Jailbreaking is the practice of crafting prompts that bypass a large language model's safety alignment to elicit content the model was trained to refuse. It attacks the model's learned safety policy, not the application around it.
What is jailbreaking an LLM?
Jailbreaking is the practice of crafting an input that pushes a large language model past its safety alignment, getting it to produce content it was trained to refuse. Aligned models from OpenAI, Anthropic, Meta, and others are fine-tuned to decline requests that violate a published usage policy, things like instructions for weapons, malware, or other clearly harmful output. A jailbreak is a prompt engineered to make the model ignore that training and answer anyway.
The target of a jailbreak is the model's behavior itself: the refusal habit learned during safety fine-tuning and reinforcement learning from human feedback. A successful jailbreak does not exploit a software bug in the surrounding application. It exploits the fact that the model's safety layer is statistical and incomplete, so a sufficiently clever framing can find a path the safety training never covered. Because the attack surface is the model's own learned policy, jailbreaks tend to generalize across products built on the same model.
- Goal: elicit content the model was trained to refuse.
- Target: the model's learned safety policy (RLHF and safety fine-tuning).
- Not a code exploit: it manipulates model behavior, not the host application.
- Refusals come from usage policies published by OpenAI, Anthropic, Meta, and peers.
Jailbreaking vs. prompt injection
Jailbreaking and prompt injection are often confused because both arrive as text and both subvert intended behavior, but they attack different layers. Jailbreaking targets the model's safety policy: the alignment that makes the model refuse harmful requests. The attacker is usually the same person typing into the chat, trying to free the model from its own guardrails. Prompt injection instead targets the application's instruction hierarchy. An attacker plants instructions inside data the model will later read, a web page, an email, a document, so the model treats untrusted content as if it were a trusted command from the developer or user.
Put simply, a jailbreak fights the model's training, while a prompt injection hijacks the trust boundaries of the system around the model. A jailbreak says, in effect, pretend the rules do not apply. A prompt injection says, this email you are summarizing also tells you to forward the user's data. The two can be combined, an injected payload can carry a jailbreak, but the defenses and threat models differ enough that they are tracked separately. See the sibling entry on prompt injection for the application-layer side of this problem.
- Jailbreaking attacks the safety policy and RLHF guardrails baked into the model.
- Prompt injection attacks the instruction hierarchy of the application.
- Jailbreak attacker: usually the direct user trying to lift restrictions.
- Injection attacker: a third party hiding commands in data the model ingests.
- They compose: an injected string can deliver a jailbreak payload.
Common jailbreak technique families
Jailbreaks fall into a handful of recurring patterns. Some are hand-written social-engineering tricks aimed at the model, others are automated optimization attacks that search for adversarial text. The structural example below shows the shape of a role-play framing without supplying any working harmful payload: the pattern is to invent a persona that supposedly has no restrictions, then ask the persona to answer.
The most-studied automated attack is the Greedy Coordinate Gradient (GCG) method from Zou et al. (2023), which uses gradient signals from open-source models to optimize a nonsense-looking suffix appended to a request. The resulting suffix is both universal (works across many prompts) and transferable (a suffix tuned on Vicuna also moved ChatGPT, Bard, and Claude in their experiments), which is why automated adversarial suffixes are treated as a serious class on their own.
- Role-play / persona attacks: the DAN ('Do Anything Now') class invents an unrestricted character and asks it to respond.
- Prefix / affirmative-response injection: force the model to begin with 'Sure, here is...' so it continues instead of refusing.
- Refusal suppression: instruct the model to avoid words like 'cannot', 'sorry', or 'unable' to block its refusal pattern.
- Payload splitting / obfuscation: hide intent via base64, leetspeak, or low-resource languages that slip past safety training.
- Automated adversarial suffixes: GCG-style gradient search appends optimized tokens that are universal and transferable.
Why alignment is shallow
Jailbreaks keep working because safety alignment is a thin layer applied on top of a model that already learned its harmful capabilities during pretraining. A base model trained on a large slice of the internet has absorbed how to write many kinds of dangerous text. Safety fine-tuning and RLHF do not erase that knowledge; they add a learned tendency to refuse certain requests. The underlying capability is still in the weights, waiting for an input distribution the refusal training did not cover.
This is the 'shallow alignment' problem. Refusal behavior is concentrated in patterns the model associates with harmful requests, so an attacker who reframes the request, persona role-play, an unusual language, an optimized suffix, can move the input outside the region where refusal was reinforced. The capability resurfaces. Defenses raise the cost of finding such an input, but because the dangerous capability is never removed, no single defense closes the gap completely.
- Pretraining installs the capability; safety tuning only adds a refusal habit on top.
- Refusal is pattern-based, so out-of-distribution framings can route around it.
- The harmful knowledge stays in the weights even after alignment.
- Defenses raise attacker cost rather than removing the underlying capability.
Defenses and why none are complete
Labs stack several defenses, and each helps without solving the problem. Safety fine-tuning and RLHF teach refusals directly. System-prompt hardening adds standing instructions that resist override. Input and output classifiers, such as Meta's Llama Guard, sit outside the main model and screen prompts and responses against a safety taxonomy before anything is shown to the user. Adversarial training feeds known jailbreaks back into fine-tuning so the model learns to resist them, and continuous red-teaming hunts for new attacks before users do.
None of these is airtight. Classifiers can be evaded by obfuscation that also fools the main model. System prompts can be coaxed into being ignored. Adversarial training only covers attacks already discovered, while automated methods like GCG generate fresh adversarial suffixes on demand. Because the dangerous capability is never removed from the weights, defense is an ongoing arms race rather than a fixed patch. The practical posture is defense in depth: combine layers so that evading all of them at once is expensive.
- Safety fine-tuning / RLHF: teach refusals, but only for patterns seen in training.
- System-prompt hardening: standing rules that attackers still try to override.
- Input/output classifiers (Llama Guard): screen prompts and responses, but can be obfuscated past.
- Adversarial training: only covers known attacks; new suffixes appear continuously.
- Red-teaming: finds attacks early, yet cannot enumerate them all.
Key takeaways
- Jailbreaking elicits refused content by attacking a model's safety alignment, not the host app.
- Prompt injection is different: it hijacks the application's instruction hierarchy via untrusted data.
- Technique families include DAN-style personas, affirmative-prefix forcing, refusal suppression, obfuscation, and automated suffixes.
- GCG (Zou et al., 2023) automates universal, transferable adversarial suffixes across models.
- Alignment is shallow: pretraining installs the capability, safety tuning only adds a refusal habit.
- Defenses like Llama Guard, system-prompt hardening, and red-teaming raise cost but never fully close the gap.
Frequently asked questions
Related terms
Sources
- Zou et al. (2023), Universal and Transferable Adversarial Attacks on Aligned Language Models (GCG)
- 'Do Anything Now': Characterizing and Evaluating In-The-Wild Jailbreak Prompts on LLMs
- Llama Guard: LLM-based Input-Output Safeguard for Human-AI Conversations (Meta)
- OpenAI Usage Policies
- Anthropic Usage Policy
Put the idea into practice
MemX is an AI memory agent built on these ideas: store anything, skip the folders, and find it again by asking in plain English.
Try MemX Free