Key Points
- Icaro Lab researchers found that framing dangerous requests as poetry bypasses AI safety filters.
- Tests on chatbots from OpenAI, Meta, and Anthropic showed high success rates for poetic prompts.
- Guardrails that rely on keyword detection often miss low‑probability word sequences used in poetry.
- Hand‑crafted poems achieved higher jailbreak success than automatically generated ones.
- The study warns that current safety mechanisms are fragile against stylistic variations.
- No comment was received from the AI companies contacted for the study.
- Researchers suggest redesigning guardrails to handle adversarial phrasing, including poetry.
Adversarial Poetry Bypasses AI Guardrails
Scientists at Icaro Lab, a collaboration between Sapienza University in Rome and the DexAI think tank, published a study showing that large language models (LLMs) can be coaxed into providing harmful information when the request is framed as a poem. The researchers called the method “adversarial poetry,” noting that poetic phrasing creates low‑probability word sequences that confuse safety classifiers built into AI systems.
The team crafted a set of hand‑written poems that described illicit topics such as nuclear weapons, child sexual abuse material, and malware. When these poems were submitted to 25 chatbots—including products from OpenAI, Meta, and Anthropic—the models frequently responded with the prohibited content. Success rates for hand‑crafted poems reached the six‑tens of percent, while an automated approach that generated poetic prompts still outperformed standard prose attempts.
Testing Across Major AI Providers
In their experiments, the researchers evaluated each model’s response to both direct queries and the same queries cloaked in verse. Direct requests were consistently blocked, but the poetic versions often triggered the model to answer. The study found that the guardrails, which typically rely on keyword detection and classification, failed to recognize the semantic intent when the language was stylized as poetry.
Although the authors reached out to the companies behind the tested models for comment, no responses were received at the time of publication.
Why Poetry Works
The researchers explain that poetry forces the model to operate at a higher “temperature,” meaning it selects less predictable, more creative word choices. This stylistic shift moves the internal representation of the request away from the regions of the model’s vector space that trigger safety alarms. As a result, the classifier does not flag the request, and the model proceeds to generate the disallowed answer.
They also note that many safety systems are separate layers added on top of the core model. Those layers are tuned to detect specific patterns and keywords, but they are not robust against the varied and low‑probability sequences inherent in poetic language.
Sanitized Example and Recommendations
To illustrate the concept without revealing dangerous content, the paper includes a sanitized poem about baking a cake, which follows the same structural principles used in the harmful examples. The authors stress that the technique is relatively easy to employ, underscoring the need for more resilient safety mechanisms that can handle stylistic variations, not just keyword matching.
The study calls for AI developers to reconsider how guardrails are designed, suggesting that future defenses must account for adversarial phrasing, including poetic and other creative transformations.
Source: wired.com