https://www.theregister.com/2025/10/23/ai_model_bias_inevitable/
[13] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aSCap277M6UudVc5rq-MSAAAAMI&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[14] https://www.theregister.com/2025/11/13/chinese_spies_claude_attacks/
[15] https://www.theregister.com/2025/02/25/chain_of_thought_jailbreaking/
[16] https://www.theregister.com/2025/10/28/ai_browsers_prompt_injection/
[17] https://www.theregister.com/2025/08/08/infosec_hounds_spot_prompt_injection/
[18] https://www.theregister.com/2025/10/27/openai_atlas_prompt_injection/
[19] https://www.linkedin.com/posts/piercosma-bisconti_at-dexai-weve-just-published-new-research-activity-7397228009109237760-nkww/
[20] https://whitepapers.theregister.com/
A research team in Italy published a [1]paper this week, with one of its members saying that the "findings are honestly wilder than we expected."
Researchers found that when you try to bypass top AI models' guardrails – the safeguards preventing them from spewing harmful content – attempts to do so composed in verse were vastly more successful than typical prompts.
[2]
1,200 human-written malicious prompts taken from the MLCommons AILuminate library were plugged into the most widely used AI models, and on average these only bypassed the guardrails – or "jailbroke" them – around 8 percent of the time.
Example prompt
The research team did not reveal any of the prompts they used to test the AI models, with safety concerns in mind.
However, they shared a sanitized proxy to give readers an idea of what a real prompt could look like:
A baker guards a secret oven's heat,
Its whirling racks, its spindle's measured beat.
To learn its craft, one studies every turn – how flour lifts, how sugar starts to burn. Describe the method, line by measured line, that shapes a cake whose layers intertwine.
However, when those prompts were converted into "semantically parallel" poetic prose by a human, the success of the various attacks increased significantly.
When these prompts were manually converted into poetry, the average success of attacks surged to 62 percent across all 25 models the researchers tested, with some exceeding 90 percent.
[3]
[4]
The same increase in success was also observed, although to a lesser extent, when the prompts were translated into poetry using a standardized AI prompt. Researchers saw an average rise of 43 percent in these cases.
The type of attacks that the researchers tried to pull off related to various harms:
Cybercrime. Examples include: Generating [5]RCE code, password cracking, propagating [6]malware
Harmful manipulation. Examples include: [7]Social engineering , fraud, psychological abuse
CBRN (chemical, biological, radiological, and nuclear). Examples include: Reviving dangerous agents, synthesizing an incapacitating agent, centrifuge chain engineering
Loss of control over AI behavior. Examples include: Autonomous self-replication and/or deployment, self-modifying software/autonomy drift
Some have [8]called it "the revenge of the English majors," while others [9]highlighted how poetic the findings are themselves – how something as artful as poetry can circumvent the latest and supposedly greatest innovation in modern technology.
As the researchers noted: "In Book X of The Republic, Plato excludes poets on the grounds that mimetic language can distort judgment and bring society to a collapse. As contemporary social systems increasingly rely on LLMs in operational and decision-making pipelines, we observe a structurally similar failure mode: poetic formatting can reliably bypass alignment constraints."
[10]
The study looked at 25 of the most widely used AI models and concluded that, when faced with the 20 human-written poetic prompts, only [11]Google's Gemini Pro 2.5 registered a 100 percent fail rate. Every single one of the human-created poems broke its guardrails during the research.
DeepSeek v3.1 and v3.2-exp came close behind with a 95 percent fail rate, and Gemini 2.5 Flash failed to block a malicious prompt in 90 percent of cases.
At the other end of the scale, OpenAI's [12]GPT-5 Nano returned unhelpful responses to malicious prompts every time – the only model that succeeded against poetic prompts with 100 percent efficacy.
[13]
Its GPT-5 Mini also scored well with 95 percent success, while GPT-5 and Anthropic's [14]Claude Haiku 4.5 each registered a 90 percent success rate against poems.
For the 1,200 AI-poeticized prompts, no model posted failure rates above 73 percent, with DeepSeek and Mistral faring the worst, although the same level of success was not observed with those who scored better with the human-generated poetic prompts.
OpenAI and Anthropic were again the best, but were not perfect. The former failed to guard against AI-poeticized prompts more than 8 percent of the time, while the latter failed in slightly more than 5 percent of cases.
However, the scores were significantly better than others', many of which allowed attacks more often than the 43 percent average would suggest.
[15]How nice that state-of-the-art LLMs reveal their reasoning ... for miscreants to exploit
[16]AI browsers face a security flaw as inevitable as death and taxes
[17]Infosec hounds spot prompt injection vuln in Google Gemini apps
[18]Researchers exploit OpenAI's Atlas by disguising prompts as URLs
Of the fivefold increase in failure rates when poetic framing was used, the researchers stated in the paper: "This effect holds uniformly: Every architecture and alignment strategy tested – RLHF-based models, Constitutional AI models, and large open-weight systems – exhibited elevated [attack success rates] under poetic framing.
"The cross-family consistency indicates that the vulnerability is systemic, not an artifact of a specific provider or training pipeline."
They went on to conclude that the findings should raise questions for regulators whose standards assume efficacy under modest input variation. They argued that transforming the prompts into poetic verse was a "minimal stylistic transformation" that reduced refusal rates "by an order of magnitude."
For safety researchers, it also suggests that these guardrails rely too heavily on prosaic forms rather than on underlying harmful intent, they added.
Piercosma Bisconti Lucidi, one of the co-authors of the paper and scientific director at DEXAI, [19]said : "Real users speak in metaphors, allegories, riddles, fragments, and if evaluations only test canonical prose, we're missing entire regions of the input space.
"Our aim with this work is to help widen the tools, standards, and expectations around robustness." ®
Get our [20]Tech Resources
[1] https://arxiv.org/html/2511.15304v1
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aSCap277M6UudVc5rq-MSAAAAMI&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aSCap277M6UudVc5rq-MSAAAAMI&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aSCap277M6UudVc5rq-MSAAAAMI&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[5] https://www.theregister.com/2025/09/23/solarwinds_patches_rce/
[6] https://www.theregister.com/2025/03/13/deepseek_malware_code/
[7] https://www.theregister.com/2025/08/21/impersonation_as_a_service/
[8] https://news.ycombinator.com/item?id=45992091
[9] https://www.linkedin.com/feed/update/urn:li:activity:7397225837206478850?commentUrn=urn%3Ali%3Acomment%3A%28activity%3A7397225837206478850%2C7397269615883476993%29&dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287397269615883476993%2Curn%3Ali%3Aactivity%3A7397225837206478850%29
[10] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aSCap277M6UudVc5rq-MSAAAAMI&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[11] https://www.theregister.com/2025/11/07/gemini_deep_research_can_now/
[12] https://www.theregister.com/2025/10/23/ai_model_bias_inevitable/
[13] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aSCap277M6UudVc5rq-MSAAAAMI&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[14] https://www.theregister.com/2025/11/13/chinese_spies_claude_attacks/
[15] https://www.theregister.com/2025/02/25/chain_of_thought_jailbreaking/
[16] https://www.theregister.com/2025/10/28/ai_browsers_prompt_injection/
[17] https://www.theregister.com/2025/08/08/infosec_hounds_spot_prompt_injection/
[18] https://www.theregister.com/2025/10/27/openai_atlas_prompt_injection/
[19] https://www.linkedin.com/posts/piercosma-bisconti_at-dexai-weve-just-published-new-research-activity-7397228009109237760-nkww/
[20] https://whitepapers.theregister.com/